HomeMy WebLinkAbout6.c. HIPPA ProgramAGENDA ITEM: HIPAA Program
AGENDA SECTION:
Consent
PREPARED BY: Emmy Foster, Assistant City
Administrator
AGENDA NO. O.`
ATTACHMENTS: HIPAA Resolution
HIPAA Policies, Procedures Forms
APPROVED BY:
RECOMMENDED ACTION: Motion to approve the HIPAA policy, the attached re olution,
and the designation of the Privacy Officer.
4 ROSEMOUNT
CITY COUNCIL
City Council Regular Meeting: February 6, 2007
EXECUTIVE SUMMARY
ISSUE
HIPAA (Health Insurance Portability and Accountability Act of 1996) requirements have been developed
and now have to be implemented by the City This federally mandated, unfunded program requires
covered entities (Health Plans) to implement policies and procedures with respect to protected health
information (PHI) Health plans include major medical, dental, medical reimbursement, and EAP
(Employee Assistance Program). The City is a covered entity because we have a health reimbursement
plan PHI is individually identifiable information which is created, modified, received or maintained by a
covered entity that relates to an individual's past, present or future physical or mental condition, treatment
or payment for care. This mformation is protected if transmitted m electromc, written, or oral form. The
insurance companies and insurance broker that we work with are considered Business Associates of the
City and have also implemented these HIPAA regulations
The League of Minnesota Cities (LMNC) had a policies and procedures template developed for it's
member cities This material was created by Darcy Hitesman of Haynes Hitesman law firm for the
League of Minnesota Cities It was intended to be a template for each city to use in developing their own
individual HIPAA pohcies and procedures. This template was used to prepare the City of Rosemount's
HIPAA policy. Our City Attorney's office, our health insurance broker (CBIZ) and a League of MN
Cities representative (Erin Rian) have all reviewed our proposed pohcy. Due to the extensive length of the
policy (118 pages), it was emailed to each of the City Council members on Friday, February 2, 2007 In
addition, the proposed resolution adopting a HIPAA policy and appointing a privacy official is attached to
this summary.
Once the resolution has been approved by the Council.
A Nonce of Privacy Practice will be sent via regular mail to each individual subject to our Health
Plan(s) and will be mailed out every three years afterward
A link will be added to our website under the admuustration department webpage so that the
pohcy is readily accessible in electronic format.
Staff members with official business duties who must handle the confidential information will be
given written documentation on how to handle Private Health Information (PHI)
Separate PHI files will be maintained on each employee and stored in a locked cabinet.
BACKGROUND
The City of Rosemount has been in the practice of following these pohcies and procedures over the last
few years; however it officially needs to be approved by Council, a resolution adopted, and a pnvacy
officer designated.
SUMMARY
Staff recommends approval of the HIPAA pohcy, the attached resolution, and the designation of the
Assistant City Administrator position as the Privacy Officer.
2
ATTEST:
Amy Domeier, City Clerk
CITY OF ROSEMOUNT
DAKOTA COUNTY, MINNESOTA
RESOLUTION NO. 2007-
A RESOLUTION ADOPTING THE HIPAA POLICY AND
APPOINTING A PRIVACY OFFICIAL
WHEREAS, The City of Rosemount recognizes that it offers the following health plans: Health
Reimbursement Account, Medical, Dental, and Employee Assistance and is a covered entity under
the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 45 CFR 164 530 (a), for
purposes of HIPAA's privacy mandates, and
WHEREAS, the City of Rosemount recognizes that as a covered entity under HIPAA that it is
required to appoint a privacy official (the Assistant Co) Administrator):
to develop, implement and coordinate policies and procedures for protected health
information under HIPAA's privacy rules,
to momtor and decide any issues that occur under the rules
to receive complaints about any failure to comply with either the policies and procedures or
the privacy rules in general, and
WHEREAS, the Rosemount City Council shares concerns over privacy of health data protected by
the Act and wishes to comply with the requirements of the law, and
NOW THEREFORE, IT IS HEREBY RESOLVED by the City Council of the City of
Rosemount to adopt the HIPAA pohcy and appointment the Assistant City Admuustrator position
as the Pnvacy Official.
Adopted by the City Council of the City of Rosemount this day of 2007.
William H Droste, Mayor
Motion by Second by:
Voted in favor:
Voted against:
Member(s) absent:
fea WVIDA/
HIPAA POLICIES PROCEDURES AND ADMINISTRATIVE FORMS
TABLE OF CONTENTS
1. HIPAA Privacy Policies Procedures Overview (Policy Procedure)
2. HIPAA Privacy Officer (Policy Procedure)
3. Notice of Privacy Practices (Policy/3. Procedure)
a. Notice of Privacy Practice for Organized Health Care Arrangement (Administrative
Form)
4. Use of Disclosure of PHI for TPO Purposes (Policy Procedure)
5. Minimum Necessary Standard (Policy/3. Procedure)
6. Individual's Rights to Access and Copy PHI (Policy Procedure)
a. Request to Access Own PHI (Administrative Form)
b. Grant of Request to Access Own PHI (Administrative Form)
c. Notification of Additional Time to Respond to Access to Own PHI (Administrative
Form)
d. Denial of Request to Access Own PHI (Administrative Form)
e. Access Request Tracking Log (Administrative Form)
7. Amendment of PHI (Policy /3. Procedure)
a. Request for Amendment of PHI Request (Administrative Form)
b. Grant of Amendment of PHI Request (Administrative Form)
c. Notification of Additional Time to Respond to Amendment of PHI (Administrative
Form)
d. Denial of Request for Amendment of PHI (Administrative Form)
e. Notice to Others of Amendment of PHI (Administrative Form)
f. Requestor's List of Person's or Entities to Be Notified of
Amendment (Administrative Form)
g. Amendment Request Tracking Log (Administrative Form)
8. Accounting of Disclosures of PHI (Policy Procedure)
a. Request for An Accounting of Disclosures (Administrative Forrn)
b. Accounting of Disclosures of PHI (Administrative Form)
c. Notification of Additional Time to Respond to Accounting Request (Administrative
Form)
d. Notification of Charges for Second Request in 12 Month Period (Administrative
Form)
e. Accounting Request Tracking Log (Administrative Form)
f. Disclosure Tracking Log (Administrative Form)
League of Minnesota Cities HIPAA Policies 5 Procedures Guide. Copyright O 2004 by League of
Minnesota Cities. All rignts reserved.
9. Verification Prior to Disclosure of PHI (Policy Procedure)
a. Disclosure Tracking Log (Administrative Form)
10. Individual Requested Restrictions of Use or Disclosure of PHI (Policy Procedure)
a. Request to Restrict Certain Uses and Disclosures (Administrative Form)
b. Response to Request to Restrict Certain Uses and Disclosures (Administrative
Form)
11. Individual Requested Restrictions on Confidential Communications (Policy Procedure)
a. Request for Confidential Communications (Administrative Form)
b. Restricted Uses and Confidential Communication Request
Tracking Log (Administrative Form)
12. Privacy Complaint Procedure (Policy Procedure)
a. Privacy Complaint Form (Administrative Form)
b. Response to Privacy Complaint (Administrative Form)
c. Complaint Tracking Log (Administrative Form)
13. Authorization for Use or Disclosure of PHI (Policy Procedure)
a. Authorization for Use or Disclosure (Administrative Form)
14. Revocation of an Authorization (Policy Procedure)
a. Revocation by Subject of Protected Health Information (Administrative Form)
15. Business Associates and Business Associate Agreements (Policy Procedure)
16. Retention of PHI Documentation (Policy Procedure)
17. HIPAA Privacy Training Program (Policy Procedure)
a. Acknowledgment of Training Attendance (Administrative Form)
18. Personal Representative (Policy Procedure)
a. Designation of Personal Representative (Administrative Form)
19. Coordination with Other Laws (Policy Procedure)
20. Disclosures to Plan Sponsor (Policy Procedure)
21. Duty to Mitigate (Policy Procedure)
22. Discipline Policy (Policy Procedure)
23. Administrative Safeguards (Policy Procedure)
1. Computer Terminals /Workstations (Policy Procedure)
2. Electronic Mail System (E -mail) (Policy Procedure)
3. Facsimile Machines (Policy Procedure)
4. Copy Machines (Policy Procedure)
5. Mail Internal and External (Policy Procedure)
6. Storage of Documents (Policy Procedure)
League of Minnesota Cities HIPAA Policies Procedures Guide. Copyright 2004 by League of
Minnesota Cities. All rights reserved.
HIPAA Privacy Policies and Procedures Overview
Policy Statement
HIPAA requires covered entities to have policies and procedures reflecting HIPAA's privacy mandates.
The Health Plan, as a covered entity, has developed administrative policies and procedures reflecting the
Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy regulations.
Policy Interpretation and Implementation
HIPAA Policies and Procedures
Health Plan
Revisions to HIPAA Policies and
Procedures
Distribution of Revisions to
HIPAA Policies and Procedures
Policy Inquiries
Specific Policies and Procedures
Organized Health Care
Arrangement (OHCA)
1. HIPAA requires covered entities to have policies and
procedures to ensure compliance with HIPAA's
regulations. A health plan is a "covered entity" under
HIPAA. Consequently, the Health Plan is responsible for
the research, development, implementation, monitoring
and maintenance of the Health Plan's HIPAA privacy
policies and procedures.
2. HIPAA defines a "health plan" as an individual or group
health plan that provides or pays the cost of medical care,
including, but not limited to, employee welfare benefit
plans covered by ERISA, health insurers, HMOs, group
health plans, and many public benefit programs
(Medicaid, Medicare, et.).
3. The Health Plan's HIPAA privacy policies and procedures
may be revised at any time, in order to comply or
enhance compliance with HIPAA.
4. Any revisions to the Health Plan's HIPAA privacy policies
and procedures will be distributed to individual's family
members, representatives, employees, business
associates, etc., within five (5) working days of the
release of such revisions.
5. Inquiries relative to HIPAA policies and procedures should
be directed to the HIPAA Privacy Officer.
6. The Health Plan's specific policies and procedures have
been created in order to satisfy HIPAA's requirements.
7. HIPAA recognizes Organized Health Care Arrangements
(OHCAs). An OHCA can exist when an employer sponsors
more than one health plan that is a covered entity. Being
part of an OHCA allows the covered entities to satisfy the
HIPAA privacy requirements together, as if they are a
single covered entity. The following covered entities are
designated as an OHCA:
City of Rosemount
For purposes of these HIPAA privacy policies and
procedures, "Health Plan" means the OHCA designated
above.
Form 1 HIPAA Privacy Policies Procedures Overview. League of Minnesota Cities HIPAA Policies Procedures
Guide. Copyright 2009 by League of Minnesota Cities. All rights reserved
Third Party Service Providers
Other Laws
Record Retention
HIPAA Privacy Officer
Effective Date 13. April 14, 2004
References:
45 C.F.R. 164.501
8. Nothing precludes the Health Plan from contracting with a
third party service for assistance in complying with the
Health Plan's HIPAA privacy policies and procedures.
9. In addition to HIPAA, covered entities may be subject to
other laws that address the privacy of health information,
including, but not limited to, the Minnesota Data Practices
Act. HIPPA establishes a floor the minimum
requirements with which a covered entity must comply.
To the extent the requirements of any other law provide
more protection to the subject of the health information,
those requirements will apply.
10. A copy of all HIPAA covered information and any revisions
shall be maintained for a period of at least six (6) years.
Such retention may be in printed or electronic format, or
both.
11. The HIPAA Privacy Officer is responsible for the
development and implementation of the HIPAA policies
and procedures. The HIPAA Privacy Officer is also the
contact person for any questions or complaints regarding
HIPAA. If you have a question or concern about your
HIPAA rights contact the HIPAA Privacy Officer at 651-
423 -4411.
Violations 12. Violations of this policy will be subject to discipline.
Form 1 HIPAA Pnvacy Policies Procedures Overview. League of Minnesota Cities HLPAA Policies Procedures
Guide. Copyright 2009 by League of Minnesota Cities. All rights reserved.
Appointment of HIPAA Privacy
Officer
Delegation
HIPAA Privacy Officer
Policy Statement
A HIPAA Privacy Officer has been designated by this Health Plan to be responsible for the development
and implementation of this Health Plan's HIPAA policies and procedures.
Policy Interpretation and Implementation
1. The Health Plan has appointed the Assistant City
Administrator, as the Health Plan's HIPAA Privacy
Officer.
HIPAA Privacy Officer's 2. The HIPAA Privacy Officer's responsibilities include:
Responsibilities
a. Assisting management in the development,
implementation, and updating of the Health Plan's
HIPAA policies and procedures;
b. Performing periodic privacy risk assessments;
c. Development of security procedures and guidelines
for the protection of the Health Plan's information
systems;
d. Assisting management in the assigning of passwords
and user identification codes for access to protected
health information (PHI) by authorized users;
e. Receiving complaints concerning the Health Plan's
HIPAA policies and procedures;
f. Receiving complaints concerning the Health Plan's
compliance with its established policies and
procedures;
g. Maintaining a complaint tracking log;
h. Assisting in obtaining use and disclosure of PHI
authorizations;
1. Assisting in the development of training materials
and training to ensure that relevant staff are well
trained in matters relating to the use and disclosure
of protected health information (PHI);
Providing staff, individuals, business associates,
government agencies etc., with information relative
to the Health Plan's HIPAA policies and procedures;
and
k. Working with the Health Plan's legal counsel on
matters relative to HIPAA.
J•
3. The HIPAA Privacy Officer may delegate certain job
functions to be performed by other individuals; however,
the ultimate responsibility for compliance with HIPAA
Form 2— HIPAA Pnvacy Officer (Policy Procedure). League of Minnesota Cities HIPAA Policies Procedures
Guide. Copyright 2009 by League of Minnesota Cities. All rights reserved.
Record Retention
HIPAA Privacy Officer
Effective Date 7. April 14, 2004.
References:
45 C.F.R. 164.530(a)
remains with the HIPAA Privacy Officer.
4. A copy of all HIPAA covered information and any
revisions shall be maintained for a period of at least six
(6) years. Such retention may be in printed or electronic
format, or both.
5. The HIPAA Privacy Officer is responsible for the
development and implementation of the HIPAA policies
and procedures. The HIPAA Privacy Officer is also the
contact person for any questions or complaints
regarding HIPAA. Questions or concerns about HIPAA
rights should be directed to the HIPAA Privacy Officer at
651- 423 -4411.
Violations 6. Violations of this policy will be subject to discipline.
FORD 2 HIPAA Privacy Officer (Policy Procedure). League of Minnesota Cities HIPAA Policies Procedures
Guide. Copy right 2009 by League of Minnesota Cities. All rights reserved.
