HIPAA GENERAL POLICIES & PROCEDURES

Index

1. Introduction
2. Amendments
3. Privacy Notice
4. Business Associate Agreements
5. Access
6. Risk Analysis
7. Risk Management
8. Privacy and Security Officer
9. Training
10. Privacy and Security Incidents
11. Sanctions
12. Mitigation
13. Documentation
14. Administrative Requirements

1. Introduction

The District's HIPAA Policies and Procedures (Code nos. 424.1 through 424.6) are designed to comply with the privacy and security standards under the Health Insurance Portability and Accountability Act (HIPAA), and apply to the District's group health plans (the "covered entities"). All of the District's HIPAA Policies and Procedures shall at all times be interpreted consistent with the HIPAA privacy and security standards set forth in 45 CFR Parts 160 and 164, and any new or amended HIPAA statutes and regulations. Nothing in the District's Policies and Procedures shall be interpreted as granting any additional rights to individuals, or placing any additional obligations on the District's group health plans, other than those required by the Privacy and Security Rules or any other applicable law. Nor shall the Policies and Procedures be considered contractual in nature.

2. Amendments

The District's Policies and Procedures may be revised at any time in accordance with the HIPAA Privacy and Security Rules and any new or amended HIPAA statutes and regulations, and shall be revised if necessitated by any change in law. The Policies and Procedures shall be reviewed periodically, and updated as needed, in response to environmental or operational changes affecting the privacy or security of protected health information. The group health plans must provide their business associates with all relevant changes to the Policies and Procedures.

WEST DES MOINES COMMUNITY SCHOOL BOARD OF EDUCATION Page 1 of 6
3. Privacy Notice

The covered entities shall adopt a Privacy Notice regarding potential uses and disclosures of protected health information (PHI), individuals' rights, and the covered entities' legal duties with respect to PHI. Where the covered entity is a group health plan which provides benefits solely through an insurance contract with a health insurance issuer or HMO, the covered entity shall maintain a Privacy Notice and shall provide the Privacy Notice to any person upon request. If the covered entity is a group health plan which does not provide benefits solely through an insurance contract, the Privacy Notice must be provided to individuals as follows:

- At the time of enrollment, to new enrollees;
- Within 60 days of a material revision to the Privacy Notice, to individuals covered by the plan;
- To any person upon request; and
- At least once every three years, the health plan must notify individuals covered by the plan of the availability of the Privacy Notice and how to obtain it.

The Privacy Notice and its terms may be revised, and the revisions may be effective for all PHI maintained by the covered entities, to the full extent allowed by the Privacy Rules. If the covered entities maintain a web site providing information about their benefits, they must post the Privacy Notice on the web site and make the notice available electronically through the web site.

4. Business Associate Agreements

The covered entities must, on a continuous basis, identify all business associates, who are those persons or entities who perform certain functions or activities that involve the use or disclosure of protected health information on behalf of, or which provide services to, a covered entity. Employees of covered entities are not business associates.
Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business associate services include: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.

The covered entities may permit a business associate to create, receive, maintain, or transmit electronic protected health information on their behalf only if the covered entities obtain satisfactory assurances that the business associate will appropriately safeguard the information and comply with the privacy and security rules. The covered entities shall therefore require all current and future business associates to execute a business associate agreement, or an amendment to a business associate agreement, which provides that the business associate will comply with HIPAA and notify the applicable covered entity of any privacy or security incidents or breaches.
If the covered entities learn of a pattern of activity or practice of the business associate that constitutes a material breach or violation of the business associate's obligations under the contract, the covered entities must take reasonable steps to cure the breach or end the violation, as may be applicable. If such steps are unsuccessful, the covered entities must terminate the contract if feasible, or, if termination is not feasible, the covered entities must report the problem to the Department of Health and Human Services (HHS).

5. Access

The covered entities will create, change, and safeguard passwords with regard to employees whose duties involve the benefit plan(s) at issue, as necessary to protect electronic protected health information (EPHI). The covered entities will provide for password protection for the work computers of those employees whose duties involve the benefit plan(s) at issue, and for the computer system(s) used by such individuals. The passwords will be changed following termination of the employee or other significant change in circumstances.

The covered entities will, with regard to those employees whose duties involve the benefit plan(s) at issue, implement one or more of the following procedures if possible using their current hardware and software capabilities:

- limit the number of log-in attempts;
- provide notice to the security official if the maximum number of attempts is exceeded;
- lock the system to prevent access with that particular user's name if the maximum number of attempts is exceeded; etc.

6. Risk Analysis

The covered entities shall assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the entities, if any. The risk analysis shall be overseen and directed by the designated security official. The goal of risk analysis is to identify potential security risks, the probability of occurrence, and the magnitude of the risk.
The covered entities shall periodically review and update their risk analysis, annually or more often if there are significant changes in the operating practices or procedures, personnel, physical environment, or computer hardware or software systems. All risk analysis documentation shall be retained for six (6) years.

