15.E.1. Adopting the HIPAA Policies and Procedures - Res. No. 6107

CITY OF SHAKOPEE
Memorandum

TO: Mayor and City Council Members
Mark McNeill, City Administrator
FROM: Marilyn Remer, Payroll/Benefits Coordinator
DATE: August 30, 2004
Re: Health Insurance Portability & Accountability Act (HIPAA) Privacy Standards

Background & Information:

Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to reform health care. It is intended to streamline industry inefficiencies, reduce paperwork, make it possible for workers to switch jobs even if they or a family member has a pre-existing condition, and protect the privacy of individual health information. There are three components to HIPAA's administrative simplification regulations:

- Electronic Data Interchange (EDI) Standards (completed 2003)
- Privacy Standards (2004)
- Security Standards (2006)

HIPAA requires covered entities to establish and implement policies and procedures reflecting HIPAA's privacy mandates. This will fulfill the requirements of the second phase of the Act. The City of Shakopee's health plans, including the flexible spending plan (medical reimbursement account), are subject to HIPAA privacy requirements.

The League of Minnesota Cities worked with Darcy Hitesman of the Haynes and Hitesman law firm to develop a template of HIPAA policies and procedures that cities are able to customize to their particular needs. The League negotiated a discounted fee with Haynes & Hitesman for individualized city assistance in developing these policies and procedures. Ms. Hitesman has reviewed the city's policies and procedures and conducted a "walk through" of city practices to determine how they relate to the policies.
The City of Shakopee HIPAA Policies and Procedures and Administrative Forms has been developed, which establishes the required policies and procedures with respect to protected health information. The plan requires the designation of a HIPAA Privacy Officer. The Plan appoints the City Administrator as the Health Plan's Privacy Officer. The HIPAA Privacy Officer may delegate certain job functions to be performed by other individuals; however, the ultimate responsibility for compliance with HIPAA remains with the HIPAA Privacy Officer. Sections 1-3 are attached, which provide an overview of the policy. The entire document (120 pages) may be obtained upon request.

Action Requested:

Adopt Resolution No. 6107, A RESOLUTION ADOPTING HIPAA POLICIES & PROCEDURES AND ADMINISTRATIVE FORMS FOR THE CITY OF SHAKOPEE.

RESOLUTION NO. 6107
A RESOLUTION ADOPTING HIPAA POLICIES & PROCEDURES AND ADMINISTRATIVE FORMS FOR THE CITY OF SHAKOPEE

WHEREAS, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to reform health care; and

WHEREAS, the City's health plans are required to comply with the Privacy Standards promulgated by the Department of Health and Human Services under the Health Insurance Portability and Accountability Act (HIPAA); and

WHEREAS, HIPAA Privacy Standards mandate that the City establish and implement policies and procedures with respect to protected health information.

NOW, THEREFORE, BE IT RESOLVED, that the City Council of the City of Shakopee hereby adopts the HIPAA POLICIES & PROCEDURES AND ADMINISTRATIVE FORMS FOR THE CITY OF SHAKOPEE.

Adopted in ________ session of the City Council of the City of Shakopee, Minnesota, held this ____ day of ________, 2004.

