Responsibility for Maintenance: Human Resources
I. Policy Statement
The United States Department of Health and Human Services (DHHS) issued final regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that establish, among other things, certain privacy requirements that must be followed by a “Covered Entity” (Privacy Standards). Although an employer generally is not a Covered Entity under HIPAA, an employer’s group health plan is a Covered Entity.
- A group health plan may not use or disclose protected health information (PHI) without a written authorization from an individual, unless the use or disclosure is specifically related to treatment, payment or “health care operations” (as defined under HIPAA), or unless public policy exceptions apply.
- Individuals covered under group health plans are entitled to certain rights under HIPAA with regard to the uses and disclosures of PHI by a group health plan.
- At the individual’s request, Physicians may not disclose information about care the patient has paid for out-of-pocket to health plans, unless for treatment purposes or in the rare event the disclosure is required by law.
II. Reason for Policy
The College offers the following self-insured group health plans:
- Medical Insurance – the OnPoint Point of Service plan administered by Excellus, one Preferred Provider Organization plan, and one HMO plan administered by MVP.
- Dental Insurance – the two plans providing benefits to collective bargaining unit employees and management confidential administered by POMCO.
- The Health Care Flexible Spending Account administered by MVP.
III. Applicability of the Policy
IV. Related Documents
- Health Insurance Portability and Accountability Act of 1996
- Standards for Privacy of Individually Identifiable Health Information; Final Rule (45 Code of Federal Regulations Parts 160 and 164)
| Subject || Office Name || Title or Position || Telephone Number || Email/URL |
| Term || Definition |
| HIPAA || The Health Insurance Portability and Accountability Act of 1996. |
| PHI || |
Protected Health Information (PHI), as defined by HIPAA and the Privacy Standards, is individually identifiable health information, including demographic information, that is created, received, transmitted or maintained by a group health plan, regardless of form (oral, written, or electronic), that relates to:
- the past, present or future physical or mental health or condition of an individual;
- the provision of health care services to an individual; or
- the past, present, or future payment for the provision of health care to an individual.
PHI may include, but is not necessarily limited to, medical records, billing records, medical images, consultant reports, laboratory or other diagnostic testing results, and any other individually identifiable information.
PHI does not include enrollment or dis-enrollment information for the self-insured group health plans. Employees may disclose information on whether an individual is participating in a self-insured group health plan, and whether an individual is enrolled or has dis-enrolled from a self-insured group health plan.
| Covered Entity || A Covered Entity includes a health care provider, a health care plan or a health care clearinghouse. |
| Plan Sponsor || The College. |
The self-insured group health plans may disclose PHI to the Plan Sponsor for plan administration functions only in accordance with this section. For purposes of this section, plan administration functions include: claims processing, appeal, or payment; quality assurance, auditing and monitoring; and assisting enrollees with claims.
Confidentiality of Records
All PHI created, received, transmitted, or maintained by a self-insured group health plan is confidential and remains the property of the self-insured group health plan. Confidentiality extends to PHI in any medium, including information that is on paper, in the computer systems of the College, or communicated verbally.
Employees may not divulge, copy, transfer, alter, or destroy any PHI, or remove any PHI from the College, except as authorized by a self-insured group health plan. Employees must hold in strictest confidence any and all access codes, passwords, and/or authorizations provided by the College as an Employee.
Employees must strictly comply with all applicable federal and state laws and regulations and all policies and procedures established by the self-insured group health plans relating to the confidentiality and protection of PHI. The responsibility of an Employee to safeguard the confidentiality of PHI continues after termination of his or her employment or other relationship with the self-insured group health plans.
When possible, the self-insured group health plans, the College and any “Business Associate” (as defined under HIPAA) with access to PHI shall return or destroy all PHI received from a Covered Entity, or created or received by the College or a Business Associate on behalf of a self-insured group health plan. This provision shall apply to PHI that is in the possession of subcontractors or agents of a self-insured group health plan’s Business Associate. A self-insured group health plan, the College and/or any Business Associate shall retain no copies of the PHI.
In the event that a self-insured group health plan, the College and/or any Business Associate determines that returning or destroying the PHI is infeasible, the self-insured group health plan, the College and/or any Business Associate shall extend the required protections to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as the self-insured group health plan, the College and/or any Business Associate maintains such PHI.
Administrative, Technical and Physical Safeguards
Administrative safeguards include, but are not limited to, internal policies and procedures for the selection, development, implementation, and maintenance of confidentiality measures.
- A self-insured group health plan must implement reasonable measures to prevent, detect, contain, and correct confidentiality violations.
- An Employee’s access to PHI, including, but not limited to, passwords for access to PHI maintained in electronic form, is automatically and immediately terminated upon the Employee’s separation from employment.