7. Risk Management

The covered entities shall implement security measures sufficient to reduce risks and vulnerabilities to EPHI held by the entity, if any, to a reasonable and appropriate level. Risk management involves eliminating or reducing unacceptable risks to reasonable levels, and maintaining the lower, acceptable level of risk over time. The goal of risk management is to:
(1) Ensure the confidentiality, integrity, and availability of all EPHI the covered entities create, receive, maintain, or transmit;
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the HIPAA Privacy Rules; and
(4) Ensure compliance with this subpart by their workforce.

In deciding what security measures to use, the covered entities must take into consideration the following factors:

1. The size, complexity, and capabilities of the covered entities.
2. The covered entities' technical infrastructure, hardware, and software security capabilities.
3. The costs of security measures.
4. The probability and criticality (the degree of potential harm) of potential risks to EPHI.

Cost cannot be the sole factor in the decision whether to implement an addressable implementation specification.

The covered entities shall periodically review and update their risk analysis and, if warranted as a result, implement reasonable and appropriate security measures to address any new or increased risks or vulnerabilities to EPHI held by the entities which are not adequately addressed by current security measures.

8. Privacy and Security Officer

The covered entities shall designate privacy and security officials, who may be the same or different individuals, responsible for the development and implementation of these Policies and Procedures, and a contact person or office responsible for receiving notice of any privacy and security violations and for providing further information about matters covered by the privacy and security rules and these Policies and Procedures. The privacy official, security official, and contact person functions may be fulfilled by the same or different persons.
The privacy and security officials are authorized to have direct access to or communication with officers, administrators, and/or directors, as applicable, as necessary for compliance with these Policies and Procedures and the Privacy and Security Rules.

9. Training

The covered entities shall train all members of their workforce who may receive PHI on these Policies and Procedures, as necessary and appropriate for the workforce members to carry out their function within the covered entity. Training shall be provided to new workforce members who may receive PHI within a reasonable period of time after joining the covered entity's workforce. Training must also be provided, as needed, to each member of the workforce whose functions are affected by a material change in these Policies and Procedures, within a reasonable period of time after the change takes effect.

10. Privacy and Security Incidents

The covered entities shall provide a process for individuals to identify and respond to privacy and security incidents, and to report violations of these Policies and Procedures or the Privacy or Security Rules. Privacy and security incidents and violations must be reported to the designated privacy or security official or the designated contact person. The privacy or security official or contact person shall reasonably investigate any privacy or security incident or violation, determine whether and what responsive action or remedial measures, if any, are appropriate, and shall then act on this determination. The privacy or security official shall take reasonable steps to preserve evidence; mitigate, to the extent possible, the situation that caused the incident; document the incident and the outcome; and evaluate privacy and security incidents as part of ongoing risk management.

11. Sanctions

Where the privacy or security official has determined that a member of its workforce has failed to comply with these Policies and Procedures or the Privacy or Security Rules, the covered entities shall apply sanctions against the workforce member. Depending on the nature and severity of the failure to comply, sanctions may include, but are not limited to, verbal warning, written warning, suspension, or termination. The determination of the appropriate sanction may take into account the severity of the breach, intent, malice, prior offenses, the effect of the breach, and other relevant circumstances. Sanctions may be initiated at any level without prior resort to lesser forms of sanction.

12. Mitigation

The covered entities shall mitigate, to the extent practicable, any harmful effect known to the covered entities of a violation of these Policies and Procedures or the Privacy or Security Rules by the covered entities or their business associates.

13. Documentation

The covered entities must maintain the Policies and Procedures, any documentation required by the Privacy and Security Rules to be in writing, and a record of any action, activity, or designation required by the Privacy and Security Rules to be documented, for a period of six years from the date of its creation or the date when it last was in effect, whichever is later. Documentation may be maintained in written or electronic form. The documentation must be made available to those persons responsible for implementing the procedures to which the documentation pertains. The documentation shall be reviewed periodically, and updated as needed, in response to environmental or operational changes affecting the privacy or security of PHI.
14. Administrative Requirements

a. No Retaliation: The covered entities may not intimidate, threaten, coerce, discriminate against, or take retaliatory action against individuals asserting rights under HIPAA.

b. Waiver of Rights: The covered entities may not require individuals to waive their rights under HIPAA as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.

c. Policies and Procedures: The covered entities must maintain and implement these Policies and Procedures.

d. Group Health Plans: Group health plans which provide health benefits solely through an insurance contract and/or which do not create or receive EPHI are not necessarily subject to certain HIPAA requirements.

Nothing in these Policies and Procedures shall be interpreted as granting any additional rights to individuals, or placing any additional obligations on the covered entities, other than those required by the Privacy and Security Rules.

Approved 03-07-11
Reviewed 6-13-16
Revised