INDIVIDUAL HIPAA RIGHTS (Health Insurance Portability and Accountability Act)

All staff with access to protected health information will follow the procedures below:

Alternate Communications: The district will provide alternate locations or alternate means to accommodate a member's written request to receive communications involving Protected Health Information (PHI), as defined by HIPAA. The request must be in writing, signed, and dated by the member or their legal guardian. All reasonable requests will be honored. If the request is unreasonable or unable to be fulfilled, the member will be notified immediately. Once the request is accepted, all communications to the member involving PHI must be made to the alternate location or by the alternate means requested until modified by the member.

Non-Routine Disclosures: A covered person's written request to obtain a history of non-routine disclosures of their protected health information will be accommodated. This accounting will, at a minimum, include the types of disclosures and information for each as detailed under HIPAA. No additional accounting will be maintained by the district for valid authorizations (as defined within the HIPAA Privacy regulations) that have been received by the district. A copy of each valid authorization will be kept on file as evidence that no non-routine disclosures have been made by the district. If an authorization was received in relation to research disclosures, the covered person's request for disclosure will be met by providing a list of all protocols for which the member's PHI may have been disclosed for research pursuant to a waiver of authorization under the HIPAA privacy regulations as well as the researcher's name and contact information. The request must be in writing, signed, and dated by the covered person or their legal guardian, preferably using the History of Non-Routine Disclosures Request form.
Every attempt will be made to satisfy the request in 30 days and no longer than 60 days. If more time is needed, the district will notify the requestor in writing of the delay and the reason. The report provided to satisfy the request will use the format shown in the History of Non-Routine Disclosures Report, or contain all these data elements. The Privacy Officer is responsible for ensuring that all requests are fulfilled in a timely manner in accordance with the law and the district's policies.

Records Access: The district will accommodate an individual's written request to see or copy his or her medical record. The request must be in writing, signed, and dated by the covered individual or their personal representative.

WEST DES MOINES COMMUNITY SCHOOL BOARD OF EDUCATION Page 1 of 5
If the request is to see the record, the individual may have immediate access within the office, business operations permitting. A place to review the records away from others will be provided, but a staff member will be present while the member is reviewing the record to ensure that the record remains intact and unaltered.

If the request is for a copy of the record or a portion thereof, a copy will be made available within five business days of receiving payment from the member. The copy may be picked up in person or mailed (return receipt requested) if requested in writing.

If the district uses or maintains an electronic health record, an individual may request to access information in electronic format. The individual may also direct the District to transmit a copy of the electronic health record directly to an entity or person designated by the individual, provided that direction is clear, conspicuous, and specific. An electronic health record is an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.

Such requests may be denied only if the life of either the covered person or another would be endangered by such disclosure. All district procedures regarding processing records access requests will be followed.

Records Amendment: The district will accommodate a covered person's written request to amend his or her medical record. The request must be in writing, signed, and dated by the individual or their legal guardian. A decision to permit or deny the amendment will be made within five business days. If a decision to deny the amendment is made, a written explanation will be returned to the requesting person via US Mail no more than two business days following the decision. If the amendment is to be allowed, the record will be amended within five business days. The amendment will be maintained as long as the record itself.
The original request, including the decision to amend, will be included as well. If a response to the amendment is added to the record, a copy of the response will be mailed to the requesting person by US Mail within two business days of the response being placed in the file. All district procedures regarding processing records access requests will be followed.

Restriction of Records: The district will accommodate a covered person's written request to restrict some or all of the protected health information (PHI) in his or her medical record. The request must be in writing, signed, and dated by the covered person or their legal guardian. A decision to permit or deny the restriction will be made within five business days. If a decision to deny the restriction is made, a written explanation will be returned to the requestor via US Mail no more than two business days following the decision. If the restriction is to be allowed, a notation as to this restriction will be entered into the record within five business days and maintained as long as the record itself. The original request, including the decision to restrict, will be included as well.
If the restriction is allowed, protected health information in violation of this restriction will not be used or disclosed, except in emergency situations or to public health, government or law enforcement officials with the proper documentation. If the requestor cancels this restriction, a notation to this effect will be added to the record. If this cancellation is in writing, this will be included in the medical record as well. If the cancellation is oral, the time, date, and person taking the cancellation will be noted in the medical record. All district procedures regarding processing member records access requests will be followed.

