Policy 425.1 - Health Insurance Portability and Accountability Act (HIPAA)

Minnetonka School District #276 maintains a self-insured medical plan, a self-insured dental plan, and a medical flexible spending account (herein referred to as “Minnetonka ISD #276”), which are subject to the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)

Index: Policy 425:

425.1    Designation of a Privacy Officer

425.2    Administrative Record Retention

425.3    Mitigation of Harmful Effects

425.4    Employee Sanctions

425.5    Training for Staff

425.6    Complaint and Grievance Process

425.7    Accounting for Disclosures

425.8    Inspect and Copy

425.9    Request Amendment

425.10    Request Confidential Information

425.11    Request Restriction of Disclosures

425.12    Minimum Necessary Information

425.13    Personal Representative

425.14    Business Associates

425.15    Authorization and Authorization Forms

425.16    General Disclosure with Notice

425.17    Deceased Individuals

425.18    Verification of Requests for PHI (Personal Health Information)

425.19    Use and Disclosure; Employer/Plan Sponsor

425.20    Required by Law

Adopted: April 22, 2004
Procedures Effective April 14, 2004
 
 

MINNETONKA PUBLIC SCHOOL DISTRICT

Policy #425.1 HIPAA - Designation of a Privacy Officer

Designation of a Privacy Officer

Objective: Establish accountability for the protection of private health information within Minnetonka ISD # 276.

Policy:       The Privacy Officer will be appointed by the School Board by resolution and documented in such person’s job description.

The Privacy Officer for Minnetonka ISD # 276 will be the Executive Director for Finance and Operations.

The Privacy Officer will report directly to the Superintendent of Schools.

The Privacy Officer will be accountable for Minnetonka ISD # 276’s privacy program and will be responsible for:

Development and implementation of Minnetonka ISD # 276’s privacy policies and procedures.

Development and oversight of Minnetonka ISD # 276’s privacy training program.

Development and maintenance of a complaint and grievance system that encompasses the receipt and processing of internal and external complaints.

Accountable for the resolution of any actions contrary to the policies and procedures of Minnetonka ISD # 276 and/or its business associates.

Ensure the overall compliance with the appropriate documentation usage and retention within Minnetonka ISD # 276.

Keep the Minnetonka ISD # 276 workforce updated and knowledgeable of changes and current events that pertain to the privacy standard.

Report to the School Board on the state of compliance with the privacy regulations within Minnetonka ISD # 276.

Ref:    §§164.530(a), 164.526(d)(1)(iv)

Adopted: April 22, 2004

 

MINNETONKA PUBLIC SCHOOL DISTRICT

Policy #425.2 HIPAA – Administrative Record Retention

Administrative Record Retention

Objective: Establish requirements that all privacy documentation be maintained in written or electronic form for a specified period of time.

Policy:    All privacy policies and procedures and all communications, actions, activities or designations required to be maintained pursuant to the enclosed policies will be maintained in written and/or electronic form for the time period required by law.

Procedure:

  1. All required documents shall be maintained in written or electronic form for:
     
    1. Six years from the date of the required document’s creation or the date when the required document was last in effect, whichever is later, or
       
    2.  Longer if required by law.
       
  2. All hard copies of the required documents will be kept.
     
  3. All documentation, once expired, will be disposed of in accordance with the State of Minnesota's record destruction policies.
Ref:    
§§164.530(j); 164.508; 164.512(i);
164.520(e); 164.522; 164.524(e); 164.526(f);
164.528(d); 164.530(i)(3); 164.520(b)(3)
 
Policy Effective Date: April 22, 2004
Procedure Effective: April 14, 2004



 

MINNETONKA PUBLIC SCHOOL DISTRICT

Policy #425.3 HIPAA – Mitigation of Harmful Effects

Mitigation of Harmful Effects

Objective:    Mitigate the harmful effects of violations of the privacy policies and procedures or the HIPAA privacy standards known to Minnetonka ISD #276.

Policy:    Minnetonka ISD #276 shall mitigate, to the extent practical, any harmful effect that is known to Minnetonka ISD #276 to have occurred as a result of a use or disclosure of Protected Health Information in violation of the requirements of the Privacy Rule, Minnetonka ISD #276’s policies and procedures, or any applicable law.

Procedure:

  1. The Privacy Officer, in the event of a violation of which Minnetonka ISD #276 is aware, by Minnetonka ISD #276 or a business associate of Minnetonka ISD #276, of Minnetonka ISD #276’s privacy policies and procedures or applicable law, shall develop and implement a plan to take reasonable steps to determine the harmful effects of such violation, based on its knowledge of where or how PHI has been inappropriately used or disclosed, how it might be used to cause harm to an individual, and what steps can actually have a mitigating effect in the particular situation.
  2. The plan shall be tailored to the circumstances of each case, but may include as appropriate, the following elements:
  • Identifying the source(s) of the disclosure and taking appropriate corrective action.
  • Contacting the recipient of the information that was the subject of the unauthorized disclosure and requesting that such recipient either destroy or return the information.
  • Instructing such recipient to make no further disclosures of such information.
  • Depending on the circumstances, notifying the individual whose Protected Health Information was the subject of the unauthorized disclosure.
  • Reviewing, and correcting where appropriate, any policy or procedure of Minnetonka ISD #276 that directly caused or contributed to the unauthorized disclosure.
  1. Members of Minnetonka ISD #276’s workforce who know of a harmful effect of a privacy violation shall alert the Privacy Officer.
     
