HIPAA Privacy Policy

Purpose: New federal privacy regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) have been enacted which require sponsors of group health plans to comply with certain rules for sharing and disclosing Protected Health Information (PHI), amending plan documents with privacy language, preparing and distributing a Notice of Privacy Practices, and other related activities. The new regulations also provide individuals with new rights, including the right to access their PHI in a Designated Record Set, the right to amend or append to the PHI and the right to request restrictions on use and disclosure of their PHI. The policy will be effective September 14, 2004.

Scope of Policy: Lewis & Clark College is the plan sponsor for our Personal Choice Plan (Health Care reimbursement, Dependent Care reimbursement) and the Employee Assistance Program (which are referred to in this Policy as the Plans). Although Lewis & Clark College's other health plans are designed to comply with HIPAA rules, this policy covers only the Plans. The plan documents describing the plans should be referred to as the "Plan Documents."

Policy Statement: The regulations allow the plan sponsor to provide PHI to treating health care providers and the plan's contract claims payers and other business associates as may be required for health care operations purposes.

As a Covered Entity under the HIPAA Privacy Rule, Lewis & Clark College (the "College") is required to comply with the privacy requirements, including amending Plan Document(s) with privacy language, creating and distributing a HIPAA privacy policy, designating a Privacy Officer, training employees who receive or handle PHI and ensuring that our procedures for using, disclosing or sharing PHI fully comply with the new HIPAA privacy requirements.

HIPAA and its implementing regulations restrict the Plan's ability to use and disclose PHI, defined as:

Information that is created or received by the Plan(s) and relates to the past, present, or future physical or mental health condition of a participant; the provision of health care to a participant; or the past, present or future payment for the provision of health care to a participant; and that identifies the participant or for which there is a reasonable basis to believe the information can be used to identify the participant. PHI includes information about persons living or deceased.

It is the College's policy to comply fully with HIPAA's requirements. To that end, all members of the College's workforce who have access to PHI must comply with this Privacy Policy. For purposes of this Policy, the College's workforce includes individuals who would be considered part of the workforce under HIPAA such as employees, volunteers, trainees, and other persons whose work performance is under the direct control of the College, whether or not they are paid by the College. The term "employee" includes all of these types of workers.

No third party rights (including, but not limited to, rights of Plan participants, beneficiaries, covered dependents, or business associates) are intended to be created by this Policy. The College reserves the right to amend or change this Policy at any time (and even retroactively) without notice. Any such amendment shall be in writing, signed on behalf of the College and state its intention to amend this Policy. To the extent this Policy establishes requirements and obligations above and beyond those required by HIPAA, the Policy shall be aspirational and shall not be binding upon the College. This Policy does not address requirements under other federal laws or under state laws.

Procedures:

College's Responsibilities as Covered Entity

I. Privacy Officer and Contact Person

The Assistant Vice President for Human Resources is the Privacy Officer for the College. The Privacy Officer will be responsible for the development and implementation of policies and procedures relating to privacy including, but not limited to, this Privacy Policy. The Privacy Officer will also serve as the contact person for participants who have questions, concerns, or complaints about the privacy of their PHI. Any decision by the Officer within the Officer's authority shall be final and bind all parties. The Officer shall have absolute discretion to carry out the responsibilities pursuant to this Policy.

Any person serving as the Officer may resign on 15 days' advance written notice to the College. The College may remove the Officer without having to show cause. The College shall appoint a new Officer as soon as reasonably practicable. Until a new appointment is made, the College's General Counsel shall serve as the Officer.

If the College approves, the Officer may delegate all or part of its administrative duties to one or more agents and may retain advisors to assist it. The Officer may consult with and rely upon the advice of counsel, who may be counsel for the College.

All College functions or responsibilities shall be exercised by the President of the College, who may delegate all or any part of these functions.

II. Workforce Training

It is the College's policy to train members of its workforce on its privacy policies and procedures. The Privacy Officer is charged with developing training schedules and programs so that all workforce members receive the training necessary and appropriate to permit them to carry out their functions.

III. Technical and Physical Safeguards and Firewall

The College will establish appropriate technical and physical safeguards to prevent PHI from intentionally or unintentionally being used or disclosed in violation of HIPAA's requirements. Technical safeguards include limiting access to information by creating computer firewalls. Physical safeguards include locking doors or filing cabinets to the extent applicable.

Firewalls are designed to ensure that only authorized employees will have access to PHI, that they will have access to only the minimum amount of PHI necessary for Plan administrative functions, and that they will not further use or disclose PHI in violation of HIPAA's privacy rules.

IV. Privacy Notice

The Privacy Officer is responsible for developing and maintaining a notice of the College's privacy practices that describes:

  • the uses and disclosures of PHI that may be made by the College;
  • the individual's rights; and
  • the College's legal duties with respect to the PHI.