Mayor of the City of Shakopee

ATTEST:
City Clerk

City of Shakopee
HIPAA POLICIES & PROCEDURES AND ADMINISTRATIVE FORMS

TABLE OF CONTENTS

1. HIPAA Privacy Policies & Procedures Overview (Policy & Procedure)
2. HIPAA Privacy Officer (Policy & Procedure)
3. Notice of Privacy Practices (Policy & Procedure)
   a. Notice of Privacy Practice for Organized Health Care Arrangement (Administrative Form)
4. Use or Disclosure of PHI for TPO Purposes (Policy & Procedure)
5. Minimum Necessary Standard (Policy & Procedure)
6. Individual's Rights to Access and Copy PHI (Policy & Procedure)
   a. Request to Access Own PHI (Administrative Form)
   b. Grant of Request to Access Own PHI (Administrative Form)
   c. Notification of Additional Time to Respond to Access to Own PHI (Administrative Form)
   d. Denial of Request to Access Own PHI (Administrative Form)
   e. Access Request Tracking Log (Administrative Form)
7. Amendment of PHI (Policy & Procedure)
   a. Request for Amendment of PHI (Administrative Form)
   b. Grant of Amendment of PHI Request (Administrative Form)
   c. Notification of Additional Time to Respond to Amendment of PHI (Administrative Form)
   d. Denial of Request for Amendment of PHI (Administrative Form)
   e. Notice to Others of Amendment of PHI (Administrative Form)
   f. Requestor's List of Persons or Entities to Be Notified of Amendment (Administrative Form)
   g. Amendment Request Tracking Log (Administrative Form)
8. Accounting of Disclosures of PHI (Policy & Procedure)
   a. Request for An Accounting of Disclosures (Administrative Form)
   b. Accounting of Disclosures of PHI (Administrative Form)
   c. Notification of Additional Time to Respond to Accounting Request (Administrative Form)
   d. Notification of Charges for Second Request in 12 Month Period (Administrative Form)
   e. Accounting Request Tracking Log (Administrative Form)
   f. Disclosure Tracking Log (Administrative Form)
9. Verification Prior to Disclosure of PHI (Policy & Procedure)
   a. Disclosure Tracking Log (Administrative Form)
10. Individual Requested Restrictions of Use or Disclosure of PHI (Policy & Procedure)
   a. Request to Restrict Certain Uses and Disclosures (Administrative Form)
   b. Response to Request to Restrict Certain Uses and Disclosures (Administrative Form)
11. Individual Requested Restrictions on Confidential Communications (Policy & Procedure)
   a. Request for Confidential Communications (Administrative Form)
   b. Restricted Uses and Confidential Communication Request Tracking Log (Administrative Form)
12. Privacy Complaint Procedure (Policy & Procedure)
   a. Privacy Complaint Form (Administrative Form)
   b. Response to Privacy Complaint (Administrative Form)
   c. Complaint Tracking Log (Administrative Form)
13. Authorization for Use or Disclosure of PHI (Policy & Procedure)
   a. Authorization for Use or Disclosure (Administrative Form)
14. Revocation of an Authorization (Policy & Procedure)
   a. Revocation by Subject of Protected Health Information (Administrative Form)
15. Business Associates and Business Associate Agreements (Policy & Procedure)
16. Retention of PHI Documentation (Policy & Procedure)
17. HIPAA Privacy Training Program (Policy & Procedure)
   a. Acknowledgment of Training Attendance (Administrative Form)
18. Personal Representative (Policy & Procedure)
   a. Designation of Personal Representative (Administrative Form)
19. Coordination with Other Laws (Policy & Procedure)
20. Disclosures to Plan Sponsor (Policy & Procedure)
21. Duty to Mitigate (Policy & Procedure)
22. Discipline Policy (Policy & Procedure)
23. Administrative Safeguards (Policy & Procedure)
   1. Computer Terminals/Workstations (Policy & Procedure)
   2. Electronic Mail System (E-mail) (Policy & Procedure)
   3. Facsimile Machines (Policy & Procedure)
   4. Copy Machines (Policy & Procedure)
   5. Mail - Internal and External (Policy & Procedure)
   6. Storage of Documents (Policy & Procedure)

1. HIPAA Privacy Policies and Procedures Overview

Policy Statement

HIPAA requires covered entities to have policies and procedures reflecting HIPAA's privacy mandates. The Health Plan, as a covered entity, has developed administrative policies and procedures reflecting the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy regulations.
Policy Interpretation and Implementation

HIPAA Policies and Procedures
1. HIPAA requires covered entities to have policies and procedures to ensure compliance with HIPAA's regulations. A health plan is a "covered entity" under HIPAA. Consequently, the Health Plan is responsible for the research, development, implementation, monitoring and maintenance of the Health Plan's HIPAA privacy policies and procedures.

Health Plan
2. HIPAA defines a "health plan" as an individual or group health plan that provides or pays the cost of medical care, including, but not limited to, employee welfare benefit plans covered by ERISA, health insurers, HMOs, group health plans, and many public benefit programs (Medicaid, Medicare, etc.).

Revisions to HIPAA Policies and Procedures
3. The Health Plan's HIPAA privacy policies and procedures may be revised at any time, in order to comply or enhance compliance with HIPAA.

Distribution of Revisions to HIPAA Policies and Procedures
4. Any revisions to the Health Plan's HIPAA privacy policies and procedures will be distributed to individuals, family members, representatives, employees, business associates, etc., within five (5) working days of the release of such revisions.