Notice of Privacy Practices
Policy Statement
Each individual that is the subject of Protected Health Information (PHI) must receive a Notice of Privacy
Practices (NPP) describing (1) the uses and disclosures of his /her PHI that may be made by or on behalf
of the Health Plan, (2) the individual's rights, and (3) the Health Plan's legal duties with respect to the
individual's PHI.
Policy Interpretation and Implementation
Issue of NPP
Content of NPP
1. Individuals who are covered under the Health Plan will
be provided with a copy of the Health Plan's NPP;
2. NPPs must be prepared in easy to read language and
contain, as a minimum, the following elements:
a. A statement indicating how medical information
about the individual may be used and disclosed
and how the individual can obtain access to such
information;
b. A description, including at least one example, of
the types of uses and disclosures that the Health
Plan is permitted to make for purposes of
treatment, payment and healthcare operations,
with sufficient detail to place an individual on
notice of the uses and disclosures permitted or
required;
c. A description of each of the other purposes for
which the Health Plan is permitted or required to
use or disclose PHI without the individual's
consent or authorization, with sufficient detail to
place an individual on notice of the uses and
disclosures permitted or required;
d. A statement that other uses or disclosures will be
made only with the individual's written
authorization, and that the authorization may be
revoked in accordance with the policy on
authorization;
e. A statement of the individual's rights with respect
to his /her PHI, and a brief description of how the
individual may exercise those rights, including:
i. The right to request restrictions on certain
uses /disclosures of PHI, and the fact that the
Health Plan does not have to agree to such
restrictions;
ii. The right to receive confidential
communications of PHI;
iii. The nght to inspect and copy PHI;
Form 3— Notice of Privacy Practices (Policy Procedure). League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright 2009 by League of Minnesota Cities. All rights reserved.
g.
iv. The right to amend PHI;
v. The right to receive an accounting of
disclosures of PHI; and
vi. The right to receive a paper copy of the
privacy notice.
f. A statement of the Health Plan's duties with
respect to PHI, including statements:
I. That the Health Plan is required by law to
maintain the privacy of PHI and to
provide individuals with notice of its legal
duties and privacy practices;
ii. That the Health Plan is required to abide
by the terms of its current effective
privacy notice; and
id. That the Health Plan reserves the right to
change the terms of the notice and make
a new notice provision effective for all
PHI maintained, along with a description
of how the Health Plan will provide
individuals with the revised notice.
A statement that individuals may complain to the
Health Plan and to the Secretary of the U.S.
Department of Health and Human Services about
privacy rights violations, including a brief
statement about how a complaint may be filed
and an assurance that the individual will not be
retaliated against for filing a complaint;
h. The name, or title, and telephone number of the
Health Plan's HIPAA Privacy Officer to contact for
further information;
The name, telephone number and address of the
person designated by the Health Plan to receive
complaints regarding the Health Plan's privacy
practices; and
J. The effective date of the NPP, which may not be
earlier than the date printed or published.
Distribution of NPP 3. The Health Plan will distribute the NPPs at the times
specified below:
a. On the Health Plan's initial compliance date;
b. At the time of enrollment in the Health Plan for
new enrollees; and
c. Within sixty (60) days of a material revision of the
NPP to individuals covered by the Health Plan.
4. The NPP will be distributed no less frequently than once
every three (3) years.
Fonn 3— Notice of Pnvacy Practices (Policy Procedure). League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright 2004 by League of Minnesota Cities. All rights reserved.
Effective Date 10. April 14, 2004.
References:
45 C.F.R. 164.520
5. The NPP will be delivered by first class U S. Mail to the
address of record on file with the Health Plan. The NPP
will be addressed to the individual, spouse and all
dependents covered by the Health Plan.
Posting of NPP 6. A copy of the NPP will be posted on the web page, if
one, of the employer sponsoring the Health Plan. The
HIPAA Privacy Officer is responsible for prompt
distribution of changes to the privacy notice.
Record Retention 7. A copy of all HIPAA covered information and any
revisions shall be maintained for a period of at least six
(6) years. Such retention may be in printed or electronic
format, or both.
HIPAA Privacy Officer 8. The HIPAA Privacy Officer is responsible for the
development and implementation of the HIPAA policies
and procedures. The HIPAA Privacy Officer is also the
contact person for any questions or complaints
regarding HIPAA. Questions or concerns about HIPAA
rights should be directed to the HIPAA Privacy Officer at
651- 423 -4411.
Violations 9. Violations of this policy will be subject to discipline.
Form 3 Notice of Privacy Practices (Policy Procedure). League of Minnesota Cities RIPAA Policies
Procedures Guide. Copyright 2004 oy League of Minnesota Cities. All rights reserved.
City of Rosemount
ORGANIZED HEALTH CARE ARRANGEMENT
NOTICE OF PRIVACY PRACTICES
This Notice Describes How Medical Information About You May Be Used and Disclosed and
How You Can Get Access To This Information. Please Review It Carefully.
If you have any questions about this notice, please contact the Privacy Officer:
Who Will Follow This Notice
This notice describes the medical information practices of the City of Rosemount organized health care
arrangement OHCA') and third parties that assists in the administration of OHCA Plan.
For purposes of HIPAA and this notice, the OHCA includes the following:
Health Reimbursement Account
Employee Assistance Program
Medical Insurance
Dental Insurance
Effective April 14, 2004
Assistant City Administrator
City of Rosemount
2875 145th Street West
Rosemount, MN 55068
651- 423 -4411
Our Pledge Regarding Medical Information
We understand that medical information about you and your health is personal. We are committed to
protecting medical information about you. This notice applies to all of the medical records maintained by
an OHCA Plan. Your personal doctor or health care provider may have different policies or notices
regarding the doctor's use and disclosure of your medical information created in the doctor's office or
clinic.
This notice tells you about the ways in which we may use and disclose medical information about you. It
also describes our obligations and your rights regarding the use and disclosure of medical information.
We are required by law to:
make sure that medical information that identifies you is kept private;
give you this notice of our legal duties and privacy practices with respect to medical
information about you; and
follow the terms of the notice that are currently in effect.
How We May Use and Disclose Medical Information About You
The following categories describe different ways that we use and disclose medical information. For each
category of uses or disclosures, we will explain what we mean and present some examples. These
examples are not exhaustive. Not every use or disclosure in a category will be listed. However, all of the
ways we are permitted to use and disclose information will fall within one of the categories.
Form 3a Notice of Privacy Practice for Organized Health Care Arrangement (Administrative Form) League of Minnesota
Cities HIPAA Policies Procedures Guide Copyright 2004 by League of Minnesota Cities. All
rights reserved
Please note: In most instances, how information is used and disclosed has not changed. The
descriptions reflect how the Health Plans that make up the OHCA have traditionally operated.
For Treatment (as described in applicable regulations). We may use or disclose medical
information about you to facilitate medical treatment or services by providers. We may disclose medical
information about you to providers, including doctors, nurses, technicians, medical students, or other
hospital personnel who are involved in taking care of you.
For Payment (as described in applicable regulations). We may use and disclose medical
information about you to determine eligibility for benefits, to facilitate payment for the treatment and
services you receive from health care providers, to determine benefit responsibility under an OHCA Plan,
or to coordinate OHCA Plan coverage. For example, we may tell your health care provider about your
medical history to determine whether a particular treatment is experimental, investigational, or medically
necessary or to determine whether the OHCA Plan covers the treatment. We may also share medical
information with a utilization review or pre certification service provider. Likewise, we may share medical
information with another entity to assist with the adjudication (legal actions) or subrogation (third party
reimbursements) of health claims or to another health plan to coordinate benefit payments.
For Health Care Operations (as described in applicable regulations). We may use and disclose
medical information about you for other OHCA Plan operations. These uses and disclosures are necessary
to run the OHCA Plan. For example, we may use medical information in connection with: conducting
quality assessment and improvement activities; underwriting, premium rating, and other activities relating
to OHCA Plan coverage; submitting claims for stop -loss (or excess loss) coverage; conducting or
arranging for medical review, legal services, audit services, and fraud and abuse detection programs;
business planning and development such as cost management; and business management and general
OHCA Plan administrative activities.
As Required By Law. We will disclose medical information about you when required to do so by
federal, state or local law. For example, we may disclose medical information when required by a court
order or subpoena.
To Avert a Serious Threat to Health or Safety. An OHCA may use and disclose medical information
about you when necessary to prevent a serious threat to your health and safety or the health and safety
of the public or another person. However disclosure would be limited to someone able to help prevent
the threat.
Special Situations
Disclosure to Health Plan Sponsor. Information may be disclosed to another health plan for
purposes of facilitating claims payments under that plan. In addition, medical information may be
disclosed to City of Rosemount personnel solely for administering benefits under the OHCA Plan.
Organ and Tissue Donation. If you are an organ donor, we may release medical information to
organizations that handle organ procurement or organ, eye or tissue transplantation or to an organ
donation bank, as necessary to facilitate organ or tissue donation and transplantation.
Military and Veterans. If you are a member of the armed forces, we may release medical information
about you as required by military command authorities. We may also release medical information about
foreign military personnel to the appropriate foreign military authority.
Workers' Compensation. We may release medical information about you for workers' compensation
or similar programs. These programs provide benefits for work related injuries or illness.
Form 3a Notice of Privacy Practice for Organized Health Care Arrangement (Administrative Form). League of Minnesota
Cities HIPAA Policies Procedures Guide Copyright 2004 by Leagae of Minnesota Cities. All
rights reserved.
Public Health Risks. We may disclose medical information about you for public health activities. These
activities generally include the following:
to prevent or control disease, injury or disability;
to report births and deaths;
to report reactions to medications or problems with products;
to notify people of recalls of products they may be using;
to notify a person who may have been exposed to a disease or may be at risk for
contracting or spreading a disease or condition;
to notify the appropriate government authority if we believe an individual has been the
victim of abuse, neglect or domestic violence. We will only make this disclosure if you
agree or when required or authorized by law.
Health Oversight Activities. We may disclose medical information to a health oversight agency for
activities authorized by law. These oversight activities include, for example, audits, investigations,
inspections, and licensure. These activities are necessary for the government to monitor the health care
system, government programs, and compliance with civil rights laws.
Lawsuits and Disputes. If you are involved in a lawsuit or a dispute, we may disclose medical
information about you in response to a court or administrative order. We may also disclose medical
information about you in response to a subpoena, discovery request, or other lawful process by someone
else involved in the dispute, but only if efforts have been made to tell you about the request or to obtain
an order protecting the information requested.
Law Enforcement. We may release medical information if asked to do so by a law enforcement official:
In response to a court order, subpoena, warrant, summons or similar process;
to identify or locate a suspect, fugitive, material witness, or missing person;
about the victim of a crime if, under certain limited circumstances, we are unable to
obtain the person's agreement;
about a death we believe may be the result of criminal conduct; and
in emergency circumstances to report a crime; the location of the crime or victims; or the
identity, description or location of the person who committed the crime.
Coroners, Medical Examiners and Funeral Directors. We may release medical information to a
coroner or medical examiner. This may be necessary, for example, to identify a deceased person or
determine the cause of death. We may also release medical information about patients of the hospital to
funeral directors as necessary to carry out their duties.
National Security and Intelligence Activities. We may release medical information about you to
authorized federal officials for intelligence, counterintelligence, and other national security activities
authorized by law.
Inmates. If you are an inmate of a correctional institution or under the custody of a law enforcement
official, we may release medical information about you to the correctional institution or law enforcement
official. This release would be necessary (1) for the institution to provide you with health care; (2) to
protect your health and safety or the health and safety of others; or (3) for the safety and security of the
correctional institution.
Your Rights Regarding Medical Information About You
You have the following rights regarding medical information we maintain about you:
Form 3a Notice of Privacy Practice for Organized Health Care Arrangement (Administrative Form). League of Minnesota
Cities HIPAA Policies Procedures Guide. Copyright 0 2004 by Leagae of Minnesota Cities. All
rights reserved
Right to Inspect and Copy. You have the right to inspect and copy medical information that may be
used to make decisions about your OHCA Plan benefits. To inspect and copy the medical information that
may be used to make decisions about you, you must submit your request in writing to the Privacy Officer.
If you request a copy of the information, we may charge a fee for the costs of copying, mailing or other
supplies associated with your request.
We may deny your request to inspect and copy in certain very limited circumstances If you are denied
access to medical information, you may request that the denial be reviewed.
Right to Amend. If you feel that medical information we have about you is incorrect or incomplete, you
may ask us to amend the information. You have the right to request an amendment for as long as the
information is kept by or for the OHCA Plan.
To request an amendment, your request must be made in writing and submitted to the Privacy Officer. In
addition, you must provide a reason that supports your request.
We may deny your request for an amendment if it is not in writing or does not include a reason to
support the request. In addition, we may deny your request if you ask us to amend information that:
is not part of the medical information kept by or for the OHCA Plan;
was not created by us, unless the person or entity that created the information is no
longer available to make the amendment;
is not part of the information which you would be permitted to inspect and copy; or is
accurate and complete.
Right to an Accounting of Disclosures. You have the right to request an "accounting of disclosures"
where such disclosure was made for any purpose other than treatment, payment, or health care
operations.
To request this list of accounting of disclosures, you must submit your request in writing to Privacy
Officer. Your request must state a time period which may not be longer than six years and may not
include dates before April, 2004. Your request should indicate in what form you want the list (for
example, paper or electronic). The first list you request within a 12 month period will be free. For
additional lists, we may charge you for the costs of providing the list. We will notify you of the cost
involved and you may choose to withdraw or modify your request at that time before any costs are
incurred.
Right to Request Restrictions. You have the right to request a restriction or limitation on the medical
information we use or disclose about you for treatment, payment or health care operations. You also
have the right to request a limit on the medical information we disclose about you to someone who is
involved in your care or the payment for your care, like a family member or friend. For example, you
could ask that we not use or disclose information about a surgery you had. We are not required to agree
to your request.
To request restrictions, you must make your request in writing to the Privacy Officer. In your request,
you must tell us (1) what information you want to limit; (2) whether you want to limit our use, disclosure
or both; and (3) to whom you want the limits to apply, for example, disclosures to your spouse.
Right to Request Confidential Communications. You have the right to request that we
communicate with you about medical matters in a certain way or at a certain location. For example, you
can ask that we only contact you at work or by mail. To request confidential communications, you must
make your request in writing to the Privacy Officer. We will not ask you the reason for your request. We
Form 3a Notice of Privacy Practice for Organized Health Care Arrangement (Administrative Form). League of Minnesota
Cities HIPAA Policies Procedures Guide. Copyright 2004 by League of Minnesota Cities All
rights reserved
will accommodate all reasonable requests. Your request must specify how or where you wish to be
contacted.
