5.E.1. Updated HIPAA Policies and Procedures - Res. No. 7008
City of Shakopee
MEMORANDUM
TO: Mayor and City Council
Mark McNeill, City Administrator
FROM: Kris Wilson, Assistant City Administrator
SUBJECT: Adoption of Updated HIPAA Policies and Procedures
DATE: May 28, 2010
Introduction
The Council is asked to adopt the attached policies and procedures to ensure that the City's
Group Health Plans continue to comply with the federal Health Insurance Portability and
Accountability Act (HIPAA) and its subsequent amendments, expansions and related
regulations.
Background
Late last summer, the City hired Financial Concepts Inc. as its new insurance broker for
employee benefits. One of the services Financial Concepts offers is review of its clients' HIPAA
policies and procedures. The City took advantage of this review and discovered that several
aspects of the existing HIPAA policies and procedures, which were originally adopted in 2004,
needed updating. The magnitude of the changes needed was such that a strike-thru and
underline style edit wouldn't be sufficient. Therefore staff is asking that Council adopt the
attached policies and procedures as a whole and repeal those adopted in 2004 in their entirety.
This action encompasses 4 documents:
1. The City of Shakopee Organized Health Care Arrangement HIPAA Privacy Manual. This
item covers the two benefits we offer that are considered to be "self-insured": the
Flexible Medical Spending Account and the Post-Employment Health Care Savings
Account.
2. The City of Shakopee HIPAA Security Policy. This item is all that is required in relation
to our medical and dental plans because those are fully insured plans, from which we
collect and maintain nothing more than enrollment data and non-identifiable claims
statistics.
3. Privacy Officer Job Description. The HIPAA Privacy Manual names the Assistant City
Administrator as the Privacy Officer. This document outlines the roles and
responsibilities of this position.
4. Notice of Privacy Practices. This is a notice that we must provide to enrollees of our
fully insured plans, providing an overview of our privacy policies and information on
how they can access the complete policy and their own protected health information.
Relationship to Vision
This is a housekeeping item. (Goal F).
Budgetary Impact.
None.
Requested Action
The Council is asked to offer Resolution No. 7008, a resolution adopting revised HIPAA Policies
and Procedures for the City of Shakopee's Group Health Plans, and move its adoption.
RESOLUTION No. 7008
A RESOLUTION ADOPTING REVISED HIPAA POLICIES AND PROCEDURES
FOR THE CITY OF SHAKOPEE'S GROUP HEALTH PLANS
WHEREAS, Congress passed the Health Insurance Portability and Accountability Act
(HIPAA) in 1996 to reform health care; and
WHEREAS, the City's group health plans are required to comply with the Health
Insurance Portability and Accountability Act (HIPAA); and
WHEREAS, HIPAA Privacy Standards mandate that the City establish and implement
policies and procedures with respect to protected health information; and
WHEREAS, legislative and regulatory actions require that the City's HIPAA policies and
procedures be updated from time to time; and
WHEREAS, staff, in consultation with the City's insurance advisor/broker, has recently
completed a thorough review and updating of the City's HIPAA policies and procedures.
NOW, THEREFORE, BE IT RESOLVED, that the City Council of the City of Shakopee hereby
adopts the following HIPAA policies and procedures for the City of Shakopee, which are
heretofore attached:
1. The City of Shakopee Organized Health Care Arrangement HIPAA Privacy Manual.
2. The City of Shakopee HIPAA Security Policy.
3. Privacy Officer Job Description.
4. Notice of Privacy Practices.
BE IT FURTHER RESOLVED, that Resolution No. 6170 and all other Resolutions, policies
and procedures in conflict with this resolution are hereby repealed and terminated effective
June 1, 2010.
Adopted in regular session of the City Council of the City of Shakopee, Minnesota, held
this 1st day of June, 2010.
Mayor of the City of Shakopee
ATTEST:
City Clerk
THE CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
HEALTH INSURANCE PORTABILITY
AND ACCOUNTABILITY ACT (HIPAA) PRIVACY MANUAL
City of Shakopee HIPAA Policies & Procedures
TABLE OF CONTENTS
Page
Statement of HIPAA Privacy Compliance Program 1
Glossary of Defined Terms 3
Plan's Uses and Disclosure of Health Information 11
Minimum Necessary Requirements 24
Individual Authorization for Uses and Disclosures 27
Authorization To Use and Disclose Health Information 1
Authorization Revocation 3
No Consent To Use or Disclose Health Information for Plan's Payment or Health Care
Operations 4
Disclosures of De- Identified Health Information 2
Disclosures of Limited Data Sets 4
Contracts With Business Associates 6
Safeguarding Protected Health Information 9
Administrative Requirements 12
Record Retention 15
Training of Employees on the Plan's Policies and Procedures 17
Mitigation of Harmful Effect of Improper Use or Disclosure 19
Uses and Disclosures of Health Information for Marketing 21
Confidential Communication Requirements 22
Request for Confidential Communication of Health Information 1
Individual Right of Access To Protected Health Information 3
Request For Access 5
Denial of Access 7
Right of Individual To Request Restrictions on Uses and Disclosures 8
Request for Restriction On Use and Disclosure of Health Information 10
POLICY AND FORM: Amendment of Protected Health Information 12
Accounting of Disclosures of Protected Health Information 19
Review and Resolution of Complaints 24
Personal Representatives of Individuals 26
Personal Representative Form 29
Unsecured PHI Breach Determination and Notification Procedures 31
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
STATEMENT OF HIPAA PRIVACY COMPLIANCE PROGRAM
April 14, 2004
On December 28, 2000 and August 14, 2002, the Department of Health and Human Services
("HHS") issued regulations entitled "Standards for Privacy of Individually Identifiable Health
Information," 65 Fed. Reg. 82462 (December 28, 2000) and 67 Fed. Reg. 53182 (August 14,
2002) (collectively, the "Privacy Rule"), which set forth in detail the duties of health plans and
other health care entities with respect to the privacy of health information under the Health
Insurance Portability and Accountability Act of 1996 ("HIPAA"). It is the intent of the City of
Shakopee Organized Health Care Arrangement (the "City of Shakopee OHCA") and its sponsor
and administrator, the City of Shakopee, (the "Plan Administrator") to comply in all respects
with the Privacy Rule.
For purposes of this HIPAA Privacy Compliance Program, consisting of the attached policies
and procedures ("Policies and Procedures"), the following plans, which have been adopted by
the Plan Sponsor, are members of the City of Shakopee OHCA and are referred to throughout as
"Plan":
City of Shakopee Flexible Spending Account Plan
City of Shakopee Post-Employment Health Care Savings Account Plan
The City of Shakopee OHCA and Plan Administrator will from time to time implement other
Policies and Procedures, and may modify existing Policies and Procedures, to reflect their
commitment to privacy and compliance with the Privacy Rule. All such additional Policies and
Procedures, and amendments, will be approved by the Plan Administrator and implemented by
senior management with your assistance.
It is also the policy of the City of Shakopee OHCA and Plan Administrator to comply with all
relevant State laws governing health information privacy, to the extent those laws are not
preempted by the Employee Retirement Income Security Act ("ERISA") or the Privacy Rule. If
any provision of these Policies and Procedures is not compliant with the Privacy Rule or a more
restrictive State privacy law, the Policies and Procedures will be interpreted so that they comply
with such law. If you have a question as to whether a State law applies to the City of Shakopee
OHCA or is preempted by ERISA or the Privacy Rule, please contact the Privacy Officer.
1 The Privacy Rule is one of several proposed and final rules that are being published to implement the
Administrative Simplification provisions of HIPAA. 45 C.F.R. Subchapter C, Parts 160 and 162, were added
by the Final Rule at 65 Fed. Reg. 50365 (Aug. 17, 2000). Part 160 comprises general provisions; Part 162
comprises various administrative simplification regulations relating to transactions and identifiers. Part 164
comprises the regulations implementing the security and privacy requirements of the legislation, including the
Privacy Rule, 65 Fed. Reg. 82462-82829 (December 28, 2000), as amended by 67 Fed. Reg. 53182-53273
(August 14, 2002).
City of Shakopee OHCA HIPAA Privacy Manual
-1-
The HIPAA Privacy Compliance Program is a detailed and specific statement of Policies and
Procedures with which all personnel must comply. The HIPAA Privacy Compliance Program,
and other information pertaining to the Plan's protection of health information privacy, is at all
times subject to inspection by the Secretary of HHS for the purpose of monitoring the City of
Shakopee OHCA's compliance with the Privacy Rule. All such requests for inspection should
be directed to the City of Shakopee OHCA's Privacy Officer.
A violation of the Privacy Rule could be extremely detrimental to the City of Shakopee OHCA,
its participants and beneficiaries and the Plan Administrator and its personnel. Failure to follow
the City of Shakopee OHCA's Privacy Policies and Procedures not only could lead to civil and
criminal liability for you and the City of Shakopee OHCA, but also can result in disciplinary
action, including the termination of your employment. Therefore, it is imperative that all
personnel comply with the standards contained in the HIPAA Privacy Compliance Program and
related Policies and Procedures, immediately report any actual or potential violation of the
Program to the Privacy Officer and assist the City of Shakopee OHCA in investigating any
allegations of violations.
Potential Sanctions for Violations of the Privacy Rule
1. Penalties Imposed on You by the Plan Administrator. Depending on the severity of the
violation, as evaluated by your supervisor and with appropriate input by the Plan
Administrator, sanctions against you can range from a warning to immediate termination of
your employment and possible reporting to Federal and State administrative agencies.
2. Civil Sanctions.
(a) HHS may impose fines of $100 per violation, per person, up to $25,000 per year for
negligent violation of a single standard.
3. Criminal Sanctions.
(a) HHS may make a criminal referral to the Department of Justice for any person who
knowingly violates a standard, with potential fines of up to $50,000 and/or
imprisonment for up to one year.
(b) Fines of up to $100,000 and/or imprisonment for up to five years may be imposed on
any person who violates the standards under false pretenses.
(c) Fines of up to $250,000 and/or imprisonment for up to 10 years may be imposed on
any person who violates any standard with the intent to sell, transfer or use health
information protected under the Privacy Rule for commercial advantage.
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
POLICY #1: GLOSSARY OF DEFINED TERMS
(HIPAA CITES: 45 C.F.R. §§160.103; 162.103; 164.501; 164.504(a))
I. Background
This Policy defines terms that are used in the City of Shakopee OHCA's policies implementing
its compliance with the Standards for Privacy of Individually Identifiable Health Information, 45
C.F.R. Parts 160 and 164, which were promulgated pursuant to the Health Insurance Portability
and Accountability Act ("HIPAA"). Unless a specific City of Shakopee OHCA policy indicates
otherwise, the following terms have the meanings ascribed to them in this Policy.
II. Definitions
A. "Authorization" means an Individual's specific written permission, as described in
Policy No. 04, requested by an Authorized Employee to use and disclose PHI for
purposes other than Treatment, Payment or Health Care Operations and other specified
purposes described in Policy No. 02.
B. "Authorized Employee" means an Employee whose job duties require access to PHI for
purposes of Plan administration and who has been so identified in Plan documents.
These employees include the following:
• Privacy Officer
• City Attorney
• Assistant City Administrator
• Human Resources Technician
• Accounting Clerk II
• Administration Department Office Service Worker
C. "Breach" means the unauthorized acquisition, access, use or disclosure of Protected
Health Information which compromises the security or privacy of such information, as
defined in 45 C.F.R. §164.402.
D. "Business Associate" means a natural person or organization that:
1. On behalf of a Plan, performs or assists in the performance of a Plan function or
activity involving the use or disclosure of Protected Health Information, including
claims processing or administration, data analysis, processing or administration,
utilization review, quality assurance, billing, benefit management, and repricing, or
any other Plan function or activity regulated by 45 C.F.R. Subtitle A, Subchapter C;
or
2. Provides legal, actuarial, accounting, consulting, data aggregation, management,
administrative, accreditation, or financial services to or for a Plan, where the
provision of the services involves the disclosure to the person of Protected Health
Information from a Plan or from another business associate of a Plan.
Business Associate does not include:
3. An employee or other person whose conduct, in the performance of work for a Plan,
is under the direct control of the Plan Administrator;
4. A Health Care Provider to which a Plan discloses Protected Health Information in
connection with the treatment of an Individual; or
5. The Plan Sponsor to the extent that the requirements of 45 C.F.R. §164.504(f) are
met.
E. "Covered Entity" means:
1. A Health Plan.
2. A Health Care Clearinghouse.
3. A Health Care Provider who transmits any health information in electronic form in
connection with a transaction covered by the regulations promulgated pursuant to
HIPAA.
F. "Data Aggregation" means, with respect to Protected Health Information created or
received by a person in its capacity as a Business Associate of a Plan, the combining of
such Protected Health Information by the person with the Protected Health Information
received by the person in its capacity as a Business Associate of another Covered Entity,
to permit data analyses that relate to the Health Care Operations of a Plan and the other
Covered Entity.
G. "Designated Record Set" means a group of records maintained by or for a Plan that is (i)
the enrollment, Payment, claims adjudication, and case or medical management record
systems maintained by or for a Plan; or (ii) used, in whole or in part, by or for the Plan to
make decisions about Individuals. As used herein, the term "Record" means any item,
collection, or grouping of information that includes Protected Health Information and is
maintained, collected, used, or disseminated by or for the Plan.
H. "Disclose" means to release, transfer, provide access to, or divulge information in any
other manner outside the entity that holds the information.
I. "Discover" (or Discovery or Discovered) means that the Plan has discovered a breach or
Security Incident as of the first day on which the breach or Security Incident is known to
the Plan or, by exercising reasonable diligence, would have been known to the Plan. A
Plan shall be deemed to have knowledge of a breach if such breach is known, or by
exercising reasonable diligence would have been known, to any person, other than the
person committing the breach, who is an Authorized Employee of the Plan Sponsor.
J. "Electronic Media" means the mode of electronic transmissions. It includes the Internet,
extranet (using Internet technology to link a business with information only accessible to
collaborating parties), leased lines, dial-up lines, private networks, and those
transmissions that are physically moved from one location to another using magnetic
tape, disk, or compact disk media.
K. "Group Health Plan" means an employee welfare benefit plan (as defined in Section
3(1) of the Employee Retirement Income Security Act), including insured and self-insured
plans, to the extent that it provides medical care (as defined in Section 2791(a)(2) of the
Public Health Service Act), including items and services paid for as medical care, to
employees and their dependents directly or through insurance, reimbursement or
otherwise.
L. "Health Care Clearinghouse" means a public or private entity, including a billing
service, repricing company, community health management information system or
community health information system, and "value-added" networks and switches, that
does either of the following functions:
1. Processes or facilitates the processing of health information received from another
entity in a nonstandard format or containing nonstandard data content into standard
data elements or a standard transaction.
2. Receives a standard transaction from another entity and processes or facilitates the
processing of health information into nonstandard format or nonstandard data content
for the receiving entity.
M. "Health Care Operations" means any of the following activities of the Plan:
1. Conducting quality assessment and improvement activities, including outcomes
evaluation and development of clinical guidelines, provided that the obtaining of
generalizable knowledge is not the primary purpose of any studies resulting from
such activities; population-based activities relating to improving health or reducing
health care costs, protocol development, case management and care coordination,
contacting of Health Care Providers and patients with information about Treatment
alternatives; and related functions that do not include Treatment;
2. Reviewing the competence or qualifications of health care professionals, evaluating
practitioner, provider or Plan performance, conducting training programs in which
students, trainees, or practitioners in areas of health care learn under supervision to
practice or improve their skills as Health Care Providers, training of non-health care
professionals, accreditation, certification, licensing, or credentialing activities;
3. Securing a contract of stop-loss insurance or excess of loss insurance, provided that
the requirements of 45 C.F.R. §164.514(g) are met, if applicable;
4. Conducting or arranging for medical review, legal services and auditing functions,
including fraud and abuse detection and compliance programs;
5. Business planning and development, such as conducting cost-management and
planning-related analyses related to managing and operating a Plan, including
formulary development and administration, development or improvement of methods
of Payment or coverage policies; and
6. Business management and general administrative activities of a Plan, including, but
not limited to:
a. Management activities relating to implementation of and compliance with the
requirements of the HIPAA rules at 45 C.F.R. Subtitle A, Subchapter C;
b. The provision of data analyses for the Plan Sponsor, provided that Protected
Health Information is not disclosed to such Plan Sponsor;
c. Resolution of internal grievances;
d. The sale, transfer, merger, or consolidation of all or part of a Plan with another
Covered Entity, or an entity that following such activity will become a Covered
Entity and due diligence related to such activity; and
e. Consistent with the applicable requirements of 45 C.F.R. §164.514, creating
de-identified health information or a limited data set, and fundraising for the benefit
of a Plan.
N. "Health Care Provider" means a provider of services (as defined in the Medicare
statute), a provider of medical or health services (as defined in the Medicare statute), and
any other person or organization who furnishes, bills, or is paid for health care in the
normal course of business.
O. "Health Plan" means an Individual or group plan that provides, or pays the cost of,
medical care.
1. Health Plan includes the following, singly or in combination:
a. A Group Health Plan;
b. A health insurance issuer;
c. An HMO;
d. Part A or Part B of the Medicare program;
e. The Medicaid program;
f. An issuer of a Medicare supplemental policy;
g. An issuer of a long-term care policy, excluding a nursing home fixed-indemnity
policy;
h. An employee welfare benefit plan or any other arrangement that is established or
maintained for the purpose of offering or providing health benefits to the
employees of two or more employers;
i. The health care program for active military personnel under title 10 of the United
States Code;
j. The veterans health care program under 38 U.S.C. chapter 17;
k. The Civilian Health and Medical Program of the Uniformed Services
(CHAMPUS)(as defined in 10 U.S.C. 1072(4));
l. The Indian Health Service program under the Indian Health Care Improvement
Act, 25 U.S.C. 1601, et seq.;
m. The Federal Employees Health Benefits Program under 5 U.S.C. 8902, et seq.;
n. An approved State child health plan under title XXI of the Social Security Act,
providing benefits for child health assistance that meet the requirements of section
2103 of the Social Security Act, 42 U.S.C. 1397, et seq.;
o. The Medicare+Choice program;
p. A high risk pool that is a mechanism established under State law to provide health
insurance coverage or comparable coverage to eligible Individuals; and
q. Any other Individual or group plan, or combination of Individual or group plans,
that provides or pays for the cost of medical care.
2. Health Plan excludes the following:
a. Any policy, plan, or program to the extent that it provides, or pays for the cost of,
excepted benefits that are listed in section 2791(c)(1) of the PHS Act, 42 U.S.C.
300gg-91(c)(1) (i.e., accident or disability income coverage only, or any
combination thereof; coverage issued as a supplement to liability insurance;
liability insurance, including general liability insurance and automobile liability
insurance; worker's compensation or similar insurance; automobile medical
payment insurance; credit-only insurance; coverage for on-site medical clinics;
and other similar insurance coverage, specified in regulations, under which
benefits for medical care are secondary or incidental to other insurance benefits);
and
b. A government-funded program:
i. Whose principal purpose is other than providing, or paying the cost of, health
care; or
ii. Whose principal activity is the direct provision of health care to persons or
the making of grants to fund the direct provision of health care to persons.
P. "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, Pub.
Law 104-191 (Aug. 21, 1996) as it may be amended from time to time.
Q. "Individual" means the person who is the subject of PHI.
R. "Payment" means:
1. The activities undertaken by a Plan:
a. To obtain premiums or to determine or fulfill its responsibility for coverage and
provision of benefits under a Plan; or
b. To obtain or provide reimbursement for the provision of health care.
2. The activities in paragraph (1) of this definition relate to the Individual to whom
health care is provided and include, but are not limited to:
a. Determinations of eligibility or coverage (including coordination of benefits or
the determination of cost sharing amounts), and adjudication or subrogation of
health benefit claims;
b. Risk adjusting amounts due based on enrollee health status and demographic
characteristics;
c. Billing, claims management, collection activities, obtaining payment under a
contract of stop-loss insurance or excess of loss insurance, and related health care
data processing;
d. Review of health care services with respect to medical necessity, coverage under
a Plan, appropriateness of care, or justification of charges;
e. Utilization review activities, including precertification and pre-authorization of
services, concurrent and retrospective review of services; and
f. Disclosure to consumer reporting agencies of any of the following Protected
Health Information relating to collection of premiums or reimbursement:
i. Name and address;
ii. Date of birth;
iii. Social security number;
iv. Payment history;
v. Account number; and
vi. Name and address of the Health Care Provider and/or Plan.
S. "Personal Representative" shall have the meaning set forth in Policy No. 22 regarding
Personal Representatives.
T. "Plan" means the following Group Health Plan(s) sponsored by the Plan Sponsor that
together comprise individually and collectively the City of Shakopee OHCA:
City of Shakopee Flexible Spending Account Plan
City of Shakopee Post-Employment Health Care Savings Account Plan
U. "Plan Administrator" means the City of Shakopee.
V. "Plan Sponsor" means the City of Shakopee.
W. "Privacy Rule" means the Standards for Privacy of Individually Identifiable Health
Information, 45 C.F.R. Parts 160 and 164, which was promulgated pursuant to HIPAA.
X. "Protected Health Information" means any information, including demographic
information collected from an Individual, whether oral or recorded, maintained or
transmitted in any other form or medium, that:
1. Is created or received by a Health Plan, Health Care Provider, Health Care
Clearinghouse or employer; and
2. Relates to the past, present or future physical or mental health or condition of an
Individual; the provision of health care to an Individual; or the past, present or
future Payment for the provision of health care to an Individual; and
3. Identifies the Individual, or with respect to which there is a reasonable basis to
believe the information can be used to identify the Individual.
"Protected Health Information" does not include education records covered by the Family
Educational Rights and Privacy Act, as amended, 20 U.S.C. §1232g, records described in
20 U.S.C. §1232g(a)(4)(B)(iv) and employment records held by a Covered Entity in its
role as employer.
Y. "Responsible Employees" means an employee (including a contract or temporary
employee) whose duties make it likely that he or she will have access to, receive, record, or
transmit PHI on behalf of a Plan, but whose job duties do not require access to files or
systems containing PHI for purposes of performing administration duties for a Plan. These
Individuals may include an employee's supervisor, a person who has general access to the
computer network or to an Authorized Employee's e-mail, the receptionist who receives a
call from an Individual who discusses his or her PHI prior to being directed to an
Authorized Employee, etc.
Z. "Security Incident" shall have the same meaning as the term "security incident" in 45
C.F.R. §164.304.
AA. "Security Rule" shall mean the Security Standards and Implementation Specifications at
45 C.F.R. Part 160 and Part 164, Subpart C, as in effect or as amended.
BB. "Summary Health Information" means information, which may be individually
identifiable health information, that summarizes the claims history, claims expenses
or type of claims of Individuals for whom Plan benefits have been provided, and from
which the Individual identifiers specified in the Privacy Rule have been deleted, except
for five-digit zip codes.
CC. "Treatment" means the provision, coordination, or management of health care and
related services by one or more Health Care Providers, including the coordination or
management of health care by a Health Care Provider with a third party; consultation
between Health Care Providers relating to a patient; or the referral of a patient for health
care from one Health Care Provider to another.
DD. "Unsecured Protected Health Information" or "Unsecured PHI" means Protected
Health Information that is not rendered unusable, unreadable, or indecipherable to
unauthorized individuals through the use of a technology or methodology specified by the
Secretary in guidance.
EE. "Use" means the sharing, employment, application, utilization, examination or analysis of
information within an entity that holds the information.
FF. "Workforce" means employees, volunteers, trainees, and other persons whose conduct,
in the performance of work for a Covered Entity, is under the direct control of such
Covered Entity, whether or not they are paid by the Covered Entity. (A Covered Entity
may treat an independent contractor that performs a substantial portion of his/her
activities on the premises of the Covered Entity as a member of its Workforce.)
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
POLICY #2: PLAN'S USES AND DISCLOSURE OF HEALTH INFORMATION
PART A: USES AND DISCLOSURES FOR HEALTH AND SAFETY PURPOSES
(HIPAA CITES: 45 C.F.R. § 164.512)
I. POLICY:
A Plan in the City of Shakopee OHCA shall not use or disclose PHI except as required or
permitted by the Privacy Rule. All disclosures for Health or Safety purposes must first be
authorized by the Privacy Officer.
II. PROCEDURES:
1. Threat to Public Health or Safety. An Authorized Employee may use or disclose PHI to
prevent or lessen serious, imminent threat to public health or safety if made to someone
who can prevent or lessen the threat. An Authorized Employee must not, however, use or
disclose PHI if the information was learned through a request by the Individual to initiate
or be referred for treatment, counseling, or therapy to address the Individual's propensity
to commit a crime. The Plan must track these disclosures in accordance with Policy No.
20.
2. Abuse, Neglect, or Domestic Violence. If an Individual is a victim of abuse, neglect, or
domestic violence, an Authorized Employee may disclose PHI to a government authority
authorized by law to receive such reports. Except in instances of child abuse or neglect,
such disclosure must meet at least one of the following conditions:
(a) Disclosure is made only to the extent required by a law;
(b) The Individual agrees to the disclosure; or
(c) The disclosure is authorized by a law or regulation and either (i) the disclosure is
necessary to prevent serious harm to the Individual or others or (ii) the Individual
is unable to agree to the disclosure because he or she is incapacitated but,
according to an official authorized to receive the disclosure, it is necessary for
immediate enforcement activity and it will not be used against the Individual.
In instances of abuse, neglect, or domestic violence not involving a child, the
Authorized Employee must inform the Individual of the disclosure unless (i)
doing so would put the Individual at risk of serious harm, or (ii) the Authorized
Employee would be informing the Individual's Personal Representative and the
Personal Representative is believed to be responsible for the abuse, neglect, or
other injury.
If the abuse, neglect, or domestic violence involves a child, none of the conditions
(a), (b), or (c) above needs to be met. Also in such instances, the Authorized
Employee need not inform the Individual of the disclosure. The Plan must track
these disclosures in accordance with Policy No. 20.
3. Public Health Activities. An Authorized Employee may use or disclose PHI to the
following:
(a) To a public health authority authorized by law to collect or receive such
information for prevention purposes (e.g., disease, injury, or disability),
(b) To a public health authority or other appropriate government authority authorized
by law to receive reports of child abuse or neglect, or
(c) To a person subject to jurisdiction of the Food and Drug Administration under
limited circumstances (i.e., to track product defects or improper labeling).
The Plan also may disclose information to the Plan Sponsor's workers' compensation
carrier to evaluate whether the Individual has a work-related illness or injury if required
by law. The Plan must track these disclosures in accordance with Policy No. 20.
4. Health Oversight Activities. An Authorized Employee may use or disclose PHI to a
health oversight agency for oversight activities authorized by law. Health oversight
activities do not include investigations or other activities in which the Individual is the
subject of that investigation or activity unless it arises out of and is related to the receipt
of health care, a claim for public health benefits, or eligibility for or receipt of public
benefits or services related to a patient's health. The Plan must track these disclosures in
accordance with Policy No. 20.
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
PLAN'S USES AND DISCLOSURE OF HEALTH INFORMATION
B. Uses and Disclosures for Legal Proceedings and Law Enforcement
HIPAA CITES: 45 C.F.R. §164.512
POLICY NUMBER: 02B
I. POLICY
A Plan in the City of Shakopee OHCA shall not use or disclose PHI except as required or
permitted by the Privacy Rule. All disclosures for legal proceedings and law enforcement
purposes must first be authorized by [the Legal Department].
II. PROCEDURES
1. Legal Proceedings with Court Order. An Authorized Employee may, to the extent ordered,
disclose PHI in the course of a judicial or administrative proceeding in response to an order
from a court or an administrative tribunal. The Plan must track these disclosures in
accordance with Policy No. 20.
2. Legal Proceedings without Court Order. Absent a court order, disclosure of PHI may be
made in response to a subpoena, discovery request, or other legal process provided one of the
following conditions is met:
(a) The Authorized Employee receives documentary evidence that (i) the requesting
party provided or made a reasonable attempt to provide written notice to the
Individual (including sufficient information to enable the Individual to raise an
objection), (ii) the time for raising an objection has elapsed, and (iii) either no
objection was raised or all objections have been resolved in a way that permits the
disclosure; or
(b) The Authorized Employee receives documentary evidence that the requesting party
obtained or made a reasonable attempt to obtain a qualified protective order (i.e., an
agreed Qualified Protective Order has been presented to the court or the requesting
party has sought such an order from the court or tribunal); or
(c) The Authorized Employee makes reasonable efforts to notify the Individual (as
described in (a) above) or to obtain a qualified protective order (as described in (b)
above).
The Plan must track these disclosures in accordance with Policy No. 20.
3. Law Enforcement. An Authorized Employee may disclose PHI to a law enforcement
officer for law enforcement purposes, provided the following conditions are met, if
applicable:
(a) Court Orders. The disclosure is required by law or is in compliance with a court order
(including court-ordered warrant, subpoena, or summons), a grand jury subpoena, or
an administrative request, provided (i) the information requested is relevant and
material to a legitimate law enforcement inquiry and is limited to the purpose of that
inquiry, and (ii) De-identified Information could not reasonably be substituted for
the PHI.
(b) Suspects, Missing Persons, etc. The disclosure is in response to a law enforcement
officer's request, and is for the purpose of locating a suspect, fugitive, material
witness, or missing person and the disclosure is limited to the following information:
• Name and address,
• Date and place of birth,
• Social security number,
• ABO blood type and Rh factor,
• Type of injury,
• Date and time of treatment,
• Date and time of death, and
• Distinguishing physical characteristics.
(c) Crime Victims. The disclosure is in response to a law enforcement officer's request
for information about an Individual who is a suspected crime victim and the
Individual/victim agrees to the disclosure. If the Individual/victim is unable to agree
to the disclosure because of incapacity or emergency circumstances, the Authorized
Employee will make the disclosure only if the law enforcement official represents
that (i) the disclosure is necessary to determine if someone other than the
Individual/victim committed a crime, (ii) it is necessary for immediate enforcement
activity, (iii) it will not be used against the Individual/victim, and (iv) the disclosure is
in the Individual's/victim's best interests.
(d) Crime Related to Individual's Death. The disclosure is made to a law enforcement
officer and is about a deceased Individual whose death may have resulted from a
crime.
(e) Crime on Premises. The disclosure is made to a law enforcement officer and is
evidence of a crime that occurred on the City of Shakopee's premises.
The Plan must track these disclosures in accordance with Policy No. 20.
4. Fugitives, Violent Crime. An Authorized Employee may use or disclose PHI for law
enforcement identification or apprehension of an Individual because the Individual
admitted participating in a violent crime that may have caused serious physical harm to the
victim or where it appears that the Individual is a fugitive of lawful custody. If the
Individual's admission was made in connection with a request for treatment referral,
however, the Authorized Employee is not permitted to make the disclosure without the
Individual's Authorization. The disclosure must be limited to:
• The Individual's admission statement,
• Name and address,
• Date and place of birth,
• Social security number,
• ABO blood type and Rh factor,
• Type of injury,
• Date and time of treatment,
• Date and time of death, and
• Distinguishing physical characteristics.
The Plan must track these disclosures in accordance with Policy No. 20.
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
PLAN'S USES AND DISCLOSURE OF HEALTH INFORMATION
C. Uses and Disclosures Concerning Decedents
HIPAA CITES: 45 C.F.R. §164.502, §164.504, and §164.512
POLICY NUMBER: 02C
I. POLICY
A Plan in the City of Shakopee OHCA shall not use or disclose PHI except as required or
permitted by the Privacy Rule. All disclosures concerning decedents must first be authorized by
[the Legal Department].
II. PROCEDURES
1. Post-mortem Identification, etc. An Authorized Employee may use or disclose PHI to (a)
a coroner or medical examiner for purposes of identifying the decedent, determining
cause of death, or other lawful purpose or (b) a funeral director as necessary for purposes
of carrying out his duties. (If the requested disclosure is to a law enforcement officer and
is about a deceased Individual whose death may have resulted from a crime.
2. Tissue Donation. An Authorized Employee may use or disclose PHI for purposes of
cadaveric organ, eye, or tissue donation to organizations engaged in procuring, banking,
or transplanting such cadaveric organs, eyes, or tissues.
The Plan must track these disclosures in accordance with Policy No. 20.
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
PLAN'S USES AND DISCLOSURE OF HEALTH INFORMATION
D. Uses and Disclosures for Other Government Purposes
HIPAA CITES: 45 C.F.R. §164.512
POLICY NUMBER: 02D
I. POLICY
A Plan in the City of Shakopee OHCA shall not use or disclose PHI except as required or
permitted by the Privacy Rule. All disclosures for government purposes must first be authorized
by [the Legal Department].
II. PROCEDURES
1. Armed Forces. An Authorized Employee may use or disclose PHI about Individuals who
are members of the Armed Forces for activities necessary to assure proper execution of
the military mission, provided the appropriate military authority has published a notice in the
Federal Register that includes appropriate military command authorities and permitted
purposes for the use or disclosure. The Plan must track these disclosures in accordance
with Policy No. 20.
2. National Security. An Authorized Employee may use or disclose PHI to an authorized federal
officer for intelligence, counter-intelligence, or other national security activities authorized
by the National Security Act. The Plan does not need to track these disclosures.
3. Federal Protective Services. An Authorized Employee may use or disclose PHI to an
authorized federal officer for the provision of protective services to the President or others
authorized by 18 U.S.C. 3056, foreign heads of state or others authorized by 22 U.S.C.
2709(a)(3), or for the conduct of investigations authorized by 18 U.S.C. 871 and 879. The
Plan must track these disclosures in accordance with Policy No. 20.
4. Correctional Institution or Lawful Custody. An Authorized Employee may use or disclose
PHI to a correctional institution or law enforcement officer who has lawful custody of the
Individual if the information is necessary for provision of health care to the Individual or
for ensuring the Individual's, other inmates', or correctional institution employees' health
or safety. The Plan does not need to track these disclosures.
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
PLAN'S USES AND DISCLOSURE OF HEALTH INFORMATION
E. Uses and Disclosures for Workers Compensation Purposes
HIPAA CITES: 45 C.F.R. §164.512
POLICY NUMBER: 02E
I. POLICY
A Plan in the City of Shakopee OHCA shall not use or disclose PHI except as required or
permitted by the Privacy Rule.
II. PROCEDURES
The Authorized Employee may use or disclose PHI if legally required for compliance with
workers compensation and similar laws that provide benefits for work-related injuries or
illnesses without regard to fault to the extent necessary for such compliance. The Plan
must track these disclosures in accordance with Policy No. 20.
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
PLAN'S USES AND DISCLOSURE OF HEALTH INFORMATION
F. Disclosures to an Individual, a Family Member or a Close Personal Friend of the
Individual.
HIPAA CITES: 45 C.F.R. §164.510 and §164.524
POLICY NUMBER: 02F
I. POLICY
A Plan in the City of Shakopee OHCA may not disclose Protected Health Information ("PHI") to
the Individual, a family member or a close personal friend of the Individual, except as required
or permitted below.
II. PROCEDURES
1. Disclosures to Individuals. An Authorized Employee must disclose an Individual's own
PHI to the Individual when requested by the Individual, except information compiled in
reasonable anticipation of or use in legal proceedings, psychotherapy notes, or clinical lab
tests or lab results that fall under the Clinical Laboratory Improvements Amendments of
1988, 42 C.F.R. 493.3(a)(2). Disclosures to Individuals do not need to be recorded.
2. Disclosures to Friends and Family Members. An Authorized Employee will generally only
disclose an Individual's PHI to another person if the Plan has a written Authorization from
that Individual permitting it to make such disclosure. However, under limited
circumstances an Authorized Employee may disclose PHI to a family member, close
personal friend, or other person identified by the Individual without Authorization. Such
disclosure is limited to PHI that is directly relevant to that person's involvement with the
Individual's care or payment for health care where at least one of the following conditions
also is met:
(a) The Individual agrees to the disclosure;
(b) The Individual had an opportunity to agree or object to the disclosure and did not
object;
(c) Based on professional judgment and the circumstances, it can reasonably be inferred
that the Individual did not object to the disclosure; or
(d) If the Individual was not available to agree or object, or cannot agree or object due to
the Individual's incapacity (i.e. due to an emergency situation), but the disclosure is
in the Individual's best interest.
Opportunity to object, for these purposes, means the Individual was present or otherwise
available prior to the disclosure and had the capacity to make health care decisions.
An Authorized Employee also may use or disclose PHI to notify or assist in the notification of
a family member, Personal Representative, another person responsible for the Individual's
care, or a disaster relief organization of the Individual's location, condition, or death provided
(a), (b), (c) or (d) above is satisfied.
Uses and disclosures under these circumstances do not need to be tracked.
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
PLAN'S USES AND DISCLOSURE OF HEALTH INFORMATION
G. Disclosures to Secretary of HHS
HIPAA CITES: 45 C.F.R. §164.512; 45 C.F.R. §164.408
POLICY NUMBER: 02G
I. POLICY
A Plan in the City of Shakopee OHCA shall not disclose Protected Health Information ("PHI")
to the Secretary of Health and Human Services ("HHS"), except as required or permitted below.
II. PROCEDURES
An Authorized Employee must disclose PHI to HHS when requested by HHS for purposes of
determining the Plan's compliance with the Privacy Rule. An Authorized Employee must track
these disclosures in accordance with Policy No. 20.
An Authorized Employee will notify the Secretary of any Breach of Unsecured PHI involving
less than 500 individuals no later than sixty (60) days after the end of the calendar year in which
such Breach occurs. Such notification will be made in the manner prescribed on the HHS
website. The information required to provide this notification will be maintained by the Plan in
its Breach Log, as described in Policy No. 23.
An Authorized Employee will notify the Secretary of any Breach of Unsecured PHI involving
500 or more individuals contemporaneously with the Notice to Individuals described in Policy
No. 23, but in no case later than sixty (60) days after such Breach is Discovered by the Plan.
Such notification will be made in the manner prescribed on the HHS website. An Authorized
Employee will track any notification of a Breach of Unsecured PHI to the Secretary in
accordance with Policy No. 20 if such notification requires a disclosure of PHI.
Notwithstanding anything herein to the contrary, notification to the Secretary of any Breach of
Unsecured PHI will apply only to Breaches that occur on or after September 23, 2009.
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
PLAN'S USES AND DISCLOSURE OF HEALTH INFORMATION
Part H: Uses for and Disclosures to another Covered Entity, another Benefit Plan
Sponsored by Plan Sponsor, Business Associate or to the City of Shakopee, the
Employer
HIPAA CITES: 45 C.F.R. §164.504 and § 164.506
I. POLICY
A Plan in the City of Shakopee OHCA shall not use or disclose Protected Health Information
("PHI") for or to another Covered Entity, another benefit plan sponsored by the Plan Sponsor, a
Business Associate or the City of Shakopee, the employer, except as required or permitted
below.
II. PROCEDURES
1. Disclosures to Another Covered Entity. An Authorized Employee may disclose an
Individual's PHI to another Covered Entity or its Business Associate as long as the
disclosure is for Treatment, Payment or certain Health Care Operation purposes, and only
the minimum necessary is disclosed (see Policy No. 03). If the disclosure is for reasons
other than Treatment, Payment or Health Care Operation purposes, an Authorization must
first be obtained from the Individual.
(a) Treatment - An Authorized Employee may disclose PHI to a Health Care Provider for
Treatment activities of that Health Care Provider.
(b) Payment - An Authorized Employee may disclose an Individual's PHI to another
Covered Entity or a Health Care Provider as long as the disclosure is for Payment
purposes of that Covered Entity or Health Care Provider.
(c) Health Care Operations - An Authorized Employee may disclose PHI to another
Covered Entity for Health Care Operations of that Covered Entity as long as both
entities have or had a relationship with the Individual and the PHI pertains to such
relationship. In addition, the Health Care Operation activities must include, but are
not limited to, quality assessment and improvement activities, population based
activities relating to improving health or reducing health care costs, case
management, conducting training programs and accreditation, certification, licensing
or credentialing activities, fraud and abuse detection, or compliance programs.
2. Disclosures to Another Benefit Plan sponsored by Plan Sponsor, Other than a Plan in the
City of Shakopee OHCA. An Authorized Employee may only disclose PHI to a plan
sponsored by the Plan Sponsor (other than a Plan in the City of Shakopee OHCA) if it first
receives an Authorization from the Individual. If possible, de-identified health information
should be used instead of PHI. No Authorization or de-identification of health information
is necessary, however, if disclosure of PHI is made to a workers compensation plan and
such disclosure is required by law.
3. Disclosures to Plan Sponsor. No health insurance issuer, HMO or Business Associate of a
Plan in the City of Shakopee OHCA will disclose PHI to Authorized Employees of the Plan
Sponsor until the Plan's documents have been amended to provide for such a disclosure
and the Plan Sponsor has provided a certification to the Plan, health insurance issuer, HMO
or Business Associate with respect to the Plan that the Plan has been amended to comply
with the Privacy Rule. If the disclosure is for purposes other than Treatment, Payment or
Health Care Operations, an Authorization first must be obtained from the Individual.
Notwithstanding the foregoing, Summary Health Information may be disclosed to the Plan
Sponsor for purposes of obtaining premium bids for providing health insurance coverage or
modifying, amending or terminating a plan. In addition, a Plan, or health insurance issuer
or HMO with respect to a Plan, may disclose to the Plan Sponsor information on whether
the Individual is participating in the Plan or has enrolled in or disenrolled from a health
insurance issuer or HMO offered by the Plan.
4. Disclosures among Plans in the City of Shakopee OHCA. An Authorized Employee may
use or disclose PHI obtained from one Plan in the City of Shakopee OHCA to another Plan
in the City of Shakopee OHCA for Health Care Operations or Payment purposes of the
Plan.
5. Disclosures to Business Associates of the Plan. An Authorized Employee may disclose
information to Business Associates of Plans in the City of Shakopee OHCA provided the
Business Associate has entered into a business associate agreement with such Plan in
accordance with the requirements of Policy No. 08.
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
POLICY #3: MINIMUM NECESSARY REQUIREMENTS
(HIPAA CITES: 45 C.F.R. §§ 164.502(b); 164.514(d))
I. POLICY
When using or disclosing Protected Health Information ( "PHI ") or when requesting PHI from
another Covered Entity, the Plan will make reasonable efforts to limit PHI to the minimum
necessary to accomplish the intended purpose of the use, disclosure or request. As a general
rule, an Authorized Employee may not use, disclose or request more PHI than is contained in the
limited data set (as defined in § 164.514(e)(2) and policy number 07 of this manual) unless PHI
not contained in the limited data set is specifically justified as the amount that is reasonably
necessary to accomplish the purpose of the use, disclosure or request.
II. PROCEDURES
1. When Minimum Necessary Applies. An Authorized Employee shall use, disclose or
request the minimum necessary amount of PHI in all situations, except the following:
(a) Disclosures made to the Individual who is the subject of PHI or pursuant to the
Individual's valid Authorization under Policy No. 04;
(b) Disclosures to the Secretary of Health and Human Services;
(c) Uses or disclosures that are required by law (See Policy No. 02B);
(d) Uses or disclosures that are required for the Plan's compliance with applicable
provisions of the federal regulations governing health information systems; or
(e) Uses or disclosures for which the Plan has received an Authorization in
accordance with Policy No. 04.
2. Protocol for Using, Disclosing or Requesting Minimum Necessary Information. The Plan
documents identify Authorized Employees who need access to PHI to carry out their
duties to perform the Plan administration functions of the Plan.
(a) For each such Authorized Employee the Privacy Officer shall identify the
category (or categories) of Protected Health Information to which access is
needed and any conditions appropriate to such access.
(b) The Plan must make reasonable efforts to limit access only to such Authorized
Employees and such uses or disclosures only in such identified categories.
(c) Type of disclosure or request dictates what procedure shall be required:
(i) When the disclosure or request is of a type that occurs on a routine or
recurring basis, the Plan shall implement a standard protocol for use within
the Plan that limits the PHI disclosed or requested to the limited data set or, if
additional PHI is required for a particular type of disclosure or request, the
amount reasonably necessary to achieve the purpose of the disclosure. (See
Exhibit A attached.)
(ii) For any other type of disclosure or request the Privacy Officer must develop
criteria and train the Plan's Authorized Employees: (i) to limit the PHI
disclosed to the limited data set or, if additional PHI is required for a
particular type of disclosure or request, the amount reasonably necessary to
accomplish the purpose of the disclosure or request; and (ii) to review requests
for disclosure beyond the limited data set on an Individual basis in accordance
with such criteria.
(d) An Authorized Employee may rely on a requested disclosure as the minimum
necessary for the stated purpose (if reliance is reasonable under the
circumstances) if the requested information is the limited data set or, if the
requested information is for PHI in addition to that contained in the limited data
set, in the following situations:
(i) When making disclosures to public officials under Policy No. 02A or 02B if
the requesting official represents that the information is the minimum
necessary for the stated purpose(s).
(ii) When the information is requested by another Covered Entity.
(iii) When the information is requested by a professional who is a member of the
Plan Administrator's workforce or is a Business Associate of the Plan for the
purpose of providing professional services to the Plan, if the professional
represents that the information requested is the minimum necessary for the
stated purpose(s).
(iv) When the information requested is for research purposes and the request
complies with Policy No. 07, Disclosures of a Limited Data Set.
EXHIBIT A
Minimum Necessary
Routine and Recurring Uses and Disclosures
The Privacy Officer of the City of Shakopee Organized Health Care Arrangement has identified
the following disclosures as occurring on a routine or recurring basis and deems the following
information to be minimally necessary to enable the Authorized Employee to carry out his or her
specified plan administration duties:
The table below lists, for each job title or classification, the use or disclosure of PHI necessary to carry out the Plan duty, the type of Protected Health Information necessary to carry out the Plan duty, and the minimum necessary data required to carry out the Plan duty.
1. Job Title or Classification: HR Technician; Accounting Clerk II; Asst. City Administrator
Use or Disclosure of PHI Necessary to Carry Out Plan Duty: Use PHI to enroll & amend enrollment in Plans
Type of Protected Health Information Necessary to Carry Out Plan Duty: Personally identifiable enrollment and demographic data
Minimum Necessary Data Required to Carry Out Plan Duty: Name, SS #, date of birth, address, $ amount elected, direct deposit information
2. Job Title or Classification: HR Technician; Accounting Clerk II
Use or Disclosure of PHI Necessary to Carry Out Plan Duty: Use PHI to facilitate claims payment/reimbursement
Type of Protected Health Information Necessary to Carry Out Plan Duty: Personally identifiable claims data
Minimum Necessary Data Required to Carry Out Plan Duty: Name, $ amount of claim
3. Job Title or Classification: HR Technician; Accounting Clerk II
Use or Disclosure of PHI Necessary to Carry Out Plan Duty: Processing payroll / withholding FSA plan contributions
Type of Protected Health Information Necessary to Carry Out Plan Duty: Personally identifiable enrollment and demographic data
Minimum Necessary Data Required to Carry Out Plan Duty: $ amount elected, SS #, Name
4. Job Title or Classification: Administration Dept. Office Service Worker
Use or Disclosure of PHI Necessary to Carry Out Plan Duty: Filing, copying and mailing
Type of Protected Health Information Necessary to Carry Out Plan Duty: Personally identifiable enrollment and demographic data
Minimum Necessary Data Required to Carry Out Plan Duty: Access to enrollment and payroll paperwork containing name, SS #, address, $ amount elected & Direct Deposit info
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
POLICY #4: INDIVIDUAL AUTHORIZATION FOR USES AND DISCLOSURES
(HIPAA CITES: 45 C.F.R. § 164.508)
I. POLICY
Except for uses and disclosures for Treatment, Payment, Health Care Operations, or as otherwise
permitted by the City of Shakopee OHCA's Policies and Procedures in accordance with
applicable law, a Plan in the City of Shakopee OHCA will not use or disclose Protected Health
Information ( "PHI ") or request another Covered Entity to disclose PHI to a Plan in the City of
Shakopee OHCA without the valid Authorization of the Individual who is the subject of the PHI.
II. PROCEDURES
1. Validity of Authorization. Prior to using, disclosing or requesting another Covered Entity
to disclose PHI pursuant to an Authorization, the validity of the Authorization must be
confirmed. To be valid, an Authorization must be in writing and complete, not be expired
or known by the Plan to have been revoked, not contain any material information known by
the Plan to be false, not impermissibly condition enrollment or eligibility for benefits on the
Authorization, and not be combined with any other document, except that (i)
Authorizations solely for uses or disclosures of psychotherapy notes may be combined and
(ii) Authorizations that are not for uses or disclosures of psychotherapy notes may be
combined unless the Plan has conditioned enrollment or eligibility for benefits on the
provision of one of the Authorizations.
2. Contents of Authorization. A valid Authorization must contain the following information:
(a) A statement that the Plan will not condition enrollment in the Plan or eligibility for Plan
benefits on the Individual's provision of Authorization, unless the Plan requested the
Authorization prior to the Individual's enrollment only for the Plan's eligibility,
enrollment or underwriting determinations relating to the Individual and the
Authorization is not for a use or disclosure of psychotherapy notes.
(b) A description of the PHI to be used or disclosed;
(c) The name or job titles of the person(s) authorized to make the use or disclosure
described;
(d) The name or job titles of the person(s) to whom the disclosure may be made;
(e) A description of each purpose of the requested use or disclosure or a statement that it is
at the request of the Individual;
(f) An expiration date or expiration event related to the Individual or to the purpose of the
use or disclosure (i.e. when the person's participation in a Plan terminates);
(g) A statement of the Individual's right to refuse to sign the Authorization;
(h) If the Plan conditions eligibility or enrollment on the signing of an Authorization, a
statement of such condition;
(i) A statement of the Individual's right to revoke and a description of the procedure for
the Individual to revoke the Authorization;
(j) A statement that the PHI might be further disclosed by the recipient and might not
thereafter be protected by the Privacy Rule; and
(k) The Individual's signature or that of his/her Personal Representative together with a
description of that Personal Representative's authority to act on behalf of the
Individual.
3. Individual Shall Receive Copy of Authorization. When an Authorization has been
requested by an Authorized Employee for the Plan's own uses or disclosures of PHI, a
copy of the signed Authorization must be provided to the Individual.
4. Rules Governing Authorizations. An Authorization may be sought as a condition for
enrollment in the Plan for purposes of determining eligibility for benefits under the Plan or
for its underwriting or risk rating determinations; however, such Authorization does not
apply to the disclosure of psychotherapy notes.
An Authorization may be sought solely for the purpose of creating PHI for disclosure of the
PHI to a third party. For example, if an employment physical is required by the City of
Shakopee, and as a condition of employment the employee will be required to turn over
these medical records to the City of Shakopee, those records will not be able to be obtained
from a covered health care provider, without first obtaining an Authorization from the
employee. Thus, employment may be conditioned on an employee providing an
Authorization which requires a covered Health Care Provider to turn these records over to
the City of Shakopee. Authorization must also be obtained for disclosure of PHI to any
other benefit plan of the employer or for employment-related purposes.
5. Maintenance of an Authorization. Each signed Authorization must be given to the Privacy
Officer or his designee who will retain the Authorization for a period of at least six years
from the later of (a) the effective date or (b) expiration date, if any. The Privacy Officer or
his designee will provide the Individual with a copy of the Authorization.
6. Revoking an Authorization. An Individual may revoke an Authorization in writing at any
time except to the extent that the Plan already has acted in reliance on the Authorization or,
if the Authorization was a condition for enrollment under an insurance contract, where the
insurer has the legal right to contest a claim. (See Attached Revocation Form) The
Individual must deliver the written revocation to the Privacy Officer or his designee who
will notify the relevant Authorized Employee(s) and retain the revocation for a period of at
least six years from its effective date.
The Plan does not need to track disclosures made pursuant to an Authorization.
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
INSTRUCTIONS REGARDING AUTHORIZATION
A signed Authorization gives the Plan permission to use and disclose an Individual's protected
health information ("Protected Health Information") for reasons other than treatment, payment,
or health care operations under the Plan.
You generally do not need to obtain an Authorization if disclosure is for any of the following
reasons:
• required by law;
• for public health activities or purposes;
• regarding child abuse, neglect, or domestic violence;
• to a health oversight agency for activities authorized by law;
• for a judicial or administrative proceeding;
• for law enforcement purposes;
• for identification purposes regarding a deceased person;
• for cadaveric organ, eye, or tissue donations;
• for certain approved research purposes;
• to avert a serious threat to health or safety;
• for specialized government functions; or
• for workers' compensation purposes, if the disclosure is required by law.
You may require an Individual to sign an Authorization as a condition of their enrollment in the
Plan or their eligibility for Plan benefits. Please note that even if the Individual signs the
Authorization form, the Plan is not permitted to use or disclose an Individual's psychotherapy
notes, except as required by or consistent with applicable law.
An Individual must be permitted to revoke his or her Authorization by completing the
Authorization Revocation form. Since certain Plan decisions regarding enrollment and eligibility
for benefits are conditioned on Individual Authorization, revocation of an Authorization could
negatively impact an Individual's rights and benefits under the Plan.
Once you are aware that an Individual has revoked his or her Authorization, or once an
Individual's Authorization has expired, you must discontinue using the Individual's Protected
Health Information. However, you are not required to retrieve Protected Health Information
already used or disclosed based on the prior Authorization.
An Individual may designate a Personal Representative to sign an Authorization or an
Authorization Revocation. If this is the case, a Personal Representative Form must be attached
to the Authorization or Authorization Revocation Form unless such form is not applicable.
You must provide a copy of the signed Authorization to the Individual (or his or her personal
representative).
Please remember that completed Authorization, Authorization Revocation, and Personal
Representative Forms must be retained by the Plan for six years (or longer if required under
applicable state law) after the effective date of the Individual's Authorization, revocation, or
representative designation.
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
AUTHORIZATION TO USE AND DISCLOSE HEALTH INFORMATION
Individual's Name:
Last First Middle
Home Address:
Home Telephone: Date of Birth:
MY HEALTH INFORMATION. The health information that is subject to this Authorization consists of:
❑ All health information about me created or received by the Plan, except for the following:
❑ Other:
AUTHORIZED USE AND/OR DISCLOSURE. By my signature below:
❑ I hereby authorize the Plan to use my health information described above for the following specific
purpose(s)
❑ I hereby authorize the Plan to disclose my health information described above to
Name ("Recipient")
Address
for the following specific purpose(s)
❑ I hereby authorize to disclose my health information described above to the Plan for
the following specific purpose(s)
TERM. This Authorization will remain in effect:
❑ Until I revoke it in writing.
❑ From the date of this Authorization until the day of , 200_.
❑ Until the following event occurs:
❑ Other:
I understand that the Plan will not condition my enrollment in the Plan or eligibility for Plan benefits on my
provision of this Authorization unless the Plan requested this Authorization before my enrollment only for its
eligibility, enrollment or underwriting determinations relating to me and this Authorization is not for use or
disclosure of psychotherapy notes.*
I understand that once the Plan discloses my health information to the Recipient in accordance with the terms
and conditions of this Authorization, the Plan cannot guarantee that Recipient will not redisclose my health
information to a third party. The third party may not be required to abide by this Authorization or applicable
federal and state law governing the use and disclosure of my health information.
I understand that I may revoke this Authorization in writing at any time.
I understand that this Authorization will remain in effect until the Term of the Authorization expires or I
provide a written notice of revocation to the Plan's Privacy Officer [Contact Person] at the address listed below.
The revocation will be effective immediately upon the Plan's receipt of my written notice, except that the
revocation will not have any effect on any action taken by the Plan in reliance on this Authorization before it
received my written notice of revocation.
The address of the Plan's Privacy Officer is: Assistant City Administrator, Shakopee City Hall, 129 Holmes St.
S., Shakopee, MN 55379 and I may contact the Privacy Officer by telephone at (952) 233-9312 or by email at
kwilson@ci.shakopee.mn.us.
* Psychotherapy notes are notes recorded by a mental health professional that document or analyze the
conversation during a private, group, joint or family counseling session and that are separated from the rest
of my medical record. Psychotherapy notes do not include medication prescription and monitoring,
counseling session start and stop times, the types and frequencies of treatment, clinical test results, or any
summary of diagnosis, functional status, treatment plan, symptoms, prognosis or progress to date.
I have read and understand the terms of this Authorization and I have had an opportunity to ask questions about
the use and disclosure of my health information. I hereby, knowingly and voluntarily, authorize use and/or
disclosure of my health information in the manner described above.
Signature of Individual Date Signature of Witness
If Individual is a minor or is otherwise unable to sign this Authorization, please complete the information
below:
Signature of authorized Legal Guardian, Health Care Agent, or other authorized Personal Representative
Relationship Date Witness
Describe authority of Personal Representative to act on your behalf:
[provide a copy of signed Authorization to Individual]
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
AUTHORIZATION REVOCATION
I, , revoke my Authorization signed on (date) permitting the City
of Shakopee OHCA to collect, use, or disclose information relating to my physical or mental health that could
be used to identify me (my "Protected Information"). My Authorization is revoked effective as of
(date).
I understand and acknowledge that my enrollment in the Plan or the determination of my eligibility for benefits
may be affected by this revocation.
I understand and acknowledge that this Authorization Revocation is only effective to the extent that the Plan has
not taken any action in reliance upon my Authorization.
I understand and acknowledge that this Authorization Revocation is effective only with respect to the Plan. Any
other Authorizations I have provided to other entities, such as to my physician, will not be affected by this
Authorization Revocation.
I have read and understood the above, and I agree to the terms of this Authorization Revocation. By
signing this Authorization Revocation form, I understand that my prior Authorization (referenced above) to the
Plan's use of my Protected Information (as specified in the Authorization) is revoked.
Signature* Date
* If the Authorization is signed by a personal representative, a signed and completed Personal Representative
Form must be attached as part of this Authorization, unless the Personal Representative Form is not applicable.
For Plan use only:
Approved by:
Privacy Officer Signature Date
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
POLICY #5: NO CONSENT TO USE OR DISCLOSE HEALTH INFORMATION
FOR PLAN'S PAYMENT OR HEALTH CARE OPERATIONS
(HIPAA CITES: 42 C.F.R. §§ 164.502(a)(1)(ii); 164.506(a))
I. POLICY
A Plan in the City of Shakopee OHCA will not seek or obtain an Individual's oral or written
consent or Authorization for the use or disclosure of an Individual's Protected Health
Information ("PHI"), by the Plan or its Business Associates, to carry out the Plan's Payment and
Health Care Operations activities. The Plan also does not need to obtain an Individual's oral or
written consent or Authorization for the use or disclosure of PHI for Treatment purposes;
however, a Health Plan in the City of Shakopee OHCA will not engage in Treatment activity
under the Privacy Rule definitions.
II. PROCEDURES
In the event of uncertainty as to whether any activity is a Plan Payment or Health Care
Operations activity for which PHI may be used and disclosed without the Individual's consent or
Authorization, the Privacy Officer shall make the determination following any consultation with
legal counsel or other expert advisors that the Privacy Officer may deem necessary or desirable.
Each such determination of the Privacy Officer shall be made in writing and shall be attached to
and incorporated in this HIPAA Privacy Policy No. 05.
The Plan does not need to track disclosures made for Payment or Health Care Operations
Activities.
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
POLICY #6: DISCLOSURES OF DE-IDENTIFIED HEALTH INFORMATION
(HIPAA CITES: 45 C.F.R. §§ 164.502(d); 164.514(a)-(c))
I. POLICY
1. A Plan in the City of Shakopee OHCA may use or disclose de-identified health
information. De-identified health information is health information that does not identify
an Individual and with respect to which there is no reasonable basis to believe that the
information can be used to identify an Individual. Health information shall be considered
de-identified only if either of the de-identification procedures set forth below is followed.
2. A Plan in the City of Shakopee OHCA may use Protected Health Information ("PHI") to
create de-identified health information or disclose PHI to a Business Associate to use to
create de-identified health information.
II. PROCEDURES
1. A Plan in the City of Shakopee OHCA may determine that health information is de-identified
health information only if:
(a) Statistical Methods. A person with appropriate knowledge of and experience with
generally accepted statistical and scientific principles and methods for rendering
information not Individually identifiable: (i) determines that the risk is very small that
the information could be used, alone or in combination with other reasonably available
information, by an anticipated recipient to identify an Individual who is a subject of the
information; and (ii) documents the methods and results of the analysis to justify such
determination; or
(b) Safe Harbor.
(i) All eighteen (18) of the following identifiers of the Individual or of relatives,
employers or household members of the Individual are removed:
• Names;
• All geographic subdivisions smaller than a state (e.g., street address, city,
county, precinct, zip code and their equivalent geocodes, except for the initial
three digits of a zip code, if according to the currently available data from the
Bureau of the Census, the geographic unit formed by combining all zip codes
with the same three initial digits contains more than 20,000 people. If such
geographic units contain 20,000 people or less, then the initial three digits of
the zip codes must be changed to 000 and thus treat them as a single
geographic area;
• All elements of dates, except year, directly related to an Individual including
birth date, admission date, discharge date, date of death; and for all ages over
89, all elements of date (including year) indicative of such age, except that
such ages and elements may be aggregated into a single category of age 90 or
older. Note, however, that for research or other studies relating to young
children or infants, the Plan's policy does not prohibit age of an Individual
from being expressed in months, days or hours;
• Telephone numbers;
• Fax numbers;
• Electronic-mail addresses;
• Social security numbers;
• Medical record numbers;
• Health plan beneficiary numbers;
• Account numbers;
• Certificate/license numbers;
• Vehicle identifiers and serial numbers, including license plate numbers;
• Device identifiers and serial numbers;
• Web universal resource locators (URLs);
• Internet protocol (IP) address numbers;
• Biometric identifiers including finger and voice prints;
• Full face photographic images and any comparable images; and
• Any other unique identifying number, characteristic, or code;
(ii) The Plan does not have actual knowledge that the information could be used alone or in
combination with other information to identify an Individual who is a subject of the
information.
3. Use of Codes. A code or other means of record identification designed to enable coded or
otherwise de-identified information to be re-identified may not be disclosed except as
permitted under the Plan's policies for disclosure of Protected Health Information.
4. Re-identified Information. De-identified information that has been re-identified may not be
disclosed or used except as permitted under the Plan's policies for disclosure and use of
Protected Health Information.
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
POLICY #7: DISCLOSURES OF LIMITED DATA SETS
(HIPAA CITES: 45 CFR §164.514(e))
I. POLICY
1. A Plan in the City of Shakopee OHCA may use or disclose a limited data set only for the
purposes of research, public health, or Health Care Operations.
2. A Plan in the City of Shakopee OHCA may disclose a limited data set if the Plan enters
into a data use agreement with the recipient of the limited data set.
3. A Plan in the City of Shakopee OHCA may use Protected Health Information ("PHI") to
create a limited data set or disclose PHI only to a Business Associate for such purpose,
whether or not the limited data set is to be used by the Plan.
II. PROCEDURES
1. What is a Limited Data Set. PHI is a limited data set if it excludes the following direct
identifiers of the Individual or of relatives, employers, or household members of the
Individual:
• Names;
• Postal address information, other than town or city, State, and zip code;
• Telephone numbers;
• Fax numbers;
• Electronic mail addresses;
• Social security numbers;
• Medical record numbers;
• Health plan beneficiary numbers;
• Account numbers;
• Certificate/license numbers;
• Vehicle identifiers and serial numbers, including license plate numbers;
• Device identifiers and serial numbers;
• Web universal resource locators (URLs);
• Internet protocol (IP) address numbers;
• Biometric identifiers, including finger and voice prints; and
• Full face photographic images and any comparable images.
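The Safe Harbor list in Policy #6 and the limited data set list above differ only in what is kept (sub-state geography, dates, and ages over 89 are stripped under Safe Harbor but may remain in a limited data set). The following is an added example, not the City's or the manual's own code, showing one record-level redaction routine that implements both modes; the field names, the sample record, the free-text patterns and the set of low-population ZIP prefixes are all assumptions made for illustration.

```python
"""Added example (not part of the City of Shakopee manual): a record-level
redaction routine for the two de-identification modes described in Policy
#6 (Safe Harbor) and Policy #7 (limited data set).  Field names, the sample
record and the low-population ZIP prefixes are constructed assumptions."""
import re
from typing import Any, Dict

# Direct identifiers that BOTH the Safe Harbor list and the limited-data-set
# list require to be removed (names through full-face images).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_no", "license_no", "vehicle_id", "device_id", "url", "ip",
    "biometric", "photo",
}
# Geography below the state level: removed under Safe Harbor, but a limited
# data set may keep town/city, state and ZIP.
SUB_STATE_GEO_FIELDS = {"street", "city", "county", "precinct"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Assumed placeholder: 3-digit ZIP prefixes whose combined population is
# 20,000 or less per current Census data.  Replace with the real list.
LOW_POPULATION_ZIP3 = {"036", "059"}

# Identifiers that leak into free-text fields ("any other unique identifying
# number, characteristic, or code").
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                   # SSN-like
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),                 # e-mail address
    re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),   # US phone number
]


def safe_harbor_zip(zip_code: str) -> str:
    """Keep only the first three digits, or 000 for low-population prefixes."""
    prefix = zip_code.strip()[:3]
    return "000" if prefix in LOW_POPULATION_ZIP3 else prefix


def scrub_free_text(text: str) -> str:
    """Replace identifier-shaped substrings in narrative fields."""
    for pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def deidentify(record: Dict[str, Any], mode: str = "safe_harbor") -> Dict[str, Any]:
    """Return a copy of `record` with identifiers removed for the given mode.

    mode="safe_harbor"      -> Policy #6 II.1(b): all 18 identifier classes.
    mode="limited_data_set" -> Policy #7 II.1: direct identifiers only.
    """
    if mode not in ("safe_harbor", "limited_data_set"):
        raise ValueError(f"unknown mode: {mode}")
    out: Dict[str, Any] = {}
    over_89 = mode == "safe_harbor" and record.get("age", 0) > 89
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                                    # removed in both modes
        if mode == "safe_harbor":
            if key in SUB_STATE_GEO_FIELDS:
                continue                                # geography below state
            if key == "zip":
                out[key] = safe_harbor_zip(str(value))
                continue
            if key in DATE_FIELDS:
                if key == "birth_date" and over_89:
                    continue     # even the birth year would reveal an age > 89
                out[key] = str(value)[:4]               # year only
                continue
            if key == "age":
                out[key] = "90+" if over_89 else value  # aggregate ages over 89
                continue
        out[key] = scrub_free_text(value) if isinstance(value, str) else value
    return out


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street": "123 Main St",
    "city": "Shakopee",
    "state": "MN",
    "zip": "55379",
    "birth_date": "1919-04-15",
    "admission_date": "2010-05-20",
    "age": 91,
    "phone": "(952) 555-0100",
    "email": "jane@example.com",
    "ssn": "123-45-6789",
    "mrn": "MRN-00042",
    "ip": "10.0.0.5",
    "diagnosis": "sprained ankle",
    "notes": "Follow-up: call 952-555-0100 or mail jane@example.com.",
}

if __name__ == "__main__":
    for mode in ("safe_harbor", "limited_data_set"):
        print(mode, deidentify(SAMPLE_RECORD, mode))
```

Note that field-level stripping alone is not enough: the `notes` field in the sample carries the same phone number and e-mail that were removed as structured fields, which is why narrative text is scanned as well.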
2. Contents of a Data Use Agreement. An Authorized Employee may use or disclose a limited
data set only if it obtains satisfactory assurance, in the form of a data use agreement, that
the limited data set recipient will only use or disclose the PHI for limited purposes. The
data use agreement must:
(a) Establish the permitted uses and disclosures of such information by the limited data
set recipient. The data use agreement may not authorize the limited data set recipient
to use or further disclose the information in a manner that would violate the
requirements of the Privacy Rule if done by the Plan;
(b) Establish who is permitted to use or receive the limited data set; and
(c) Provide that the limited data set recipient will:
(i) Not use or further disclose the information other than as permitted by the data use
agreement or as otherwise required by law;
(ii) Use appropriate safeguards to prevent use or disclosure of the information other
than as permitted by the data use agreement;
(iii) Report to an Authorized Employee any use or disclosure of the information not
permitted by the data use agreement of which it becomes aware;
(iv) Ensure that any agents, including a subcontractor, to which it provides the limited
data set agree to the same restrictions and conditions that apply to the limited
data set recipient with respect to such information; and
(v) Not identify the information or contact the Individuals.
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
POLICY #8: CONTRACTS WITH BUSINESS ASSOCIATES
(HIPAA CITES: 45 C.F.R. §§ 164.502(e); 164.504(e))
I. POLICY
A Plan in the City of Shakopee OHCA will disclose Protected Health Information ("PHI") to a
Business Associate or will allow a Business Associate to create or receive PHI on behalf of the
Plan only if there is a written contract in effect between the Business Associate and the Plan
("Business Associate Contract"). At a minimum, the Business Associate Contract must include
the provisions set forth in this Policy.
II. PROCEDURES
1. Applicability of this Policy to a Contract. The first step under this Policy is to determine
whether it applies to the proposed arrangement or contract. This Policy does not apply to
every arrangement or contract between the Plan and another person or organization. It only
applies to a contract with a person or organization that meets the definition of Business
Associate (See Policy No. 01 Glossary of Defined Terms). If the proposed contract is a
Business Associate Contract, then it is subject to the terms and conditions of this Policy.
2. Elements and Provisions of Business Associate Contract. If a contract is a Business
Associate Contract, then it must be in writing and include the following elements and
provisions:
(a) Permitted and Required Uses and Disclosures. As used in this Policy, the term PHI
means such information that is disclosed to its Business Associate by the Plan or that
the Plan allows its Business Associate to create or receive on behalf of the Plan. The
Business Associate Contract must provide that the Business Associate may only use
or disclose PHI as permitted or required by the Business Associate Contract or as
required by law. The Business Associate Contract must specify and describe the
permitted and required uses and disclosures of PHI by the Business Associate. The
Business Associate Contract may not permit or require the Business Associate to use
or disclose PHI in a manner that would violate the requirements of the Privacy Rule,
if done by the Plan.
The Business Associate Contract may permit the Business Associate to use PHI, if
necessary: (1) for the proper management and administration of the Business
Associate and to carry out the Business Associate's legal responsibilities; and/or (2)
to provide data aggregation services relating to the Health Care Operations of the
Plan. If the Business Associate Contract permits the Business Associate to disclose
PHI to third parties, including any subcontractors, (in addition to using such
information), the Business Associate Contract must require the Business Associate to
obtain (before making such disclosures): (1) reasonable assurances from the third
party that the third party will hold such information confidentially and only use such
information as required by law or for the purposes for which it was disclosed to the
third party; and (2) the third party's agreement to report to the Business Associate any
instances of which it is aware in which the confidentiality of the information has been
breached.
(b) Safeguards by Business Associate. The Business Associate Contract must provide
that the Business Associate will use appropriate safeguards to prevent use or
disclosure of PHI other than as provided for by the Business Associate Contract.
(c) Reporting by Business Associate. The Business Associate Contract must provide that
the Business Associate will report to the Plan any use or disclosure of PHI not
provided for by the Business Associate Contract of which the Business Associate
becomes aware.
(d) Subcontractors. The Business Associate Contract must provide that the Business
Associate will ensure that any third parties, including any agent or subcontractor of
the Business Associate, to which it discloses PHI agree to the same restrictions and
conditions that apply to the Business Associate with respect to the information.
(e) Inspection and Copying. The Business Associate Contract must provide that the
Business Associate will make PHI available in accordance with the Plan's policies on
access, inspection and copying of PHI in the Plan's Designated Record Sets.
(f) Amendments to Designated Record Set. The Business Associate Contract must
provide that the Business Associate will make PHI contained in the Plan's Designated
Record Sets available for amendment and incorporate any amendments into the
Designated Record Sets in accordance with the Plan's policies on amendment of the
Designated Record Sets.
(g) Accounting. The Business Associate Contract must provide that the Business
Associate will make available the information required for the Plan to provide an
accounting of disclosures to Individuals in accordance with the Plan Policy on
accounting for uses and disclosures of certain PHI.
(h) Inspection by HHS. The Business Associate Contract must provide that the Business
Associate will make its internal practices, books, and records relating to the use and
disclosure of PHI received from, or created or received by the Business Associate on
behalf of, the Plan available to HHS for purposes of determining the Plan's
compliance with the Privacy Rule.
(i) Termination for Material Breach. The Business Associate Contract must provide that
the Plan may terminate the contract if the Plan determines that the Business Associate
has materially breached its obligations under the Business Associate Contract.
(j) Return of PHI; Post-Termination Obligations. The Business Associate Contract must
provide that at termination of the Business Associate Contract, if feasible, the
Business Associate will return or destroy all PHI that the Business Associate still
maintains in any form and retain no copies of such information or, if such return or
destruction is not feasible, extend the protections of the Business Associate Contract
to the information and limit further uses and disclosures to those purposes that make
the return or destruction of the information infeasible.
3. Enforcement of Contract; Compliance Oversight. If an Authorized Employee learns of a
pattern of activity or practice of a Business Associate that constitutes a material breach or
violation of the Business Associate's obligations under the Business Associate Contract,
the Authorized Employee should report this to the Privacy Officer or his designee. The
Authorized Employee should take reasonable steps to cure the breach or end the violation,
as applicable, and, if such steps are unsuccessful, then the Authorized Employee shall: (1)
if feasible, terminate the contract or arrangement; or (2) if termination is not feasible, report
the problem to the Secretary of the U.S. Department of Health and Human Services.
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
POLICY #9: SAFEGUARDING PROTECTED HEALTH INFORMATION
(HIPAA CITES: 45 C.F.R. §164.530(c)(1))
I. POLICY
A Plan in the City of Shakopee OHCA must take reasonable steps to ensure that PHI is not
intentionally or unintentionally used or disclosed in any manner not consistent with these privacy
policies. Such steps include securing Protected Health Information ("PHI"); using
administrative, physical and electronic access barriers; destroying documents containing PHI that
do not need to be retained (see Policy No. 11 regarding record retention), training Authorized
Employees regarding privacy policies (see Policy No. 12 regarding such training), and limiting
the number of persons included as Authorized Employees. Physical access to areas containing
PHI will be limited, wherever possible, to Authorized Employees only.
II. PROCEDURES
1. Printed Materials.
(a) Storing PHI. Authorized Employees must store all printed materials containing PHI
in secure locations when not in use. For example, PHI should be stored in locked
filing cabinets, desk drawers, or rooms to which only an Authorized Employee has
physical and administrative access.
(b) Using PHI. When in use, the Authorized Employee must take reasonable steps to
ensure that such printed materials are viewable only by the Authorized Employee. At
no time will the files remain unlocked when the Authorized Employee has left the
office premises.
(c) Removing PHI from the Premises. If an Authorized Employee needs to remove a file
containing PHI from the office premises, that Authorized Employee will maintain
such file in a secure location, and use all necessary steps to maintain the
confidentiality of the information.
(d) Mail Containing PHI. Mail addressed to Authorized Employees who regularly
receive mail containing PHI should be unsealed only by that addressee. Mail should
be left in a mail slot belonging only to that Authorized Employee. In cases of both
U.S. Mail and inter-office mail, Authorized Employees shall use sealed envelopes at
all times when sending documents containing PHI.
If printed material no longer needs to be retained after use, it should be shredded or
otherwise destroyed by the Authorized Employee so that it is not reconstructable,
unless subject to Policy No. 11 regarding record retention.
2. Facsimile Machines and Printers. Authorized Employees must take reasonable steps to
ensure that all incoming facsimiles and print jobs containing PHI are viewable and
retrievable only by the Authorized Employee with a legitimate need to know. An
Authorized Employee who transmits a facsimile will take reasonable steps to verify that the
intended recipient is a person to whom the Authorized Employee is required, permitted, or
authorized to disclose PHI. Documents containing PHI shall only be faxed using the secure
fax machine devoted to Human Resources staff. This fax machine shall be secured during
non-working hours.
If a fax or copy containing PHI is retrieved by someone other than the Authorized
Employee, that person will not read the contents of such fax except to determine the
intended recipient. If an Authorized Employee knows that an Individual will be sending
PHI to her through a fax, the Authorized Employee will instruct that Individual to send the
information to the secured Human Resource fax machine. The Authorized Employee also
must not disclose an Individual's PHI to another person, unless that other person is the
Personal Representative of the Individual (See Policy No. 22), or such disclosure is
permissible under the City of Shakopee OHCA's Privacy Policies and Procedures.
If a fax or copy no longer needs to be retained after use, it should be shredded so that it is
not reconstructable, unless subject to Policy No. 11 regarding record retention.
3. Electronic Information. All Electronic PHI is subject to the Plan's Security policy
promulgated under the Security Rule. Authorized Employees must take reasonable steps to
ensure that access to electronically transmitted PHI is password protected. Electronically
stored PHI, including such information residing in electronic mail messages, electronic
document files, databases, and other computer files should be password-protected and
accessible only by an Authorized Employee who has a need for access.
An Authorized Employee also must take reasonable steps to ensure that PHI displayed on
his monitor is viewable only by the Authorized Employee. For example, if the Authorized
Employee has PHI displayed on his computer screen, he should close the window
containing the PHI before leaving his desk for any amount of time. All Authorized
Employees must lock their computers any time they leave the office premises.
If an Authorized Employee needs to remove a laptop containing PHI from the office
premises, that Authorized Employee will maintain the laptop in a secure location, and use
all necessary steps to maintain the confidentiality of the information.
If the information or file no longer needs to be retained after use, it should be deleted in a
manner that makes it neither readable nor retrievable, unless subject to Policy No. 11
regarding record retention.
4. Telephonic and Other Verbal Communication. Authorized Employees must take
reasonable steps to ensure that telephone and other verbal conversations in which PHI is
discussed are not overheard by persons who do not have a legitimate need to know the
content of the conversation. For example, conferences in which PHI is discussed generally
should be conducted in a closed room. If a conversation where PHI is discussed is
conducted in a cube, the Authorized Employee will speak in a manner not to be overheard
by others. At no time should Authorized Employees converse about PHI in a place where
others who do not have a need to know such information may overhear.
A voice-mail message containing PHI shall only be left for a person who has a legitimate
need to know the content and the Authorized Employee must take reasonable steps to
ensure that his or her voice-mail box is accessible only by the Authorized Employee.
A voice-mail message containing PHI will not be left on an answering machine which is
accessible by someone other than the Individual. When receiving a voice message, the
Authorized Employee should not put the phone on speaker, unless there are other
Authorized Employees who need to hear the message in order to perform their job or a
necessary function. The Authorized Employee should make sure that others who do not
have a need to hear the message are outside of hearing distance from the speaker phone.
When speaking with an Individual on the phone about PHI, the Authorized Employee will
take steps to ensure that the Individual is actually who they say they are. When in doubt
regarding the identity of an individual on the phone, the Authorized Employee shall seek to
verify the individual's identity by requesting the last four digits of the individual's social
security number. If an Authorized Employee is unable to verify the identity of the
Individual, no PHI will be discussed on the telephone.
5. Office Safeguards. Only Authorized Employees with appropriate clearance will be
provided access to PHI. Only Responsible Employees from the City's Information
Technology staff will perform technical system maintenance on any computer hardware or
software containing PHI. Any outside entity performing operating and maintenance
services on computer hardware or software containing PHI will be monitored by the
Privacy Officer or his designee.
(a) After Hours. The offices of Authorized Employees shall be locked and secured during
non-business hours. All Authorized Employees shall place forms or documents
containing PHI in locked cabinets and/or offices.
(b) Termination. When a Responsible Employee or an Authorized Employee who has
access to PHI is terminated, that access to PHI shall immediately be terminated. If
that terminated employee has a key or access card, it will be immediately retrieved
from the terminated employee.
(c) Guests. No guest shall be permitted within the human resource office area unless
escorted by an Authorized Employee, unless that guest is a City of Shakopee
employee and is entering the human resources office to meet with an Authorized
Employee or other human resources employee to discuss benefit or employment
matters.
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
POLICY #10: ADMINISTRATIVE REQUIREMENTS
(HIPAA CITES: 45 C.F.R. §164.530)
I. POLICY
A Plan in the City of Shakopee OHCA shall comply with the Administrative Requirements under
the Privacy Rule.
II. PROCEDURES
1. Privacy Officer and Contact Person Appointed. The City of Shakopee OHCA's Privacy
Officer is the Assistant City Administrator. The City of Shakopee OHCA's Contact Person
is the Assistant City Administrator. The Privacy Officer will either perform the following,
or designate an Authorized Employee to perform the following:
(a) Develop, implement, and update privacy Policies and Procedures,
(b) Ensure appropriate privacy training for Authorized Employees,
(c) Investigate and respond to Individuals' complaints regarding impermissible uses or
disclosures of PHI and related policy violations,
(d) Provide Individuals with Notice and information regarding policies and procedures
related to PHI, and
(e) Maintain documentation of policies, notices, complaints, and related activities
consistent with the record retention procedures in Policy No.11.
2. Designating Authorized and Responsible Employees. The Privacy Officer will be
responsible for choosing which employees will be designated as Authorized Employees,
and for informing such employees which uses and disclosures of PHI are permissible
with respect to that Authorized Employee's duties and responsibilities. The Privacy
Officer will also designate which employees will be Responsible Employees, and will
inform such employees which uses and disclosures are permissible and impermissible.
No employee other than an Authorized or Responsible Employee shall access, accept
receipt of, record or transmit PHI, other than PHI that relates directly to that employee
as an Individual.
3. Employee Training. The Privacy Officer will ensure that all existing Authorized
Employees are trained in accordance with Policy No. 12 and that new Authorized
Employees are trained within a reasonable time after such employee begins working as
an Authorized Employee. The level of training will depend upon the Authorized
Employee's access to PHI. Training will also be provided to Responsible Employees
depending on their access to PHI. Such training will cover safeguarding PHI, permissible
uses and disclosures of PHI, Individual rights with respect to PHI, applicable document
retention and disciplinary action for violations of applicable Policies and Procedures. The
Privacy Officer will ensure that additional training is provided if one or more of these
privacy policies changes in a material way. Such additional training will be delivered
within a reasonable time after the change becomes effective.
The Privacy Officer or his designee must maintain a record of all such training consistent
with the record retention procedures in Policy No. 11.
4. Remedies for Violations of Protected Health Information Privacy Policies and Procedures.
Any complaints regarding these Policies and Procedures or other report of impermissible
uses or disclosures of PHI shall be forwarded to the Privacy Officer or his designee. Such
complaints will be promptly investigated. Any Authorized or Responsible Employee who
violates a Privacy Policy or Procedure will be subject to disciplinary action up to and
including discharge.
5. Mitigation. An Authorized Employee is required to mitigate harm resulting from an
impermissible use or disclosure. If an Authorized Employee becomes aware of an
impermissible use or disclosure, the Authorized Employee will report it to the Privacy
Officer immediately and shall cease the use or practice which resulted in the
impermissible use or disclosure. If the Authorized Employee fails to report the
impermissible use or disclosure, or fails to take action to mitigate the harm of such an
impermissible use or disclosure, disciplinary action will also apply to that employee.
6. Intimidation or Retaliation. An Authorized or Responsible Employee who intimidates or
retaliates against an Individual for exercising his or her HIPAA rights shall be subject to
disciplinary action. In addition, disciplinary action shall be taken against an Authorized or
Responsible Employee who intimidates or retaliates against an Individual who files a
complaint with the Secretary of HHS, testifies in or assists with an investigation,
compliance review, proceeding or hearing, or opposes any act or practice which he or she
reasonably believes is unlawful under HIPAA. Such opposition must be made in a
reasonable manner and must not involve the disclosure of PHI in violation of HIPAA.
The Privacy Officer or his designee must document the investigation and disciplinary
action taken and must maintain such documentation consistent with the record retention
procedures in Policy No. 11.
7. Reporting Policy Violations. Each Authorized or Responsible Employee must promptly
report violations of these Policies and Procedures to the Privacy Officer. In addition, other
employees shall be informed through the Privacy Notice how to report a violation to the
Privacy Officer. Each such report will be subject to the investigation and remedy
provisions described in Policy No. 21.
8. Breach Notifications and Records. Each Authorized or Responsible Employee must
promptly report any Discovered or suspected Breach to the Privacy Officer. The Privacy
Officer or his designee will supervise the ensuing investigations and notifications, if any, in
accordance with Policy No. 23 and Policy No. 02G. The Privacy Officer will document
each investigation and its conclusions and maintain such documentation consistent with the
record retention procedures in Policy No. 11.
9. Written Policies and Procedures. These comprehensive Privacy Policies and Procedures
shall be maintained at all times by the City of Shakopee OHCA. The Privacy Officer shall
be responsible for amending these Policies and Procedures. The Privacy Officer shall
ensure that all amendments are in a written or electronic form and communicated to
Authorized Employees, Responsible Employees, and other necessary parties. The Privacy
Officer shall enforce and ensure that all Authorized and Responsible Employees adhere to
these Policies and Procedures. If an unforeseen circumstance requires a deviation from
these Policies and Procedures, the Privacy Officer shall decide whether or not to grant an
exception from complying with the requirements herein.
Although these Policies and Procedures are designed to comply with HIPAA, if a more
restrictive state law applies, the more restrictive state law will be adhered to.
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
POLICY #11: RECORD RETENTION
(HIPAA CITES: 45 C.F.R. §164.530(j))
I. POLICY
A Plan in the City of Shakopee OHCA must retain the following records either in paper or
electronic form for six years from the date of creation or the date when it was last in effect,
whichever is later: Privacy Policies and Procedures, Authorizations and revocations, training
records, designation of Privacy Officer, complaints and related investigations and sanctions,
requests for restrictions on uses and disclosures, and uses and disclosures of PHI subject to an
accounting.
II. PROCEDURES
1. Documenting Certain Uses and Disclosures. For purposes of providing an Individual an
accounting of his or her PHI (See Policy No. 20), the Plan must record each instance in which an
Authorized Employee uses or discloses PHI unless such use or disclosure is made -
(a) For purposes of Treatment, Payment or Health Care Operations;
(b) To the Individual about his or her own PHI;
(c) For national security or intelligence purposes;
(d) To correctional institutions or law enforcement officers;
(e) Prior to April 14, 2004;
(f) Incident to a use or disclosure otherwise permitted or required by the Privacy Rule;
(g) Pursuant to an Authorization; or
(h) As part of a Limited Data Set.
The record for each use and disclosure for which a record must be maintained must include
the date, name of the recipient (and address if known), description of information
disclosed, and purpose for the disclosure (or a copy of the request for disclosure). Such
record will be retained in the Individual's Plan file. For multiple disclosures to the same
recipient, the first disclosure will be maintained along with the frequency or number of
disclosures and the date of the last such disclosure.
2. Authorizations, revocations, and other Individual requests. The Privacy Officer or his
designee must maintain a copy of each Individual Authorization (See Policy No. 04),
revocation of Authorization, request for restriction on use (See Policy No. 18),
Individual's request for access to PHI (See Policy No. 17), or Individual's request to
amend PHI (See Policy No. 19). Such records will be retained in the Individual's Plan file.
3. Training Records. Training records must include the names of those attending, the date
when and location where training was provided, and a copy of the training materials (See
Policy No. 12).
4. Complaints and Remedial Action. Complaint files must document each reported complaint
and known policy violation, related investigation and findings, and the remedial action
taken to address these complaints (See Policy No. 21). If such complaint is made by an
Individual, a copy of the complaint and investigation shall be maintained in the
Individual's Plan file. If a complaint is made by someone other than an Individual, then the
complaint will be maintained in a locked file cabinet.
5. Privacy Notices. All versions of the privacy notice, and the dates each version was in use,
must be retained for six years from its effective date. In addition, a record of the dates and
the means by which each privacy notice was distributed will be maintained in order to ensure
that the notice is distributed no less than once every three years.
6. Breach Documentation. All records of each investigation of an alleged Breach under
Policy No. 23, the conclusion as to whether or not a Breach existed, the reasoning used to
reach the conclusion and records of notifications made and mitigating action taken will be
retained for six years from the date the matter is resolved by either (1) a conclusion that no
Breach occurred, or (2) the later of (i) notification of the Secretary of a Breach pursuant to
Policy Nos. 02G and 23 or (ii) final action is taken by the Plan to mitigate harm to the
participants.
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
POLICY #12: TRAINING OF EMPLOYEES ON THE PLAN'S POLICIES & PROCEDURES
(HIPAA CITES: 45 C.F.R. §164.530(b))
I. POLICY
The City of Shakopee OHCA will train all of its Authorized Employees, and as necessary its
Responsible Employees, concerning the City of Shakopee OHCA's Policies and Procedures
regarding Protected Health Information ("PHI"). Such training will be necessary and appropriate
for the employees to carry out their specific functions with respect to Plan administration. Such
administration includes Plan Payment or Health Care Operations.
II. PROCEDURES
1. Current Employees. The City of Shakopee OHCA will provide training to all current
Authorized and Responsible Employees involved in Plan administration functions no later
than April 14, 2004. All such employees will be expected to attend such training programs.
Attendance will be taken to ensure that all employees have received such training.
2. New Employees. As part of orientation for each new Authorized and Responsible
Employee, the City of Shakopee OHCA will train new Authorized and Responsible
Employees involved in Plan administration functions concerning the City of Shakopee
OHCA's Policies and Procedures regarding PHI. Such training will occur within a
reasonable period of time after such new employee joins the Plan Sponsor's Workforce.
3. Changes in Policies and Procedures Regarding PHI. The City of Shakopee OHCA will
train each Authorized and Responsible Employee whose functions are affected by a
material change in the City of Shakopee OHCA's Policies and Procedures regarding PHI
within a reasonable period of time after the change becomes effective. The City of
Shakopee OHCA will conduct programs covering such changes on a regular basis.
4. Documentation. The Privacy Officer or his designee will document the time, date, place
and content of each training session, as well as the attendees at each training session. Such
documentation will be maintained by the Privacy Officer. In addition, the Privacy Officer
or his designee will require all employees to execute a Certification of Training in the form
attached hereto. The Privacy Officer or his designee will maintain all Certifications in the
City of Shakopee OHCA's files and in each employee's respective personnel file and will
make them available for inspection by regulatory authorities, as appropriate.
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
CERTIFICATION AND AGREEMENT OF COMPLIANCE
WITH THE CITY OF SHAKOPEE OHCA'S HIPAA
PRIVACY POLICIES AND PROCEDURES
I certify that:
1. I have attended the City of Shakopee's education training session regarding compliance
with the Health Insurance Portability and Accountability Act ("HIPAA") health
information privacy requirements for group health plans.
2. During the training session, I was instructed on the City of Shakopee OHCA's Policies and
Procedures regarding Protected Health Information and HIPAA as determined by the
Privacy Officer to be necessary and appropriate for me to carry out my specific job
responsibilities for the Plan. I had the opportunity to ask my supervisor and/or the Privacy
Officer questions about the City of Shakopee OHCA's Policies and Procedures regarding
HIPAA. All of my questions have been answered to my satisfaction. In the event any
further questions or concerns about HIPAA should arise, I agree to contact the Privacy
Officer to discuss such issues.
3. I agree specifically to act in accordance with the Policies and Procedures of the City of
Shakopee OHCA regarding HIPAA made available to me. I understand that I may be
subject to disciplinary action, up to and including termination of employment, for violating
these policies or failing to report any violation of these policies.
Signature:
Print Name:
Position:
Date:
Duplicate Form to be maintained by: Privacy Officer/HIPAA Compliance Files
Personnel File/Human Resources
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
POLICY #13: MITIGATION OF HARMFUL EFFECT OF IMPROPER USE OR DISCLOSURE
(HIPAA CITES: 45 C.F.R. §164.530(f))
I. POLICY
The City of Shakopee OHCA shall mitigate, to the extent practicable, any harmful effect that is
known to an Authorized Employee or the Privacy Officer of a use or a disclosure of Protected
Health Information ("PHI") in violation of the City of Shakopee OHCA's HIPAA Privacy
Policies and Procedures or the requirements of the Privacy Rule (each an "Improper Act") by
either the City of Shakopee OHCA or any of its Business Associates (as defined in Policy No.
01) or an Authorized or Responsible Employee.
II. PROCEDURES
Information regarding any Improper Act by the City of Shakopee OHCA or any of its Business
Associates or an Authorized or Responsible Employee shall be forwarded promptly to the
Privacy Officer.
The Privacy Officer, in response to such reports or other information regarding an Improper Act
by an Authorized or Responsible Employee, the City of Shakopee OHCA or any of its Business
Associates, including self-disclosures made by the Business Associates pursuant to the terms of
each Business Associate's contract or other agreement with a Plan in the City of Shakopee
OHCA, shall develop and implement a plan as soon as reasonably practicable to mitigate any
known or reasonably anticipated harmful effects of such act (the "Mitigation Plan"). The
Mitigation Plan shall be tailored to the circumstances of each case, but may include, as
appropriate, the following:
1. Identifying the source(s) of the Improper Act and taking appropriate corrective action.
2. Contacting the recipient of the information that was disclosed by the Improper Act and
entering into an agreement with the recipient ensuring that such recipient will either
destroy or return the information and to make no further use or disclosure of such
information.
3. Depending on the circumstances, and in accordance with Policy No. 23, notifying the
Individual whose Protected Health Information ("PHI") was the subject of the Improper
Act.
4. Reviewing, and correcting where appropriate, any Policy or Procedure of the City of
Shakopee OHCA that directly caused or contributed to the Improper Act.
The Privacy Officer shall immediately notify the City of Shakopee OHCA's legal counsel
regarding the Improper Act and shall take further action as so advised. The legal counsel shall
determine, in the event that the Improper Act was made by a Business Associate, whether such
act warrants termination of such Business Associate's contract. The City of Shakopee OHCA
must track these disclosures in accordance with Policy No. 20.
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
POLICY #14: USES AND DISCLOSURES OF HEALTH INFORMATION FOR MARKETING
(HIPAA CITES: 45 C.F.R. §§164.501 and 164.508(a)(3))
I. POLICY
A Plan in the City of Shakopee OHCA will not use or disclose Protected Health Information
("PHI") about an Individual for marketing without first obtaining the Individual's written
Authorization except as otherwise provided herein.
II. PROCEDURES
1. Marketing Defined. For the purposes of this policy, the term "marketing" means an
arrangement between the Plan and any other entity whereby the Plan discloses Protected
Health Information to the other entity, in exchange for direct or indirect remuneration, for
the other entity or its affiliate to make a communication about its own product or service
that encourages recipients of the communication to purchase or use that product or service.
2. Restriction on Uses and Disclosures of PHI for Marketing. An Authorized Employee may
not use or disclose PHI about an Individual for marketing without first obtaining the
Individual's written Authorization in accordance with Policy No. 04, except as provided in
Section 3 below.
3. Permitted Uses and Disclosures of Protected Health Information for Marketing.
(a) An Authorized Employee may use or disclose PHI to make a marketing communication
to an Individual without first obtaining the Individual's written Authorization in
accordance with Policy No. 04, only if such communication:
(i) Is made by the Business Associate for compensation received from the Covered
Entity pursuant to the Business Associate Agreement; or
(ii) Is payment for the treatment of an Individual.
(b) An Authorized Employee may not disclose PHI for purposes of making a
communication described in Section 3(a)(i) to any person other than the Individual.
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
POLICY #16: CONFIDENTIAL COMMUNICATION REQUIREMENTS
(HIPAA CITES: 45 C.F.R. §164.522(b)(1)(ii))
I. POLICY
A Plan in the City of Shakopee OHCA will permit Individuals to request, and will accommodate
any reasonable request, to receive communications of Protected Health Information ("PHI")
from a Plan by alternative means or at alternative locations. [The Individual must clearly state
that the disclosure of all or part of that information could endanger the Individual in order for
the Plan to grant such a request.] The Individual must complete the attached form for the Plan
to consider his or her request.
II. PROCEDURES
The Individual's request must be provided to the Plan in writing [and must clearly state that the
disclosure of all or part of the information to which the request pertains could endanger the
Individual].
The Individual's request must specify an alternative address or other method of contact.
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
REQUEST FOR CONFIDENTIAL COMMUNICATION OF HEALTH INFORMATION
Please provide the information below. We cannot respond to your request without this information.
Your name:
Member name: Member ID:
Best way to contact you:
Plan communications are normally mailed to the address on record with the Plan. Use this form if you want the
Plan to send communications containing your health information via another means (e.g., by fax) or to another
location (e.g., your work address). Due to administrative constraints, the Plan may not be able to honor your
request. However, we will accommodate all reasonable requests if you believe that you would be
endangered if your health information was disclosed in the standard way.
This request applies to my following health information (describe the specific information or category of
information):
Please send the above health information by this alternative means or to this alternative location:
If you believe that the denial of this request could put you in danger, please write the following on the lines
below: "Disclosure of my health information described above without my requested accommodation
could put me in danger." Otherwise, explain your need for disclosure.
Apply the requested restriction to the following Plan(s):
❑ Flexible Spending Account Plan
❑ Post-Employment Health Care Savings Plan
I hereby request confidential communication of my health information, as described above. I understand that
the Plan is not required to agree to my request unless (1) my request is reasonable, and (2) I have stated on this
form that I could be in danger if my request is denied. If my request is granted, I understand that
communications in accordance with my request will continue until I notify the Plan that the alternate
communication is no longer necessary, or until I am notified by the Plan that communications will resume in the
normal form.
Signature* Date
If you are making this request on behalf of another Individual, a completed Personal Representative Form must
be on file with the Plan unless you are the Individual's parent or guardian and you are also a participant in the
Plan.
Send this completed request form to:
City of Shakopee Human Resources Department
Attn: Assistant City Administrator
129 Holmes St. S.
Shakopee, MN 55379
Fax: (952) 233-3860
E-mail: kwilson@ci.shakopee.mn.us
If you have questions about this form or your right to request to inspect or receive copies of your health
information, contact the Assistant City Administrator at (952) 23 — 9312.
The Plan will notify you that your request has been either granted or denied.
For internal use only: Approved Denied Notice of extension sent:
Date received: Response date:
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
POLICY #17: INDIVIDUAL RIGHT OF ACCESS TO PROTECTED HEALTH INFORMATION
(HIPAA CITES: 45 C.F.R. §164.524)
I. POLICY
The City of Shakopee OHCA recognizes the right of an Individual to have access to inspect and
obtain a copy of Protected Health Information ("PHI") about himself or herself which is
maintained by a Plan in a Designated Record Set for as long as the PHI is maintained in the
Designated Record Set. The Individual must complete the attached form for the City of
Shakopee OHCA to consider his or her request.
II. PROCEDURES
1. Definition of Designated Record Set. For purposes of this policy, a "Designated Record
Set" means records, i.e., any item, collection or grouping of information, maintained by or
for the Plan, that include:
(a) Enrollment, payment, claims adjudication, case or medical management records; and
(b) Other records used, in whole or in part, by or for the Plan to make decisions about
Individuals.
The Individual will have access to any PHI that is used, in whole or in part, to make
decisions about him or her, except for PHI listed in Section 4 below or in situations in
which the Plan has determined that access would be inappropriate in accordance with
Section 6 below.
2. Access Request Forms. The City of Shakopee OHCA will make available through the
Assistant City Administrator an Access Request Form notifying Individuals that, except in
the circumstances described in Sections 4 and 6 below, they have the right of access to any
of their PHI maintained in the Plan's Designated Record Sets. Additionally, this Access
Request Form explains the Plan's procedures for obtaining such PHI. See Access Request
Form attached.
3. Request for Access in Writing. All requests by Individuals to inspect or to obtain a copy of
their PHI (a "Request ") must be made in writing on the Access Request Form.
4. Exception to Right of Access. An Authorized Employee shall not provide an Individual
with access to the following types of information maintained in a Designated Record Set:
(a) Psychotherapy notes; or
(b) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or
administrative action or proceeding.
5. Request for Access.
(a) An Authorized Employee shall act on the Request within 30 days of receiving the
Request if the information is maintained or accessible on-site, or within 60 days if the
information is not maintained or accessible on-site. If the Authorized Employee is
unable to act on a Request by this deadline, the Plan may extend the deadline once by
no more than 30 days by providing the Individual with a written statement of the
reasons for the delay and the date by which the Plan will complete its action on the
Request.
(b) An Authorized Employee may provide access, or may deny the Request for the
reasons set forth in Section 6 below.
(c) If access to the information is provided (in whole or in part):
(i) An Authorized Employee will notify the Individual of the decision and
arrange for a mutually convenient time and place to provide the access
requested. Once the Authorized Employee has located the requested PHI, the
Individual has the right to inspect the information and/or copy the
information.
(ii) An Authorized Employee shall provide the Individual with access to a
summary of PHI or an explanation of the underlying information in a timely
fashion, if the Individual agrees in advance to such summary or explanation
and agrees in advance to the fees imposed for such summary or explanation.
(iii) If the same PHI is maintained in more than one Designated Record Set or at
more than one location, the Authorized Employee will only produce the
information once per Request.
(iv) An Authorized Employee shall provide the requested information in the form
or format requested, provided that the information is readily producible in
such form or format. If it is not, an Authorized Employee shall produce it in
readable hard copy form or in another form or format on which the Individual
and Plan can agree.
(v) If the Individual requests that the Plan mail a copy of the requested
information, the Authorized Employee shall do so. If the Individual requests
inspection of information that is maintained electronically, the Authorized
Employee shall print out a copy and allow the Individual to view the print-out
on-site.
6. Denial of Access. An Authorized Employee may (but is not required to) deny a Request
without providing the Individual with a right to have the denial reviewed for any of the
following three reasons:
(a) If the requested information falls under either exception to the Right of Access rules
discussed in Section 4 above;
(b) If the requested information is subject to the Privacy Act (5 U.S.C. §552a), and
denial of access is permitted under the Privacy Act;
(c) If an Authorized Employee obtained the requested information from someone other
than a health care provider under a promise of confidentiality and such access
would be reasonably likely to reveal the source of the information.
An Authorized Employee may (but is not required to) deny a Request, provided that the
Authorized Employee affords the Individual the right to have the denial reviewed by a
licensed health care professional designated by the Plan who did not participate in the
original decision to deny access, in the following three circumstances:
(a) A licensed health care professional has determined that providing such access is
reasonably likely to endanger the life or physical safety of the Individual or another
person;
(b) The requested information contains a reference to another person (who is not a
health care provider) and a licensed health care provider has determined that
providing the access requested is reasonably likely to cause substantial harm to such
other person;
(c) The Request is made by the Individual's personal representative and a licensed
health care professional has determined that providing the requested access is
reasonably likely to cause substantial harm to the Individual or another person.
If the access is denied, in whole or in part, under Section 4 or Section 6 an Authorized
Employee shall, to the extent possible, give the Individual access to any other PHI
requested after excluding the information to which the Authorized Employee had grounds
to deny access. If the Authorized Employee denies the Request because the Plan does not
maintain the requested information, the Authorized Employee shall inform the Individual
where to direct the Request for access, if known.
If the access to PHI is denied in whole or in part, an Authorized Employee shall provide a
timely, written denial to the Individual containing (i) the basis for the denial; (ii) if
applicable, a statement of the Individual's right to have the denial reviewed and description
of how to exercise such right; (iii) a description of how the Individual may make a
complaint to the Plan or to the Secretary of the Department of Health and Human Services,
and the name or title and telephone number of the Plan's designated contact person or
office responsible for receiving complaints. (See attached Denial of Access Form).
7. Review Procedures.
(a) The Privacy Officer shall be responsible for appointing on a case-by-case basis a
representative of the Plan to serve as the Reviewing Official for denials of Requests
for access to PHI. The Reviewing Official shall be a licensed health care professional
who did not participate in the original denial decision.
(b) An Authorized Employee shall promptly refer a Request for review to the Reviewing
Official.
(c) Within a reasonable time after receiving the Request for review, the Reviewing
Official shall determine whether or not to deny the requested access, and an
Authorized Employee will promptly provide written notice of the Reviewing
Official's decision to the Individual. The Reviewing Official's decision shall be final.
8. Fees. The City of Shakopee OHCA may charge the Individual only the following
reasonable, cost-based fees associated with obtaining access to PHI:
(a) Copying: fees may include the labor and supply costs;
(b) Mailing: fees may include the cost of postage;
(c) Electronic: fees may include the cost of computer disk.
(d) The City of Shakopee OHCA shall not charge any fees for retrieving or handling the
information or for processing the Request.
(e) The City of Shakopee OHCA shall charge $ per hour for the preparation of an
explanation or summary of the PHI that the Plan provides to an Individual, if the
Individual agrees in advance to such explanation or summary, and to the fees to be
charged.
9. Documentation. The City of Shakopee OHCA shall retain written or electronic
documentation of its Designated Record Sets that are subject to access by Individuals and
the titles of the persons or offices responsible for receiving and processing Requests for
such access. Such documentation shall be retained for six years after the later of the date of
its creation or the date it was last in effect.
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
REQUEST FOR ACCESS
Individual's Name:
Last First Middle
Home Address:
Home Phone: Date of Birth:
I hereby request that the Plan provide me with [please check all boxes that apply]
❑ access to ❑ my own copy of the "Requested Information" checked below:
❑ My enrollment records.
❑ My payment records.
❑ My claims adjudication records.
❑ My case or medical management records.
❑ Any other personally identifiable information used by the Plan to make decisions
about me.
❑ I am only interested in accessing or obtaining a copy of Requested Information
relating to the time period through
❑ I am interested in accessing or obtaining a copy of all Requested Information
maintained by the Plan.
❑ I would prefer to receive the Requested Information in the form of a summary
prepared by the Plan at a cost to me of [$ ].
I understand that any information provided to me pursuant to this request will not include
psychotherapy notes, information compiled in reasonable anticipation of (or for use in) a civil,
criminal or administrative proceeding or as may otherwise be required by applicable law.
I understand that the Plan may deny this request under limited circumstances as provided for
under federal regulations governing the protection of personally identifiable health information.
I further understand that, except as otherwise permitted under applicable federal law, I have the
right to have a denial of my request reviewed by a licensed health care practitioner selected by
the Plan who did not participate in the Plan's decision to deny my request.
I understand that the Plan will notify me of its decision to approve or deny my request to inspect
or obtain a copy of the Requested Information within thirty (30) days of receiving this request if
the information is maintained or accessible on-site at the Plan or within sixty (60) days if the
Requested Information is not maintained or accessible on-site at the Plan. If the Plan is unable to
comply with my approved request within the applicable time limit, it may extend the applicable
deadline for up to thirty (30) days by notifying me in writing.
Please provide the Requested Information to me in [please check the appropriate boxes] ❑
electronic form (on a disc) ❑ paper form.
I would prefer to: ❑ pick up or view the Requested Information at a mutually agreeable time
and place; ❑ have the Requested Information mailed to me at the following address:
I understand that the Plan will charge me copying fees of [$ ] per page, as well as any
applicable postage.
If I am granted access to the Requested Information, I [please check the appropriate box] ❑
would ❑ would not like the Plan to provide me with an additional written explanation of such
Requested Information at an additional cost to me of [$ ].
Signature of Individual (or Personal Representative) Date
Printed name of Personal Representative Relationship to Individual
* * * * *
After you have completed this form please return it to the Privacy Officer by mail or by facsimile
at the following address: Privacy Officer, the City of Shakopee Organized Health Care
Arrangement; c/o the City of Shakopee, 129 Holmes St. S., Shakopee, MN 55379 (Fax: (952)
233-3860).
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
DENIAL OF ACCESS
Individual's Name:
Last First Middle
Home Address:
Home Phone: Date of Birth:
Date of Access Request:
Your request to access or obtain a copy of your protected health information from the Plan has
been denied for the following reason:
In accordance with applicable federal law and the Plan's privacy policies, you [please check the
appropriate box] ❑ do ❑ do not have the right to have this denial reviewed by a licensed health
care practitioner who did not participate in the decision to deny your request.
If this denial is reviewable in accordance with the above and you desire to have the decision
reviewed, please check the box below and return this form within 30 days to the Plan's Privacy
Officer by mail or facsimile at the following address: Privacy Officer, the City of Shakopee
Organized Health Care Arrangement; c/o the City of Shakopee, 129 Holmes St. S., Shakopee,
MN 55379 (Facsimile: (952) 233-3860).
If you desire to register a complaint regarding this denial, please contact the City of Shakopee
OHCA's Privacy Officer by mail or by facsimile at the above address. Your written complaint
must include the following information: your name and the specific details of your complaint.
You may also file a written complaint with the Secretary of the U.S. Department of Health and
Human Services. Your complaint must describe the Plan acts or omissions that you believe to
be in violation of applicable law. A complaint to the Secretary may be submitted either by mail
or electronic transmission within 180 days of the date you first knew or should have known of
the occurrence of the act or omission upon which you have based your complaint.
* * * * *
❑ I hereby request a review of the Plan's denial of my request to access or obtain a copy of my
personal health information by a licensed health care practitioner selected by the Plan who did
not participate in the decision to deny my request.
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
POLICY #18: RIGHT OF INDIVIDUAL TO REQUEST RESTRICTIONS
ON USES AND DISCLOSURES
(HIPAA CITES: 45 C.F.R. §164.522(a))
I. POLICY
The City of Shakopee OHCA will consider an Individual's request that a Plan restrict (i) uses
and disclosures of an Individual's Protected Health Information ("PHI") to carry out Treatment,
Payment or Health Care Operations, and (ii) disclosures of PHI to a relative, a personal friend or
any other person identified by the Individual that is directly relevant to such person's
involvement with the Individual's care or payment and related to the Individual's health care.
However, where HIPAA does not require a Plan to agree to a restriction requested by an
Individual, the Plan should not agree to any restriction on disclosure without careful
consideration. The Individual must complete the attached form for a Plan to consider his or her
request.
II. PROCEDURES
1. Requests to Restrict Uses and Disclosures of PHI. An Authorized Employee will review an
Individual's request that a Plan restrict (i) uses or disclosures of the Individual's PHI to
carry out Treatment, Payment, or Health Care Operations, and (ii) disclosures of PHI to a
relative, a personal friend or any other person identified by the Individual that is directly
relevant to such person's involvement with the Individual's care or payment and related to
the Individual's health care.
If the request meets the following requirements, the request will be granted: (1) except as
otherwise required by law, the disclosure is to a health plan for the purposes of carrying out
payment or health care operations (and is not for purposes of carrying out treatment); and
(2) the PHI pertains solely to a health care item or service for which the health care
provider involved has been paid out of pocket in full.
If the request does not meet the requirements in the paragraph above, a Plan will only
consider the addition of restrictions on use and disclosure in very limited circumstances as
determined on a case-by-case basis. No restrictions (other than one that meets the
requirements in the paragraph above) will be agreed to by a Plan without prior consultation
between the Individual and the Privacy Officer.
2. Exceptions to Restrictions. In the rare event that an Authorized Employee has agreed to
restrict the use or disclosure of PHI pursuant to Section 1 above, no Authorized Employee
shall use or disclose PHI in violation of such restriction, except that:
(a) If the Individual who requested the restriction is in need of emergency treatment and
the restricted PHI is needed to provide the emergency treatment, an Authorized
Employee may disclose such information to a health care provider to provide such
treatment to the Individual, provided that an Authorized Employee requests such health
care provider not to further use or disclose the information; and
(b) A Plan may use or disclose restricted PHI as permitted or required under the Plan's
HIPAA Privacy Policy No. 2.
3. Terminating a Restriction. A Plan may terminate its agreement to a restriction if:
(a) The Individual agrees to or requests the termination in writing;
(b) The Individual orally agrees to the termination and the oral agreement is documented;
or
(c) The Plan informs the Individual that it is terminating its agreement to a restriction,
except that such termination is only effective with respect to PHI about the Individual
created or received after the Plan has so informed the Individual.
4. Documentation. A Plan in the City of Shakopee OHCA shall make and maintain a written
or electronic record of each restriction to which it has agreed for six (6) years from the date
when the restriction was last in effect.
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
REQUEST FOR RESTRICTION ON USE AND DISCLOSURE
OF HEALTH INFORMATION
Please provide the information below. We cannot respond to your request without this
information.
Your name:
Member name: Member ID:
Best way to contact you:
This request applies to my following health information (describe the specific information or
category of information):
Please apply the following restriction(s) on the use and/or disclosure of my health information:
Apply the requested restriction to the following Plan(s):
❑ Flexible Spending Account Plan
❑ Post-Employment Health Care Savings Plan
Submission of this form does not guarantee that your request for restriction will be granted.
Because the Plan uses your health information as necessary for Plan administrative purposes, we
may be unable to agree to your request. The Plan is not required to accommodate your
request unless the request is to limit disclosure to a health plan for purposes of payment or
health care operations, the disclosure is not otherwise required by law and your request
relates solely to a health care item or service for which you have paid yourself, out of pocket
and in full. You will be notified that your request has been either granted or denied. Please note
that, if we are able to grant your request, the Plan may use or disclose your health information in
violation of the restriction if needed for your emergency treatment.
I hereby request the restriction described above. I understand that the Plan is not required to
agree to my request unless it meets the requirements described above. If the Plan agrees to
my request, I understand that the restriction will take effect immediately, and will remain in
effect until I revoke the restriction or until the Plan notifies me that the restriction will be
terminated. I understand that the Plan can terminate a restriction at any time. The restriction
will not apply to my health information created or received after the restriction is terminated. I
understand that my health information may be used or disclosed in violation of a granted
restriction if necessary to provide me with emergency treatment.
Signature* Date
*If you are making this request on behalf of another Individual, a completed Personal
Representative Form must be on file with the Plan unless you are the Individual's parent or
guardian and you are also a participant in a Plan.
Send this completed request form to:
City of Shakopee Human Resources Department
Attn: Assistant City Administrator
129 Holmes St. S.
Shakopee, MN 55379
Fax: (952) 233-3860
E-mail: kwilson@ci.shakopee.mn.us
If you have questions about this form or your right to request to inspect or receive copies
of your health information, contact the Privacy Officer at (952) 233-9312.
For internal use only: ❑ Approved ❑ Denied
Notice of extension sent:
Date restriction revoked:
Response date:
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
POLICY #19: AMENDMENT OF PROTECTED HEALTH INFORMATION
(HIPAA CITES: 45 C.F.R. § 164.526)
I. POLICY
The City of Shakopee OHCA will recognize the right of an Individual to request that a Plan
amend Protected Health Information ("PHI") or a record about the Individual in a Designated
Record Set for as long as the PHI is maintained in the Designated Record Set. The Individual
must complete the attached form for the Plan to consider his or her request.
II. PROCEDURES
1. Definition of Designated Record Set. For purposes of this policy, a "Designated Record
Set" means records, i.e., any item, collection or grouping of information, maintained by or
for the Plan, that include:
(a) Enrollment, payment, claims adjudication, case or medical management records; and
(b) Other records used, in whole or in part, by or for the Plan to make decisions about
Individuals.
The Individual will have access to any PHI that is used, in whole or in part, to make
decisions about him or her, except for PHI of the kind listed in Section 3(c)(iii) below or in
situations in which the Plan has determined that access would be inappropriate in accordance
with the Plan's policy on an Individual's right of access to PHI.
2. Request for Amendment. An Individual must make a request for an amendment in writing.
All requests must be submitted in writing on the form attached hereto and the Individual
must provide a reason to support the requested amendment. All requests shall be directed
to the City of Shakopee OHCA's Privacy Officer, the City of Shakopee Organized Health
Care Arrangement, c/o the City of Shakopee, 129 Holmes St. S., Shakopee, MN 55379.
3. Action on the Request for Amendment.
(a) An Authorized Employee shall act on the Individual's request no later than 60 days
after its receipt of the request.
(b) An Authorized Employee may extend the time for action by no more than 30 days
provided that he or she provides the Individual with a written statement (within the
60-day period described above) of the reasons for the delay and the date by which the
Plan will complete its action on the request. A Plan in the City of Shakopee OHCA
may have only one such 30-day extension.
(c) An Authorized Employee will accept the request for amendment, unless it determines
that the PHI or record that is the subject of the request:
(i) Was not created by an Authorized Employee (unless the Individual provides a
reasonable basis to believe that the originator of the information is no longer
available to act on the request for amendment);
(ii) Is not part of a Designated Record Set;
(iii) Would not be available for inspection because of the following:
a. It consists of psychotherapy notes;
b. It is information compiled in reasonable anticipation of a legal action or
proceeding; or
c. It consists of certain non-disclosable laboratory records; or
(iv) Is accurate and complete.
Determinations of whether to accept or deny the request will be made by the Privacy
Officer or his designee following a review of the relevant record and Designated
Record Set, evaluation of the Individual's request and other fact finding to the extent
necessary to make the determination.
4. Acceptance of the Requested Amendment. If the amendment is accepted, an Authorized
Employee will make the appropriate amendment to the PHI or record that is the subject of
the request for amendment by identifying the records in the Designated Record Set that are
affected by the amendment and appending or otherwise providing a link to the location of
the amendment.
(a) An Authorized Employee will timely inform the Individual in writing that the
amendment has been accepted and obtain the Individual's identification of and
agreement to have the Plan notify the relevant persons with whom the amendment
needs to be shared as provided by Section 4(b) of this Policy.
(b) An Authorized Employee will make reasonable efforts to notify and provide the
amendment within a reasonable time to:
(i) Persons identified by the Individual as having received PHI about the Individual
and requiring the amendment; and
(ii) Persons, including Business Associates of the Plan, that the Plan knows have
the PHI that is the subject of the amendment and that may have relied, or could
foreseeably rely, on such information to the detriment of the Individual.
5. Denial of the Requested Amendment. If the amendment is denied in whole or in part:
(a) An Authorized Employee will provide the Individual who requested the amendment
with a written denial within 60 days after receipt of the request for amendment. The
denial will use plain language and contain:
(i) The basis for the denial, i.e., that the PHI or record that is the subject of the request:
a. was not created by the Plan and the Individual did not provide a reasonable basis
to believe that the originator of the information is no longer available to act on
the requested amendment;
b. is not part of a Designated Record Set;
c. would not be available for inspection because it consists of psychotherapy notes or
information compiled in anticipation of, or for use in, a civil, criminal or
administrative action or proceeding; or
d. is accurate and complete;
(ii) A statement of the Individual's right to submit a written statement disagreeing
with the denial and how the Individual may file such a statement;
(iii) A statement that, if the Individual does not submit a statement of disagreement,
the Individual may request that the Plan provide the Individual's request for
amendment and the denial with any future disclosures of the PHI that is the
subject of the denied amendment; and
(iv) A description of how the Individual may complain to the Plan's Privacy Officer
pursuant to the complaint procedures established in Policy No. 21, or to the
Secretary of Health and Human Services pursuant to the procedures established
in 45 C.F.R. § 160.306. The description must include the name or title and
telephone number of the City of Shakopee OHCA's Privacy Officer.
(b) The Plan will permit the Individual to submit to an Authorized Employee a written
statement disagreeing with the denial of all or part of a requested amendment and
giving the basis of such disagreement. A Plan in the City of Shakopee OHCA may
reasonably limit the length of a statement of disagreement.
(c) An Authorized Employee may prepare a written rebuttal to the Individual's statement
of disagreement. Whenever such a rebuttal is prepared, the Authorized Employee
will provide a copy to the Individual who submitted the statement of disagreement.
(d) An Authorized Employee will, as appropriate, identify the record or PHI in the
Designated Record Set that is the subject of the disputed amendment and append or
otherwise link the Individual's request for an amendment, Plan's denial of the
request, the Individual's statement of disagreement, if any, and Plan's rebuttal, if any,
to the Designated Record Set.
(e) Future disclosures.
(i) If a statement of disagreement has been submitted by the Individual, an
Authorized Employee will include the material appended, or at the election of
the Plan, an accurate summary of any such information, with any subsequent
disclosure of the PHI to which the disagreement relates.
(ii) If the Individual has not submitted a written statement of disagreement, an
Authorized Employee will include the Individual's request for amendment and
its denial, or an accurate summary of such information, with any subsequent
disclosure of the PHI only if the Individual has requested such action.
(iii) When a subsequent disclosure of the PHI is made as part of a HIPAA standard
transaction that does not permit additional material to be included with the
disclosure, an Authorized Employee may separately transmit the material
required by Section II.5(e)(i) or (ii) of this policy, as applicable, to the recipient
of the standard transaction.
(f) If an Authorized Employee is informed by another Covered Entity of an amendment
to an Individual's PHI, the Authorized Employee will amend the PHI in its
Designated Record Sets as provided in Section II.4 of this policy.
6. Documentation. The City of Shakopee OHCA will retain all documentation associated
with requests for amendments (and the associated Plan determinations) for six (6) years
from the later of the date of its creation or the date it was last in effect. All such
documentation shall be maintained by the Privacy Officer.
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
REQUEST FOR AMENDMENT OF HEALTH INFORMATION
Individual's Name:
Last First Middle
Home Address:
Home Phone: Date of Birth:
I hereby request that the Plan amend [please check all boxes that apply]:
❑ its enrollment, payment, claims adjudication, case or medical management records
❑ other records used by or for the Plan to make decisions about me.
as more specifically described below.
I understand that the Plan may deny this request as permitted under Federal law, and that I will
be informed by the Plan concerning the basis for any denial along with instructions concerning
my right to submit a statement disagreeing with such denial. I further understand that the Plan
will notify me of its decision to accept or deny my request within sixty (60) days of receiving
this request. If the Plan is unable to act on my request within this time frame, I understand that it
may extend the deadline for up to an additional thirty (30) days by notifying me in writing.
1. Describe the information you want amended
2. Date(s) of information to be amended
3. What is your reason for making this request?
4. How is the information incorrect, incomplete, or outdated?
5. What should the entry say to be more accurate or complete? (Please be as specific as possible)
6. Do you know of anyone who may have received or relied on the information in question?
❑ yes ❑ no
If yes, please specify the name(s) and address(es) of the organizations or Individuals.
Signature of Individual (or Personal Representative) Date
Printed name of Personal Representative Relationship to Individual
FOR PLAN USE ONLY
Amendment has been: ❑ Accepted ❑ Denied
If denied, check the reason for denial:
❑ Protected Health Information was not created by Plan
❑ Protected Health Information is not part of Plan's Designated Record Set
❑ Federal law forbids making the Protected Health Information available to the Individual for
inspection
❑ Protected Health Information is accurate and complete
Comments
Signature of Privacy Officer Date
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
POLICY #20: ACCOUNTING OF DISCLOSURES OF PROTECTED
HEALTH INFORMATION
(HIPAA CITES: 45 C.F.R. § 164.528)
I. POLICY
The City of Shakopee OHCA will provide Individuals with an accounting of all disclosures of
their Protected Health Information ("PHI"), except for those disclosures listed below in II.3 and
II.4, made by a Plan or by a Business Associate of a Plan during the six years prior to the date of
the Individual's request ("Accountable Disclosures"). The Individual must complete the
attached form for a Plan to consider his or her request.
II. PROCEDURES
1. Individuals Who May Request an Accounting. The Individual who is the subject of the
PHI or his personal representative (as described in Policy No. 21) may request an
accounting in accordance with this Policy. Any Individual who contacts an Authorized
Employee to obtain an accounting will be immediately forwarded the Accounting Request
Form (a copy of which is attached to this Policy). The Individual will be encouraged to fill
out the Accounting Request Form and submit it to the Privacy Officer or his designee for
processing, but the Authorized Employee may accept any other written request from the
Individual.
2. Types of Disclosures that are Accountable. Upon an Authorized Employee's receipt of a
written request for an accounting from an Individual, the Authorized Employee shall
provide the Individual an accounting of all disclosures of PHI (except for those disclosures
listed below in 3 and 4) made by an Authorized Employee or by a Business Associate of the
Plan during the six years prior to the date of the Individual's request, or during any lesser
period that the Individual expressly requests ("Accounting Period"). Throughout the
Policies and Procedures, there are references to when and if the Plan must track certain
disclosures. Those disclosures that need to be tracked shall be provided within the
Individual's accounting. The accounting of the disclosures must be provided in accordance
with the procedures outlined below.
3. Permissible Exceptions. An Authorized Employee is not required to provide Individuals an
accounting of disclosures of PHI that were made:
(a) To carry out the Plan's Payment or Health Care Operations;
(b) To the Individual;
(c) Incident to a use or disclosure otherwise permitted or required by the Privacy Rule;
(d) Pursuant to an Authorization;
(e) For national security or intelligence purposes in accordance with Policy No. 02A;
(f) To correctional institutions or law enforcement officials in accordance with Policy
No. 02B;
(g) As part of a limited data set; or
(h) Prior to April 14, 2004.
4. Required Exceptions. An Authorized Employee must temporarily suspend an Individual's
right to receive an accounting of disclosures that were made to a health oversight agency or
law enforcement official (in accordance with Policy No. 02B) if the health oversight
agency or law enforcement official informs an Authorized Employee that providing such
an accounting to the Individual would be reasonably likely to impede such agency's or
official's activities. The terms and length of such suspension will be as follows:
(a) Written Request. The length of time specified in a written request for a suspension
that the Plan receives from the health oversight agency or law enforcement official.
(b) Oral Request. 30 days from the date of the health oversight agency's or law
enforcement official's oral request for a suspension, unless the Plan receives a
written request during such 30 day period, in which case the Plan will continue the
suspension for the length of time specified in such written request. In the event that
the Plan receives an oral request, it must document the occurrence of the request,
including the identity of the agency or official making the request.
5. Content of the Accounting. An Authorized Employee must provide the Individual a written
accounting that includes all of the following with respect to each Accountable Disclosure
that was made by the Plan or any of its Business Associates during the Accounting Period:
(a) The date of the disclosure;
(b) The name of the entity or person who received the PHI and, if known, the address
of such entity or person;
(c) A brief description of the PHI disclosed; and
(d) One of the following, as applicable:
(i) A brief statement of the purpose of the disclosure that reasonably informs the
Individual of the basis for the disclosure; or
(ii) A copy of a written request, if any, for the disclosure from the Secretary of
Health and Human Services ( "Secretary's Request ") to investigate or
determine the Plan's compliance with the federal regulations pertaining to
privacy of individually identifiable health information; or
(iii) A copy of a written request, if any, for the disclosure, if the disclosure was
required by law, for public health or health oversight activities, about a
decedent, for a specialized government function, or to comply with laws
relating to workers' compensation, and did not require the Individual's
consent or Authorization pursuant to Policy No. 04.
6. Multiple Disclosures Exception. If, during the Accounting Period, an Authorized Employee
has made multiple disclosures of PHI to the same person or entity for a single purpose
pursuant to the Individual's written Authorization, a Secretary's Request, or a request
described in II.5(d)(iii) above, the written accounting may, with respect to such multiple
disclosures, contain the following:
(a) The information listed in II.5 above with respect to the first disclosure during the
Accounting Period;
(b) The frequency, periodicity, or number of the disclosures made during the
Accounting Period; and
(c) The date of the last such disclosure during the Accounting Period.
7. Timing of Response to Individual's Request for Accounting. Within 60 days after the
Plan's receipt of a written request for an accounting, the Plan must provide the Individual
one of the following:
(a) A written accounting as described in II.5 above; or
(b) In the event that an Authorized Employee is unable to provide the written
accounting within 60 days of the Plan's receipt of the Individual's written request,
then a written statement of the reasons for the delay and the date by which the
Authorized Employee will provide the accounting (which may not be later than 90
days from the date of the Plan's receipt of the Individual's initial written request).
8. Fee for Accounting. An Authorized Employee will provide the first accounting to an
Individual in any 12 month period without charge. For each subsequent request for an
accounting during such 12 month period, the Plan will charge the Individual [$ ] per
page for copying costs and [$ ] per hour of clerical work necessary to complete the
requested accounting. This fee represents a reasonable, cost-based fee. The Plan's policy
regarding fees charged for an accounting is stated in the Accounting Request Form. In
the event that the Individual did not submit a completed Accounting Request Form to the
Privacy Officer, an Authorized Employee will, prior to charging the Individual any
applicable fee, inform the Individual of the fee and will provide the Individual with an
opportunity to withdraw or modify the request for such subsequent accounting in order to
avoid or reduce the fee.
9. Retention of Accounting. A Plan in the City of Shakopee OHCA shall retain each written
accounting that it creates in accordance with this Policy and each written response it
provides to an Individual in connection therewith for a period of 6 years from the date that
the written accounting or other written response, as applicable, is created. In addition, the
Plan shall retain each written request for an accounting it receives and any documentation it
creates pursuant to II.4 of this Policy for a period of 6 years from the date such written request
is received or such documentation is created, as applicable. All requests shall be maintained by
the Privacy Officer or his designee.
10. Authorized Employees for Receiving and Processing Requests.
(a) Receiving Requests. The following Authorized Employees are responsible for
receiving requests for an accounting: Assistant City Administrator and/or Human
Resources Technician.
(b) Processing Requests. The following Authorized Employees are responsible for
processing requests for an accounting in accordance with this Policy: Assistant City
Administrator and/or Human Resources Technician.
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
ACCOUNTING REQUEST FORM
Individual's Name:
Last First Middle
Home Address:
Home Phone: Date of Birth:
By my signature below, I hereby request an accounting of all accountable disclosures of my
Individually identifiable health information that the Plan or a business associate of the Plan has
made during the past number of years checked below [please check one of the boxes] :
❑ 1 year ❑ 2 years ❑ 3 years ❑ 4 years ❑ 5 years ❑ 6 years
If I need further information regarding the types of disclosures that are "accountable," I
understand that I can ask the Plan for a copy of its Policy that describes them. In particular, I
understand that disclosures made for the purpose of the Plan's Payment or Health Care
Operations are not "accountable."
I understand that if this is my first request for an accounting of disclosures during the past 12
months, then my requested accounting will be provided free of charge. I understand that if I
have made one or more prior requests during the past 12 months for an accounting of
disclosures, then the Plan will charge me [$ ] per page for copying costs and [$ ] per hour
of clerical work necessary to complete this requested accounting.
Signature of Individual (or Personal Representative) Date
Printed name of Personal Representative
Relationship to Individual
After you have completed this form please return it to the Privacy Officer by mail or by facsimile
at the following address: Privacy Officer, the City of Shakopee Organized Health Care
Arrangement, c/o the City of Shakopee, 29 Holmes St. S., Shakopee, MN 55379 (Facsimile: (952) 233-3860).
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
POLICY #21: REVIEW AND RESOLUTION OF COMPLAINTS
(HIPAA CITES: 45 C.F.R. §164.530(d))
I. POLICY
The City of Shakopee OHCA has put in place a process for Individuals to file a complaint
concerning a Plan's compliance with the Privacy Rule or the City of Shakopee OHCA's Privacy
Policies and Procedures. The City of Shakopee OHCA will review and resolve any complaints it
receives regarding a Plan's compliance with the Privacy Rule and the City of Shakopee OHCA's
Policies and Procedures (collectively, "Privacy Complaints").
II. PROCEDURES
1. Who to Contact. All Privacy Complaints shall be forwarded to the Privacy Officer.
2. Privacy Complaint Log. The Privacy Officer, or his designee, shall document the
following with respect to each Privacy Complaint received:
(a) The date the Privacy Complaint was received;
(b) A copy of the written Privacy Complaint, if any, or a general description of the oral
Privacy Complaint; and
(c) A copy of the written statement provided to the Individual making the Privacy
Complaint, as described below.
3. Responsible Party to Investigate and Resolve Complaint. The Privacy Officer will review
and resolve any Privacy Complaints that the Privacy Officer receives.
4. Time Frame for Resolution.
(a) Investigation. Within 30 days after the Privacy Officer receives a Privacy Complaint,
the Privacy Officer must investigate the underlying circumstances relating to the
Privacy Complaint.
(b) Resolution. Within 60 days after the Privacy Officer receives a Privacy Complaint,
the Privacy Officer must provide a written response to the Individual who submitted
the Privacy Complaint containing the following information:
(i) The name of an Authorized Employee contact person who will answer questions
relating to the investigation and resolution of the Privacy Complaint;
(ii) A general description of the steps taken to investigate the Privacy Complaint;
(iii) An explanation of the Privacy Officer's resolution regarding the Privacy
Complaint; and
(iv) The date of completion of the investigation of the Privacy Complaint.
5. Document Retention. A Plan in the City of Shakopee OHCA shall retain copies of the
documentation listed in II.2 for a period of six years from the date that the Privacy Officer
provides the Individual the written response described in II.4(b) above.
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
POLICY #22: PERSONAL REPRESENTATIVES OF INDIVIDUALS
(HIPAA CITES: 45 C.F.R. §164.502(g))
I. POLICY
The City of Shakopee OHCA will treat an Individual's personal representative as the Individual
with respect to the Individual's Protected Health Information ("PHI"), except as otherwise
provided in this Policy. The personal representative of an Individual is a person who, under
applicable state law, has the authority to act on behalf of the Individual in making decisions
related to health care. For those relationships that would not fall under applicable state law, the
personal representative will be required to complete the attached form.
II. GENERAL PROCEDURES
Prior to allowing a person to act as an Individual's personal representative in connection with an
Authorized Employee's use or disclosure of the Individual's PHI, an Authorized Employee
must determine if the Individual is (a) an adult or emancipated minor; (b) an unemancipated
minor; (c) deceased; or (d) a victim of abuse, neglect or endangerment. After making this
determination, the Authorized Employee must follow the procedures applicable to the
Individual's category as set forth in Section III below.
For all categories of Individuals, an Authorized Employee must obtain written documentation of
a person's authority under applicable state law to act as the Individual's personal representative
before allowing the person to act as the Individual's personal representative in connection with
the use or disclosure of the Individual's PHI. An Authorized Employee shall maintain in the
Individual's Plan record the written documentation of a person's authority to act as the
Individual's personal representative. The Authorized Employee shall also maintain in the
Individual's Plan record the personal representative's name, address, telephone number and
relationship to the Individual.
III. PROCEDURES FOR CERTAIN CATEGORIES OF INDIVIDUALS
1. Adults and Emancipated Minors. If the Individual is an adult or emancipated minor, the
Authorized Employee will treat a person who has authority under applicable state law to
act on behalf of the Individual in making decisions related to health care as the
Individual's personal representative with respect to PHI relevant to such personal
representation.
2. Unemancipated Minors.
(a) An Authorized Employee will treat a parent, guardian or other person acting in loco
parentis, as authorized under state law, as the personal representative of an
unemancipated minor with respect to such minor's PHI. However, such person may
not be an unemancipated minor's personal representative, if the minor has the
authority to act on his or her own behalf, with respect to PHI pertaining to a health
care service under any of the following three circumstances:
(i) The minor consents to the health care service; no other consent to such health
care service is required by law, regardless of whether the consent of another
person has also been obtained; and the minor has not requested that such
person be treated as the minor's personal representative;
(ii) The minor may lawfully obtain the health care service without the consent of
a parent, guardian, or other person acting in loco parentis, and the minor, a
court, or another person authorized by law consents to such health care
service; or
(iii) A parent, guardian, or other person acting in loco parentis assents to an
agreement of confidentiality between a covered health care provider and the
minor with respect to such health care service.
(b) Notwithstanding Section (a) above:
(i) If, and to the extent, permitted or required by applicable state or other law,
including case law ("state law"), an Authorized Employee may disclose, or
provide access in accordance with Policy No. 17 to, PHI about an
unemancipated minor to a parent, guardian or other person acting in loco
parentis;
(ii) If, and to the extent, prohibited by state law, an Authorized Employee may
not disclose, or provide access in accordance with Policy No. 17 to, PHI about
an unemancipated minor to a parent, guardian or other person acting in loco
parentis; and
(iii) An Authorized Employee may provide or deny access under Policy No. 17 to
a parent, guardian or other person acting in loco parentis who is not the
personal representative under Section III.3.2(i), (ii) or (iii) of this Policy, if
there is no applicable access provision under state law, such action is
consistent with state law, and the decision is made by a licensed health care
professional in the exercise of professional judgment.
3. Deceased Individuals. If under applicable law an executor, administrator, or other person
has authority to act on behalf of a deceased Individual or the Individual's estate, an
Authorized Employee will treat such person as a personal representative with respect to
PHI relevant to such personal representation. The Authorized Employee will require the
executor, administrator or other person to provide a copy of relevant documentation prior
to treating that person as a personal representative.
4. Abuse, Neglect, Endangerment Situations. Notwithstanding state law or any requirement
of this policy to the contrary, an Authorized Employee may elect not to treat a person as
the personal representative of an Individual if:
(a) An Authorized Employee has a reasonable belief that:
(i) The Individual has been or may be subjected to domestic violence, abuse, or
neglect by such person; or
(ii) Treating such person as the personal representative could endanger the
Individual; and
(b) An Authorized Employee, in the exercise of professional judgment, decides that it is
not in the best interest of the Individual to treat the person as the Individual's personal
representative.
(c) The Authorized Employee will provide copies of any documentation to substantiate
this position to the Privacy Officer.
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
PERSONAL REPRESENTATIVE FORM
This form should be completed by the Personal Representative of a Plan participant.
A Personal Representative is a person entitled under applicable law to decide and act on behalf
of a Plan participant with respect to the Plan participant's health care. A Personal Representative
is entitled to act on behalf of the Plan participant for purposes of exercising certain rights relating
to the Plan participant's health information.
Plan participant name:
Employee's name: Employee's ID:
Representative's name:
Best way to contact Representative:
Relationship to the Plan participant (select one):
❑ Guardian of the minor Plan participant - Attach a copy of the proof of guardianship.
❑ Power of attorney with authority to make health care decisions on behalf of the Plan
participant - Attach copy of signed power of attorney form
❑ Executor or administrator of the deceased Plan participant's estate - Attach Letters
Testamentary or other legal documents evidencing executor or administrator status.
❑ Other (please describe your relationship to the Plan participant, and attach proof of your
authority to make health care decisions on behalf of the Plan participant):
I hereby certify that I am a person with legal authority to make health care decisions for the Plan
participant listed above. I have attached the required documentation to establish my status as the
Plan participant's Personal Representative. I certify that the information on this Personal
Representative Form is true, correct, and accurate to the best of my knowledge. I understand that
the Plan may request information, now or in the future, as it deems necessary to confirm my
Personal Representative status.
Signature* Date
Send this completed request form to:
City of Shakopee Human Resources Department
Attn: Assistant City Administrator
129 Holmes St. S., Shakopee, MN 55379
Fax: (952) 233-3860
Email: kwilson@ci.shakopee.mn.us
If you have questions about this form or your right to request amendment of your
health information, contact the City of Shakopee Human Resources Department at (952) 233-9312.
For internal use only: ❑ Approved ❑ Denied
Notice of extension sent:
CITY OF SHAKOPEE
ORGANIZED HEALTH CARE ARRANGEMENT
POLICY #23: UNSECURED PHI BREACH DETERMINATION
AND NOTIFICATION PROCEDURES
(HIPAA CITES: 45 C.F.R. §164.400 et seq.)
I. POLICY
The City of Shakopee OHCA will make reasonable efforts, in compliance with this Policy and
Procedures Manual and the City of Shakopee OHCA's Security Policy, to ensure that the City of
Shakopee OHCA's PHI is secure. If a breach of the City of Shakopee OHCA's PHI occurs, the
City of Shakopee OHCA will determine under this Policy No. 23 whether the breach is a Breach
of Unsecured PHI and, if so, whether the notifications described below are required. The City of
Shakopee OHCA will provide any required notifications as described below.
II. PROCEDURES TO DETERMINE BREACH
1. Investigation. When the City of Shakopee OHCA Discovers a Breach or a possible Breach
of PHI, the City of Shakopee OHCA shall take the following actions:
a. Within 5 business days, the City of Shakopee OHCA will create, in writing, a summary
of the Breach or possible Breach, including as much of the following information as is
available:
i. The type of PHI that was involved (e.g., electronic, paper, oral, etc.);
ii. The number of individuals whose PHI was involved;
iii. The names of the individuals whose PHI was involved;
iv. The information contained in the PHI (e.g., name, address, social security
number, treatment information, etc.);
v. The identity and position, if any, of the person who committed the Breach or
potential Breach;
vi. The extent of the disclosure of the PHI beyond the person who committed the
Breach or potential Breach;
vii. The uses to which the Breached PHI may be, or have been, put;
viii. Any mitigation actions that can be taken by the City of Shakopee OHCA or
the affected individuals;
ix. Any additional investigation that is needed and a plan to implement such an
investigation.
Using the information described in this paragraph, the City of Shakopee OHCA will take
the following steps:
b. The City of Shakopee OHCA will determine whether the PHI allegedly Breached was
"unsecured" under HHS guidance.
If the PHI involved was "secured" under HHS guidance or if it was in the form of a
Limited Data Set, no further action is needed under this Policy No. 23. The City of
Shakopee OHCA will, however, take steps to prevent a similar Breach from occurring
in the future.
c. The City of Shakopee OHCA will determine whether PHI was used or disclosed in a
manner not permissible under the Privacy Rule.
If the alleged Breach involved PHI that was used or disclosed in a manner permissible
under the Privacy Rule, no further action is needed under this Policy No. 23. The City
of Shakopee OHCA will review procedures to determine that only the minimum
necessary PHI is being used for the purpose.
d. The City of Shakopee OHCA will conduct a risk assessment to determine whether the
alleged Breach poses a significant risk of financial, reputational or other harm to the
individual(s) whose PHI was involved in the alleged Breach.
If there is no significant risk of financial, reputational or other harm to the individual(s),
the City of Shakopee OHCA will document its assessment and conclusion in writing.
The Privacy Officer will be responsible for maintaining the records of the investigation
and its conclusions. These records will be available to the Secretary under Policy No.
02G. No further action is needed under this Policy No. 23.
e. The City of Shakopee OHCA will determine whether the alleged Breach falls within
one of the following three (3) exceptions to the definition of a Breach:
i. The "breach" was an unintentional acquisition, access or use of PHI by a
workforce member or person acting under the authority of the Covered Entity or
a Business Associate which was made in good faith and within the scope of that
person's authority and the "breach" did not result in further use or disclosure in
a manner not permitted under the Privacy Rule; or
ii. The "breach" was an inadvertent disclosure by a person who is authorized to
access PHI at the Covered Entity or Business Associate to another person
authorized to access PHI at the same Covered Entity or Business Associate and
the disclosure did not result in further use or disclosure in a manner not
permitted by the Privacy Rule; or
iii. The "breach" was a disclosure of PHI where the Covered Entity or Business
Associate has a good faith belief that the unauthorized person to whom the
disclosure was made would not reasonably have been able to retain such
information.
If the alleged Breach falls within one of these exceptions, the City of Shakopee OHCA
will document its assessment and conclusion in writing. The Privacy Officer will be
responsible for maintaining the records of the investigation and its conclusions. These
records will be available to the Secretary under Policy No. 02G. No further action is
needed under this Policy No. 23.
2. Timeliness. If the City of Shakopee OHCA determines that a Breach occurred or is likely
to have occurred during the process described in paragraph 1, above, the City of Shakopee
OHCA will send all notifications required by statute and regulations without unreasonable
delay, but in no case later than 60 calendar days after the date the Breach was Discovered
by the City of Shakopee OHCA.
Notwithstanding this provision, however, if a law enforcement official determines that a
notification, notice or posting required under CFR §164.400 et seq. would impede a
criminal investigation or cause damage to national security, notification may be delayed as
follows:
i. If a law enforcement official provides a statement in writing to the City of Shakopee
OHCA that a delay in notification is necessary because notification would impede a
criminal investigation or cause damage to national security, and specifies the time for
which a delay is required, the City of Shakopee OHCA will delay notification
accordingly, or
ii. If a law enforcement official states orally that a notification would impede a criminal
investigation or cause damage to national security, the Privacy Officer or other
representative of the City of Shakopee OHCA will document the statement and the
identity of the official and delay notification for no longer than 30 days, unless a
written statement meeting the above requirements is provided during that time.
III. PROCEDURES TO NOTIFY INDIVIDUALS
Under CFR § 164.404, the City of Shakopee OHCA will provide notification to all individuals
whose PHI has been Breached or whose PHI is likely to have been Breached.
1. Method. Notification to individuals will be made in writing and sent either:
a. by first-class mail to the last known address of the individual; or
b. in the form of electronic mail, provided the individual has agreed to receive electronic
notice and such agreement has not been withdrawn.
2. Incapacitated individual. Notification to a minor or another individual who lacks legal
capacity may be sent to the parent or personal representative of the individual.
Notification to a deceased individual may be made to that individual's next of kin or
personal representative, provided the City of Shakopee OHCA both knows the individual is
deceased and has the address of the next of kin or personal representative.
3. Content of Notice. The notice to the individual will include, to the extent possible, the
following elements:
a. A brief description of what happened, including the date of the Breach and the date
of the Discovery of the Breach, if known;
b. A description of the types of unsecured PHI that were involved in the breach (such
as whether full name, social security number, date of birth, home address,
diagnosis, account number, or other types of information were involved);
c. Any steps individuals should take to protect themselves from potential harm
resulting from the Breach;
d. A brief description of what the covered entity involved is doing to investigate the
breach, to mitigate harm to individuals, and to protect against any further breaches;
and
e. Contact procedures for individuals to ask questions or learn additional information,
which will include at least one of the following: a toll-free telephone number, an
e-mail address, Web site or postal address.
If insufficient information is known at the time of the first notification, additional
notifications will be sent as the Covered Entity obtains additional information.
4. Insufficient Contact Information. If the City of Shakopee OHCA does not have sufficient
contact information for some or all of the affected individuals, or if some notices are
returned as undeliverable, the City of Shakopee OHCA will provide substitute notice. Such
substitute notice will be provided as soon as reasonably possible after the City of Shakopee
OHCA becomes aware that it has insufficient or out-of-date contact information for one or
more affected individuals.
a. The City of Shakopee OHCA may attempt to update its contact information for the
individuals (except for deceased individuals) and resend the notice.
b. If there are fewer than 10 individuals for whom the contact information is or remains
insufficient or out-of-date, the City of Shakopee OHCA may provide a substitute
form of notice reasonably calculated to reach the individuals for whom it is being
provided, such as e-mail, telephone or other means.
c. If there are fewer than 10 individuals for whom the contact information is or remains
insufficient or out-of-date, the City of Shakopee OHCA may post a notice on the Plan
Sponsor's web site or at another location that is reasonably calculated to reach the
individuals.
d. If there are 10 or more individuals for whom the contact information is or remains
insufficient or out-of-date, the City of Shakopee OHCA will conspicuously post
substitute notice in a manner reasonably calculated to reach the affected individuals
either:
i. on the home page of the Plan Sponsor (the City of Shakopee OHCA may post
either substitute notice or a hyperlink to the notice) for a period of 90 days; or
ii. in major print or broadcast media in geographic areas where the individuals
affected by the Breach are likely to reside.
In either case, the City of Shakopee OHCA will include in the substitute notice a
toll-free phone number, active for at least 90 days, where an individual can learn whether
the individual's unsecured PHI may be included in the Breach.
5. Urgent Situations. In cases deemed by the City of Shakopee OHCA to require urgency
because of possible imminent misuse of unsecured PHI, notice by telephone, e-mail or
other means may be made. This notice is in addition to, and not in lieu of, the written
notice described above.
IV. REQUIRED NOTIFICATION OF MEDIA
Additional notification will be provided to the media as required under CFR § 164.406 in the case
of the Discovery of a Breach if the unsecured PHI of more than 500 residents of a State or
jurisdiction is, or is reasonably believed to have been, accessed, acquired, or disclosed during
such Breach of the City of Shakopee OHCA's unsecured PHI.
Such notification will be provided to prominent media outlets serving the State or jurisdiction
(such as a county, city or town). The notification will include the same content as the individual
notices in III.4 above, including a toll-free telephone number to call for additional information.
V. NOTIFICATION OF SECRETARY
In the case of a Breach of unsecured PHI of 500 or more individuals (whether or not those
individuals are in the same State or jurisdiction), the City of Shakopee OHCA will notify the
Secretary at the same time as it notifies the individuals under III above in a manner to be
specified on the HHS web site.
The Privacy Officer will maintain a record of all Breaches involving fewer than 500 individuals
and will submit information to the Secretary no later than 60 days after the end of each calendar
year of all such Breaches occurring during the preceding calendar year. Such report will be
submitted in the manner specified on the HHS web site.
For calendar year 2009, the City of Shakopee OHCA will only submit information to the
Secretary for Breaches occurring on or after September 23, 2009.
CITY OF SHAKOPEE HIPAA SECURITY POLICY
FOR ITS FULLY INSURED GROUP HEALTH AND GROUP DENTAL PLANS
The City of Shakopee (the "Company") sponsors group health and dental plans (the
"Plans") of which all of the benefits are provided under contracts with one or more
insurers or HMOs (collectively the "Insurer"). Neither the Company nor any member of
its workforce creates, receives, maintains, or transmits electronic protected health
information (as defined below) on behalf of the Plans.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its
implementing regulations require the Plans to implement various security measures with
respect to electronic protected health information. It is the Plans' policy to comply fully
with HIPAA's requirements. This Policy is intended to meet the requirements under
HIPAA's Security Rule. To the extent that it establishes requirements and obligations
beyond those required by HIPAA's Security Rule, the Policy shall be aspirational and
shall not be binding on the Plans.
No third-party rights (including but not limited to rights of Plan participants,
beneficiaries, or covered dependents) are intended to be created by this Policy. The Plans
reserve the right to amend or change this Policy at any time, prospectively or
retroactively, without notice.
I. Definitions
A. Electronic protected health information is protected health information that is
transmitted by or maintained in electronic media.
B. Protected health information (PHI) is the information that is subject to and defined
in the Plans' privacy policies and procedures. For purposes of this Policy, PHI does not
include Exempt Information, which is:
(1) Summary health information for purposes of
(a) obtaining premium bids or
(b) modifying, amending or terminating the Plans;
(2) Enrollment and disenrollment information; and
(3) Information received pursuant to a HIPAA-compliant authorization.
C. Electronic Media means:
(1) Electronic storage media including memory devices in computers (hard
drives) and any removable/transportable digital memory medium, such as
magnetic tape or disk, optical disk or digital memory card; or
(2) Transmission media used to exchange information already in electronic
storage media. Transmission media include, for example, the Internet,
extranet, leased lines, dial-up lines, private networks and the physical
movement of removable/transportable electronic storage media. Certain
transmissions, including paper, facsimile and voice via telephone are not
considered to be transmission via electronic media because the information
being exchanged did not exist in electronic form before the transmission.
II. Security Official
The Assistant City Administrator is the Security Official for the Plans. The Security
Official is responsible for the development and implementation of the Plans' policies and
procedures relating to security, including but not limited to this Policy.
III. Risk Analysis
The Plans have no employees. Except for functions performed by the Company using
Exempt Information, all of the Plans' functions, including creation and maintenance of its
records, are carried out by the Insurers. The Plans do not own or control any of the
equipment or media used to create, maintain, receive and transmit electronic PHI relating
to the Plans, or any of the facilities in which such equipment and media are located. Such
equipment, media, and facilities are owned or controlled by the Insurers. Accordingly,
the Insurers create and maintain all of the electronic PHI relating to the Plans, own or
control all of the equipment, media and facilities used to create, maintain, receive or
transmit electronic PHI relating to the Plans and have control of employees, agents and
subcontractors that have access to electronic PHI relating to the Plans. The Plans do not
have the ability to assess or modify any potential risks and vulnerabilities to the
confidentiality, integrity and availability of electronic PHI relating to the Plans — that
ability lies solely with the Insurers.
Because the Plans have no access to or control over the Insurers' employees, equipment,
media, facilities, policies, procedures or documentation affecting the security of
electronic PHI relating to the Plans, and the Insurers are covered entities responsible
under HIPAA to implement security measures with respect to electronic PHI (including
electronic PHI relating to the Plans), the Plans' policies and procedures (including this
Policy) do not address the following standards (including the implementation
specifications associated with them) established under HIPAA and set out in Subpart C of
45 CFR Part 164:
• security management process;
• workforce security;
• information access management;
• security awareness and training;
• security incident procedures;
• contingency plan;
• evaluation;
• business associate contracts and other arrangements;
• facility access controls;
• workstation use;
• workstation security;
• device and media controls;
• access control;
• audit controls;
• integrity;
• person or entity authentication; and
• transmission security.
Because the Company has no access to electronic PHI relating to the Plans, the Plans are
not required to include provisions regarding security in their plan documents.
IV. Documentation
Except to the extent controlled by the Insurers, the Plans' security policies and
procedures shall be documented, reviewed periodically, updated as necessary in response
to environmental or operational changes affecting the security of Plans' electronic PHI,
and any changes to policies or procedures will be documented promptly.
Except to the extent controlled by the Insurers, the Plans shall document certain actions,
activities and assessments with respect to electronic PHI required by HIPAA to be
documented.
Policies, procedures and other documentation controlled by the Plans may be maintained
in either written or electronic form and will be maintained for at least six years from the
date of creation or the date last in effect, whichever is later.
The Plans will make their policies, procedures and other documentation available to the
Security Official, the Insurers and the Company, as well as other persons responsible for
implementing the procedures to which the document pertains.
The City of Shakopee, on behalf of the City of Shakopee Group Health and Group Dental
Plans:
Signature Date
Print name Title
CITY OF SHAKOPEE
PRIVACY OFFICER JOB DESCRIPTION
Position Summary
The position of Privacy Officer is required under the Health Insurance Portability and
Accountability Act of 1996 (HIPAA). The Privacy Officer is responsible for coordinating the
City of Shakopee's policies and procedures under HIPAA's privacy rules and monitoring and
deciding any issues that occur under the rules.
Reporting Structure
The Privacy Officer reports to the City Administrator.
Position Functions
The primary function of the Privacy Officer is to develop, implement, and maintain HIPAA's
privacy rules as applicable to the City of Shakopee. The Privacy Officer is the designated
decision maker for issues and questions involving interpretation of the privacy rules, in
coordination with internal and external legal counsel. The Privacy Officer ensures the
appropriate employee training programs are developed and the Privacy Notice is published and
distributed according to the HIPAA privacy rules.
The Privacy Officer is responsible for the following tasks:
• Inventory the uses and disclosures of all protected health information (PHI)
• Ensure that legal issues in drafting compliance documents are addressed, including
amendments to plan documents, negotiation of business associate contracts and
development of authorizations
• Coordinate with other employer functions such as FMLA leave, drug testing and
fitness-for-duty exams
• Develop and implement appropriate firewalls between the employer organization and the
group health plan component of the organization
• Establish structures to ensure individual rights guaranteed by HIPAA
• Set up a complaint process and sanctions
• Develop overall privacy policies and procedures for the plan as well as a notice of
information practices
• Develop a training program
• Establish a procedure to audit and monitor business associates and internal privacy
compliance
• Maintain knowledge of the latest privacy and security developments and federal and state
laws and regulations.
Position Qualifications
The Privacy Officer position requires the following minimum qualifications:
• Familiarity with all federal and state laws and regulations concerning information
security and privacy
• Familiarity with federal and state laws governing operations, including ADA, FMLA,
OSHA or other relevant statutes
• Familiarity with business functions and operational structure
• Familiarity with health care strategy and benefits offering
• Knowledge of and ability to work with complex information systems and technologies
• Ability to manage large projects
• Ability to make presentations to decision-makers and large groups, and to organize and
conduct employee training
• Ability to communicate both orally and in writing
• Strong interpersonal skills
• Ability to effectively communicate technical and legal information to non-technical and
non-legal staff in employee training and advisory contexts
• Strong organizational and problem-solving skills
• Ability to work in a team-oriented environment
• Ability to effectively report on the status and implementation of projects to senior
management
CITY OF SHAKOPEE GROUP HEALTH PLANS
NOTICE OF PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT
YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS
TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
I. The City of Shakopee Group Health Plans
This Notice describes the privacy practices of the following group health plans sponsored by
the City of Shakopee (individually, a "Plan" or collectively, the "Plans").
City of Shakopee Flexible Spending Account Plan
City of Shakopee Post-Employment Health Care Savings Account Plan
The Plans provide health benefits to the eligible employees of the City of Shakopee (the "Plan
Sponsor") and their eligible dependents.
II. The Plan's Privacy Obligations
The City of Shakopee has always been committed to keeping our employees' personnel
information confidential. In addition, the Plans are required by federal and applicable state law
to protect the privacy of individually identifiable health information about you that they create or
receive ("Your Protected Health Information") and to provide you with this Notice of their legal
duties and privacy practices. When the Plans use or disclose Your Protected Health Information,
they are required to abide by the terms of this Notice (or other notice in effect at the time of the
use or disclosure).
III. Uses and Disclosures Without Your Written Authorization
The Plans may use and disclose to others Your Protected Health Information without your
written Authorization for the following purposes. The amount of health information used or
disclosed will be limited to the "minimum necessary" for these purposes.
A. Treatment. The Plans may disclose Your Protected Health Information to your health
care provider for its provision, coordination, or management of your health care and
related services — for example, for managing your health care with the Plan or for
referring you to another provider for care.
B. Payment. The Plans may use and disclose Your Protected Health Information to obtain
payment for your coverage and to determine and fulfill the Plans' responsibility to
provide health benefits — for example, to make coverage determinations, administer
claims and coordinate benefits with other coverage you may have. The Plans also may
disclose your Protected Health Information to another health plan or a health care
provider for its payment activities — for example, for the other health plan to determine
your eligibility or coverage, or for the health care provider to obtain payment for health
care services provided to you.
C. Health Care Operations. The Plans may use and disclose Your Protected Health
Information for their health care operations — for example, to do business planning,
arrange for medical review and conduct quality assessment and improvement activities.
The Plans also may disclose Your Protected Health Information to another health plan or
a health care provider that has or had a relationship with you for it to conduct quality
assessment and improvement activities; accreditation, certification, licensing, or
credentialing activities; or for the purpose of health care fraud and abuse detection or
compliance — for example, for the other health plan to perform case management or
evaluate health care provider performance, or for the health care provider to evaluate the
outcomes of treatments or conduct training programs to improve health care skills.
D. To Comply with the Law. The Plans may use and disclose your Protected Health
Information to the extent required to comply with applicable law.
E. Disclosures to the Plan Sponsor. The Plans may disclose Your Protected Health
Information to certain employees or other individuals under the control of the Plan
Sponsor as necessary for them to carry out the Plan Sponsor's responsibilities to
administer Plan payment and health care operations activities. The Plan documents
identify by position the specific employees or other individuals under the control of the
Plan Sponsor who are authorized to have access to or receive Your Protected Health
Information for the purpose of administering the Plans. The Plan Sponsor cannot use
Your Protected Health Information obtained from the Plans for any employment-related
actions without your authorization. However, health information derived from other
sources, for example in connection with an application for disability benefits or a leave
qualifying under the Family and Medical Leave Act, is not protected by HIPAA.
F. Business Associates. The Plans contract with various service providers, called business
associates, to perform plan administration functions on their behalf. The Plans' business
associates will receive, create, use and disclose Your Protected Health Information, but
only after the business associates have agreed in writing to appropriately safeguard and
keep confidential Your Protected Health Information. Business Associates are also
subject to HIPAA.
G. Marketing Communications. The Plans may contact you to provide appointment
reminders or information about treatment alternatives or other health-related benefits and
services that may be useful to you. In most cases, the Plans may not use and disclose
Your Protected Health Information to communicate face-to-face with you to encourage
you to purchase or use a product or service that is not part of the health benefits provided
by the Plan, or to provide a promotional gift of nominal value to you, without your
authorization.
H. Public Health Activities. The Plans may disclose Your Protected Health Information for
the following public health activities and purposes: (1) to report health information to
public health authorities that are authorized by law to receive such information for the
purpose of preventing or controlling disease, injury or disability; (2) to report child abuse
or neglect to a government authority that is authorized by law to receive such reports; (3)
to report information about a product or activity under the jurisdiction of the U.S. Food
and Drug Administration to a person who has responsibility for activities related to the
quality, safety or effectiveness of such FDA-regulated product or activity; and (4) to alert
a person who may have been exposed to a communicable disease if the Plan is authorized
by law to give such notice.
I. Health Oversight Activities. The Plans may disclose Your Protected Health Information
to a government agency that is legally responsible for oversight of the health care system
or for ensuring compliance with the rules of government benefit programs such as
Medicare or Medicaid, or other regulatory programs for which health information is
necessary for determining compliance.
J. Judicial and Administrative Proceedings. The Plans may disclose Your Protected Health
Information in the course of a judicial or administrative proceeding in response to a legal
order or other lawful process.
K. Law Enforcement Officials. The Plans may disclose Your Protected Health Information
to the police or other law enforcement officials as required by law or in compliance with
a court order or other process authorized by law.
L. Health or Safety. The Plans may disclose Your Protected Health Information to prevent
or lessen a serious and imminent threat to the health or safety of an Individual or the
public.
M. Specialized Government Functions. The Plans may disclose Your Protected Health
Information to units of the government with special functions, such as the U.S. military
or the U.S. Department of State.
N. Workers' Compensation. The Plans may disclose Your Protected Health Information as
necessary to comply with workers' compensation laws.
IV. Uses and Disclosures With Your Written Authorization
The Plans may use or disclose to others Your Protected Health Information for a purpose other
than the purposes described in Section III above, only when you give the Plans your
authorization on its Authorization Form. You may revoke your authorization, except to the
extent the Plan has taken action in reliance on it, by delivering a written revocation statement to
the Plan's Privacy Officer identified below.
V. Your Individual Rights
A. Right to Request Additional Restrictions. You may request restrictions on the Plans' use
and disclosure of Your Protected Health Information for payment and health care
operations in addition to those explained in this Notice. If your request meets the
following requirements, the request will be granted: (1) except as otherwise required by
law, the disclosure to be restricted is to a health plan for purposes of payment or health
care operations (and not for treatment); and (2) the Protected Health Information pertains
solely to a health care item or service for which the health care provider involved has
been paid out of pocket in full. While a Plan will consider all other requests for
additional restrictions carefully, it is not required to agree to a requested restriction. If
you wish to request additional restrictions, please obtain a request form from the Privacy
Officer and submit the completed form to the Privacy Officer. You will be given a
written response.
B. Right to Receive Confidential Communications. A Plan will accommodate any
reasonable request for you to receive Your Protected Health Information by alternative
means of communication or at alternative locations. Your request must specify how or
where you wish to be contacted. Please note that in certain situations, such as eligibility
and enrollment information, the Plan is obliged to communicate directly with the
employee rather than a dependent unless the request clearly states that disclosure of that
information to the employee could endanger you.
C. Right to Inspect and Copy Your Protected Health Information. You may request access
to the Plans' records that contain Your Protected Health Information in order to inspect
and request copies of the records. Under limited circumstances, a Plan may deny you
access to a portion of your records. If you desire access to your records, please obtain a
record request form from the Privacy Officer and submit the completed form to the
Privacy Officer. If you request copies, the Plan will charge you copying and mailing
costs.
D. Right to Amend Your Records. You have the right to request that a Plan amend Your
Protected Health Information maintained in the enrollment, payment, claims adjudication
and case or medical management record systems maintained by or for the Plan and any
other records used by or for the Plan to make decisions about individuals. To make such
a request, please obtain an amendment request form from the Privacy Officer and submit
the completed form to the Privacy Officer. The Plan will comply with your request
unless special circumstances apply. If your physician or other health care provider
created the information that you desire to amend, you should contact the provider to
amend the information. The Plan may deny your request for an amendment if it does not
include a reason to support the request or if the Plan believes that the information is
accurate as is. In addition, the Plan may deny your request if you ask it to amend
information that was created by another health care organization, but the Plan will inform
you of the source of that information if it knows it.
E. Right to Receive An Accounting of Disclosures. Upon request, you may obtain an
accounting of certain disclosures of Your Protected Health Information made by a Plan
on or after April 14, 2004, excluding disclosures made earlier than six years before the
date of your request. If you request an accounting more than once during a twelve (12)
month period, the Plan may charge you a reasonable fee for the second and any
subsequent accounting statements. The accounting will not include disclosures of Your
Protected Health Information made in accordance with federal law: to carry out
treatment, payment or health care operations activities; to you; pursuant to your written
authorization; for national security or intelligence purposes; or to correctional institutions
or law enforcement officials.
F. Right to Receive Paper Copy of this Notice. Upon request, you may obtain a paper copy
of this Notice, even if you agreed to receive such notice electronically.
G. Personal Representatives. You may exercise your rights through a personal
representative, who will be required by a Plan to produce evidence of his or her authority
to act on your behalf. Proof of authority may be made, for example, by a notarized power
of attorney or a court order appointing the person as your legal guardian or
conservator. The Plan reserves the right to deny access to your personal representative.
H. For Further Information; Complaints. If you desire further information about your
privacy rights, are concerned that a Plan has violated your privacy rights or disagree with
a decision that a Plan made about access to Your Protected Health Information, you may
contact the Plans' Privacy Officer. You may also file a written complaint with the
Secretary of the U.S. Department of Health and Human Services. Upon request, the
Privacy Officer will provide you with the correct address for the Secretary. The Plans
will not retaliate against you if you file a complaint with them or the Secretary.
VI. Effective Date and Duration of This Notice
A. Effective Date: This Notice is effective on ____________, 20__.
B. Right to Change Terms of this Notice. The Plan Sponsor may change the terms of this
Notice at any time. If the Plan Sponsor changes this Notice, it may make the new notice
terms effective for all of Your Protected Health Information that it maintains, including
any information created or received prior to issuing the new notice. If the Plan Sponsor
changes this Notice, it will send the new notice to you if you are then covered by the
Plans. You also may obtain any new notice by contacting the Privacy Officer.
C. Limitation on Application of Notice. This Notice does not apply to information that does
not identify an Individual and with respect to which there is no reasonable basis to
believe that the information can be used to identify an Individual. In addition, the Plans
may use or disclose "summary health information" to the Plan Sponsor for its purposes of
obtaining premium bids or modifying, amending or terminating a Plan. Summary health
information is information that summarizes claims history, claims expenses or types of
claims experienced by individuals for whom the Plan Sponsor provides benefits under the
Plans and from which the individual identifying information, except for five-digit zip
codes, has been deleted. The Plan and Plan Sponsor also may use or disclose eligibility
and enrollment information without your authorization.
VII. Privacy Officer
The Assistant City Administrator has been designated as the City of Shakopee's Privacy
Officer. You may contact the Privacy Officer at:
Privacy Officer
City of Shakopee Organized Health Care Arrangement
129 Holmes St. S.
Shakopee, MN 55379
Telephone Number: (952) 233-9312
E-mail: kwilson@ci.shakopee.mn.us