Policy Inquiries
5. Inquiries relative to HIPAA policies and procedures should be directed to the HIPAA Privacy Officer.

Specific Policies and Procedures
6. The Health Plan's specific policies and procedures have been created in order to satisfy HIPAA's requirements.

Organized Health Care Arrangement (OHCA)
7. HIPAA recognizes Organized Health Care Arrangements (OHCAs). An OHCA can exist when an employer sponsors more than one health plan that is a covered entity. Being part of an OHCA allows the covered entities to satisfy the HIPAA privacy requirements together, as if they are a single covered entity. The following covered entities are designated as an OHCA: Medica, Delta Dental, Acclaim Benefits & Post Employment Health Plan (PEHP). For purposes of these HIPAA privacy policies and procedures, "Health Plan" means the OHCA designated above.

Third Party Service Providers
8. Nothing precludes the Health Plan from contracting with a third party service for assistance in complying with the Health Plan's HIPAA privacy policies and procedures.

Other Laws
9. In addition to HIPAA, covered entities may be subject to other laws that address the privacy of health information, including, but not limited to, the Minnesota Data Practices Act. HIPAA establishes a floor - the minimum requirements with which a covered entity must comply. To the extent the requirements of any other law provide more protection to the subject of the health information, those requirements will apply.

Record Retention
10. A copy of all HIPAA covered information and any revisions shall be maintained for a period of at least six (6) years. Such retention may be in printed or electronic format, or both.

HIPAA Privacy Officer
11. The HIPAA Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The HIPAA Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. If you have a question or concern about your HIPAA rights, contact the HIPAA Privacy Officer during regular business office hours, Monday through Friday, except holidays, at (952) 233-3800.

Violations
12. Violations of this policy will be subject to discipline.

Effective Date
13. April 14, 2004

References: 45 C.F.R. § 164.501

Form 1 - HIPAA Privacy Policies & Procedures Overview. League of Minnesota Cities HIPAA Policies & Procedures Guide. Copyright © 2004 by League of Minnesota Cities. All rights reserved.

2. HIPAA Privacy Officer

Policy Statement

A HIPAA Privacy Officer has been designated by this Health Plan to be responsible for the development and implementation of this Health Plan's HIPAA policies and procedures.

Policy Interpretation and Implementation

Appointment of HIPAA Privacy Officer
1. The Health Plan has appointed the City Administrator as the Health Plan's HIPAA Privacy Officer.

HIPAA Privacy Officer's Responsibilities
2. The HIPAA Privacy Officer's responsibilities include:
   a. Assisting management in the development, implementation, and updating of the Health Plan's HIPAA policies and procedures;
   b. Performing periodic privacy risk assessments;
   c. Development of security procedures and guidelines for the protection of the Health Plan's information systems;
   d. Assisting management in the assigning of passwords and user identification codes for access to protected health information (PHI) by authorized users;
   e. Receiving complaints concerning the Health Plan's HIPAA policies and procedures;
   f. Receiving complaints concerning the Health Plan's compliance with its established policies and procedures;
   g. Maintaining a complaint tracking log;
   h. Assisting in obtaining use and disclosure of PHI authorizations;
   i. Assisting in the development of training materials and training to ensure that relevant staff are well trained in matters relating to the use and disclosure of protected health information (PHI);
   j. Providing staff, individuals, business associates, government agencies, etc., with information relative to the Health Plan's HIPAA policies and procedures; and
   k. Working with the Health Plan's legal counsel on matters relative to HIPAA.

Delegation
3. The HIPAA Privacy Officer may delegate certain job functions to be performed by other individuals; however, the ultimate responsibility for compliance with HIPAA remains with the HIPAA Privacy Officer.

Record Retention
4. A copy of all HIPAA covered information and any revisions shall be maintained for a period of at least six (6) years. Such retention may be in printed or electronic format, or both.

HIPAA Privacy Officer
5. The HIPAA Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The HIPAA Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the HIPAA Privacy Officer during regular business office hours, Monday through Friday, except holidays, at (952) 233-3800.

Violations
6. Violations of this policy will be subject to discipline.

Effective Date
7. April 14, 2004.