Right to a Paper Copy of This Notice. You have the right to a paper copy of this notice. You may ask
us to give you a copy of this notice at any time. Even if you have agreed to receive this notice
electronically, you are still entitled to a paper copy of this notice.
You may obtain a copy of this notice at our website, www.mendota heights.com.
To obtain a paper copy of this notice, contact the Privacy Officer.
Changes to This Notice
We reserve the right to change this notice. We reserve the right to make the revised or changed notice
effective for medical information we already have about you as well as any information we receive in the
future. We will post a copy of the current notice on the OHCA Plan website. The notice will contain on the
first page, in the top right hand corner, the effective date.
Complaints
If you believe your privacy rights have been violated, you may file a complaint with the OHCA Plan or
with the Secretary of the Department of Health and Human Services. To file a complaint with the OHCA
Plan, contact the Privacy Officer. All complaints must be submitted in writing.
You will not be penalized for filing a complaint.
Other Uses of Medical Information
Other uses and disclosures of medical information not covered by this notice or the other applicable laws
will be made only with your written permission. If you provide us permission to use or disclose medical
information about you, you may revoke that permission, in writing, at any time. If you revoke your
permission, we will no longer use or disclose medical information about you for the reasons covered by
your written authorization. You understand that we are unable to take back any disclosures we have
already made with your permission, and that we are required to retain our records of the care that we
provided to you.
Form 3a Notice of Privacy Practice for Organized Health Care Arrangement (Administrative Form). League of Minnesota
Cities HIPAA Policies Procedures Guide. Copyright 2004 by League of Minnesota Cities. All
rights reserved
Use or Disclosure of PHI
Policy Statement
In order for the Health Plan to use or disclose (including obtaining) protected health information (PHI),
the use or disclosure must either (1) fall under the enumerated uses and disclosures allowed without an
individual authorization, or (2) the Health Plan must obtain an individual authorization.
Policy Interpretation and Implementation
Definition of PHI 1. Protected Health Information (PHI) means individually
identifiable information relating to:
a. The past, present or future physical or mental
health or condition of an individual;
b. The provision of health care to an individual;
c. The past, present or future payment for health
care provided to an individual.
Use and Disclosure not 2. PHI may only be used or disclosed without an Individual
Requiring an Individual authorization for treatment, payment, or health care
Authorization operations (TPO). These purposes Include:
a. The Health Plan may use or disclose PHI for its
own TPO;
b. The Health Plan may disclose PHI to another
covered entity for the payment activities of that
entity;
c. The Health Plan may disclose PHI to another
covered entity for health care operations activities
of the entity that receives the information, if each
entity either has or had a relationship with the
individual who Is the subject of the PHI, the PHI
pertains to such relationship, and the disclosure
is:
i. For health care operations regarding
conducting quality assessment and
Improvement activities, population -based
activities relating to improving health or
reducing health care costs, protocol
development, case management and care
coordination, contacting of health care
providers and patients with information about
treatment alternatives, and related functions
that do not include treatment, reviewing the
competence or qualifications of health care
professionals, evaluating practitioner and
provider performance, health plan
performance, credentialing activities; or
11. For the purpose of health care fraud and abuse
detection or compliance;
Form 4 Use or Disclosure of PHI for TPO Purposes (Policy Procedure). League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright 0 2004 by League of Minnesota Cities. All rights reserved.
Definition of TPO
d. If the Health Plan participates in an organized
health care arrangement (OHCA), it may disclose
PHI about an individual to another covered entity
that participates in the OHCA for any health care
operations activities of the OHCA.
Nothing in paragraph 2 prevents the Health Plan from
obtaining an individual authorization for use and disclosure
of PHI for TPO purposes.
3. Treatment, Payment and Health Care Operations (TPO)
includes all of the following:
a. Treatment means the provision, coordination, or
management of health care and related services,
consultation between providers relating to an
individual or referral of an individual to another
provider for health care.
b. Payment means activities undertaken to obtain or
provide reimbursement for health care, including
determinations of eligibility or coverage, billing,
collection activities, medical necessity
determinations and utilization review.
c. Health Care Operations includes functions such as
quality assessment and improvement activities,
reviewing competence or qualifications of health
care professionals, conducting or arranging for
medical review, legal services, and auditing
functions, business planning and development,
and general business and administrative activities.
Form 4 Use or Disclosure of PHI for TPO Purposes (Policy Procedure). League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright 2009 by League of Minnesota Cities. All rights reserved
Use and Disclosure for Public
Policy Reasons
Use and Disclosure Requiring an
Individual Authorization
Record Retention
4. PHI may be used or disclosed without an individual
authorization as required by law and for other public
policy reasons when specific requirements are met. The
situations in which PHI may be disclosed for public policy
reasons include, but are not limited to, situations
involving:
a. serious threats to health or safety;
b. disclosures to health plan sponsor;
c. organ and tissue donation;
d. military and veterans;
e. workers' compensation;
f. public health risks;
g. health oversight activities;
h. lawsuits and disputes;
1. law enforcement;
I. coroners, medical examiners and funeral
directors;
k. national security and intelligence activities; and
I. inmates.
5. An individual authorization is required for any use or
disclosure of PHI that is not specifically allowed by the
HIPAA privacy regulations (without the individual
authorization). These uses and disclosures include, but
are not limited to:
a. Use or disclosure of psychotherapy notes;
b. Use or disclosure of PHI for purposes of
marketing, except if the communication is in the
form of:
i. Face -to -face communication made by the
Health Plan to an individual; or
li. A promotional gift of nominal value provided
by the Health Plan.
6. A copy of all HIPAA covered information and any
revisions shall be maintained for a period of at least six
(6) years. Such retention may be in printed or electronic
format, or both.
Form 4 Use or Disclosure of PHI for TPO Purposes (Policy Procedure) League of Minnesota Cities HPPAA Policies
Procedures Guide. Copyright 0 2004 by League of Minnesota Cities All rights reserved.
HIPAA Privacy Officer
Violations 8. Violations of this policy will be subject to discipline.
Effective Date 9. April 14, 2004.
References:
45 C.F.R. §164.506, 164.508, 164.512
7. The HIPAA Privacy Officer is responsible for the
development and Implementation of the HIPAA policies
and procedures. The HIPAA Privacy Officer is also the
contact person for any questions or complaints
regarding HIPAA. Questions or concerns about HIPAA
rights should be directed to the HIPAA Privacy Officer at
651- 423 -4411.
Form 4 —Use or Disclosure of PHI for TPO Purposes (Policy Procedure) League of Minnesota Cities HIPAA Policies
Procedures Guide Copyright 2004 by League of Minnesota Cities. All rights reserved
Policy Statement
Whenever practical /feasible, the Health Plan will make reasonable efforts to limit use and disclosure of
protected health information (PHI) to the minimum necessary to accomplish the appropriate intended
purpose.
Policy Interpretation and Implementation
Minimum Necessary Standard
Access to PHI
Where Minimum Necessary 3. Limiting use, disclosure or request of PHI to the minimum
Standard Does Not Apply necessary does NOT apply in the following situations:
a. Disclosures or requests by a health care provider
for treatment;
b. Uses or disclosures made to the individual or
requested and authorized by the individual;
c. Disclosures made to the Secretary of Health and
Human Services (HHS) or to the Office of Civil
Rights (OCR);
d. Uses or disclosures required by law; and /or
e. Uses or disclosures required for compliance with
the Privacy Rule.
Disclosures of PHI by
Health Plan
Form 5— Minimum Necessary Standard (Policy Procedure). League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright 2004 by League of Minnesota Cities. All rights reserved.
Minimum Necessary Standard
1. When using, disclosing or requesting PHI, the Health Plan
shall make reasonable efforts to limit PHI to the minimum
necessary to accomplish the purpose.
2. The Health Plan requires relevant staff to have access
only to the minimum necessary PHI required by their job
functions.
It is the responsibility of the HIPAA Privacy Officer to limit
the access of relevant staff to only the minimum
necessary PHI required by their job function. The HIPAA
Privacy Officer may delegate certain job functions to be
performed by other individuals; however, the ultimate
responsibility for compliance with HIPAA remains with the
HIPAA Privacy Officer.
4. From time to time relevant staff of the Health Plan will be
asked to disclose PHI to other Covered Entities, regulatory
agencies, law enforcement authorities and others. Many
of these disclosures are permitted or required by law and
do not require authorization of the individual. Others may
require authorization of the individual whose PHI is to be
disclosed. Except for those instances identified previously,
the Health Plan will apply the minimum necessary
standard to all disclosures.
Requests for PHI
by Health Plan
Entire Medical Record
Record Retention
HIPAA Privacy Officer
Effective Date 10. April 14, 2004.
References:
45 C.F.R. 164.502(b), 164.514(d)
Relevant staff of the Health Plan may treat a request for a
disclosure as being for the minimum necessary PHI when
the request is:
A permitted disclosure to a public official who
states that the disclosure is the minimum
necessary;
From another Covered Entity;
From a professional who is a member of the
Health Plan or is a Business Associate of the
Health Plan if he /she states that the information
is the minimum necessary needed; and
For research purposes when the required
documentation is provided.
5. Relevant staff of the Health Plan must limit requests
made by them for PHI to that which is reasonably
necessary to accomplish the purpose of the request.
6. The Health Plan will not use, disclose or request an entire
medical record unless the entire medical record is
specifically justified as reasonably necessary. Unjustified
use, disclosure or request of an entire medical record will
be considered a violation of this policy. The only
exception regarding the entire medical record is when the
information is provided to persons involved in the
treatment of the individual.
7. A copy of all HIPAA covered information and any revisions
shall be maintained for a period of at least six (6) years.
Such retention may be in printed or electronic format, or
both.
8. The HIPAA Privacy Officer is responsible for the
development and implementation of the HIPAA policies
and procedures. The HIPAA Privacy Officer is also the
contact person for any questions or complaints regarding
HIPAA. Questions or concerns about HIPAA rights should
be directed to the HIPAA Privacy Officer at 651 -423 4411.
Violations 9. Violations of this policy will be subject to discipline.
Form 5 Minimum Necessary Standard (Policy Procedure). League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright 2004 by League of Minnesota Cities All rights reserved.
Policy Statement
Individuals have the right to access and copy their own protected health information (PHI)
maintained /retained by the Health Plan, including any business associates on behalf of the Health Plan, in
their designated record set (DRS).
Policy Interpretation and Implementation
Definition of DRS 1. A group of records maintained by the Health Plan that are:
a. Medical records and billing records about
individuals maintained by or for the Health Plan;
b. The enrollment, payment, claims adjudication,
and case or medical management record systems
maintained by or for the Health Plan; or
c. Used by or for the Health Plan to make decisions
about individuals.
Individual's Right to Access and
Copy PHI
Written Request
Time Frame for Retrieval of
Requested PHI
Denial of Access
Service Fees
Individual's Rights to Access Copy PHI
2. The term "record" as used above means any item, collection,
or grouping of information that includes PHI and is
maintained, collected, used, or disseminated by or for the
Health Plan.
3. An individual generally has a right to access and copy his /her
PHI maintained in the DRS.
4. Request for inspection and copying of PHI must be submitted
to the HIPAA Privacy Officer in writing.
5. Insofar as practical, the individual should allow at least thirty
(30) days for the Health Plan to obtain requested information.
Should an extension be necessary, the individual will be
notified of such request. In no case may the extension
exceed thirty (30) days.
6. Should the individual be denied access to requested records, a
written notice must be provided to the individual indicating
such denial and the reason(s) for the denial.
7. Postage and labor charge(s) may be assessed for copying and
mailing services. These charges are based on the City's Fee
Schedule.
Form 6— Indiwdual's Rights to Access and Copy PHI (Policy Procedure). League of Minnesota Cities HIPAA
Policies Procedures Guide. Copyright O 2004 by League of Minnesota Cities. All rights reserved.
Exceptions
Denial of Access Without Right
of Review
Denial in Accordance with Other
Applicable Law
Denial of Access With Right of
Review
Individual's Right to Review by
Another Licensed Professional
Time Frame for Facility to Act
Upon Individual's Request for
Access
8. Individuals may be denied access to (1) psychotherapy notes,
and (2) information compiled in reasonable anticipation of, or
for use in, a civil, criminal, or administrative action or
proceeding.
9. Denial of access without a right of review may occur:
10 Access may also be denied in accordance with other
applicable law.
11. Denial of access with a right of review may occur:
a. Where access is determined by a licensed
professional to be likely to endanger life or safety
of the Individual or another person; and
b. Where access is required by the individual's
representative and a licensed professional
determines that such access is reasonably likely to
cause substantial harm.
12. If the basis for denial of access gives the individual a right to
review, the individual has the right to have the denial
reviewed by a licensed professional who did not participate in
the original denial decision. Such review will be completed
within thirty (30) days of such request. The Health Plan will
provide the individual with a notice of the reviewer's decision
and will comply with the determination to either provide the
requested information or deny access to such requested
information.
13. The Health Plan will act upon an individual's request for
access to his /her DRS no later than thirty (30) days after
receipt of such request, unless the time period is extended as
described below:
Form 6 Individual's Rights to Access and Copy PHI (Policy Procedure) League of Minnesota Cities HIPAA
Policies Procedures Guide Copyright O 2004 by League of Minnesota Cities. All rights reserved
a. Where information was compiled in anticipation of
litigation;
b. Where care was provided under the direction of a
correctional institution and provision of access
would jeopardize health, safety, or rehabilitation;
and
c. Where Information was collected in the course of
research that includes treatment of the Individual
and the individual agreed to a suspension of the
right of access during the research period.
Denial of Access Notice
Access to Requested
Information
Access to Information
Maintained Off Premises
Record Retention
HIPAA Privacy Officer
a. If the information to be accessed is not
maintained or accessible on premises, the Health
Plan will act upon such request within sixty (60)
days of receipt of such request.
b. If the Health Plan is unable to act on the request
within the applicable thirty (30) or sixty (60) day
period, the Health Plan may extend the time for
response by thirty (30) days, provided that the
individual is given a written notice of the
reason(s) for the delay and the date by which a
responsive action will be taken.
14. The Health Plan will provide a timely, written denial of access
to the individual when such denials occur. Denial notices will
be written in easy -to -read language and will include, as a
minimum, the following information:
a. The basis for the denial of access;
b. Any right of review (as applicable);
c. How to file a complaint with the Health Plan;
d. The name and telephone number of the person to
whom the complaint may be filed; and
e. The address of the U.S. Secretary of Health and
Human Services.
15. To the extent practical, the individual will be given access to
any information requested after excluding the information for
which the Health Plan has grounds for denying access.
16. Should the information for which access has been requested
be maintained off premises or the Health Plan does not
maintain /retain such information, but knows where the
information is located, the Health Plan will either (a) notify the
individual where to direct his /her request for access, or (b)
otherwise make arrangements for the individual to access
such information. This includes, but is not limited to,
information maintained by a business associate on behalf of
the Health Plan.