- Any suspected or known security incident will be promptly investigated, and corrective measures will be promptly taken and documented. A security incident includes, but is not limited to, an attempted or successful unauthorized access, use, disclosure, modification or destruction of PHI.
Technical safeguards include, but are not limited to, limiting access to technical information by creating computer and other electronic firewalls.
- Each Employee who has access to PHI maintained in electronic media must have a unique user name.
- Employees must hold in strictest confidence any and all access codes, passwords, and other authorizations which enable access to computer systems on which PHI is maintained. User passwords for access to electronic data systems must be changed periodically.
- Routine audits should be conducted to monitor access to computer systems on which PHI is stored.
- Workstations with access to electronic files containing PHI are protected against unauthorized use.
Physical safeguards include, but are not limited to, locking doors and/or filing cabinets.
- Documents that contain PHI may not be left exposed and unattended on an Employee’s desk or workstation.
- Paper records or files containing PHI must be kept in secure locations.
- Paper copies of records containing PHI that are no longer needed should be returned to the originating entity, shredded or disposed of in another manner that minimizes the risk of accidental disclosure.
- Computer monitors on which PHI may be displayed must be oriented in such a manner as to minimize the risk of PHI being viewed by an unauthorized employee or visitor.
- PHI must be removed from electronic media before the media is made available for re-use or disposed of.
- Paper and electronic files containing PHI may not be commingled with files that are accessible to employees who do not need to have access to such information in the performance of their duties in relation to operation of a self-insured group health plan.
Firewalls will ensure that only authorized Employees will have access to PHI, that such Employees will have access to only the minimum amount of PHI necessary for administrative activities under a self-insured group health plan, and that Employees will not further use or disclose PHI in violation of the HIPAA Privacy Standards.
Minimum Necessary Disclosure
Employees may use PHI only as necessary to perform duties as assigned by a self-insured group health plan and/or the College, or as specified in his/her job description. When using, disclosing, and/or accessing PHI, Employees may only use or access the minimum PHI necessary to perform such duties. When PHI must be shared with others, it must be shared in such a manner and with appropriate safeguards to minimize the risk of potential disclosure beyond those individuals with whom it is shared, and for the intended purpose.
Mitigation of Harmful Effects
The self-insured group health plans and the College have a duty to mitigate, to the extent practicable, any harmful effect that is known to a self-insured group health plan or the College arising out of a use or disclosure of PHI in violation of their policies and procedures or the Privacy Standards by a self-insured group health plan, the College or any Business Associates. Employees who become aware of any activity by an individual or entity that may jeopardize the confidentiality of PHI must promptly report such activity to the Office of Human Resources of the College.
Actions to be taken in mitigation may include:
- operational or procedural corrective measures to remedy violations;
- employment actions to re-train, reprimand or discipline employees;
- requiring corrective action to be taken by a Business Associate; or
- incorporating mitigation measures into the self-insured group health plan’s policies and procedures as appropriate.
Employees with access to PHI shall be trained with respect to the self-insured group health plans’ and the College’s policies and procedures for compliance with the HIPAA Privacy Standards. Such training shall take place initially upon the effective date of the policies and procedures, or upon the commencement of an Employee’s employment.
The self-insured group health plans and the College have created a complaint process for College employees and other individuals to make complaints concerning the policies and procedures of the self-insured group health plans and the College, and their compliance with such policies and procedures. Complaints regarding the inappropriate use and/or disclosure of PHI may be made in writing to the Office of Human Resources of the College. Complaints may also be made to the Secretary of the U.S. Department of Health and Human Services.
An individual is entitled to certain rights under HIPAA. Such individual rights are set forth in, and administered in accordance with, the Notice of Privacy Practices for the self-insured group health plans.
Individuals will be made aware of the availability of the Notice of Privacy Practices for the self-insured group health plans at least every three years, and will be provided with a revised Notice of Privacy Practices in the event of a material change to the Notice of Privacy Practices.
Please refer to the Notice of Privacy Practices for the self-insured group health plans for further details on an individual’s rights under HIPAA.
The self-insured group health plans and the College will not intimidate, threaten, coerce, discriminate against, or take any other retaliatory action against any individual or employee for exercising his/her right to file a complaint with the designated privacy personnel of the College, or with the Secretary of the DHHS. The College will not intimidate, threaten, coerce, discriminate against, or take any other retaliatory action against any individual or employee for testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing regarding an alleged violation under HIPAA and the Privacy Standards.
Non-Waiver of Rights
In addition, neither the self-insured group health plans nor the College may require an individual or employee to waive his/her rights under HIPAA and/or the Privacy Standards as a condition of the provision of treatment, payment, enrollment in a self-insured group health plan, or eligibility for benefits.
Approved by OCC Board of Trustees April 3, 2006