  2. The Privacy Officer with the advice of legal counsel will take practicable corrective actions.
     
  3. Minnetonka ISD #276 shall not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against employees or others who may:
  • File a complaint with the Secretary of Health and Human Services.
  • Testify, assist or participate in an investigation, compliance review, proceeding, or hearing related to a use or disclosure of PHI.
  • Opposing any act or practice related to the use or disclosure of PHI.

Ref:    §164.530(f)

Policy Effective Date: April 22, 2004
Procedure Effective: April 14, 2004


 

MINNETONKA PUBLIC SCHOOL DISTRICT

Policy #425.4 HIPAA – Employee Sanctions

Employee Sanctions

Objective:  Provide processes for reporting of non-compliance with Minnetonka ISD #276’s Privacy Policies and Procedures and to impose sanctions for non-compliance

Policy:    Minnetonka ISD #276 shall implement sanctions, to the extent practical, when PHI is use or disclosed in violation of the requirements of the Privacy Rule, Minnetonka ISD #276’s policies and procedures or any applicable law by either members of Minnetonka ISD #276’s workforce or its Business Associates.

Procedure:

  1. All employees of Minnetonka ISD #276 will adhere to policies, standards and procedures. Violations of those policies are grounds for corrective action up to and including termination, professional discipline, and civil or criminal prosecution.
     
  2. Information regarding any unauthorized disclosure by Minnetonka ISD #276 or any of its Business Associates discovered by any employee of Minnetonka ISD #276 shall be reported promptly to the Privacy Officer.
     
  3. The Privacy Officer will handle complaints from external sources concerning violations of the privacy policies and procedures.
     
  4. All complaints, or situations that involve alleged violations, will be investigated for the severity and the intent of the infraction.
     
  5. The following sanction schedule will be followed:
     
    1. If there was no willful violation by the employee, training on the specific policy will be addressed by the Privacy Officer.
       
    2. For a second violation by the same employee of the same policy, the Privacy Officer will initiate the Minnetonka ISD #276’s disciplinary process.
       
    3. If there was knowledge of a willful violation of the privacy policies and procedures by the employee, the employee will be subject to the disciplinary process of Minnetonka ISD #276, up to and including termination.
       
  6. If a willful violation of the privacy policies and procedures is suspected, the Privacy Officer should be immediately notified.

Ref:    §§164.502(j)(1); 164.502(j)(2); 164.530(e)(1); 164.530(e)(2); 164.530(g); 164.530(j)

Policy Effective Date: April 22, 2004
Procedure Effective: April 14, 2004


 

MINNETONKA PUBLIC SCHOOL DISTRICT

Policy #425.5 HIPAA – Training for Staff

Training for Staff

Objective:    All applicable Minnetonka ISD #276 employees will be knowledgeable and consistently able to apply the privacy policies and procedures to their daily activities.

Policy:    All applicable Minnetonka ISD #276 employees will be trained and knowledgeable of the privacy policies and procedures and be able to perform their daily duties in accordance with the privacy policies and procedures.

Procedure:

  1. A training program developed by the Privacy Officer will be required for all applicable employees to participate in within 60 days of their employment with Minnetonka ISD #276.
     
  2. The Privacy Officer is responsible for the assurance of the applicable employee’s participation with the training program and for appropriate documentation within the employee file.
     
  3. Training will encompass the following but not be limited to:
     
    1. Overview of Minnetonka ISD #276’s privacy policies and procedures.
       
    2. Applicability of the policies and procedures to the employees work duties.
       
    3. Familiarity with all privacy documents such as the business associate contracts and authorizations.
       
    4. Knowledge of the employee sanctions for violations of the privacy policies and procedures.
       
    5. The complaint and grievance process.
       
    6. Individual employee rights with regards to the use and disclosure of their protected health information.
       
    7. Employee signature on an acknowledgement of training form.
       
  4. Appropriate training documentation will be kept in each employees file and maintained by the Human Resource Department.
     
  5. The training will be updated annually by the Privacy Officer to encompass the most recent changes in regulations (federal and state), and to reflect any organizational policy and procedure changes.
     
  6. Each training module will reflect the necessary differences in state law as required by the privacy regulation.

Ref:    §164.530(b)

Policy Effective Date: April 22, 2004
Procedure Effective: April 14, 2004


 

MINNETONKA PUBLIC SCHOOL DISTRICT

Policy #425.6 HIPAA – Complaint and Grievance Process

Complaint and Grievance Process

Objective:    Provide a process in which individuals can submit privacy complaints and have appropriate actions taken.

Policy:    Minnetonka ISD #276 will provide an employee complaint process that enables employees to submit their complaints and receive timely response to their submissions.

Procedure:

  1. All individual privacy complaints must be submitted to the Privacy Officer in writing. A complainant has 180 days to file a complaint from the time when the complainant knew or should have known that the act or omission occurred, unless the government waives the time limit.
     
  2. All documentation of the event will be kept by the Privacy Officer, including the protected health information affected and what other covered entities and business associates it has affected. The Privacy Official will take the appropriate actions in regards to business associates and other covered entities if the complaint involves actions or omissions of those entities.
     
  3. The Privacy Officer will determine whether there has been a breach of privacy policy and procedures and will determine the appropriate response to the complainant with the aid of legal counsel if necessary.
     
  4. The Privacy Officer will determine the need for changes to the existing policies and procedures, operational duties revised, or the need for new policies and procedures to be established.
     
  5. The Privacy Officer will respond to all complaints within 30 days and will close out the complaint noting the actions taken and the dates.
     