17. A copy of all HIPAA covered information and any revisions
shall be maintained for a period of at least six (6) years. Such
retention may be in printed or electronic format, or both.
18. The HIPAA Privacy Officer is responsible for the development
and implementation of the HIPAA policies and procedures.
The HIPAA Privacy Officer is also the contact person for any
questions or complaints regarding HIPAA. Questions or
concerns about HIPAA rights should be directed to the HIPAA
Privacy Officer at 651- 423 -4411.
Violations 19. Violations of this policy will be subject to discipline.
Form 6 Individual's Rights to Access and Copy PHI (Policy Procedure). League of Minnesota Cities HIPAA
Policies Procedures Guide. Copyrcght 2004 by League of Minnesota Cities. All rights reserved.
Effective Date 20. April 14, 2004.
References:
45 C.F.R. 164.524
Form 6 Individual's Rights to Access and Copy PHI (Policy Procedure). League of Minnesota Cities HtPAA
Policies Procedures Guide. Copyright 2004 by League of Minnesota Cities. All rights reserved.
REQUEST TO ACCESS OWN PHI
Please note This Administrative Form relates to the Health Plan's Policy Form 6, Individual's Right to
Access Copy PHI.
You have a right to request access to inspect and to receive copies of your protected health information
"PHI Please see the Health Plan's Notice of Privacy Practices or contact the Health Plan's Privacy
Officer at 651 -423 -4411 for more information.
Please submit this form to: Assistant City Administrator
2875 145th Street West, Rosemount, MN 55068
Your name:
Address:
Daytime phone number:
Please select one:
I participate in or am covered under the Health Plan.
I am the personal representative of an individual participating in or covered under the Health
Plan (p /ease attach completed Designation of Persona/ Representative form).
Access is requested to the following information:
Please provide me with the above information dated between and
I prefer to review the information in the following manner (please select one):
Mailed copy View at City of Rosemount business offices
Electronic copy (if available) Other (describe on a separate sheet)
I agree to accept a summary of the above requested information and to pay a reasonable charge
for the costs incurred by the Health Plan in preparing the summary.
Form 6a Request to Access Own PHI (Administrative Form). League of Minnesota Cities RTPAA Policies
Procedures Guide Copyright o 2004 by League of Minnesota Cities. All rights reserved.
Please Read Carefully and Sign
I understand that the Health Plan will provide the requested inspection or copies if required to do so under
applicable law. I also understand that I may be charged for copying and postage in accordance with the
Health Plan's Notice of Privacy Practices.
Signature Date
Please note: Applicable law requires us to respond to you within 30 days after receiving your request,
unless the information requested is not maintained at our primary business address, in which case we will
respond within 60 days. We are entitled, in certain circumstances, to an additional 30 days in which to
respond. We will send you written notice if we determine we will need the additional 30 days.
For office use only:
Received by: Date:
Form 6a Request to Access Own PHI (Administrative Form). League of Minnesota Cities HIPAA Policies
Procedures Guide. Ccpyright 0 2009 by League of Minnesota Cities. All rights reserved.
GRANT OF REQUEST TO ACCESS OWN PHI
Please note: This Administrative Form relates to the Health Plan's Policy Form 6, Individual's Right to
Access Copy PHI.
Dear [participant, beneficiary, or personal representative]:
We received your request to access and /or copy your own protected health information ("PHI') on
[date].
ACCESS
COPIES
The information to which you requested access will be available as of [date] for your review
at City of Rosemount, 2875 145th Street West, Rosemount, MN 55068.
There are questions regarding your request for access. Please call us at 651- 423 -4411 so
we may discuss the nature and scope of your request.
We have enclosed copies of the information you requested. We are permitted under federal
law to recover our reasonable copying and postage costs of Please remit payment
[by check or money order] to:
City of Rosemount
2875 145th Street West
Rosemount, MN 55068
The records you requested are voluminous or are not in a format that is easily copied and
mailed. Please call us at 651- 423 -4411 so we may discuss the scope and format of your
request, as well as a convenient time and place for you to inspect or obtain a copy of the
requested information.
Please call us at 651- 423 -4411 if you have any questions.
Form 6b Grant of Request to Access Own PHI (Administrative Form). League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright 2004 by League of Minnesota Cities. All rights reserved.
NOTIFICATION OF ADDITIONAL TIME TO RESPOND TO ACCESS
TO OWN PHI
Please note This Administrative Form relates to the Health Plan's Policy Form 6, Individual's Rights to
Access Copy PHI.
Dear [participant, beneficiary, or personal representative]:
We received your request to access and /or copy your own protected health information "PHI on
[date]. We have been unable to respond due to [give reason for delay]. We will respond to your
request by [specific date no more than 30 days from original response due date].
Please call us at 651- 423 -4411 if you have any questions.
Thank you for your patience.
Forrn 6c Notification of Additional Time to Respond to Access Own PHI (Administrative Form). League of Minnesota Cities
HIPAA Policies Procedures Guide. Copyright 2004 by League of Minnesota Cities All rights
reserved
DENIAL OF REQUEST TO ACCESS OWN PHI
Please note This Administrative Form relates to the Health Plan's Policy Form 6, Individual's Rights to
Access Copy PHI.
Dear [participant, beneficiary, or personal representative]:
We have reviewed your request to access and /or copy your own protected health information "PHI
We are denying your request for the following reasons:
We do not maintain [part of] the information you requested. That information is
maintained by [insert description]. You have no right to appeal this denial.
[Part of the <or> The] information you requested is not contained in our designated
record sets. This means that we do not use the information you requested to make decisions
relating to your health benefits. Accordingly, we are not required to provide it under the
federal Privacy Rule. [We will provide you with access to the part of the information
you requested that is in our designated record sets.] You have no right to appeal this
denial.
The Privacy Rule exempts the information you requested from access requests. You have no
right to appeal this denial.
We have determined that release of the information you request may result in harm to you
or someone else. You may appeal this basis of denial. If you would like to appeal this
determination, you may write to us at:
City of Rosemount
2875 145th Street West
Rosemount, MN 55068
Complaints. You may submit a complaint about this denial to us. If you choose to do so, please direct
your complaint as indicated below. Please note that your complaint is not considered an appeal of our
denial.
You may also submit a complaint about this denial of access to the head of the U.S. Department of
Health and Human Services. Your complaint must be in writing, either on paper or electronically, and
must include the following information: (1) our name, and (2) a description of the acts or omissions that
you believe violate our responsibilities under the Privacy Rule. Your complaint must be filed within 180
days from the date of this letter.
Please call us at 651- 423 -4411 if you have any questions.
Form 6d Denial of Request to Access Own PHI (Administrative Form). League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright 2004 by League of Minnesota Cities. All rights reserved.
Privacy Officer
2875 145th Street West
Rosemount, MN 55068
651- 423 -4411
a
a)
N
0
el
(6
O
c
O
N
4)
0
N
D
N
N
O
c
0_
U)
L
O
U
N
a
U
C
O
N
m
0
w
(6
N
L
Ul
N
N
P_
U
N
a)
m
c
0)
N
0)
c
0
m
c
U)
0
0
N
c
0
0)
N N
L
E
3
O
w
a) a)
N
U d
a
c
N
6
N
a0
r a
Policy Statement
An individual may amend his /her protected health information (PHI).
Policy Interpretation and Implementation
Amendment of PHI
Written Amendment Request
Time Frame for Acting Upon a
Request for Amendments
Acceptance of Amendment
Amendment of the PHI
1. An individual may amend his /her PHI except as outlined
below:
a. The originator of the record is no longer available;
b. The information the individual wishes to amend
was not created by the Health Plan;
c. The information is not part of the health
information record;
d. The information contained in the record is
accurate and complete; and /or
e. The amended information would not be available
as provided by current law.
2. All requests for amendments to PHI must be submitted
to the HIPAA Privacy Officer in writing.
3. The Health Plan will act upon the individual's request for
an amendment no later than sixty (60) days after receipt
of such request. Should the Health Plan be unable to
act upon the request within the sixty (60) day period,
the individual will be provided with a written notice of
the reasons for the delay and the date by which the
Health Plan will complete such action. In no case will
such extension extend beyond thirty (30) days.
4. When the Health Plan accepts the amendment, in whole
or in part, the Health Plan will:
a. Make the requested amendment(s) to the PHI or
record that is subject to the amendment(s) or
provide a link to the location of such
amendment(s);
b. Inform the individual that the amendment(s) are
accepted and have been made;
c. Notify persons /entities authorized by the
individual that such amendments have been made
and provide copies of such amendments as
requested; and
d. Notify business associates that such amendments
have been made and provide copies of such
amendments to business associates as requested.
Form 7 Amendment of PHI (Policy Procedure). League of Minnesota Cities HIPAA Policies Procedures
Guide. Copyright 2004 by League of Minnesota Cities. All rights reserved.
Denial of Amendment Requests 5. Should the Health Plan deny a requested amendment,
in whole or in part, the Health Plan will:
a. Notify the individual in writing of the denial to
make an amendment to his /her PHI. Such denial
will include the following information:
1. The reason(s) for the denial;
ii. Information relative to how the individual may
submit a written statement disagreeing with
the denial;
111. Information relative to how the individual may
request that the amendment and the denial
become part of the individual's permanent
records; and
iv. Information relative to how the individual may
file a complaint with the HIPAA Privacy Officer
or to the U.S. Secretary of Health and Human
Services.
b. Include on all notices to the individual the name,
title, and telephone number of the contact person
or office designated to receive complaints.
Record Retention
HIPAA Privacy Officer
Effective Date 9. April 14, 2004.
References:
45 C.F.R. 164.526
6. A copy of all HIPAA covered information and any
revisions shall be maintained for a period of at least six
(6) years. Such retention may be in printed or electronic
format, or both.
7. The HIPAA Privacy Officer is responsible for the
development and implementation of the HIPAA policies
and procedures. The HIPAA Privacy Officer is also the
contact person for any questions or complaints
regarding HIPAA. Questions or concerns about HIPAA
rights should be directed to the HIPAA Privacy Officer at
651- 423 -4411.
Violations 8. Violations of this policy will be subject to discipline.
Form 7 Amendment of PHI (Policy Procedure). League of Minnesota Cities HIPAA Policies Procedures
Guide. Copyright O 2009 by League of Minnesota Cities All rights reserved.
Please note: This Administrative Form relates to the Health Plan's Policy Form 7, Amendment of PHI
You have a right to request an amendment of your own protected health information ("PHI Please see
the Notice of Privacy Practices or contact the Health Plan's Privacy Officer at 651- 423 -4411 for
more information.
Your name:
Address:
Daytime phone number:
REQUEST FOR AMENDMENT OF PHI
Please submit this form to:
Privacy Officer, City of Rosemount
2875 145th Street West
Rosemount, MN 55068
Please select one:
I participate in or am covered under the Health Plan [City of Rosemount].
I am the personal representative of an individual participating in or covered under the Health Plan
(please attach completed Designation of Personal Representative form if one is not already on
file).
I would like to request an amendment to the following information:
The information should be amended in the following manner:
I believe this information should be amended because (required):
Form 7a Request for Amendment of PHI (Administrative Form). League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright 2009 by League of Minnesota Cities. All rights reserved.
Please Read Carefully and Sign
I understand that the Health Plan will agree to my requested amendment unless it may deny the request
under applicable law.
Signature Date
Please note: Applicable law requires us to respond to you within 60 days after receiving your request,
unless we send you notification that we will need an additional 30 days to respond.
For office use on /y:
Received by: Date:
Form 7a Request for Amendment of PHI (Administrative Form). League of Minnesota Cities HIPAA Policies s
Procedares Guide. Copyright 0 2009 by League of Minnesota Cities. All rights reserved.
GRANT OF AMENDMENT OF PHI REQUEST
Please note This Administrative Form relates to the Health Plan's Policy Form 7, Amendment of the
PHI.
Dear [participant, beneficiary, or personal representative]:
We received your request for amendment of your own protected health information ("PHI on [date].
We have agreed to comply with your request. Accordingly, we will [append or link the corrected
information to the PHI in our possession].
If you like, we will notify persons you believe have received the PHI that is the subject of your
amendment request. Please fill out and return the enclosed form listing the names and, if known,
addresses, of those persons or entities. Please note that you must sign the form, giving us written
permission to disclose this amended information to the people you have listed.
Please call us at 651- 423 -4411 if you have any questions.
Enclosure
Form 7b Grant of Amendment of PHI Request (Administrative Form). League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright 0 2004 by League of Minnesota Cities. All rights reserved.
NOTIFICATION OF ADDITIONAL TIME TO RESPOND TO
AMENDMENT OF PHI
Please note: This Administrative Form relates to the Health Plan's Policy Form 7, Amendment of the
PHI.
Dear [participant, beneficiary, or personal representative]:
We received your request for an amendment to your own protected health information "PHI on
[date]. We have been unable to respond due to [give reason for delay]. We will respond to your
request by [specific date no more than 30 days from original due date of response].
Please call us at 651 423 -4411 if you have any questions.
Thank you for your patience.
Form 7c— Notification of Additional Time to Respond to Amendment of PHI (Administrative Form). League of Minnesota
Cities 31PAA Policies Procedures Guide. Copyright O 2004 by Leagae of Minnesota Cities. All
rights reserved.
DENIAL OF REQUEST FOR AMENDMENT OF PHI
Please note: This Administrative Form relates to the Health Plan's Policy Form 7, Amendment of the
PHI.
Dear [participant, beneficiary, or personal representative]:
We have reviewed your request for amendment of your own protected health information ("PHI'). Your
request is denied for the following reason:
We believe the records identified in your request are accurate and complete.
[Part of the <or> The] information you requested is not contained in our designated
record sets. This means that we do not use the information you requested to make decisions
relating to your health benefits. Accordingly, we are not required to amend it under the
federal Privacy Rule.
We did not create the records identified in your request. If you believe the person or entity
that created the record is no longer available to respond to a request for amendment, please
notify us and we will reconsider your request.
We have determined that the records you identified in your request would not be available
for inspection under the "right of access" provisions of the federal Privacy Rule, and therefore
are not subject to amendment.
If you disagree with our denial, you may submit a written statement setting forth the basis for your
disagreement. Your statement may be no longer than 1 page. If you choose not to file a statement of
disagreement, you may ask that we include your request for amendment and our denial of your request
with any future disclosures of the records at issue. If you wish to pursue either option, please submit in
writing (1) your statement of disagreement, or (2) your request that we include in future disclosures your
amendment request and our denial of that request to:
City of Rosemount
2875 145th Street West
Rosemount, MN 55068
You may submit a complaint about this denial to us. If you choose to do so, please direct your complaint
as indicated below. Please note that your complaint is not considered an appeal of our denial.
