HIPAA PRIVACY REGULATIONS AND THE SCHOOLS



Similar documents
U.S. Department of Health and Human Services. U.S. Department of Education

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY

HIPAA. HIPAA and Group Health Plans

Plan Sponsor Guide HIPAA Privacy Rule

Whitefish School District. PERSONNEL 5510 page 1 of 5 HIPAA

HIPAA or FERPA? A Primer on School Health Information Sharing in California

THE LAW. Legal Issues in School Nursing. Legal Foundations

OCHIN Position Paper. April Student Treatment Records under HIPAA vs. FERPA

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No A-94B, AFL-CIO. Notice of Privacy Practices

How To Protect Mental Health Information In Upb

NOTICE OF PRIVACY PRACTICES

The HIPAA Privacy Rule: Overview and Impact

SAMPLE BUSINESS ASSOCIATE AGREEMENT

Notice of Privacy Practices

HIPAA Privacy For our Group Customers and Business Partners

Health Plan Select, Inc. Business Associate Privacy Addendum To The Service Agreement

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA): FACT SHEET FOR NEUROPSYCHOLOGISTS Division 40, American Psychological Association

SAMPLE BUSINESS ASSOCIATE AGREEMENT

USES AND DISCLOSURES FOR TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS [45 CFR ]

HIPAA BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT

NOTICE OF PRIVACY PRACTICES

Business Associate Contract for Nursing Services

ELECTRONIC HEALTH RECORDS

NOTICE OF PRIVACY PRACTICES FOR PURDUE UNIVERSITY HEALTH PLANS

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT

PRIVACY PRACTICES OUR PRIVACY OBLIGATIONS

RONALD V. MCGUCKIN AND ASSOCIATES Post Office Box 2126 Bristol, Pennsylvania (215) (215) (Fax) childproviderlaw.

COURTNEE A. PELTON, PSY.D.

BUSINESS ASSOCIATE AGREEMENT. Recitals

HIPAA BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT

NOTICE OF PRIVACY PRACTICES effective April 14, 2003

Child Abuse and Neglect:

Implementing an HMIS within HIPAA

UNIVERSITY PHYSICIANS OF BROOKLYN, INC. POLICY AND PROCEDURE. No: Supersedes Date: Distribution: Issued by:

HIPAA Notice of Privacy Practices - Sample Notice. Disclaimer: Template Notice of Privacy Practices (45 C.F.R )

Executive Memorandum No. 27

HIPAA Privacy Rule Primer for the College or University Administrator

Guidelines Relating to Implementation of the Privacy Regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HIPAA NOTICE OF PRIVACY PRACTICES

GROUP HEALTH INCORPORATED SELLING AGENT AGREEMENT

HIPAA Enforcement Training for State Attorneys General

PATIENT RECORDS PRIVACY POLICIES AND PROCEDURES FOR HIPAA COMPLIANCE (4/03)

Frequently Asked Questions About the Privacy Rule Under HIPAA

Reason(s) For Referral: Current medications:

HIPAA NOTICE OF PRIVACY PRACTICES FOR PROTECTED HEALTH INFORMATION

Business Associate Agreement

HIPAA HITECH PA Physician Practices

We are required to provide this Notice to you by the Health Insurance Portability and Accountability Act ("HIPAA")

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

FirstCarolinaCare Insurance Company Business Associate Agreement

BUSINESS ASSOCIATE AGREEMENT

NOTICE OF PRIVACY PRACTICES FOR THE NORTH CENTRAL NURSING CLINICS

Notice of Privacy Practices. Human Resources Division Employees Benefits Section

SUMMARY: The Defense Health Agency proposes to alter an. existing system of records, EDTMA 02, entitled "Medical/Dental

HIPAA Privacy Rule CLIN-203: Special Privacy Considerations

SDC-League Health Fund

VALPARAISO UNIVERSITY NOTICE OF PRIVACY PRACTICES. Health, Dental and Vision Benefits Health Care Reimbursement Account

University of California Policy

NOTICE OF HIPAA PRIVACY AND SECURITY PRACTICES

Privacy Notice. The Plan s duties with respect to health information about you

BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM RECITALS

HIPAA Business Associate Agreement

Authorization for Release of Information

Parsonage Vandenack Williams LLC Attorneys at Law

HIPAA Policy Use and Disclosure of Protected Health Information November 3, 2015

BUSINESS ASSOCIATE AGREEMENT

APPLETREE PEDIATRICS, PA NOTICE OF PRIVACY PRACTICES

650 Clark Way Palo Alto, CA

Business Associate Agreement

BUSINESS ASSOCIATE AGREEMENT

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

HIPAA Omnibus Notice of Privacy Practices Effective Date: March 03, 2012 Revised on: July 1, 2015