  6. If the complainant has gone to the Secretary of Health and Human Services (HHS) as per the privacy regulation, the Privacy Officer will conduct all necessary investigation and correspondence with the governmental agency.
     
  7. If the complaint necessitates sanctions against employees for violations of Minnetonka ISD #276’s policies and procedures, please refer to the employee sanction policy and procedure for appropriate actions.
     
  8. All privacy complaints will be documented with at least the following information:
     
    1. Identification of the complainant,
       
    2. Location of occurrence,
       
    3. Date received,
       
    4. Protected health information affected,
       
    5. Description of the acts believed to be in violation of their privacy rights,
       
    6. Any affected entities or business associates,
       
    7. Investigative actions and results,
       
    8. Actions taken to resolve the complaint,
       
    9. Documentation of any necessary employee sanction activities, and
       
    10. f a complaint has been made to the Secretary, the Privacy Officer will keep all correspondence to that entity with the complaint file.
       
  9. A complaint log will be initiated by Minnetonka ISD #276 for documentation purposes.
Ref:    
§§160.306; 160.310(b); 160.312;
164.530(a)(1)(ii); 164.530(d); 164.530(g);
164.520(b)(vi); 164.524(d)(2)(iii); 164.526(d)(iv)
 
Policy Effective Date: April 22, 2004
Procedure Effective: April 14, 2004

 

 

MINNETONKA PUBLIC SCHOOL DISTRICT

Policy #425.7 HIPAA – Accounting for Disclosures

Accounting for Disclosures

Objective:    Define Minnetonka ISD #276’s responsibility with regards to complying with request for an accounting of all use and disclosures of PHI.

Policy:    Upon the individual’s or the Personal Representative’s request, Minnetonka ISD #276 will provide the requestor with an accounting of all disclosures in accordance with this policy. That is any disclosure of protected health information (PHI) about the individual made by Minnetonka ISD #276 or a business associate of Minnetonka ISD #276 on or after April 14, 2003.

Procedure:

  1. An individual or his or her Personal Representative may request an accounting of all disclosures of the individual’s PHI. Any individual who contacts Minnetonka ISD #276 to obtain an accounting will be asked to submit the request in writing.
     
  2. Upon receipt of the written request for accounting of disclosures. Minnetonka ISD #276 shall provide the requestor with an accounting of disclosures during the six (6) year period immediately prior to the date of the request for an accounting. Minnetonka ISD #276 shall provide an accounting for a period of less than six (6) years only if the six (6) year period includes dates prior to April 14, 2003 or the request specifies a shorter period.

    Minnetonka ISD #276 is not required to provide an individual an accounting of disclosures of PHI that were made for the following purposes:
     
    • To carry out Treatment, Payment and health care Operations (TPO).
       
    • To the individual.
       
    • Pursuant to an Authorization
       
    • For national security or intelligence purposes;
       
    • To correctional institutions.
       
    • Any disclosure that occurred prior to April 14, 2003.
       
  3. Minnetonka ISD #276 must provide the individual with a written accounting that includes all of the following with respect to each disclosure that was made by Minnetonka ISD #276 or any of its Business Associates during the accounting period (six years from the date of the individual’s request, unless the individual requests a shorter time period):
  • Date of the disclosure;
     
  • Name of the entity or person who received the PHI and, if known, the address of such entity or person;
     
  • A brief description of the PHI disclosed; and
     
  • One of the following, as applicable:
     
  • A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure; or
     
  • A copy of a written request (if any) from the Secretary of Health and Human Services (“Secretary’s Request”) to investigate or determine the Minnetonka ISD #276’s compliance with the Privacy Rule (if such Secretary’s Request relates to Accountable Disclosures during the accounting period); or
  1. Within ten (10) days after Minnetonka ISD #276’s receipt of a written request for an accounting, Minnetonka ISD #276 must provide the individual one of the following:
    • A written accounting as described above.
       
    • If Minnetonka ISD #276 is unable to provide the written accounting within ten (10) days of Minnetonka ISD #276’s receipt of the individual’s written request, then a written statement of the reasons for the delay and the date by which Minnetonka ISD #276 will provide the accounting (which under no circumstance may be later than ninety (90) days from the date of Minnetonka ISD #276’s receipt of the patient’s initial written request.
       
  2. Minnetonka ISD #276 shall retain each written accounting that it creates in accordance with this policy and each written response it provides to an individual for a period of six (6) years from the date that the written accounting other written response, as applicable, is created.
     

Ref:    §§164.508;164.512;164.528;164.530(j)

Policy Effective Date: April 22, 2004
Procedure Effective: April 14, 2004


 

MINNETONKA PUBLIC SCHOOL DISTRICT

Policy #425.8 HIPAA – Inspect and Copy

Inspect and Copy

Objective:    Establish guidelines regarding an individual’s right to inspect or copy their protected health information.

Policy:    Minnetonka ISD #276 will allow individuals to inspect and copy their protected health information unless otherwise prohibited by this policy or law. Minnetonka ISD #276 may deny access to protected health information as prohibited by this policy or law, but will allow an individual to appeal the denial.

Procedure:

  1. Minnetonka ISD #276 will allow an individual to inspect and copy their protected health information.
     
  2. The Privacy Officer should be contacted if there is any doubt as to whether an individual has the right to inspect or copy their record or if there is any concern the individual is not the appropriate person to release the information to.
     