Privacy Officer, City of Rosemount
2875 145th Street West
Rosemount, MN 55068
651- 423 -4411
You may also submit a complaint about this denial to the head of the U.S. Department of Health and
Human Services. Your complaint must be in writing, either on paper or electronically, and must include
the following information: (1) our name, and (2) a description of the acts or omissions that you believe
violate our responsibilities under the Privacy Rule. Your complaint must be filed within 180 days of the
date of this letter.
Please call us at 651 423 -4411 if you have any questions.
Form 7d Denial of Request for Amendment of PHI (Administrative Form). League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright 2004 by League of Minnesota Cities. All rights reserved.
NOTICE TO OTHERS OF AMENDMENT OF PHI
Please note: This Administrative Form relates to the Health Plan's Policy Form 7, Amendment of the
PHI.
Dear [person or entity in possession of amended protected health information "PHI
Please note that you may have in your records the following protected health information "PHI relating
to [name of participant or beneficiary]:
We have amended that PHI as follows:
[description of PHI]
[describe amendment]
Please make a note of it in your records. This notice is being given as required by 45 CFR 164.526,
which is part of the Privacy Rule issued by the U.S. Department of Health and Human Services pursuant
to the Health Insurance Portability and Accountability Act of 1996 "HIPAA').
[Add when notice goes to a business associate.] Under your contract with us, you are a business
associate, and as such are required to append or link this notice or, if you choose, the amendment
described above, to the PHI described.
Please call us at 651- 423 -4411 if you have any questions.
Form 7f— Requestor's List of Persons or Entities to Be Notified of Amendment (Administrative Form). League of Minnesota
Cities HIPAA Policies s Procedures Guide. Copyright O 2004 by League of Minnesota Cities All
rights reserved
REQUESTOR'S LIST OF PERSONS OR ENTITIES TO BE NOTIFIED
OF AMENDMENT
Please note: This Administrative Form relates to the Health Plan's Policy Form 7, Amendment of the
PHI.
PERSONS OR ENTITIES TO BE NOTIFIED OF AMENDMENT
I authorize the Health Plan to notify the persons or entities listed below of the amendment the Health
Plan has made to my protected health information "PHI
NAME OF PERSON OR ENTITY
ADDRESS
(Please attach additional pages, if needed.)
Date: Signature:
Printed name:
Please submit this form to:
Privacy Officer, City of Rosemount, 2875 145th Street West, Rosemount, MN 55068
Form 7f— Requestor's List of Persons or Entities to Be Notified of Amendment (Administrative Form). League of Minnesota
Cities H?PAA Policies Procedures Guide. Copyright 2004 by League of _9innesota Cities All
rights reserved.
C
O
C w
C O
O v
CO rn
m
v
O
C T
T A
O d'
0
0
C N
Co s
-P
L O A
1
me fl i
a) u
I 6 a
a) o
L 111
0
C v
n o 9
N H
O
a) O 0
a7 O-
a,
0 6 N
7
~O C v
C N O
O a a
03 73 a
E N m
O v
c o 3
t H
3 H
9 N a
al O
C C
d O 2
E w y
0 0 m
a Cr ti
C 2 o
CO i
Y
N O
L V) h
D N C
H
m
CU N
N
W
C O 0
Q W
a7 al 0.
E L 0
v
p w a
O
m 0 ,Q
a) N
N -5 A
C N co
'O O E
C C
C O Q d
N O v
E J y
ct 2 Q g 54
C) C_ .6 N
C_ )p K
3 F b,
O V Ynu
O N
1
a N Q
rt
N
a O a 0
2 O E ti
U N
CU
E
15 a E U
N m
N
CO C
a) 4,
d g
N U u_ E
Request for an Accounting of
Disclosures of PHI
Time Frame of Accounting
Reports
Content of Accounting of
Disclosures Record
Accounting of Disclosures of PHI
Policy Statement
Individuals have the right to receive an accounting of disclosures of protected health information (PHI)
made by the Health Plan, including any business associate on behalf of the Health Plan.
Policy Interpretation and Implementation
1. An individual or his /her representative may request an
accounting of disclosures of his /her PHI made by the
Health Plan, including any business associate on behalf
of the Health Plan, during a specified time period of up
to six (6) years prior to the date of the request of an
accounting. Disclosures must be tracked by the Health
Plan for purposes of an accounting except the following
disclosures:
a. To carry out treatment, payment or healthcare
operations (TPO) as permitted under current law;
b. To the individual about his /her own PHI;
c. To persons involved in the individual's care;
d. For national security purposes;
e. Pursuant to the individual's authorization;
f. To federal /health department officials as
permitted under current law; and
g. Those disclosures that occurred prior to April 14,
2004.
2. Other than the exceptions noted above, the accounting
record must include disclosures of PHI that occurred
during the six (6) years (or shorter time period as is
specified in the request) prior to the date of such
request, including disclosures made by or to any of the
Health Plan's business associates.
3. The content of the written accounting of disclosures
record must contain, at a minimum, the following
information:
a. Date of the disclosure;
b. Name of the entity or individual who received the
PHI
c. The address of the person receiving the PHI (if
known)
d. A brief description of the PHI disclosed; and
Form 8 Accounting of Disclosures of PHI (Policy Procedure). League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright 2009 by League of Minnesota Cities. All rights reserved.
Multiple Disclosures
Time Frame for Providing
Accounting of Disclosure Data
Log
Record Retention
HIPAA Privacy Officer
Effective Date 10. April 14, 2004.
References:
45 C.F.R. 164.528
e. A brief statement of the purpose of the disclosure
that reasonably informs the individual of the basis
for the disclosure, or in lieu thereof, a copy of the
individual's authorization or the request for the
disclosure.
4. If, during the time period for the accounting, multiple
disclosures have been made to the same entity or
individual for a single purpose, or pursuant to a single
authorization, the accounting may provide the
information as set forth in paragraph 3 above for the
first disclosure, and then summarize the frequency of
number of disclosures made during the accounting
period and the date of the last disclosure during the
accou nting period.
5. An individual's request for an accounting of PHI
disclosures must be provided to the individual or
representative within sixty (60) days of such request. If
unable to provide the accounting within the sixty (60)
day time frame, a one time thirty (30) day extension
may be provided if:
a. The individual is notified in writing of the delay;
b. The notice includes the reason(s) why the delay is
necessary; and
c. The notice includes the date by which the
accounting will be provided.
6. The Health Plan will keep a log of all disclosures required
by paragraph 1 above which will include all necessary
information.
7. A copy of all HIPAA covered information and any
revisions shall be maintained for a period of at least six
(6) years. Such retention may be in printed or electronic
format, or both.
8. The HIPAA Privacy Officer is responsible for the
development and implementation of the HIPAA policies
and procedures. The HIPAA Privacy Officer is also the
contact person for any questions or complaints
regarding HIPAA. Questions or concerns about HIPAA
rights should be directed to the HIPAA Privacy Officer at
651- 423 -4411.
Violations 9. Violations of this policy will be subject to discipline.
Form 8 Accounting of Disclosures of PHI (Policy Procedure). League of Minnesota Cities HLPAA Policies
Procedures Guide Copyright 2004 by League of Minnesota Cities. All rights reserved
REQUEST FOR AN ACCOUNTING OF DISCLOSURES
Please note. This Administrative Form relates to the Health Plan's Policy Form 8, Accounting of
Disclosures of PHI.
You have a right to request that the Health Plan provide you with an accounting of certain disclosures
that it has made of your protected health information 'PHI'). Please see the Health Plan's Notice of
Privacy Practices or contact the Health Plan's Privacy Officer at 651- 423 -4411 for information.
Please submit this form to: Privacy Officer, City of Rosemount, 2875 145th Street West,
Rosemount, MN 55068
Your name:
Address:
Daytime phone number:
Please select one:
I participate in or am covered under the Health Plan [City of Rosemount].
I am the personal representative of an individual participating in or covered under the Health
Plan [City of Rosemount] (p /ease attach proof of personal representative status).
I would like an accounting of covered disclosures of my PHI made by the Health Plan
between the following dates:
and
Note: We are not required to provide an accounting of disclosures we made prior to the effective date
of the federal privacy rules (April 14, 2004).
Please Read Carefully and Sign
I understand that the Health Plan will provide the requested accounting of disclosures If required to do
so under applicable law. If this is not my first request for an accounting within a 12 -month period, I
understand that the Health Plan will notify me of its reasonable costs for complying with my request and
provide me with the opportunity to agree to pay those charges in order to receive the requested
accounting.
Signature Date
Please note: Applicable law requires us to respond to you within 60 days after receiving your request,
unless we send you a notification that we will need an additional 30 days to respond.
Form 8a Request for An Accounting of Disclosures (Administrative Form). League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright 2004 by League of Minnesota Cities. All rights reserved.
For office use only:
Received by: Date:
Form 8a Request for An Accounting of Disclosures (Administrative Form). League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright 0 2004 by League of Minnesota Cities. All rights reserved.
Information
Disclosed
Date Disclosed
Disclosed To:
Purpose of Disclosure
[Note: For multiple
disclosures to the same
entity, include all
information for first such
disclosure, how often or
when subsequent
disclosures were made,
and the date of the last
disclosure.
[Note: Include contact
information, if known.]
[Note: If disclosure was
made pursuant to a written
request, you may include
copies of the written request
instead of describing the
purpose of the disclosure.]
ACCOUNTING OF DISCLOSURES OF PHI
Please note: This Administrative Form relates to the Health Plan's Policy Form 8, Accounting of
Disclosures of PHI.
Dear [participant, beneficiary, or personal representative]:
We received your request for an accounting of disclosures of your protected health information 'PHI')
on [date]. We set forth below an accounting of those disclosures that, by law, must be provided in
response to your request.
There is no charge for this accounting. However, if you request additional accountings within the next 12
months, there may be a charge to you for our costs in complying with your requests.
Please call us at 651 423 -4411 if you have any questions.
Form 8b Accounting of Disclosures of PHI (Administrative Form). League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright 2009 by League of Minnesota Cities. All rights reserved.
NOTIFICATION OF ADDITIONAL TIME TO RESPOND TO
ACCOUNTING REQUEST
Please note: This Administrative Form relates to the Health Plan's Policy Form 8, Accounting of
Disclosures of PHI.
Dear [participant, beneficiary, or personal representative]:
We received your request for an accounting of disclosures of your protected health information "PHI
on [date]. We have been unable to respond due to [give reason for delay]. We will respond to your
request by [specific date no more than 30 days from original due date of response].
Please call us at 651- 423 -4411 if you have any questions.
Thank you for your patience.
Form 8c Notification of Additlonal Time to Respond to Accounting Request (Administrative Forrn). League of Minnesota
Cities HIPAA Policies Procedures Guide Copyright O 2004 by League of Minnesota Cities All
rights reservea.
NOTIFICATION OF CHARGES FOR SECOND REQUEST IN 12
MONTH PERIOD
Please note: This Administrative Form relates to the Health Plan's Policy Form 8, Accounting of
Disclosures of PHI.
Dear [participant, beneficiary, or personal representative]:
We received your request for an accounting of disclosures of your protected health information "PHI
on [date]. We responded to a prior request from you for an accounting on [date]. You are entitled to
one accounting without charge during any 12 month period. Because this is your second request within
12 months, we will charge you for our reasonable costs in putting together the accounting.
These costs include the time and expense of reviewing our records.
If we do not hear from you within [30] days from the date of this letter, we will assume that you have
withdrawn your request. If you do not wish to withdraw your request, please sign the acknowledgement
at the bottom of this letter and return it within [30] days.
Please call us at 651 423 -4411 if you have any questions.
Thank you for your patience.
ACKNOWLEDGMENT
I understand that I am being charged for my most recent
request for an accounting of disclosures of my protected health information "PHI because I have
requested more than one accounting within a 12 month period. I agree to pay all reasonable charges
prior to receiving the accounting. A check or money order is enclosed.
Name (print)
Telephone Number
Signature
Date
Return acknowledgement to:
Privacy Officer, City of Rosemount, 2875 145th Street West, Rosemount, MN 55068
Form Sd Notification of Charges for Second Request in 12 Month Period (Administrative Form). League of Minnesota
Cities HI ?AA Policies s Procedures Guide. Copyright O 2004 by League of Minnesota Cities. All
rights reserved
Accounting Provided
C
0
y
C
d
N
X
W
CD U to
C o
f0 U
u U te
Q o
Notification
of Charges
(more than
one request
in 12
months)
Request
Forwarded
to Business
Associates
N ts
CO U
CI re
Name of Requestor
[and ID Number]
Please note: This Administrative Form relates to the Health Plan's Policy Form 8, Accounting of Disclosures of PHI.
ACCOUNTING REQUEST TRACKING LOG
es Guide. Copyright d) 2004 by League of
0
E
L
O
LL
T
O
0
C
f0
H
a
0
0
0
En
0
0
N
b
L
0
0
E
O
T
V_
0
0..
C
a
0
O
Y
O
J-�
U
J-�
E
L
O
U..
0
L
L
L
C 0
E c
o O
Q CL
a C
a
W O
w
Oa in
ea Q
q
Responsibility For Obtaining
Verifications
Verification of Identity and
Authority
Request for Information In
Person
Request for Information By
Telephone
Verification Prior to Disclosure of PHI
Policy Statement
Prior to disclosing PHI, the Health Plan must verify the identity of the recipient and the recipient's
authority to have access to PHI, unless the identity and authority are known to the Health Plan. In
addition, when it is a condition of disclosure, prior to the disclosure of PHI, the Health Plan must obtain
any documentation, statements, or representations of the recipient as required by the Privacy Rule.
P /ease note: This Policy relates to Form 4, Use and Disclosure of PHI, Form 6, Individual's Right to
Access Copy PHI, and Form 19, Disclosures to the Plan Sponsor.
Policy Interpretation and Implementation
1. The HIPAA Privacy Officer or his /her designee will be
responsible for obtaining verifications when disclosure of
PHI is necessary.
2. Before releasing PHI, sufficient information must be
obtained from the person requesting the information to
reasonably conclude, under the circumstances, that the
person is who he /she says he /she is and has authority to
have access to the PHI. The type of information required
will depend on the nature of the request, from whom it is
made, and the method in which it is made.
3. When a request for PHI is made in person, identity may
generally be verified by inspecting some form of photo
identification. If photo identification is unavailable,
identity may be verified by inspection of some other form
of government issued identification.
In addition, in cases of disclosure for public policy
purposes, authority to have access to PHI may generally
be verified by receipt of the full name, date of birth, and
one other additional piece of information (i.e., SSN, other
identification number, address, or telephone number) of
the subject of the PHI and:
a. A written statement of the authority under which the
PHI is requested (or if a written statement is
impracticable, an oral statement); or
b. A legal document, such as a warrant, subpoena,
court order, or other legal process.