American Guild of Musical Artists ( AGMA ) Health Fund Privacy Notice. Plan A and Plan B

HIPAA NOTICE OF PRIVACY PRACTICES

Snake River School District No. 52 HIPAA BUSINESS ASSOCIATE AGREEMENT (See also Policy No. 7436, HIPAA Privacy Rule)

Bradley D. Powell, PhD NOTICE OF PRIVACY PRACTICES: Effective June 1, 2004

BUSINESS ASSOCIATE AGREEMENT FOR ATTORNEYS

COMPLIANCE ALERT 10-12

HIPAA NOTICE OF PRIVACY PRACTICES

Notice of Patients Rights and Privacy Protections under Federal Privacy Laws (HIPAA)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) How it affects Nevada s workers compensation insurance coverage.

HIPAA. The Privacy Rule. what you need to know now. A primer for psychologists

Schindler Elevator Corporation

JANUARY 2015 NOTICE OF PRIVACY PRACTICES

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

DALLAS ALLERGY & ASTHMA CENTER

Shipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS

Business Associate Agreement Washtenaw Community Health Organization Effective Date: insert date

HIPAA Employee Compliance Program TRAINING MANUAL

TABLE OF CONTENTS. University of Northern Colorado

State of Connecticut Department of Social Services HIPAA Policies and Procedures Manual

HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule

HIPAA Business Associate Contract. Definitions

Senate Bill No. 48 Committee on Health and Human Services

BUSINESS ASSOCIATES [45 CFR (e), (e), (d) and (e)]

ADDENDUM TO ADMINISTRATIVE SERVICES AGREEMENT FOR HIPAA PRIVACY/SECURITY RULES

Effective Date: March 23, 2016

Transcription:

HIPAA PRIVACY REGULATIONS AND THE SCHOOLS by Roy H. Henley Public schools have joined countless other employers, insurance carriers, and health care providers in analyzing the impact of recent federal privacy regulations under the Health Insurance Portability and Accountability Act ("HIPAA"). Many individuals have at least a passing familiarity with Title I of HIPAA, which protects health insurance coverage opportunities for employees and their dependents in case of job change or job loss, particularly where the covered individual may have a pre-existing medical condition. In essence, Title I of that Act was intended to prevent health insurance considerations from causing "job lock." The new regulations, however, pertain to Title II of HIPAA. Title II, commonly known as the "administrative simplification provisions," requires the United States Department of Health and Human Services ("HHS") to establish, among other things, standards for the security and privacy of "individually identifiable health information" See 42 USC 1320d-2. To comply with that statutory mandate, on August 14, 2002 HHS issued its final rules and commentary setting privacy standards (the "Privacy Rule"). Since then, affected entities and their attorneys have been studying this triple column, 99-page document in an effort to determine the new regulations' effect upon their business practices, and to debate whether the term "administrative simplification" is inaccurate or merely Orwellian. Fortunately, Michigan school districts will not be required to make many of the substantial changes in business practices required of many other organizations which either directly or periphially deal with health care issues. Nevertheless, some notable changes in business practice may likely occur upon the Privacy Rule's April 2003 effective date. A discussion of some of the issues which may be of general interest to school districts follows. Q: What is the Privacy Rule? A: Entities regulated by the Rule ("covered entities") may not disclose "protected health information" without consent or authorization, except as permitted or 1

required by law. "Protected health information" is generally defined as individually identifiable health information. This definition is subject to important exceptions, which will be discussed below. Q: What are "covered entities?" A: Covered entities are "health plans, health care clearing houses, and health care providers who transmit health information in electronic form" relating to transactions concerning health claims, health plans, injury reports, and referral certification and authorization. Q: Are Michigan public school districts covered entities? A: For practical purposes, not under most readily imaginable circumstances. School districts, in the course of providing school psychological, nursing, and some special education related services fall within the definition of a "health care provider," which is a "covered entity." For purposes of the privacy regulation, a "health care provider" is any "person or organization who furnishes, bills, or is paid for health care in the normal course of business." 45 CFR 160.102. The regulations define "health care" broadly enough to include the school functions listed above. Although school districts are technically "covered entities," the vast majority of the health information they process or maintain is exempt from Privacy Rule protections. The definition of "protected health information" subject to the Privacy Rule excludes education records covered by the Family Educational Rights and Privacy Act ("FERPA"). 45 CFR 164.501. FERPA defines "education records" as including those records which are directly related to a student and maintained by an education agency or institution, or by a person acting for such agency or institution. 20 USC 1232g(a)(4)(A). This definition encompasses essentially all student health-related records. Based upon the foregoing, school districts are in the unusual position of being "covered entities" which deal almost exclusively with health information not subject to the HIPAA Privacy Rule. Despite this de facto exclusion from Privacy Rule coverage, school districts may nevertheless be significantly impacted by the Rule after it takes effect. Ms. Nadine Schwab, a Connecticut attorney specializing in school health issues, expects that HIPAA-compliant contractors which conduct Medicaid billing and other similar functions for school districts may eventually require districts to submit information to them in a HIPAA-compliant manner as a condition of doing business. Although this administrative burden may not be placed upon schools immediately, it may occur when compliance is substantially achieved with the statutory mandate to adopt standards for transactions and data elements which will enable health information to be exchanged electronically. 42 USC 1230d-2. Q: How will the Privacy Rule affect school district child immunization recordkeeping requirements? 2

