15.E.1. Adopting the HIPAA Policies and Procedures - Res. No. 6107
CITY OF SHAKOPEE
Memorandum
TO: Mayor and City Council Members
Mark McNeill, City Administrator
FROM: Marilyn Remer, Payroll/Benefits Coordinator
DATE: August 30, 2004
Re: Health Insurance Portability & Accountability Act (HIPAA)
Privacy Standards
Background & Information:
Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to reform health care. It is intended to streamline industry inefficiencies, reduce paperwork, make it possible for workers to switch jobs even if they or a family member has a pre-existing condition, and protect the privacy of individual health information. There are three components to HIPAA's administrative simplification regulations:
• Electronic Data Interchange (EDI) Standards (completed 2003)
• Privacy Standards (2004)
• Security Standards (2006)
HIPAA requires covered entities to establish and implement policies and procedures reflecting HIPAA's privacy mandates. This will fulfill the requirements of the second phase of the Act. The City of Shakopee's health plans, including the flexible spending plan (medical reimbursement account), are subject to HIPAA privacy requirements.
The League of Minnesota Cities worked with Darcy Hitesman of the Haynes and Hitesman law firm to develop a template of HIPAA policies and procedures that cities can customize to their particular needs. The League negotiated a discounted fee with Haynes & Hitesman for individualized city assistance in developing these policies and procedures. Ms. Hitesman has reviewed the city's policies and procedures and conducted a "walk through" of city practices to determine how they relate to the policies. The City of Shakopee HIPAA Policies and Procedures and Administrative Forms has been developed, establishing the required policies and procedures with respect to protected health information.
The plan requires the designation of a HIPAA Privacy Officer. The Plan appoints the City Administrator as the Health Plan's Privacy Officer. The HIPAA Privacy Officer may delegate certain job functions to be performed by other individuals; however, the ultimate responsibility for compliance with HIPAA remains with the HIPAA Privacy Officer.
Sections 1-3, which provide an overview of the policy, are attached. The entire document (120 pages) may be obtained upon request.
Action Requested:
Adopt Resolution No. 6107, A RESOLUTION ADOPTING HIPAA POLICIES &
PROCEDURES AND ADMINISTRATIVE FORMS FOR THE CITY OF SHAKOPEE
RESOLUTION NO. 6107
A RESOLUTION ADOPTING HIPAA POLICIES & PROCEDURES AND
ADMINISTRATIVE FORMS FOR THE CITY OF SHAKOPEE
WHEREAS, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to reform health care; and
WHEREAS, the City's health plans are required to comply with the Privacy Standards promulgated by the Department of Health and Human Services under the Health Insurance Portability and Accountability Act (HIPAA); and
WHEREAS, HIPAA Privacy Standards mandate that the city establish and implement policies and procedures with respect to protected health information.
NOW, THEREFORE, BE IT RESOLVED, that the City Council of the City of Shakopee hereby adopts the HIPAA POLICIES & PROCEDURES AND ADMINISTRATIVE FORMS FOR THE CITY OF SHAKOPEE.
Adopted in session of the City Council of the City of
Shakopee, Minnesota, held this day of , 2004.
Mayor of the City of Shakopee
ATTEST:
City Clerk
City of Shakopee
HIPAA POLICIES & PROCEDURES AND ADMINISTRATIVE FORMS
TABLE OF CONTENTS
1. HIPAA Privacy Policies & Procedures Overview (Policy & Procedure)
2. HIPAA Privacy Officer (Policy & Procedure)
3. Notice of Privacy Practices (Policy & Procedure)
a. Notice of Privacy Practice for Organized Health Care Arrangement (Administrative Form)
4. Use or Disclosure of PHI for TPO Purposes (Policy & Procedure)
5. Minimum Necessary Standard (Policy & Procedure)
6. Individual's Rights to Access and Copy PHI (Policy & Procedure)
a. Request to Access Own PHI (Administrative Form)