4. When a request for PHI is made by telephone, identity
may generally be verified by receipt of information that
identifies the person requesting the information. For
instance, if the person requesting the PHI is the subject of
the PHI, then identity may be established by providing
his /her full name, date of birth, and one other additional
piece of information (i.e., SSN, other identification
number, address, or telephone number). When the
Form 9 Venficaton Prior to Disclosure of PHI (Policy Procedure). League of Minnesota cities HIPAA Policies
Procedures Guide. Copyright 2004 by League of Minnesota Cities. All rights reserved.
Request for Information By Mail
or Email
Verification of Documentation,
Statements, or Representations
Record Retention
person requesting the information is a third party (i.e.
health care provider), identity may be established by
obtaining the caller's telephone number and calling
him /her back, making sure the area code and exchange
matches a listed telephone number for the
company /agency. In order to verify authority to access
the PHI when it is requested by someone other than the
subject, obtain the full name, date of birth, and one other
additional piece of information (i.e., SSN, other
identification number, address, or telephone number)
regarding the subject of the PHI and a statement of the
authority under which the PHI is requested.
Please note: The Health Plan is not required to release
PHI when the request for release is made by telephone.
5. If a request for PHI is received by mail, identity may
generally be verified by receipt of some unique piece of
information that identifies the person requesting the
information or by receipt of the request in a format that
tends to establish the identity of person making the
request. For instance, if the person requesting the PHI is
the subject of the PHI, then a written request containing
the person's social security number or other unique
identification number will be sufficient. When the person
requesting the information is a health care provider or a
public agency, receipt of the request on appropriate
letterhead will be sufficient.
6. The person verifying the documentation, statements, or
representations provided by the recipient as required by
the Privacy Rule may, when doing so is reasonable under
the circumstances, rely on documentation, statements,
and representations that, on their face, meet the
applicable requirements. Such reliance will not be
reasonable when information is known by the person that
tends to indicate the documentation, statement, or
representation is not authentic. In such situations,
additional steps to verify the authenticity of the
documentation, statement, or representation shall be
taken.
Log 7. The Health Plan will keep a log of all verifications, which
will include all necessary information.
8. A copy of all HIPAA covered information and any revisions
shall be maintained for a period of at least six (6) years.
Such retention may be in printed or electronic format, or
both.
HIPAA Privacy Officer 9. The HIPAA Privacy Officer is responsible for the
development and implementation of the HIPM policies
and procedures. The HIPAA Privacy Officer is also the
Form 9 Verification Prior to Disclosure of PHI (Policy Procedure). League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright 2004 by League of Minnesota Cities. All rights reserved.
Violations 10. Violations of this policy will be subject to discipline.
Effective Date 11. April 14, 2004.
References:
45 C.F.R. 164.508(b)
contact person for any questions or complaints regarding
HIPAA. Questions or concerns about HIPAA rights should
be directed to the HIPAA Privacy Officer at 651- 423 -4411.
Form 9—Verification Prior to Disclosure of PHI (Policy Procedure) League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright 2004 by League of Minnesota Cities All rights reserved.
0
N
E
O
LL
T
U
O
a
2
a
w
O
1
N
to
0
u
0
1-
O
0
N
r-i
d
O
LL O
u N
in
O in
a o
0
U
C p
rcs
o
L o
rcs L
C
B
O L
a-1
Cr)
a)
1
E
L
E
T
LL U
0
N d
C
JJ
L
0 O
C
Q Q
L C
EC
3 O
N
w
W N
y o
I
4
N
d
U
ra
4-)
0
N
c
0
0
rO
N
a
E
0
0
N
E
0
O
J N
m
C N j
1.4
N
4
0
6 4
10 N
O1
E
1-)
IL U
Individual Requested Restrictions on Use or Disclosure of PHI
Policy Statement
Individuals have the right to request restrictions on uses and disclosures of protected health information
(PHI) relative to treatment, payment, or health care operations (TPO).
Policy Interpretation and Implementation
Request for Restriction on use
or Disclosure of PHI
1. A request for restriction of use or disclosure of
information must be submitted in writing to the HIPAA
Privacy Officer. Such request must specify the type of
information to be included in the restriction and to
whom the restriction applies.
2. Upon receipt of an individual's request that a restriction
be placed on the use or disclosure of PHI, the HIPAA
Privacy Officer will:
a. Determine the reasonableness of the request
based on the administrative capability of the
Health Plan to comply with such request;
b. Identify the means and location the individual
wishes the information to be communicated; and
c. Notify the individual whether or not the Health
Plan agrees to the restriction within sixty (60)
days of the date of such request unless an
extension is necessary. Such extension will not
exceed thirty (30) days.
Exceptions to Restrictions 3. Should the Health Plan agree to the restriction, the
Health Plan and its business associates will honor such
request except when:
a. The restriction is terminated by the Health Plan or
the individual, and /or
b. There is an emergency treatment situation.
The HIPAA Privacy Officer will be responsible for
notifying any impacted business associates.
Emergency Treatment 4. When emergency treatment is necessary, the provider of
the treatment may not use or disclose PHI or
information which a restriction has been placed, except
for what is necessary to provide appropriate emergency
care for the individual. The emergency health treatment
provider may not further disclose the restricted
information beyond what is needed for the emergency
treatment.
Termination of a Restriction 5. The Health Plan may terminate a restriction:
Form 10 Indiv dual Requested Restrictions on Use or Disdosure of PHI (Policy Procedure). League of Minnesota Cites
HIPAA Policies ProcedLres Guide Copyright Cl 2004 by League of Minnesota Cities. All rights
reserved.
Termination Notices
Record Retention
HIPAA Privacy Officer
Effective Date 10. April 14, 2004.
References:
45 C.F.R. 164.522
a. When the individual requests the termination;
and /or
b. When the Health Plan informs the individual of
the termination.
6. Termination notices must be in writing and must indicate
the effective date such termination and the reason(s) for
such termination.
7. A copy of all HIPAA covered information and any
revisions shall be maintained for a period of at least six
(6) years. Such retention may be in printed or electronic
format, or both.
8. The HIPAA Privacy Officer is responsible for the
development and implementation of the HIPAA policies
and procedures. The HIPAA Privacy Officer is also the
contact person for any questions or complaints
regarding HIPAA. Questions or concerns about HIPAA
rights should be directed to the HIPAA Privacy Officer at
651- 423 -4411.
Violations 9. Violations of this policy will be subject to discipline.
Form 10 Individual Requested Restrictions on Use or Disclosure of PHI (Policy Procedure) League of Minnesota Cities
HIPAA Policies Procedures Guice. Copyright 2004 by League of Minnesota Cities All rights
reserved.
REQUEST TO RESTRICT CERTAIN USES AND DISCLOSURES
Please note: This Administrative Form relates to the Health Plan's Form 10, Individual Requested
Restrictions on Use or Disclosure of PHI.
You have a right to request the Health Plan restrict:
Uses or disclosures of your protected health information ("PHI in carrying out payment or
health care operations activities.
Disclosures to family members or friends involved in your health care or payment relating to your
health care.
Use this form to request such a restriction. THE HEALTH PLAN IS NOT REQUIRED TO COMPLY
WITH YOUR RESTRICTION REQUEST.
IMPORTANT IF YOU BELIEVE YOU WILL BE ENDANGERED IF YOUR PHI IS DISCLOSED THROUGH A
COMMUNICATION WE MIGHT MAKE TO YOU OR SOMEONE IN YOUR HOUSEHOLD, PLEASE SUBMIT THE
FORM ENTITLED "REQUEST FOR CONFIDENTIAL COMMUNICATION."
Please submit this form to:
Privacy Officer, City of Rosemount, 2875 145th Street West, Rosemount, MN 55068
Your name:
Address:
Daytime phone number:
Please select one:
I participate in or am covered under the Health Plan [City of Rosemount].
I am the personal representative of an individual participating in or covered under the Health
Plan (please attach completed Designation of Persona/ Representative form).
I request the Health Plan to restrict its uses or disclosures of my PHI for purposes of payment or
health care operations. Specifically, I request the following restrictions (describe):
(If more space needed, please attach separate sheet)
Form 10a Request to Restrict Certain Uses and Disclosures (Administrative Forms). League of Minnesota Cities HIPAA
Policies Procedures Guide Copyright CO 2004 by League of Minnesota Cities. All rights reserved
I request the Health Plan to not make disclosures to the following family members or friends who
may be involved in my health care or payment with respect to my health care (list names):
(If more space needed, please attach separate sheet)
Please Read Carefully and Sign
I understand that the Health Plan is not required to agree to my requested restriction. I also understand
that if the Health P /an agrees to the requested restriction, it may stop doing so prospectively so long as it
informs me that the restriction is removed.
Signature Date
For office use only:
Received by: Date:
Form 10a Request to Restrict Certain Uses and Disclosures (Administrative Forms). League of Minnesota Cities HIPAA
Policies Procedures Guide. Copyright 2004 by League of Minnesota Cities. All rights reserved.
RESPONSE TO REQUEST TO RESTRICT CERTAIN USES AND
DISCLOSURES
Please note: This Administrative Form relates to the Health Plan's Polity Form 10, Individual Requested
Restrictions on Use or Disclosure of PHI.
Dear [participant, beneficiary, or personal representative]:
We received your request that we restrict certain uses and disclosures of your protected health
information ("PHI As you know, the law does not require us to agree to your requested restriction.
We will not be able to agree to your restriction. However, if you believe you will be
endangered if your PHI is disclosed through a communication we might make to you or
someone in your household, please submit the form entitled "Request For Confidential
Communication."
We will agree to restrict uses and disclosures of your PHI as you requested. Specifically,
[describe uses and disclosures that will not be made, including specifically the
names of family members /friends to whom disclosures will not be made.]
Please note that we may remove this restriction prospectively at any time upon providing notice to you.
Please call us at 651- 423 -4411 if you have any questions.
Form lob Response to Request to Restrict Certain Uses and Disclosures (Administrative Form). League of Minnesota
Cities HIPAA Policies Procedures Guide. Copyright 2004 by League of Minnesota Cities. All
rights reserved.
Individual Requested Restrictions on Confidential
Communications
Policy Statement
Individuals have the right to request an alternate means of communication of the individual's protected
health information (PHI) from the Health Plan to the individual. The restrictions apply only to
communications to the individual by the Health Plan or communications that would otherwise go to the
subscriber of the policy under which the individual has coverage. The effect of this is to ensure a family
member who is not the subscriber can receive communications of PHI at the individual's workplace or
other alternate address or phone number, so that other family members are unaware of the information.
Policy Interpretation and Implementation
Request for Confidential
Communications
Consideration of Request
1. A request for confidential communications must be
submitted in writing to the HIPAA Privacy Officer. Such
request must specify the type of information to be
covered by the confidential communication's restriction,
and to whom the restriction applies, the alternate
address or other method of contact requested, and how
payment will be handled (if applicable). The Health Plan
may require evidence that if the information is disclosed
other than the manner requested it could endanger the
individual.
2. Upon receipt of an individual's written request for
confidential communications of PHI, the HIPAA Privacy
Officer will:
a. Determine the reasonableness of the request
based on the administrative capability of the
Health Plan to comply with such request;
b. The determination of reasonableness will not
include an evaluation of the merits of the
individual's reason for making the request;
c. Identify the alternate means by and /or location to
which the individual requests the information to
be communicated and how payment will be
handled; and
d. Notify the individual whether or not the Health
Plan agrees to the request within sixty (60) days
of the date such request was received unless an
extension is necessary. Such extension shall not
exceed thirty (30) days.
Form 11 Individual Requested Restrictions on Confidential Communications (Policy Procedure). League of Minnesota
Cities HIPAA Policies Procedures Guide Copyright 20C4 by Leagua of Minnesota Cities. All
rights reserved
Exceptions to confidential
communications
3. Should the Health Plan agree to the confidential
communications, the Health Plan and its business
associates will honor such request except when the
confidential communication request is terminated by the
Health Plan or the individual. The HIPAA Privacy Officer
will be responsible for notifying any impacted business
associates.
Termination of confidential 4. The Health Plan may terminate confidential
communications communications:
a. When the individual requests the termination;
and /or
b. When the Health Plan informs the individual of
the termination.
Termination Notices
Record Retention
HIPAA Privacy Officer
Effective Date 9. April 14, 2004.
References:
45 C.F.R. 164.522(b)
5. Termination notices must be in writing and must indicate
the date such termination is to become effective and the
reason(s) for such termination. The termination notice
must be provided before the effective date of the
termination notice. A copy of the termination notice
must be filed in the individual's records maintained for
HIPAA purposes.
6. A copy of all HIPAA covered information and any
revisions shall be maintained for a period of at least six
(6) years. Such retention may be in printed or electronic
format, or both.
7. The HIPAA Privacy Officer is responsible for the
development and implementation of the HIPAA policies
and procedures. The HIPAA Privacy Officer is also the
contact person for any questions or complaints
regarding HIPAA. Questions or concerns about HIPAA
rights should be directed to the HIPAA Privacy Officer at
651 423 -4411.
Violations 8. Violations of this policy will be subject to discipline.
Form 11 Individual Requested Restrictions on Confidential communrcabons (Policy Procedure). League of Minnesota
Cities HIPAA Policies Procedures Guide. Copyright C 2004 by League of Minnesota Cities All
rights reserved.
REQUEST FOR CONFIDENTIAL COMMUNICATIONS
Please note: This Administrative Form relates to the Health Plan's Policy Form 11, Individual Requested
Restrictions on Confidential Communications.
You have a right to request that the Health Plan provide alternative means or alternative locations for you
to receive communications of your protected health information "PHI We must agree to your request
for a confidential communication only if (1) you provide a reasonable alternative means or locations for
the communication, and (2) you believe that a disclosure of the information could endanger you.
Please submit this form to:
Privacy Officer, City of Rosemount, 2875 145th Street West, Rosemount, MN 55068
Your Name:
Address:
Daytime phone number:
Please select one:
I participate in or am covered under the Health Plan [City of Rosemount].
I am the personal representative of an individual participating in or covered under the Health
Plan [City of Rosemount] (p /ease attach completed Designation of Personal Representative
form).
My request for confidential communications from the Health Plan applies to the following types of
communications (list):
(If more space is needed, please attach a separate sheet)
The communications identified above should be made to me in the following manner (please provide an
alternative address, telephone number, or e-mail address):
Form lla Request for Confidential Communications (Administrative Form). League of Minnesota Cities HIPAA
Policies Procedures Guide Copyright 0 2004 by League of Minnesota Cities. All rights reserved
Please Read Carefully and Sign
I believe that disclosure of my PHI in the communications described above could endanger me. I
understand that the Health P /an is not required to agree to my request for a confidential communication
if I do not provide a reasonable alternative means for the communications or if I do not believe that the
disclosure of information in the communication will endanger me.