Restriction of certain disclosures to the District's health plans: Except as otherwise required by law, the District will accommodate an individual's written request to restrict the disclosure of PHI of the individual to a health plan of the District for purposes of carrying out payment or health care operations (not treatment) when the PHI pertains solely to a health care item or service for which the health care provider involved has been paid by the individual out of pocket in full.

Accounting of Disclosures: The District will accommodate an individual's written request for an accounting of disclosures of protected health information. In most cases this information will be available for six years from the date of disclosure (three years in the case of disclosures from an electronic health record to carry out treatment, payment, and health care operations). An electronic health record is an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff. An accounting of disclosures from electronic health records for treatment, payment, or health care operations will not be mandatory until required by regulation on or after January 1, 2011.
Member Grievance: The Privacy Officer is responsible for investigating all reported incidents of alleged violation of health information privacy, regardless of source or severity. All staff will encourage any individual who feels that his/her privacy has been violated to discuss the matter with the Privacy Officer. The Privacy Officer will maintain a Privacy Incident File, and produce a monthly report summarizing the status of every open file regarding alleged health information privacy violations, regardless of discovering source.

The Privacy Incident File will contain:
1. The completed Member Grievance Tracking form.
2. The written documentation of the alleged violation by the covered person, staff member or other reporting entity.
3. A Plan of Action, documenting the planned course of the investigation.
4. Complete documentation of the investigation, including transcripts of all interviews.
5. Documentation of all correspondence regarding the alleged violation, including all correspondence with legal counsel, such correspondence to be specifically marked as privileged communication.
6. Documentation of the decision regarding whether or not a violation actually occurred, and any resolution regarding the alleged violation, regardless of determination. The resolution may include (upon review and approval by the Superintendent or designee):
   o An apology
   o A description of a process change that will prevent reoccurrence
   o An invitation to discuss the situation further
   o Addresses of appropriate professional, state and federal offices to which the complaint may be escalated

The Privacy Officer will log all complaints in the Privacy Incident File and, if the complaint can be resolved informally, also document the resolution. If the complaint cannot be resolved informally, the individual will be asked to provide a written complaint, signed and dated. Follow up with the person filing the grievance until he/she is satisfied or the problem is escalated. If the problem is escalated, the order of escalation will be:
1. The Privacy Officer
2. Fiduciary and/or officer of the sponsoring organization
3. Appropriate external professional, state or federal offices

Current policy governing the Privacy Grievance Process will be followed. If a change is warranted, the policy documentation will be modified to reflect the change and the changes will be communicated to all affected staff. The district will cooperate fully with all state, federal, or professional investigating bodies. Documentation of all reported incidents will be maintained for six years following the last action, as required by law.

Preserving HIPAA Rights: A member exercising any of his/her rights under HIPAA will not be intimidated, threatened, coerced, discriminated against, nor have other retaliatory actions taken. These include:
o The right to complain to the Department of Health and Human Services if he/she feels that privacy or security rights have been violated.
o The right to testify in an investigation, compliance review or other hearing.
o Oppose any practice of the health plan that the individual feels is in violation of HIPAA regulations.

Individuals will not be required to waive their HIPAA rights as a condition of enrollment or eligibility for benefits.

Notice of Privacy Practices: In order to notify and inform all members of their HIPAA rights and the district's responsibilities regarding their health information, a Notice of Privacy Practices will be maintained and distributed as appropriate. To that end the district will:
o Adopt and maintain on file the current Notice of Privacy Practices.
o Make available upon request paper copies of the current Notice of Privacy Practices.
o Modify the Notice of Privacy Practices as needed, with approval of the Superintendent or designee. The Privacy Officer will replace the file copy and re-distribute if a material change is made.
o Retain each version for not less than six years following the last use of that version.

Violation of any of these policies can carry serious consequences for the health plan. Disciplinary actions for anyone violating this policy may include suspension without pay or termination.

Privacy Officer:
Donna Gregory
Director of Business Services, WDMCSD
3550 Mills Civic Pkwy., West Des Moines, IA 50265
Phone: 515-633-5078

Security Officer:
Donna Gregory
Director of Business Services, WDMCSD
3550 Mills Civic Pkwy., West Des Moines, IA 50265
Phone: 515-633-5078

Approved 03-14-05
Reviewed 11-11-14
Revised 11-11-14