A: Some additional administrative hurdles may be encountered in obtaining immunization information. The Michigan Public Health Code places the burden on parents and guardians to provide school officials with legally required immunization information regarding their children. MCL 333.9208. The HIPAA Privacy Rule generally provides parents and guardians with control over their children's health care information. 45 CFR 164.502(g). Although child immunization information may be released directly to the parent, a written release is required to allow the health care provider to give the immunization information directly to school districts. The parent must execute an authorization including a description of the information to be used or disclosed, the specific persons authorized to make the disclosure, the name of the person(s) to whom the disclosure will be made, the purpose of the disclosure, and the date upon which the authorization expires. 45 CFR 164.508(c). Any previous practices involving less formal authorization for disclosure of child immunization information must be discontinued. School officials, however, likely may continue to disclose immunization information to public health officials in accordance with previous practice. Once the immunization record is provided and maintained by the school district, the FERPA exception described above would probably apply. Q: Do school officials require written authorization before providing medical information supporting a report of suspected child abuse under the Michigan Child Protection Law? A: No authorization is required, even if the information has not been reduced to an "education record" exempt from the Privacy Rule. A covered "health care provider" need not treat a parent as a child's personal representative when abuse or harm to the child is a concern. 45 CFR 164.502(g)(5). Moreover, a covered entity may disclose protected information if necessary to prevent or lessen a serious and imminent threat to the health or safety of the involved person or the public. 45 CFR 164.512(j). Q: How does the Privacy Rule impact the school district's personnel function? A: No effect is intended. Employment records are expressly excluded from the definition of "protected health information." 45 CFR 164.501. In that regard, HHS has stated: When the individual gives his or her medical information to the covered entity as the employer, such as when submitting a doctor's statement to document sick leave, or when the covered entity as employer obtains the employee's written authorization for disclosure of protected health information, such as an authorization to disclose 3

the results of a fitness for duty examination, that medical information becomes part of the employment record, and, as such, is no longer protected health information. 67 FR 53192 (2002). Medical information used solely in a school district's personnel function is thus exempt from the Privacy Rule. Q: Will my district face increased administrative burdens with respect to employee health insurance coverage? A: Probably, yes. Those few school districts which self-insure health benefits will be required to become HIPAA-compliant. To the extent administration of that function is contracted out to the private sector, "business associate" contracts, pertaining to transfer and use of protected health information, must be executed. The vast majority of school districts which purchase health insurance policies for their employees may experience additional administrative burdens as HIPAA "plan sponsors." As "plan sponsors," employers may continue to obtain protected health information from group insurance plans to conduct administrative functions. Before the group health plan may disclose this information, however, the employer must provide a certification indicating that it agrees to: Not use or further disclose the information other than as permitted by plan documents or required by law. Ensure that all agents to which the information is re-disclosed will abide by the same restrictions. Not use or disclose the information for employment-related actions and decisions, or in connection with any of the sponsor's other benefits. Report to the group health plan any unauthorized disclosures about which the employer becomes aware. Allow individuals access to protected health information, as required by regulation. Amend the protected health information, as required by regulation. Provide an accounting of disclosures of protected health information, as required by regulation. Make its internal books and records pertaining to use and disclosure of protected health information available for audit by the appropriate governmental officials. 4

To the extent feasible, destroy or return all protected health information to the group health plan. Separate the protected health information from other administrative documents, as required by regulation. HIPAA privacy standards will become effective in April 2003. Certain entities which have applied for extensions of time will have until October 2003 to comply. Finally, "small health plans" must become compliant by April 14, 2004. Based upon those rapidly approaching dates, school districts should work with their insurance carriers and legal counsel to take necessary steps to ensure operational compliance with the privacy aspects of HIPAA's "administrative simplification." This article provides information of a general nature regarding legislative and regulatory developments. None of this information is intended as legal advice or opinion relative to specific facts, matters, situations or issues. Additional facts or future legal developments may affect the subjects addressed. 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information