b. Grant of Request to Access Own PHI (Administrative Form)
c. Notification of Additional Time to Respond to Access to Own PHI (Administrative Form)
d. Denial of Request to Access Own PHI (Administrative Form)
e. Access Request Tracking Log (Administrative Form)
7. Amendment of PHI (Policy & Procedure)
a. Request for Amendment of PHI Request (Administrative Form)
b. Grant of Amendment of PHI Request (Administrative Form)
c. Notification of Additional Time to Respond to Amendment of PHI (Administrative Form)
d. Denial of Request for Amendment of PHI (Administrative Form)
e. Notice to Others of Amendment of PHI (Administrative Form)
f. Requestor's List of Persons or Entities to Be Notified of Amendment (Administrative Form)
g. Amendment Request Tracking Log (Administrative Form)
8. Accounting of Disclosures of PHI (Policy & Procedure)
a. Request for An Accounting of Disclosures (Administrative Form)
b. Accounting of Disclosures of PHI (Administrative Form)
c. Notification of Additional Time to Respond to Accounting Request (Administrative Form)
d. Notification of Charges for Second Request in 12 Month Period (Administrative Form)
e. Accounting Request Tracking Log (Administrative Form)
f. Disclosure Tracking Log (Administrative Form)
9. Verification Prior to Disclosure of PHI (Policy & Procedure)
a. Disclosure Tracking Log (Administrative Form)
10. Individual Requested Restrictions of Use or Disclosure of PHI (Policy & Procedure)
a. Request to Restrict Certain Uses and Disclosures (Administrative Form)
b. Response to Request to Restrict Certain Uses and Disclosures (Administrative Form)
11. Individual Requested Restrictions on Confidential Communications (Policy & Procedure)
a. Request for Confidential Communications (Administrative Form)
b. Restricted Uses and Confidential Communication Request Tracking Log (Administrative Form)
12. Privacy Complaint Procedure (Policy & Procedure)
a. Privacy Complaint Form (Administrative Form)
b. Response to Privacy Complaint (Administrative Form)
c. Complaint Tracking Log (Administrative Form)
13. Authorization for Use or Disclosure of PHI (Policy & Procedure)
a. Authorization for Use or Disclosure (Administrative Form)
14. Revocation of an Authorization (Policy & Procedure)
a. Revocation by Subject of Protected Health Information (Administrative Form)
15. Business Associates and Business Associate Agreements (Policy & Procedure)
16. Retention of PHI Documentation (Policy & Procedure)
17. HIPAA Privacy Training Program (Policy & Procedure)
a. Acknowledgment of Training Attendance (Administrative Form)
18. Personal Representative (Policy & Procedure)
a. Designation of Personal Representative (Administrative Form)
19. Coordination with Other Laws (Policy & Procedure)
20. Disclosures to Plan Sponsor (Policy & Procedure)
21. Duty to Mitigate (Policy & Procedure)
22. Discipline Policy (Policy & Procedure)
23. Administrative Safeguards (Policy & Procedure)
1. Computer Terminals/Workstations (Policy & Procedure)
2. Electronic Mail System (E-mail) (Policy & Procedure)
3. Facsimile Machines (Policy & Procedure)
4. Copy Machines (Policy & Procedure)
5. Mail - Internal and External (Policy & Procedure)
6. Storage of Documents (Policy & Procedure)
1. HIPAA Privacy Policies and Procedures Overview
Policy Statement
HIPAA requires covered entities to have policies and procedures reflecting HIPAA's privacy mandates.
The Health Plan, as a covered entity, has developed administrative policies and procedures reflecting the
Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy regulations.
Policy Interpretation and Implementation
HIPAA Policies and Procedures
1. HIPAA requires covered entities to have policies and procedures to ensure compliance with HIPAA's regulations. A health plan is a "covered entity" under HIPAA. Consequently, the Health Plan is responsible for the research, development, implementation, monitoring and maintenance of the Health Plan's HIPAA privacy policies and procedures.