  3. All requests for copying or inspection of their record must be fulfilled within 10 days of the request unless an extension has been filed. The extension will allow 30 more days to honor the request if the individual is provided a written statement explaining the reasons for the delay and the date by which Minnetonka ISD #276 will complete the request. The extension has to be given to the patient within the first 30 days of receipt of the request to be valid. Only one extension per request is allowed.
     
  4. A signed release form with the employee signature is required before release of any protected health information.
     
  5. Minnetonka ISD #276 will only provide the minimum requested information in the format as agreed upon by both parties.
     
  6. A summary of the requested information may be provided to the individual if they agree in advance to such a summary or explanation, and for any fees imposed for the summary or explanation.
     
  7. Fees charged to the individual for the copying or inspection of medical records (if necessary) will be limited to the following:
     
    1. The actual cost of supplies for copying and the labor costs involved for copying.
       
    2. Postage, if mailed.
       
    3. Costs of the preparation of any explanation or summary creation.
       
  8. All requests for inspection and copying will be kept in the employee’s file along with the content of the health information affected and the titles and name of the person responsible for the receipt and processing of the requests.

Ref: §164.524

Policy Effective Date: April 22, 2004
Procedure Effective: April 14, 2004
 

 

MINNETONKA PUBLIC SCHOOL DISTRICT

Policy #425.9 HIPAA – Request Amendment

Request Amendment

Objective:    Establish guidelines regarding an individual’s right to request amendments to their protected health information.

Policy:    Minnetonka ISD #276 will allow individuals to request amendments to their protected health information unless otherwise prohibited by this policy or law.

Procedure:

  1. Minnetonka ISD #276 will act on a request by an employee to amend their PHI within 60 days of the receipt of the request.
     
  2. Amendments Minnetonka ISD #276 will make to PHI would include, but is not limited to the following data:
     
    1. Patient demographic information.
       
    2. Insurance information.
       
  3. If the 60-day requirement cannot be met, the office will submit a written statement of the reasons for the delay and the completion date by which the request will be honored to the patient. This will extend the deadline for an additional 60 days.
     
  4. If an amendment is made to the PHI of an individual (change in demographics, addition to the demographic information, etc.), the employee will notify the patient of the completion of the change within a timely manner. The employee will also identify to the employee those individuals or entities with which the amendment will be shared.
     
  5. All other entities affected by the change in the PHI as determined by Minnetonka ISD #276 and shared with the employee will be notified of the amendment. Those individuals and entities as identified by the employee will also be notified. This includes but is not limited to:
     
    1. Medical groups.
       
    2. Hospitals, imaging centers, outpatient centers.
       
    3. Collection agencies.
       
    4. Statement processing companies.
       
    5. Affected insurance companies.

      If Minnetonka ISD #276 is notified by another covered entity per an amendment to patients PHI, they will affect the amendment within the employee file as per 164.526(e).
       
  6. If the request for amendment involves other than the above list in number (2), the employee will be directed to the originator of the PHI. Minnetonka ISD #276 will direct the employee back to the hospital, the business associate, or other appropriate third party to request amendments to their PHI. Examples of such would be as follows:
     
    1. Amendments to consent forms: Hospital, business associate or center where the consent was completed.
       
    2. Amendments to medical records or diagnostic reports: Hospitals or medical facility as appropriate.
       
  7. If, notwithstanding all of the above, Minnetonka ISD #276 receives a request for an amendment to the PHI of an employee, and none of the above applies, and a denial appears probable, the Privacy Officer should be notified of the situation.
     
  8. Per the regulation, a denial on the request can only be made when it is determined the PHI affected:
     
    1. Was not created by Minnetonka ISD #276.
       
    2. It is for information that is not part of the designated record set.
       
    3. Is accurate and complete.
       
  9. If a statement of disagreement has been submitted, Minnetonka ISD #276 will, after notification from the business associate, append that information to any future disclosure of the PHI to which the disagreement relates. If no statement of disagreement was submitted, the request for amendment and denial will be included with any future disclosure of PHI that relates to the disagreement, only if the individual has requested that action.
     
  10. All of the above actions relating to the business associates submission of a denial will be handled with the assistance of the Privacy Officer.

Ref:    §164.524

Policy Effective Date: April 22, 2004
Procedure Effective: April 14, 2004


 

MINNETONKA PUBLIC SCHOOL DISTRICT

Policy #425.10 HIPAA – Request Confidential Information

Request Confidential Information

Objective:    Establish guidelines regarding an individuals right to request protected health information be given by means of confidential communications.

Policy:    Minnetonka ISD #276 will allow individuals to request PHI be given to an individual by means of confidential communications as per the privacy standard.

Procedure:

  1. Minnetonka ISD #276 will act on a request by an employee to receive communications in a confidential manner (by alternative locations, or communications) by contacting the business associate. Minnetonka ISD #276 will not directly act on any request of this nature by an individual concerning the release of their PHI.
     
  2. Minnetonka ISD #276 will follow the directions of the business associate once the request for confidential communications has been submitted.
     
  3. Minnetonka ISD #276 will follow all directions per the business associate, such that the requirements of the privacy regulation are met:
     
    1. Minnetonka ISD #276 may ask the individual to make a request for a confidential communication in writing. A memorandum of the request will be kept by Minnetonka ISD #276 and recorded on the employee record. No explanation as to their reason for the request can be required.
       
    2. Minnetonka ISD #276 will determine the reasonableness of the request in terms of administrative difficulty. Minnetonka ISD #276 will follow all directions per the employee on alternative methods of communications for the employee. Employees will refer all requests to the Provacy Officer.