Signature Date
For office use only:
Received by: Date:
Form lla Request for Confidential Communications (Administrative Form). League of Minnesota Cities HIPAA
Policies Procedures Guide. Copyright 2004 by League of Minnesota Cities. All rights reserved.
a
u
0
a
0
a
0
0
N
0
u
5
0
O
a)
0
O
C
O
0
U
6 L
v
Q
ra
LL
ti
N
0
O
a 0 n u
c c
CO
n. E
E
o
mu
v
S �o
N
N
O C
N
C
N O
N
E o
B
C
v
K
C
E
C a
Q
N
F
i
N
N E
4L
N
b
v
v
0
u
0
N
44
W
N
O
0
O
a s
N
N
N
N
U
N
4
0
0)
N
N
w
0
W
m
0
a
E
LL
ra
E 0)
E
a v
0)
rn v
J N
on N
C
V -4
m
Yn r
0
Q
N
a'
o a
o
061
j n
E O
E 04
U c
To G
a
N 0
0 0
C
O 7
ro
N
N a
JI
d
a
U 0
i N
I G
a to
ti ti
E
a
`o O
LL U
Policv Statement
Individuals, family members, employees, the general public, or business associates have the right to file
complaints regarding Health Plan policies, procedures, or practices relative to the access, use, or
disclosure of protected health information (PHI).
Policy Interpretation and Implementation
Designation of Person to
Receive Complaints
Filing of Privacy Complaints
Submitted Complaints
Investigation Process
Results of Investigation
Dissatisfaction of
Investigation/ Resolution
Filing Complaints with the
Secretary of HHS
Privacy Complaint Procedure
1. The HIPAA Privacy Officer has been designated as the
individual responsible for receiving, processing, and
investigating all privacy related complaints. The HIPAA
Privacy Officer may in turn designate employees in
particular areas to assist.
2. Any individual, representative, family member,
employee, business associate, visitor, or the general
public may file a grievance or complaint regarding
Health Plan privacy practices (e.g., denial of access to
PHI, amendment of health records, problems with
business associates, HIPAA policy and procedure
violations, etc.) without fear or reprisal or retaliation in
any form.
3. Complaints should be submitted to the HIPAA Privacy
Officer in writing.
4. The HIPAA Privacy Officer or his /her designee will begin
an investigation into allegations within five (5) working
days of the receipt of the complaint.
5. A written report of the findings of the investigation will
be provided to the individual filing the complaint within
thirty (30) days of receiving such complaint unless an
extension is necessary to complete the investigation.
Such extension may not exceed thirty (30) days.
6. Should the individual not be satisfied with the result of
the investigation, or the recommended resolution(s),
he /she may file a complaint with the Secretary of Health
and Human Services (HHS).
7. Complaints may be filed directly with the Secretary of
HHS. Such complaints must be in writing, identify the
Health Plan, and must describe the violation.
Complaints must be filed within one hundred eighty
(180) days of the complainant learning of the alleged
violation or should have been aware of the alleged
violation.
Form 12— Pnvacy Complaint Procedure (Policy Procedure). League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright (0 2004 sy League of Minnesota Cities. All rights reserved.
Address of Secretary of HHS
Retention of Complaints Log
Record Retention
HIPAA Privacy Officer
Violations 12. Violations of this policy will be subject to discipline.
Effective Date 13. April 14, 2004.
References:
45 C.F.R. 164.530(d)
8. The address of the Secretary of HHS is located in the
Notice of Privacy Practices (NPP) and /or made available
to individuals. Persons may also obtain the address
from the HIPAA Privacy Officer.
9. The HIPAA Privacy Officer or his /her designee will
maintain a log of all complaints received Copies of all
complaints, their disposition and resolutions, and our
complaint log will be maintained for a period of at least
six (6) years from the date such complaint was received.
10. A copy of all HIPAA covered information and any
revisions shall be maintained for a period of at least six
(6) years. Such retention may be in printed or electronic
format, or both.
11. The HIPAA Privacy Officer is responsible for the
development and implementation of the HIPAA policies
and procedures. The HIPAA Privacy Officer is also the
contact person for any questions or complaints
regarding HIPAA. Questions or concerns about HIPAA
rights should be directed to the HIPAA Privacy Officer at
651 -423 4411.
Form 12 Privacy Complaint Procedure (Policy Procedure). League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright 2004 by League of Minnesota Cities All rights reserved.
PRIVACY COMPLAINT FORM
Please note This Administrative Form relates to the Health Plan's Policy Form 12, Privacy Complaint
Procedure.
You have a right to file a complaint about the Health Plan's privacy practices or the Health Plan's
compliance with the Notice of Privacy Practices, Privacy Policies and Procedures, or the federal Privacy
Rule. The Health Plan will not require you to waive any right you may have under the federal Privacy
Rule to file your complaint, nor will filing your complaint adversely affect your enrollment in the Health
Plan, your eligibility for benefits under the Health Plan, or payment of your claims under the Health Plan.
Please submit this form to:
Privacy Officer, City of Rosemount, 2875 145th Street West, Rosemount, MN 55068
Your name:
Address:
Daytime phone number:
Please provide a concise statement of your complaint:
Date: Signature:
Printed name:
For office use only:
Received by: Date:
Form 12a Pnvacy Complaint Form (Admimstrahve Form) League of Minnesota Cities HIPAA Policies
Procedures Guide Copyright 2004 by League of Minnesota Cities. All rights reserved.
RESPONSE TO PRIVACY COMPLAINT
Please note: This Administrative Form relates to the Health Plan's Policy Form 12, Privacy Complaint
Procedure.
Dear [participant, beneficiary, or personal representative]:
We received your complaint regarding the Health Plan's handling of your protected health information
"PHI'). The privacy of PHI is important to us and we take it seriously.
You stated that [brief description].
[We have investigated this matter and determined that no violation of our privacy policies and
procedures or the Privacy Rule occurred.] [Brief description of why use /disclosure was proper or
policies /procedures are appropriate.]
[We have investigated this matter and determined that a violation of [brief description] has
occurred.] [Brief description of what is being or has been done.]
Please call us at 651 423 -4411 if you have any questions.
Form 12b— Response to Privacy Complaint (Administrative Form). League of Minnesota cities EIPAA Policies
Procedures Guide. Copyright 0 2003 oy League of Minnesota Cities. All rights reserved.
W
Y
ra
l—
c
0
U
4
Date
Response
Issued to
Individual
Logging
Complaint
Investigation
Completion
Date
Start Date of
Investigation
Covered
Component
Nature of
Complaint
Date Rec'd
Name of
Individual
Logging
Complaint
v
a
N a,
t m
a
o
a
U O
t N
CO O
N y
r
C b'
N
C T
0 a
Q o
E U
O
0 N
'0 a
N a
N 0
0
O v
0 H
a
.c v
f U
3 u
2
w
o w
El? a)
.H
0
Q
0 o
0
a
c
0
E
0 v
O) H
c H
N U
Q N
u
v o
co
CO v
0 G
.c H
E
N o
v
o a
N e'
N m
C a
al
0
0 `o b
C LL v
al j H
O it, v
Y ra a
Oil E
a
.T,
CO
ao�
L H
CO m N
O
0 -I
ca
Y
0 V
N 00 F N
v
H
C H
0 u
d
N E m
O -P
CD U o
C 1 v
w
O N N G
)i a H
E E
0
CO 0 LL 0
Please note: This Administrative Form relates to the Health Plan's Policy Form 12, Privacy Complaint Procedure.
COMPLAINT TFtACKING LOG
Responsibility For Obtaining
Authorizations
Provision of Treatment,
Payment, or Eligibility
Content of Authorization
Authorization for Use or Disclosure of PHI
Policy Statement
All uses and disclosures of protected health information (PHI) beyond those otherwise permitted by
current HIPAA law, and not otherwise prohibited under another applicable law, require a signed
authorization. In addition, the Health Plan, including any business associates on behalf of the Health
Plan, may choose to obtain a signed authorization in situations where it is not required.
Policy Interpretation and Implementation
1. The HIPAA Privacy Officer or his /her designee will be
responsible for obtaining authorizations when use or
disclosure of protected health information is necessary.
2. The provision of treatment, payment, or eligibility for
benefits may not be conditioned on the individual's
provision of an authorization for the use or disclosure of
PHI.
3. Each authorization for the use or disclosure of an
individual's PHI will be written in easy to read language
and will include, at a minimum, the following information:
a. A specific and meaningful description of the
information to be used or disclosed;
b. The name or identification of the person or class
of person(s) authorized to make the use or
disclosure;
c. The name or identification of the person or class
of person(s) to whom the requested use or
disclosure may be made;
d. An expiration date, condition or event that relates
to the individual or the purpose of the use or
disclosure; the authorization shall state that it will
expire after ninety (90) days unless the individual
has opted for a shorter or longer time. An
individual may specify a longer period of time for
the duration of the authorization only if the
person:
i. Is part of an approved research study and has
given authorization for a longer period of time;
or
ii. Is expected to continue receiving services
beyond ninety (90) days and has given
authorization for a longer period of time, which
may be up to one calendar year.
e. A statement of the individual's right to revoke the
authorization in writing, and exceptions to the
right to revoke, together with a description of how
Form 13 Authorization for Use or Disclosure of PHI (Policy Procedure) League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright 0 2004 by League of Minnesota Cities. All rights reserved.
Request Form
Requests to Use or Disclose
PHI for Own Purposes
Requests for PHI from Others
the individual may revoke the authorization. Upon
written notice of revocation, further ruse or
disclosure of PHI shall cease immediately except to
the extent that the facility, program or individual
has acted in reliance upon the authorization or to
the extent that use or disclosure is otherwise
permitted or required by law; (See policy entitled
Revocation of an Authorization.)
f. A statement that the information may only be re-
released with the written authorization of the
individual, except as required by law;
g. The dated signature of the individual; and
h. If the authorization is signed by a personal
representation of the individual, a description of
the representative's authority to act on behalf of
the individual.
4. The Health Plan may develop a standard form for
authorizing use and disclosure of PHI. If the Health Plan
develops a form, the form must be used for all
authorizations.
5. If the authorization is requested by the Health Plan for its
own use or disclosure of the PHI it maintains, for purposes
outside of treatment, payment or health care operations
(TPO), health care oversight or public health activities, the
following elements are required in addition to those
specified in paragraph 3 above:
a. Except in circumstances where it is allowed, a
statement that treatment, payment and eligibility for
benefits will not be conditioned upon the individual's
provision of an authorization;
b. A description of each purpose of the requested use or
disclosure;
c. A statement that the individual may refuse to sign the
authorization;
d. If applicable, a statement that the use or disclosure
will result in direct or indirect remuneration for a third
party; and
e. A copy of the signed authorization provided to the
individual.
6. If the authorization is requested for disclosures of PHI by
others, the following elements are required in addition to
those specified in paragraph 5 above:
a. A description of each purpose of the requested
disclosure;
b. Except in circumstances where it is allowed, a
Form 13 Authonzation for Use or Disclosure of PHI (Policy Procedure) League of Minnesota Cities xIPAA Policies
Procedures Guide. Copyright 2004 by League of Minnesota Cities. All rights reserved.
Use or Disclosure of PHI for
Research
Record Retention
HIPAA Privacy Officer
Effective Date 12. April 14, 2004.
References:
45 C.F.R. 164.508(b)
statement that treatment, payment and eligibility for
benefits will not be conditioned upon the individual's
provision of an authorization;
c. A statement that the individual may refuse to sign the
authorization; and
d. A copy of the signed authorization provided to the
individual.
7. Use or disclosure of PHI created for research generally
requires an authorization unless such use or disclosure is
permitted by law. Such authorization must include the
basic elements specified in paragraphs 3, 5, and 6 above,
as well as the following information:
a. A description of the extent to which PHI will be used
to carry out TPO;
b. A description of any PHI that will not be used or
disclosed for purposes otherwise permitted, provided
that the limitation may not preclude disclosures
required by law or to avert serious threat to health or
safety; and
c. References to any privacy notice expected to be given
to the individual, which must include statements that
the terms outlined in the privacy notice are binding.
8. The authorization for the use and disclosure of PHI created
for research may be combined in the same document with
the consent to participate in research, or the privacy
notice.
9. A copy of all HIPAA covered information and any revisions
shall be maintained for a period of at least six (6) years.
Such retention may be in printed or electronic format, or
both.
10. The HIPAA Privacy Officer is responsible for the
development and implementation of the HIPAA policies
and procedures. The HIPAA Privacy Officer is also the
contact person for any questions or complaints regarding
HIPAA. Questions or concerns about HIPAA rights should
be directed to the HIPAA Privacy Officer at 651 -423 -4411.
Violations 11. Violations of this policy will be subject to discipline.
Form 13 Authorization for Use or Disclosure of PHI (Policy Procedure). League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright 2004 by League of Minnesota Cities. All rights reserved.
AUTHORIZATION FOR USE OR DISCLOSURE
Please note. This Administrative Form relates to the Health Plan's Policy Form 13, Authorization for Use
or Disclosure of PHI.
Name: Date:
I hereby authorize the use and disclosure of my protected health information "PHI as indicated below.
I understand that this authorization is voluntary and that I may revoke this authorization at any time
except to the extent that action has been taken in reliance on this authorization. I also understand that if
the individual or organization authorized to receive this information is not required to comply with current
Privacy Rule, my PHI may be disclosed to others and no longer protected by the current federal Privacy
Rule.
Complete health care record(s)
History Physical Examination
Laboratory Reports
Medical /Treatment Records
Pathology Reports
X -Ray Reports
Transcribed Reports
Nurses' Notes
0
CI
Progress Notes
Care Plans
Dental Records
Photographs, Video Tapes, Digital or other
images
Billing Statements
Emergency Care Records
Consultant Reports
Discharge Summary
Other:
The information checked and /or listed above is to be released to:
for the purposes of:
Assisting with claims resolution
Insurance or other benefit eligibility or coverage
Litigation, potential litigation, or other adversarial proceedings
Fitness for duty determination, drug testing results, or other employment related purposes
Other:
This authorization, for the release of the PHI checked and /or listed above, is valid for one (1) year after
the date it is signed or upon completion of the use of the information for the purpose it was intended,
unless an earlier expiration date is indicated here:
I understand that the individual, organization, or entity receiving my PHI may receive financial or in -kind
compensation in exchange for using or disclosing the PHI described above.
I understand that I may refuse to sign this authorization and that my refusal to sign will not affect my
ability to obtain treatment or payment or my eligibility for benefits.