Health Plan
2. HIPAA defines a "health plan" as an individual or group health plan that provides or pays the cost of medical care, including, but not limited to, employee welfare benefit plans covered by ERISA, health insurers, HMOs, group health plans, and many public benefit programs (Medicaid, Medicare, etc.).

Revisions to HIPAA Policies and Procedures
3. The Health Plan's HIPAA privacy policies and procedures may be revised at any time, in order to comply or enhance compliance with HIPAA.

Distribution of Revisions to HIPAA Policies and Procedures
4. Any revisions to the Health Plan's HIPAA privacy policies and procedures will be distributed to individuals, family members, representatives, employees, business associates, etc., within five (5) working days of the release of such revisions.

Policy Inquiries
5. Inquiries relative to HIPAA policies and procedures should be directed to the HIPAA Privacy Officer.

Specific Policies and Procedures
6. The Health Plan's specific policies and procedures have been created in order to satisfy HIPAA's requirements.

Organized Health Care Arrangement (OHCA)
7. HIPAA recognizes Organized Health Care Arrangements (OHCAs). An OHCA can exist when an employer sponsors more than one health plan that is a covered entity. Being part of an OHCA allows the covered entities to satisfy the HIPAA privacy requirements together, as if they were a single covered entity. The following covered entities are designated as an OHCA:
Medica, Delta Dental, Acclaim Benefits & Post Employment Health Plan (PEHP)
For purposes of these HIPAA privacy policies and
procedures, "Health Plan" means the OHCA designated above.

Third Party Service Providers
8. Nothing precludes the Health Plan from contracting with a third party service for assistance in complying with the Health Plan's HIPAA privacy policies and procedures.

Other Laws
9. In addition to HIPAA, covered entities may be subject to other laws that address the privacy of health information, including, but not limited to, the Minnesota Data Practices Act. HIPAA establishes a floor - the minimum requirements with which a covered entity must comply. To the extent the requirements of any other law provide more protection to the subject of the health information, those requirements will apply.

Record Retention
10. A copy of all HIPAA covered information and any revisions shall be maintained for a period of at least six (6) years. Such retention may be in printed or electronic format, or both.

HIPAA Privacy Officer
11. The HIPAA Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The HIPAA Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. If you have a question or concern about your HIPAA rights, contact the HIPAA Privacy Officer during regular business office hours, Monday through Friday, except holidays, at (952) 233-3800.

Violations
12. Violations of this policy will be subject to discipline.

Effective Date
13. April 14, 2004

References:
45 C.F.R. § 164.501

Form 1 - HIPAA Privacy Policies & Procedures Overview. League of Minnesota Cities HIPAA Policies & Procedures Guide. Copyright © 2004 by League of Minnesota Cities. All rights reserved.
2. HIPAA Privacy Officer
Policy Statement
A HIPAA Privacy Officer has been designated by this Health Plan to be responsible for the development and implementation of this Health Plan's HIPAA policies and procedures.
Policy Interpretation and Implementation
Appointment of HIPAA Privacy Officer
1. The Health Plan has appointed the City Administrator as the Health Plan's HIPAA Privacy Officer.

HIPAA Privacy Officer's Responsibilities
2. The HIPAA Privacy Officer's responsibilities include:
a. Assisting management in the development, implementation, and updating of the Health Plan's HIPAA policies and procedures;
b. Performing periodic privacy risk assessments;
c. Development of security procedures and guidelines for the protection of the Health Plan's information systems;
d. Assisting management in the assigning of passwords and user identification codes for access to protected health information (PHI) by authorized users;
e. Receiving complaints concerning the Health Plan's HIPAA policies and procedures;
f. Receiving complaints concerning the Health Plan's compliance with its established policies and procedures;
g. Maintaining a complaint tracking log;
h. Assisting in obtaining use and disclosure of PHI authorizations;
i. Assisting in the development of training materials and training to ensure that relevant staff are well trained in matters relating to the use and disclosure of protected health information (PHI);
j. Providing staff, individuals, business associates, government agencies, etc., with information relative to the Health Plan's HIPAA policies and procedures; and
k. Working with the Health Plan's legal counsel on matters relative to HIPAA.

Delegation
3. The HIPAA Privacy Officer may delegate certain job functions to be performed by other individuals; however, the ultimate responsibility for compliance with HIPAA remains with the HIPAA Privacy Officer.
Record Retention
4. A copy of all HIPAA covered information and any revisions shall be maintained for a period of at least six (6) years. Such retention may be in printed or electronic format, or both.

HIPAA Privacy Officer
5. The HIPAA Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The HIPAA Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the HIPAA Privacy Officer during regular business office hours, Monday through Friday, except holidays, at (952) 233-3800.

Violations
6. Violations of this policy will be subject to discipline.

Effective Date
7. April 14, 2004.