Ref:    §164.522(b);164.502(h)

Policy Effective Date: April 22, 2004
Procedure Effective: April 14, 2004


 

MINNETONKA PUBLIC SCHOOL DISTRICT

Policy #425.11 HIPAA – Request Restriction of Disclosures

Request Restriction of Disclosures

Objective:    Establish guidelines regarding an individual’s right to request restrictions on disclosures of PHI for treatment, payment, and healthcare operations.

Policy:    Minnetonka ISD #276 will allow individuals to request PHI be restricted on disclosures for treatment, payment, and healthcare operations per the privacy standard.

Procedure:

  1. Minnetonka ISD #276 will act on a request by an employee to restrict disclosure(s) of PHI only after forwarding the request or referring the employee to the business associate for approval of the request.
     
  2. Minnetonka ISD #276 will follow the directions of the business associate once they have resolved the request for restrictions of disclosures.
     
  3. Minnetonka ISD #276 will follow all directions per the business associate, such that the requirements of the privacy regulation are met in accordance with 164.522(a) and 164.510(b) as determined by the Privacy Officer of Minnetonka ISD #276. Minnetonka ISD #276 will document all restrictions of disclosures in the employee's file. The request for restriction of disclosure itself will not be made available to any external party in this case unless directed by the business associate. Minnetonka ISD #276 will only forward the necessary revised PHI to all applicable external parties it deals with including: collection agencies, statement processing companies, insurance companies, etc.
     
  4. Minnetonka ISD #276 will honor directly requests of restrictions of disclosures that pertain to:
     
    1. The individual requesting the restriction requests restriction of billing information and demographic information to external parties if it will not affect reimbursement. (i.e., patient statements or bills will only be sent to a certain address, etc.). The Minnetonka ISD #276 billing office will then assure that only the pertinent information will be sent to the external parties such as the collection agencies and the statement processing company. The request for restriction of disclosures itself will not be passed on to any external party directly, other than directed by the business associate or the employee.

             If both parties agree upon the restriction of disclosure, Minnetonka ISD #276 and the employee, it will be documented in the employee's file.
       
  5. If an employee requests a termination of a restriction of a disclosure that does not involve the information as above in item number 4, the business associate will be forwarded the termination request. Minnetonka ISD #276 will then follow all directions from the business associate as per the privacy regulation 164.522(a)(2). Documentation of the termination will be kept in the employee's file.
     
  6. If an employee requests a termination of a restriction of disclosures regarding PHI included in #4 above, Minnetonka ISD #276 will ask for the termination in writing from the employee and documentation of the restriction will be placed in the employee's file.

Ref:    §164.522(a)

Policy Effective Date: April 22, 2004
Procedure Effective: April 14, 2004


 

MINNETONKA PUBLIC SCHOOL DISTRICT

Policy #425.12 HIPAA – Minimum Necessary Information

Minimum Necessary Information

Objective:    Establish guidelines on limitations regarding the uses of the amount of PHI accessible to individuals within Minnetonka ISD #276.

Policy:    Minnetonka ISD #276 will only allow access to the minimum amount of PHI necessary for an individual to perform their intended task or responsibility.

Procedure:

  1. Minnetonka ISD #276 will allow only the necessary amount of PHI to flow to different departments and categories of personnel to perform their specified tasks. Personnel will have access to the following information necessary to perform their duties:
     
    1. Patient demographic information.
       
    2. Claims form information and attachments.
       
    3. Reports and medical records obtained from a business associate and covered entities that are necessary to code and to bill the third party payors.
       
    4. Explanation of benefits and other third party payor correspondence, including workman’s compensation, automobile insurance companies, etc.
       
    5. Employee correspondence regarding reimbursement issues.
       
    6. Bank deposit correspondence.
       
    7. Reimbursement correspondence from collection agencies, statement processing companies, and external coding companies

      Employees whose duties involve any preparation, resolution or implementation of reimbursement activities will be allowed access to the above information.
       
  2. The Privacy Officer will have access to the above information to carry out his/her intended managerial and reimbursement related duties for payment and healthcare operations activities on behalf of Minnetonka ISD #276.
     
  3. If there is an issue in which the access to PHI is in question, the Privacy Officer will be notified and the decision made as to the elements of PHI that are necessary for an employee to view. If there is a question about access, legal counsel will be sought.
     
  4. If an intentional violation of the minimum necessary policy is suspected by an individual or individuals, the Privacy Officer will be notified. Depending on the extent and the intent of the violation, the employee sanction policy and procedures will be followed.

Ref:    §164.502(b);164.514(d)

Policy Effective Date: April 22, 2004
Procedure Effective: April 14, 2004


 

MINNETONKA PUBLIC SCHOOL DISTRICT

Policy #425.13 HIPAA – Personnel Representative

Personal Representative

Objective:    Establish guidelines for the disclosure of PHI to individuals and those designated as personal representatives.

Policy:    Minnetonka ISD #276 will allow disclosures of PHI to the affected individuals or those designated as a personal representative of the individual according to law.

Procedure:

  1. Minnetonka ISD #276 will allow PHI to be given to the individual who is the subject of the PHI.
     
  2. PHI given to an individual by an employee of Minnetonka ISD #276 will be limited to the elements of information in their employee file. This includes but is not limited to: patient demographic information, insurance information, status of an employee account, financial information and reimbursement status of their account, services rendered. The individual will be referred to the business associate or other entity as appropriate for inquiries regarding clinical reports and diagnoses, and other medical record matters.
     