The privacy notice will inform participants that the College will have access to PHI in connection with Plan(s) administrative functions. The privacy notice will also provide a description of the College's complaint procedures, the name and telephone number of the contact person for further information, and the date of the notice.

The notice of privacy practices will be individually delivered to all participants:

  • immediately upon completion;
  • on an ongoing basis, at the time of an individual's enrollment in Plan(s); and
  • within 60 days after a material change to the notice.

The College will also provide notice of availability of the privacy notice at least once every three years.

V. Complaints

The Privacy Officer will be the College's contact person for receiving complaints.

The Privacy Officer is responsible for creating a process for individuals to lodge complaints about the College's privacy procedures and for creating a system for handling such complaints. A copy of the complaint procedure shall be provided to any participant upon request.

VI. Sanctions for Violations of Privacy Policy

Sanctions for using or disclosing PHI in violation of this HIPAA Privacy Policy will be imposed in accordance with College policy up to, and including, termination.

VII. Mitigation of Inadvertent Disclosures of PHI

The College shall mitigate, to the extent possible, any harmful effects that become known to it of a use or disclosure of an individual's PHI in violation of the policies and procedures set forth in this Policy. If an employee becomes aware of a disclosure of PHI, either by an employee of the College or an outside consultant/contractor who does not comply with this Policy, the employee shall immediately contact the Privacy Officer so that the appropriate steps to mitigate the harm to the participant can be taken.

VIII. No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy

No employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA.

No individual shall be required to waive his or her privacy rights under HIPAA as a condition of treatment, payment, enrollment or eligibility.

IX. Plan Documents

The Plan Documents include provisions to describe the permitted and required uses and disclosures of PHI by the College for administrative purposes under the Plans by reference and incorporation of this Policy. Specifically, the College is required to:

  • not use or further disclose PHI other than as permitted by the Plan Documents or as required by law;
  • ensure that any agents or subcontractors to whom it provides PHI agree to the same restrictions and conditions that apply to the College;
  • not use or disclose PHI for employment-related actions or in connection with any other employee benefit plan;
  • report to the Privacy Officer any use or disclosure of the information that is inconsistent with the permitted uses or disclosures;
  • make PHI available to plan participants, consider their amendments and, upon request, provide them with an accounting of PHI disclosures;
  • make the College's internal practices and records relating to the use and disclosure of PHI received from the College available to the Department of Health & Human Services (DHHS) upon request; and
  • if feasible, return or destroy all PHI received from the Plan(s) that the College still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

X. Documentation

The College's privacy policies and procedures shall be documented and maintained for at least six years. Policies and procedures must be changed as necessary or appropriate to comply with changes in the law, standards, requirements and implementation specifications (including changes and modifications in regulations). Any changes to policies or procedures must be promptly documented.

If a change in law impacts the privacy notice, the privacy policy must promptly be revised and made available. Such change is effective only with respect to PHI created or received after the effective date of the notice.

The College shall document certain events and actions (including authorizations, requests for information, sanctions, and complaints) relating to an individual's privacy rights.

The documentation of any policies and procedures, actions, activities and designations may be maintained in either written or electronic form. Covered entities must maintain such documentation for at least six years.

USE AND DISCLOSURES OF PHI:

I. Use and Disclosure Defined

The College will use and disclose PHI only as permitted under HIPAA. The terms "use" and "disclosure" are defined as follows:

  • eligibility and coverage determinations;
  • related health care data processing.

Health Care Operations. Health care operations, in relation to the covered Plans, mean any of the following activities to the extent that they are related to plan administration:

  • conducting quality assessment and improvement activities;
  • reviewing health Plan(s) performance;
  • business planning and development; and
  • business management and general administrative activities.

V. No Disclosure of PHI for Other Benefit Plan Purposes

PHI may not be used or disclosed for the payment or operations of the College’s other benefits (e.g., long-term disability, life insurance, medical insurance, dental insurance, etc.), unless the participant has provided an authorization for such use or disclosure (as discussed in "Disclosures Pursuant to an Authorization") or such use or disclosure is required by applicable state law and particular requirements under HIPAA are met.

VI. Mandatory Disclosures of PHI: to Individual and Department of Health and Human Services (DHHS)

A participant's PHI must be disclosed as required by HIPAA in two situations:

The disclosure is to the individual who is the subject of the information (see the policy for "Access to Protected Information and Request for Amendment" that follows); or the disclosure is made to DHHS for purposes of enforcing HIPAA.