References:
45 C.F.R. § 164.530(a)

Form 2 - HIPAA Privacy Officer (Policy & Procedure). League of Minnesota Cities HIPAA Policies & Procedures Guide. Copyright © 2004 by League of Minnesota Cities. All rights reserved.
3. Notice of Privacy Practices
Policy Statement
Each individual that is the subject of Protected Health Information (PHI) must receive a Notice of Privacy Practices (NPP) describing (1) the uses and disclosures of his/her PHI that may be made by or on behalf of the Health Plan, (2) the individual's rights, and (3) the Health Plan's legal duties with respect to the individual's PHI.
Policy Interpretation and Implementation
Issue of NPP
1. Individuals who are covered under the Health Plan will be provided with a copy of the Health Plan's NPP.

Content of NPP
2. NPPs must be prepared in easy-to-read language and contain, as a minimum, the following elements:
a. A statement indicating how medical information about the individual may be used and disclosed and how the individual can obtain access to such information;
b. A description, including at least one example, of the types of uses and disclosures that the Health Plan is permitted to make for purposes of treatment, payment and healthcare operations, with sufficient detail to place an individual on notice of the uses and disclosures permitted or required;
c. A description of each of the other purposes for which the Health Plan is permitted or required to use or disclose PHI without the individual's consent or authorization, with sufficient detail to place an individual on notice of the uses and disclosures permitted or required;
d. A statement that other uses or disclosures will be made only with the individual's written authorization, and that the authorization may be revoked in accordance with the policy on authorization;
e. A statement of the individual's rights with respect to his/her PHI, and a brief description of how the individual may exercise those rights, including:
i. The right to request restrictions on certain uses/disclosures of PHI, and the fact that the Health Plan does not have to agree to such restrictions;
ii. The right to receive confidential communications of PHI;
iii. The right to inspect and copy PHI;
iv. The right to amend PHI;
v. The right to receive an accounting of disclosures of PHI; and
vi. The right to receive a paper copy of the privacy notice.
f. A statement of the Health Plan's duties with respect to PHI, including statements:
i. That the Health Plan is required by law to maintain the privacy of PHI and to provide individuals with notice of its legal duties and privacy practices;
ii. That the Health Plan is required to abide by the terms of its current effective privacy notice; and
iii. That the Health Plan reserves the right to change the terms of the notice and make a new notice provision effective for all PHI maintained, along with a description of how the Health Plan will provide individuals with the revised notice.
g. A statement that individuals may complain to the Health Plan and to the Secretary of the U.S. Department of Health and Human Services about privacy rights violations, including a brief statement about how a complaint may be filed and an assurance that the individual will not be retaliated against for filing a complaint;
h. The name, or title, and telephone number of the Health Plan's HIPAA Privacy Officer to contact for further information;
i. The name, telephone number and address of the person designated by the Health Plan to receive complaints regarding the Health Plan's privacy practices; and
j. The effective date of the NPP, which may not be earlier than the date printed or published.

Distribution of NPP
3. The Health Plan will distribute the NPPs at the times specified below:
a. On the Health Plan's initial compliance date;
b. At the time of enrollment in the Health Plan for new enrollees; and
c. Within sixty (60) days of a material revision of the NPP to individuals covered by the Health Plan.
4. The NPP will be distributed no less frequently than once every three (3) years.
5. The NPP will be delivered by first class U.S. Mail to the address of record on file with the Health Plan. The NPP will be addressed to the individual, spouse and all dependents covered by the Health Plan.

Posting of NPP
6. A copy of the NPP will be posted on the web page, if any, of the employer sponsoring the Health Plan. The HIPAA Privacy Officer is responsible for prompt distribution of changes to the privacy notice.

Record Retention
7. A copy of all HIPAA covered information and any revisions shall be maintained for a period of at least six (6) years. Such retention may be in printed or electronic format, or both.

HIPAA Privacy Officer
8. The HIPAA Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The HIPAA Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the HIPAA Privacy Officer during regular business office hours, Monday through Friday, except holidays, at (952) 233-3800.

Violations
9. Violations of this policy will be subject to discipline.

Effective Date
10. April 14, 2004.

References:
45 C.F.R. § 164.520

Form 3 - Notice of Privacy Practices (Policy & Procedure). League of Minnesota Cities HIPAA Policies & Procedures Guide. Copyright © 2004 by League of Minnesota Cities. All rights reserved.