  3. To verify the identity of the individual before any PHI or account information is given over the telephone or by other means, the flowing elements will be obtained to verify the identity:
    1. Date of birth, or
       
    2. Social security number, and
       
    3. Date of service in question.

            If the identity cannot be verified through these means, no information will be given.
       
  4. Personal representatives will only be given the PHI or account information of an individual per the regulation at 164.502(g), and with appropriate signed authority in evidence. If under state law a person has the authority to act on behalf of an individual who is a(n):
     
    1. Adult or emancipated minor,
       
    2. Deceased individual,
       
    3. Authorized representative as defined per state law, then PHI or account information will be given to the above personal representatives only with the appropriate documentation and only the information listed in number two above.
       
  5. If an employee has any questions as to the appropriateness of giving of any PHI or account information to a designated personal representative, the Privacy Officer should be notified.

Ref:    §§164.502(g); 164.524; 164.528; 164.510(b)

Policy Effective Date: April 22, 2004
Procedure Effective: April 14, 2004


 

MINNETONKA PUBLIC SCHOOL DISTRICT

Policy #425.14 HIPAA – Business Associates

Business Associates

Objective:    Establish the implementation of business associate contracts with entities that performs functions involving the utilization of PHI on Minnetonka ISD #276’s behalf.

Policy:    Minnetonka ISD #276 will enter into business associate contracts with all individuals and entities that utilize and have access to individuals PHI to perform activities on Minnetonka ISD #276’s behalf.

Procedure:

  1. The attached business associate contract will be utilized to enter into a contractual agreement with all external entities that perform functions for Minnetonka ISD #276 involving the use or access to individuals PHI. The contract can only be modified after review by the following personnel: The Privacy Officer or the Chairman of the Board of Minnetonka ISD #276.
     
  2. All business associate contracts will be reviewed and have the signature of level of management as deemed appropriate by the Privacy Officer.
     
  3. A copy of the business associate contract will be kept in the business office of Minnetonka ISD #276.
     
  4. If a Minnetonka ISD #276 employee suspects any breach of the business associate contract by the business associate, the employee will contact the Privacy Officer, who will take the necessary steps as required by 164.504(e)(1)(ii).
     
  5. If there is any question as to whether an entity needs to sign a business associate contract, the Privacy Officer will be notified and will determine the business associate status as per the definition in 160.103.
     
  6. If Minnetonka ISD #276 is asked to enter into a business associate contract with another covered entity or other entity, all inquiries and contracts will be the ultimate responsibility of the Privacy Officer. Once a business associate contract is signed by Minnetonka ISD #276, all employees who deal with the business associate will become knowledgeable about the provision of such contract and abide by those provisions.

Ref:    §§164.504(f); 164.510(b)(2);164.510; 164.504(e)

Policy Effective Date: April 22, 2004
Procedure Effective: April 14, 2004


 

MINNETONKA PUBLIC SCHOOL DISTRICT

Policy #425.15 HIPAA – Authorizations and Authorization Forms

Authorizations and Authorization Forms

Objective:    Secure authorization when needed from an employee.

Policy:    Minnetonka ISD #276 will obtain individuals authorization in writing, signed and dated by the individual, for any use or disclosure of protected health information that is not for payment, treatment, or healthcare operations purposes and is not a public policy exception as listed in §164.512.

Procedure:

  1. All Minnetonka ISD #276 employees must utilize the appropriate authorization form for release of protected health information as included within this policy. The authorization cannot be included on a page with any other document.
     
  2. The appropriate authorization forms will be utilized by the employee for internal uses of protected health information and for external disclosures of protected health information as attached. The following information will be included in the authorization form, but the content is not limited to:
     
    1. A description of the information to be used or disclosed,
       
    2. The identification of the person(s) authorized to make the requested use or disclosure,
       
    3. An expiration date or event that relates to the individual or the purpose of the use or disclosure,
       
    4. A statement of the individual’s right to revoke the authorization,
       
    5. Employee signature and date of signing,
       
    6. Must be written in plain language.
       
  3. The signature of the employee and the date signed must be present on the authorization form. All parts of the authorization form must be completed to be considered a valid authorization.
     
  4. If a patient refuses to sign, the Privacy Officer will intervene if necessary.
     
  5. A copy of the completed authorization form will be given to the employee.
     
  6. An authorization is only valid for the one occurrence (use or disclosure) so a new signed authorization is needed when any other appropriate use or disclosure of protected health information is warranted.
     
  7. An employee can revoke an authorization at any time (decide not to authorize the use and disclosure). The revocation needs to be in writing and kept in the employee's file. If the authorization was already obtained and the use or disclosure made, the Privacy Officer should be notified if a revocation comes in after. If the use or disclosure has not been made, all activities pertaining to the use and disclosure should cease, and the Privacy Officer be notified of the revocation.
     
  8. All requests for disclosures that require authorizations will be forwarded to the business associate for review and approval. Minnetonka ISD #276 will follow the business associate’s instructions when received.
     
  9. An authorization is not needed for disclosure of an individuals PHI in the following instances, but is not limited to:
     
    1. Collection agencies.
       
    2. Statement processors.
       
    3. Insurance companies and third party payors.
       
    4. Business associates.
       
    5. Automobile insurance companies.
       
    6. Clearinghouses.
       
    7. Public priority exceptions as listed in the disclosures required by law policy in this manual.
       
      1. If an authorization is in doubt as to whether it is required, the Privacy Officer should be notified.
         
      2. Authorizations will be kept in hard copy in a retrievable location, and documented when received. The documentation should consist of:
        1. Employee making the notation.
           