VII. Permissive Disclosures of PHI: for Legal and Public Policy Purposes

PHI may be disclosed in the following situations without a participant's authorization, when specific requirements are satisfied. Permitted are disclosures:

  • about victims of abuse, neglect or domestic violence;
  • for judicial and administrative proceedings;
  • for law enforcement purposes;
  • for public health activities;
  • for health oversight activities;
  • about decedents;
  • for cadaveric organ, eye or tissue donation purposes;
  • for certain limited research purposes;
  • to avert a serious threat to health or safety;
  • for specialized government functions; and
  • that relate to workers' compensation programs.

VIII. Disclosures of PHI Pursuant to an Authorization

PHI may be disclosed for any purpose if an authorization that satisfies all of HIPAA's requirements for a valid authorization is provided by the participant. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization.

IX. Complying With the "Minimum-Necessary" Standard

HIPAA requires that when PHI is used or disclosed, the amount disclosed generally must be limited to the "minimum necessary" to accomplish the purpose of the use or disclosure.

The "minimum-necessary" standard does not apply to any of the following:

  • uses or disclosures made to the individual;
  • uses or disclosures made pursuant to a valid authorization;
  • disclosures made to the Department of Labor;
  • uses or disclosures required by law; and
  • uses or disclosures required to comply with HIPAA.

Minimum Necessary When Disclosing PHI.

All disclosures must be considered on an individual basis to ensure that the amount of information disclosed is the minimum necessary to accomplish the purpose of the disclosure.

Minimum Necessary When Requesting PHI.

All requests must be reviewed to ensure that the amount of information requested is the minimum necessary to accomplish the purpose of the disclosure.

X. Disclosures of PHI to Business Associates

Employees may disclose PHI to the College's business associates and allow the College’s business associates to create or receive PHI on its behalf. However, prior to doing so, the College must first obtain assurances from the business associate that it will appropriately safeguard the information. Before sharing PHI with outside consultants or contractors who meet the definition of a "business associate," employees must contact the Privacy Officer and verify that a business associate contract is in place.

Business Associate is an entity that:

  1. performs or assists in performing a Plan function or activity involving the use and disclosure of protected health information (including claims processing or administration, data analysis, underwriting, etc.); or
  2. provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation, or financial services where the performance of such services involves giving the service provider access to PHI.

XI. Disclosures of De-Identified Information

The College may freely use and disclose de-identified information. De-identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. There are two ways a covered entity can determine that information is de-identified: either by professional statistical analysis, or by removing 18 specific identifiers.

INDIVIDUAL RIGHTS:

Access to Protected Health Information and Requests for Amendment

HIPAA gives participants the right to access and obtain copies of their PHI that the College (or its business associates) maintains in designated record sets. HIPAA also provides that participants may request to have their PHI amended. The College will provide access to PHI and it will consider requests for amendment that are submitted in writing by participants.

Designated Record Set is a group of records maintained by or for the College that includes:

  • the enrollment and transfer of funds by or for the Plan(s); or
  • other PHI used, in whole or in part, by or for the Plan to make coverage decisions about an individual.

I. Accounting

An individual has the right to obtain an accounting of certain disclosures of his or her own PHI. This right to an accounting extends to disclosures made in the last six years and after the effective date of this policy, other than disclosures:

  • to carry out treatment, payment or health care operations;
  • to individuals about their own PHI;
  • incident to an otherwise permitted use or disclosure;
  • pursuant to an authorization;
  • for purposes of creation of a facility directory or to persons involved in the patient's care or other notification purposes;
  • as part of a limited data set; or
  • for other national security or law enforcement purposes.

The College shall respond to an accounting request within 60 days. If the College is unable to provide the accounting within 60 days, it may extend the period by 30 days, provided that it gives the participant notice (including the reason for the delay and the date the information will be provided) within the original 60-day period.

The accounting must include the date of the disclosure, the name of the receiving party, a brief description of the information disclosed, and a brief statement of the purpose of the disclosure (or a copy of the written request for disclosure, if any).

The first accounting in any 12-month period shall be provided free of charge. The Privacy Officer may impose reasonable production and mailing costs for subsequent accountings.

II. Requests for Alternative Communication Means or Locations

Participants may request to receive communications regarding their PHI by alternative means or at alternative locations. For example, participants may ask to be called only at work rather than at home. Such requests may be honored if, in the sole discretion of the College, the requests are reasonable.

However, the College shall accommodate such a request if the participant clearly provides information that the disclosure of all or part of that information could endanger the participant. The Privacy Officer has responsibility for administering requests for confidential communications.

III. Requests for Restrictions on Uses and Disclosures of Protected Health Information

A participant may request restrictions on the use and disclosure of the participant's PHI. It is the College's policy to attempt to honor such requests if, in the sole discretion of the College, the requests are reasonable. The College's human resources or benefits department, as applicable, is charged with responsibility for administering requests for restrictions.

Approved by the Executive Council, August 23, 2004.