References: 45 C.F.R. § 164.530(a)

Form 2 - HIPAA Privacy Officer (Policy & Procedure). League of Minnesota Cities HIPAA Policies & Procedures Guide. Copyright © 2004 by League of Minnesota Cities. All rights reserved.

3. Notice of Privacy Practices

Policy Statement

Each individual that is the subject of Protected Health Information (PHI) must receive a Notice of Privacy Practices (NPP) describing (1) the uses and disclosures of his/her PHI that may be made by or on behalf of the Health Plan, (2) the individual's rights, and (3) the Health Plan's legal duties with respect to the individual's PHI.

Policy Interpretation and Implementation

Issue of NPP
1. Individuals who are covered under the Health Plan will be provided with a copy of the Health Plan's NPP.

Content of NPP
2. NPPs must be prepared in easy to read language and contain, as a minimum, the following elements:
   a. A statement indicating how medical information about the individual may be used and disclosed and how the individual can obtain access to such information;
   b. A description, including at least one example, of the types of uses and disclosures that the Health Plan is permitted to make for purposes of treatment, payment and healthcare operations, with sufficient detail to place an individual on notice of the uses and disclosures permitted or required;
   c. A description of each of the other purposes for which the Health Plan is permitted or required to use or disclose PHI without the individual's consent or authorization, with sufficient detail to place an individual on notice of the uses and disclosures permitted or required;
   d. A statement that other uses or disclosures will be made only with the individual's written authorization, and that the authorization may be revoked in accordance with the policy on authorization;
   e. A statement of the individual's rights with respect to his/her PHI, and a brief description of how the individual may exercise those rights, including:
      i. The right to request restrictions on certain uses/disclosures of PHI, and the fact that the Health Plan does not have to agree to such restrictions;
      ii. The right to receive confidential communications of PHI;
      iii. The right to inspect and copy PHI;
      iv. The right to amend PHI;
      v. The right to receive an accounting of disclosures of PHI; and
      vi. The right to receive a paper copy of the privacy notice.
   f. A statement of the Health Plan's duties with respect to PHI, including statements:
      i. That the Health Plan is required by law to maintain the privacy of PHI and to provide individuals with notice of its legal duties and privacy practices;
      ii. That the Health Plan is required to abide by the terms of its current effective privacy notice; and
      iii. That the Health Plan reserves the right to change the terms of the notice and make a new notice provision effective for all PHI maintained, along with a description of how the Health Plan will provide individuals with the revised notice.
   g. A statement that individuals may complain to the Health Plan and to the Secretary of the U.S. Department of Health and Human Services about privacy rights violations, including a brief statement about how a complaint may be filed and an assurance that the individual will not be retaliated against for filing a complaint;
   h. The name, or title, and telephone number of the Health Plan's HIPAA Privacy Officer to contact for further information;
   i. The name, telephone number and address of the person designated by the Health Plan to receive complaints regarding the Health Plan's privacy practices; and
   j. The effective date of the NPP, which may not be earlier than the date printed or published.

Distribution of NPP
3. The Health Plan will distribute the NPPs at the times specified below:
   a. On the Health Plan's initial compliance date;
   b. At the time of enrollment in the Health Plan for new enrollees; and
   c. Within sixty (60) days of a material revision of the NPP to individuals covered by the Health Plan.
4. The NPP will be distributed no less frequently than once every three (3) years.
5. The NPP will be delivered by first class U.S. Mail to the address of record on file with the Health Plan. The NPP will be addressed to the individual, spouse and all dependents covered by the Health Plan.

Posting of NPP
6. A copy of the NPP will be posted on the web page, if one, of the employer sponsoring the Health Plan. The HIPAA Privacy Officer is responsible for prompt distribution of changes to the privacy notice.

Record Retention
7. A copy of all HIPAA covered information and any revisions shall be maintained for a period of at least six (6) years. Such retention may be in printed or electronic format, or both.

HIPAA Privacy Officer
8. The HIPAA Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The HIPAA Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the HIPAA Privacy Officer during regular business office hours, Monday through Friday, except holidays, at (952) 233-3800.

Violations
9. Violations of this policy will be subject to discipline.

Effective Date
10. April 14, 2004.

References: 45 C.F.R. § 164.520

Form 3 - Notice of Privacy Practices (Policy & Procedure). League of Minnesota Cities HIPAA Policies & Procedures Guide. Copyright © 2004 by League of Minnesota Cities. All rights reserved.