        2. Why the authorization was obtained.
           
        3. Documentation of the receipt of a valid authorization form.
           
        4. Actions completed due to the authorization received.
           
        5. Date of the receipt of the authorization.

Ref:    §§164.506)a); 164.512; 164.508(a-f); 164.520

Policy Effective Date: April 22, 2004
Procedure Effective: April 14, 2004


 

MINNETONKA PUBLIC SCHOOL DISTRICT

Policy #425.16 HIPAA – General Disclosure with Notice

General Disclosure with Notice

Objective:    Provide guidance regarding permitted uses and/or disclosures of PHI.

Policy:    Minnetonka ISD #276 uses and discloses Protected Health Information (PHI) for treatment, payment and operations (TPO) as outlined in this policy, and consistent with the Privacy Rule.

Procedure:

  1. The Privacy Rule permits Minnetonka ISD #276 to use and disclose a member’s PHI without first obtaining the member’s Authorization to carry out TPO. The following are examples of use and disclosure of PHI:
     
    1. In connection with treatment, payment of health care operations.
       
    2. Treatment activities of a Health Care Provider.
       
    3. Another Covered Entity or a Health Care Provider for the payment activities of the entity that receives the PHI.
       
    4. Another Covered Entity for Health Care Operations of the entity that receives the PHI, if all of the following conditions are met:
       
    5. Both Minnetonka ISD #276 and the receiving entity either has or had a relationship with the member who is the subject of the PHI being requested;
       
    6. The PHI pertains to such relationship; and
       
    7. The disclosure is either for the purpose of health care fraud and abuse detection or compliance; or
       
    8. For any of the following purposes:
       
      1. Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines.
         
      2. Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, and health plan performance.
Ref:    §§164.502(a)(1);164.506; 164.510;
           164.512; 164.532
 
Policy Effective Date: April 22, 2004
Procedure Effective: April 14, 2004


 

MINNETONKA PUBLIC SCHOOL DISTRICT

Policy #425.17 HIPAA – Deceased Individuals

Deceased Individuals

Objective:    Establish the protocols in which PHI or account information can be given to personal representatives of deceased individuals.

Policy:    Minnetonka ISD #276 will allow the PHI or account information of an individual to be disclosed to a personal representative of a deceased individual per the privacy regulation at §164.502.

Procedure:

  1. Minnetonka ISD #276 will allow records to be obtained by a personal representative of a deceased individual only when appropriate documentation of their status has been obtained.
     
  2. All Minnetonka ISD #276 employees will obtain records of executorship, administrator status or other applicable authority to act on behalf of a deceased individual or their estate before any account information or PHI can be given.
     
  3. All other requests for deceased individual’s information will be referred to the appropriate entity.
     
  4. If there is no evidence of executorship or other authority for the personal representative to receive the information, the employee will notify the Privacy Officer.

Ref:    §§164.502(f); 164.502(g)(4); 164.512(g)

Policy Effective Date: April 22, 2004
Procedure Effective: April 14, 2004


 

MINNETONKA PUBLIC SCHOOL DISTRICT

Policy #425.18 HIPAA – Verification of Requests for PHI

Verification of Requests for PHI

Objective:    Establish the protocols in which the identity of individuals requesting PHI are authorized to receive PHI.

Policy:    Minnetonka ISD #276 will allow the PHI or account information of an individual to be disclosed to the individual only after appropriate reasonable verification of their identity.

Procedure:

  1. Minnetonka ISD #276 employees will only give account information or PHI to an individual after the appropriate verification questions have been answered:
     
    1. Date of birth, or
       
    2. Social security number, and
       
    3. Date of service(s) in question.
       
  2. If the individual in question is an adult asking on behalf of a minor, the following additional information must be obtained:
     
    1. Birthdate of the child,
       
    2. b.    Name of the person making the inquiry and parental status to the child.
       
  3. If the individual is a designated personal representative, the personal representative policy and procedure must be followed.
     
  4. PHI given to an individual will be limited to the elements included within their reimbursement activities. This includes, but is not limited to: insurance information, demographic information, status of the claim, payment inquiries, and services rendered. All requests for clinical information and other information will be referred to the appropriate entity in which the PHI originated from.
     
  5. If the individual requesting PHI is a public official, the employee will notify the Privacy Officer and their actions will be in accordance with 164.512(a). Disclosures to public officials can only be made in certain circumstances without the authorization from the individual and includes, but is not limited to:
     
    1. The request from the public official is made in person and evidence of their government status is shown.
       
    2. If the request is in writing and on the appropriate government letterhead.
       
    3. If the disclosure is to a person acting on behalf of a public official with appropriate documentation that is evidence they are working on behalf of a public official.
       
    4. If the request is made pursuant to legal process, warrant, subpoena, order, or other legal process issued by a grand jury, or judicial or administrative tribunal.
       
  6. Any necessary accounting of the disclosure will be made in accordance with the accounting of disclosure policy and procedure.

Ref:    §§164.514(h);164.512(a); 164.512(f) 164.502(f); 164.510(b)

Policy Effective Date: April 22, 2004
Procedure Effective: April 14, 2004


 

MINNETONKA PUBLIC SCHOOL DISTRICT

Policy #425.19 HIPAA – Use and Disclosure; Employer/Plan Sponsor

Use and Disclosure: Employer/Plan Sponsor

Objective:    In order to allow Minnetonka ISD #276 to review PHI for purposes of claim appeals, claim audits, and other administrative purposes without the need for an individual authorization, Minnetonka ISD #276 should amend self-funded plan documents to incorporate provisions required by the privacy regulations

Policy:    Minnetonka ISD #276 will amend plan documents as required by the privacy regulations and certify that such amendments have been completed before the plan (or other covered entities) may disclose PHI to it.

Procedure:

Minnetonka ISD #276 will amend its self-funded plan documents to incorporate the following provisions required by the privacy regulations.

Each of the covered plans must:

  1. Describe how the plan sponsor may (and in some cases must) use or disclose PHI. Such uses and disclosures may not be inconsistent with the privacy rules.
     
    1. Provide that the plan sponsor will not use PHI for any purpose not provided for in the plan or required by law. The plan must specifically prohibit the plan sponsor from using or disclosing PHI for employment related decisions or in connection with other plans.
       
  2. Require the plan sponsor to notify the plan when it becomes aware of misuses and inappropriate disclosures of PHI.
     
  3. Provide that individuals will be given appropriate access to their own PHI and that the plan sponsor will amend PHI when appropriate on request.
     
  4. Require the plan sponsor to maintain an appropriate accounting of disclosures of PHI.
     
  5. Require the plan sponsor to make its internal practices, books, and records available to HHS.
     
  6. Require the plan sponsor to identify the employees (or classes of employees) and other persons with access to PHI and restrict access to those employees and other persons.
     
  7. Establish a mechanism for resolving issues relating to noncompliance with plan document requirements.
     
  8. Require the plan sponsor to ensure that agents, including subcontractors, to whom it provides PHI agree to the same restrictions and conditions.
     
  9. Provide that, if feasible, the plan sponsor will return or destroy all PHI received from the plan when no longer needed to meet the purposes of the disclosure.
     
  10. The plan sponsor must certify that the plan documents have been appropriately amended before the plan (or other covered entities) may disclose PHI to it.

Ref:    §164.504(b)(c); 164.504(f)(1-3);
          §164.508(a); 164.508(b)(4)(A-B); 164.514(g);164.504(f)
           164.528

Policy Effective Date: April 22, 2004
Procedure Effective: April 14, 2004


 

MINNETONKA PUBLIC SCHOOL DISTRICT

Policy #425.20 HIPAA – Required by Law

Required by Law

Objective:    Identify instances in which use and disclosure of an individuals PHI will be given without a consent, authorization or opportunity to agree or object.

Policy:    Minnetonka ISD #276 will only allow disclosure of PHI with a consent, authorization or opportunity for the individual to agree or object if it meets the requirements of section §164.512..

Procedure:

  1. Minnetonka ISD #276 will allow the use or disclosure of PHI without an authorization or agreement from the individual with direction from the business associate for the following purposes:
     
    1. Public health activities as described by §164.512(b)(1-2).
       
    2. Victims of abuse, neglect or domestic violence per §164.512 (c).
       
    3. Law enforcement purposes per §164.512(f).
       
    4. PHI about decedents per §164.512(g).
       
    5. Organ or tissue donations per §164.512(h)
       
    6. Research Purposes per §164.512(i).
       
    7. Aversion of serious threat to health or safety per §164.512(j).
       
    8. Specialized government functions per §164.512 (k).

      Appropriate verification of the entity requesting the PHI will be obtained before disclosure (identification badge, letter on official letterhead, etc.). These “public priority exceptions” are required by law, and the business associate will determine disclosure of the PHI in these instances. All Minnetonka ISD #276 employees should consult with the Privacy Officer if they receive requests from these entities for information. All appropriate documentation will be kept in the employee's file per the accounting of disclosure policy.
       
  2. Minnetonka ISD #276 will allow the use or disclosure of PHI without an authorization or agreement of the individual in the following cases as required per §164.512:
    1. For health oversight activities. Minnetonka ISD #276 will allow PHI to a health oversight agency for activities authorized by law including:
       
      1. Audits.
         
      2. Civil, administrative, or criminal proceedings or actions; and
         
      3. Other activities to include oversight of the health care system, government benefit programs for which PHI is relevant to beneficiary eligibility, entities subject to government regulatory programs for which health information is necessary for determining compliance with programs standards.
         
    2. For judicial and administrative proceedings. Minnetonka ISD #276 will allow the disclosure of PHI in the course of any judicial or administrative proceeding with evidence of the following:
       
      1. Order of the court or administrative tribunal (only the information requested under the order).
         
      2. To a subpoena, discovery request, or other lawful process that does not have an order from the court, Minnetonka ISD #276 will direct the request to the business associate.
         
    3. Workers’ compensation. Minnetonka ISD #276 will disclose PHI to the extent necessary to comply with laws relating to workers compensation or similar programs that provide benefits for work-related injuries or illness without regard to fault.

      The Privacy Officer should handle all the above requests. These disclosures can only be made for health oversight purposes, and is not allowed for investigations or other activities in which the individual is the subject of the investigation or activity. All appropriate documentation of the disclosure will be kept in the employee's file per the accounting of disclosure policy. All appropriate verification of the identity will take place before disclosure of PHI is initiated.
       
  3. In all circumstances, only the minimum necessary PHI will be disclosed. For the entities as listed in #2, the requested information can be supposed as the minimum necessary.

Ref:    §§164.501;164.512; 164.502(b)(2)(iv);
          164.514(d)(3)(iii)(A); 164.514(h)(1)

Policy Effective Date: April 22, 2004
Procedure Effective: April 14, 2004