I understand that I may access and copy any PHI used or disclosed under this authorization. I
understand that a fee may be charged for such copying services.
I hereby release the Health Plan, its employees, officers, and health care professionals from any legal
responsibility or liability for disclosure of the above information to the extent indicated and authorized
herein.
Form t3a Authonzation for Use or Disclosure (Administrative Form) League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyrignt 2004 by League of Minnesota Cities. All rights reserved.
I understand that I may revoke this request at anytime by providing the Health Plan with my written
notice of such revocation.
Date: Signature:
Printed name:
or
Date: Signature of personal representative:
Printed name of personal representative:
Relationship to me and basis upon which can sign:
Date: Signature of witness:
Printed name of witness:
Form 13a Authonzation for Use or Disclosure (Administrative Form). League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright 2004 by League of Minnesota Cities. All rights reserved.
Revocation of an Authorization
Policy Statement
Individuals have the right to revoke the authorization to access, release, use or disclose their protected
health information (PHI) at any time. (Also see policy entitled: Authorization for Use or Disclosure of
PHI.)
Policy Interpretation and Implementation
Revocation Request
1. All requests for revocation of an individual's authorization
to access, release, use, or disclose PHI must be submitted
to the HIPAA Privacy Officer in writing. The revocation
must be specific enough to permit identification of the
authorization that is being revoked. Oral requests will not
be honored.
Notification of Personnel of 2. Upon receipt of a written revocation, the HIPAA Privacy
a Revocation Officer will notify relevant staff and impacted business
associates that a revocation has been received and that
no further information may be released as specified in the
authorization, with the exception that personnel may, as a
result of relying on the authorization:
Exceptions to Revocation a. Complete the task it started (e.g., billings for
services already provided); or,
b. Submit findings from an independent medical
examiner to the person /entity requesting it.
Record Retention 3. A copy of all HIPAA covered information and any revisions
shall be maintained for a period of at least six (6) years.
Such retention may be in printed or electronic format, or
both.
HIPAA Privacy Officer 4. The HIPAA Privacy Officer is responsible for the
development and implementation of the HIPAA policies
and procedures. The HIPAA Privacy Officer is also the
contact person for any questions or complaints regarding
HIPAA. Questions or concerns about HIPAA nghts should
be directed to the HIPAA Privacy Officer at 651- 423 -4411.
Violations 5. Violations of this policy will be subject to discipline.
Effective Date 6. April 14, 2004.
References'
45 C.F.R. 164.508(b)(5)
Form 14— Revocation of Authorization (Policy Procedure) League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyrignt 0 2004 by League of Minnesota Cities. All rights reserved
REVOCATION BY SUBJECT OF PROTECTED HEALTH INFORMATION
Please note: This Administrative Form relates to the Health Plan's Policy Form 10 (Individual Requested
Restrictions on Use or Disclosure of PHI), Policy Form 11 (Individual Requested Restrictions on
Confidential Communications), Policy Form 13 (Authorization for Use or Disclosure of PHI), Policy Form
14 (Revocation of an Authorization), and Policy Form 18 (Personal Representative).
Name: Date:
I hereby revoke the following authorization and /or restriction, effective immediately:
Authorization for Use or Disclosure
Designation of Personal Representative
Requested Restriction on Use or Disclosure
Request for Confidential Communications
Other:
Other:
Other:
I understand that I cannot revoke any action already taken by the Health Plan in reliance upon my
authorization and /or restriction prior to the date of this revocation.
I understand that this revocation removes all authorizations and /or restrictions previously in place, and if
I want to impose future authorizations or restrictions regarding my PHI, I will have to submit a new
completed form to the Health Plan.
Date: Signature:
Printed name:
or
Date: Signature of personal representative:
Printed name of personal representative:
Relationship to me and basis upon which can sign:
Date: Signature of witness'
Printed name of witness:
Form 14a Revocation by Subject of Protected Health Information (Administrative Form). League of Minnesota Cities
HIPAA Policies Procedures Guide. Copyright 2004 by League of Minnesota Cities All rights
reserved.
For office use on /y:
Received by: Date:
Form 14a— Revocation by Subject of Protected Health Information (Administrative Form). League of Minnesota Cities
HIPAA Policies Procedures Guide Copyright O 2004 by League of Minnesota Cities. All rights
reserved
Business Associates Business Associate Agreements
Policy Statement
The Health Plan may disclose protected health information (PHI) to business associates, or allow
business associates to create or receive PHI, provided the business associate executives sign a
written agreement to appropriately safeguard such PHI.
Policy Interpretation and Implementation
Definition of Business 1. A business associate, means a person or entity who
Associate is not an employee or workforce member of the
Health Plan, who performs or assists in the
performance of a function or activity on behalf of the
Health Plan that involves the use or disclosure of
PHI, or provides legal, actuarial, accounting,
consulting, data compilation, management,
administrative, accreditation, or financial services.
Definition of 2. An employee /workforce member, for the purposes of
Employee /Workforce Member this policy, means any employee, trainee, volunteer,
or any other person(s) whose conduct, in the
performance of work for the Health Plan, is under
the direct control /supervision of the Health Plan,
regardless of payment source.
Identification of 3. It is the Health Plan's obligation to ensure that all of
Business Associates the Health Plan's business associates have a written
valid business associate agreement.
Content of Business Associate 4. The business associate agreement between the
Agreements Health Plan and the business associate establishes
permitted and required uses or disclosure of PHI.
Pursuant to the agreement the business associate
must agree to at least:
a. Not use or disclosure PHI;
b. Develop safeguards to prevent unauthorized
use or disclosure of information;
c. Promptly report unauthorized access, use or
disclosure of information to the HIPAA
Privacy Officer;
d. Require any subcontractors to adhere to the
same requirements as outlined in the
agreement between the Health Plan and
business associate;
e. Make information available for access by the
individual or his /her representative as
permitted by law;
f. Allow individuals to amend medical
information and incorporate such
Form 15a Business Associate Agreement (Administrative Form)
Record Retention
HIPAA Privacy Officer
g.
J•
Violations 7. Violations of this policy will be subject to discipline.
Effective Date 8. April 14, 2004.
References:
45 C.F.R. 164.504(e)
amendments as part of the PHI;
Develop a process that allows for an
accounting of uses and disclosures of
information in accordance with current law;
h. Make its internal practices. books and
records relating to its receipt or creation of
PHI available to the Office of the U.S.
Secretary of Health and Human Services for
purposes of determining the Health Plan's
compliance with HIPAA regulations;
Develop a process for returning or
destroying all PHI upon termination of the
business associate agreement; and
Develop a process for continuing the full
protection of PHI for as long as the business
associate retains any PHI.
5. A copy of all HIPAA covered information and any
revisions shall be maintained for a period of at least
six (6) years. Such retention may be in printed or
electronic format, or both.
6. The HIPAA Privacy Officer is responsible for the
development and implementation of the HIPAA
policies and procedures. The HIPAA Privacy Officer
is also the contact person for any questions or
complaints regarding HIPAA. Questions or concerns
about your HIPAA rights should be directed to the
HIPAA Privacy Officer at 651- 423 -4411.
Form 15a Business Associate Agreement (Administrative Form)
HIPAA ADMINISTRATIVE SIMPLIFICATION AGREEMENT
This Agreement is entered into by and between the City of Rosemount on
behalf of City of Rosemount ("Covered Entity") and «name of business
associate» "Business Associate
SECTION 1— DEFINITIONS
1.1 Definitions. The following definitions are used by this Agreement:
a) Business Associate means «name of business associate
b) Covered Electronic Transactions shall have the meaning given to the term "transaction"
in 45 C.F.R. Section 160.103.
c) Covered Entity means City of Rosemount.
d) Covered Individual means a person who is eligible for payment of certain services or
supplies rendered or sold to the person or the person's eligible dependents under the
terms, conditions, limitations, and exclusions of a health benefit program of the Plan.
e) Data means formalized representation of specific facts or concepts suitable for
communication, interpretation, or processing by people or automatic means.
0 Data Aggregation means, with respect to Protected Health Information created or
received by Business Associate in its capacity as a business associate (as that term is
defined in 45 C.F.R. Section 160.103) of the Plan, the combining of such Protected Health
Information by Business Associate with the Protected Health Information received by
Business Associate in its capacity as a business associate of another covered entity (as
those terms are defined in 45 C.F.R. Section 160.103), to permit data analyses that relate
to the health care operations of the respective covered entities.
Data Transmission means automated transfer or exchange of Data, pursuant to the
terms and conditions of this Agreement, between the Plan and Business Associate by
means of their respective Operating Systems.
h) Designated Record Set means a group of records maintained by or for the Covered
Entity that is (1) the medical records and billing records about Individuals maintained by or
for the Covered Entity, (2) the enrollment, payment, claims adjudication, and case or
medical management record systems maintained by or for the Covered Entity, or (3) used,
in whole or in part, by or for the Covered Entity to make decisions about Individuals. As
used herein, the term "Record" means any item, collection, or grouping of information that
includes Protected Health Information and is maintained, collected, used or disseminated
by or for the Covered Entity.
i) Electronic Data Interchange (EDI) means the automated exchange of business
documents from application to application.
g)
Form 15a Business Associate Agreement (Administrative Form)
j) Envelope means the control structure in a format mutually agreeable to the Plan and
Business Associate for the electronic interchange of one or more encoded Data
Transmissions between the Plan and Business Associate.
k) HHS means the United States Department of Health and Human Services.
1) Individual shall have the same meaning as the term "individual" in 45 C.F.R. 164.501
and shall include a person who qualifies as a personal representative in accordance with
45 C.F.R. 164.502(g).
m) Operating System means the equipment, software, and trained personnel necessary for
a successful Data Transmission.
n) Han means City of Rosemount.
o) Privacy Rule means the Standards and Privacy of Individually Identifiable Health
Information at 45 C.F.R. part 160 and part 164, subparts A and E.
p)
q)
Protected Health Information shall have the same meaning as the term "protected health
information" in 45 C.F.R. 164.501, limited to the information created or received by
Business Associate from or on behalf of Covered Entity.
Provider means a hospital or professional practitioner duly certified or licensed to provide
health care services to Covered Individuals.
r) Required By Law shall have the same meaning as the term "required by law" in 45 C.F.R.
164.501.
s) Secretary means the Secretary of the Department of Health and Human Services or
his /her designee.
t) Security Access Codes means alphanumeric codes that the Plan assigns to Business
Partner to allow Business Partner access to the Plan's Operating System for the purpose of
executing Data Transmissions or otherwise carrying out this Agreement.
u) Security Incident shall have the same meaning as the term "security incident" in 45
C.F.R. Section 164.304.
v) Security Rule means the Security Standards and Implementation Specifications at 45
C.F.R. Part 160 and Part 164, subpart C.
w) Source Documents means documents containing Data that are or may be required as
part of a Data Transmission concerning a claim for payment of charges for medical
services that a Provider furnishes.
x) Standards for Electronic Transactions Rule means the final regulations issued by HHS
concerning standard transactions and code sets under the Administrative Simplification
provisions of HIPAA, 45 C.F.R. Part 160 and Part 162.
y)
Trade Data Log means the complete, written summary of Data and Data Transmissions
exchanged between the Covered Entity and Business Associate over the period of time this
Agreement is in effect and includes, without limitation, sender and receiver information,
transmission date and time, and general nature.
Form 15a Business Associate Agreement (Administrative Form)
SECTION 2 BUSINESS ASSOCIATE PROVISIONS
2.1 Introduction. Business Associate, on behalf of Covered Entity, performs or assists in the
performance of functions and activities that may involve the use and disclosure of Protected
Health Information as defined in the Health Insurance Portability and Accountability Act of 1996
(°HIPAA Parts 160 and 164 "Privacy Regulations This Section 2 is intended to meet the
requirements of the "business associate" provisions of Privacy Rule and will govern the terms and
conditions under which the Business Associate may use or disclose Protected Health Information.
2.2 Permitted Uses and Disclosures.
a) Except as otherwise limited in this Agreement, Business Associate may use or disclose
Protected Health Information to perform functions, activities, or services for, or on behalf of,
Covered Entity pursuant to any services agreement with the Business Associate and as
permitted or required by this Agreement or the Privacy Rule.
b) Except as otherwise limited in this Agreement, Business Associate may use Protected Health
Information for the proper management and administration of its business or to carry out its
legal responsibilities.
c) Except as otherwise limited in this Agreement, Business Associate may disclose Protected
Health Information for the proper management and administration of its business, if
i. the disclosures are required by law, or
ii. Business Associate obtains reasonable assurances from the person to whom the
information is disclosed that the information will be held confidentially and will be used
or further disclosed only as required by law or for the purpose for which it was
disclosed to such person, and the person will notify the Business Associate of any
instances of which the person is aware in which the confidentiality of the information
has been breached.
d) Except as otherwise limited in this Agreement, Business Associate may use Protected Health
Information to provide Data Aggregation services to Covered Entity as permitted by 42 C.F.R.
Section 164.504(e)(2)(1)(B).
e) Except as otherwise limited in this Agreement, Business Associate may use Protected Health
Information to report violations of law to appropriate Federal and State authorities,
consistent with 42 C.F.R. Section 164.5020)(1).
2.3 Limitations on Uses and Disclosures. With respect to Protected Health Information that
Business Associate creates or receives on behalf of Covered Entity, Business Associate will not
use or further disclose the Protected Health Information other than as permitted or required by
this Agreement or as Required by Law.
2.4 Additional Obligations of Business Associate. Except as otherwise specified herein, the
provisions of this Paragraph 2.4 apply only to Protected Health Information that Business
Associate creates or receives on behalf of Covered Entity.
a) Safeguards. Business Associate will use appropriate safeguards to prevent use or disclosure
of Protected Health Information other than as provided for by this Agreement.
Form 15 Business Associates Business Associate Agreements (Policy Procedure) League of Minnesota Cities HIPAA
Policies Procedures Guide. Copyright 2004 by League of Minnesota Cities. All rights reserved.
b) Reporting and Mitigation. Business Associate will report to Covered Entity any use or
disclosure of Protected Health Information by Business Associate not provided for by this
Agreement within ten (10) business days of its discovery by Business Associate. Business
Associate agrees to promptly mitigate, to the extent practicable, any harmful effect that is
known to Business Associate of a use or disclosure in violation of this Agreement.
c) Agents and Subcontractors. Business Associate will ensure that any agent or subcontractor to
whom it provides Protected Health Information received from, or created or received by
Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions
that apply by and through this Agreement to Business Associate with respect to such
information.
d) Access to Designated Record Set. Within fifteen (15) days of a request by the Covered Entity
for access to Protected Health Information about an Individual, Business Associate shall
make available to the Covered Entity or, as directed by the Covered Entity, an Individual such
Protected Health Information contained in a Designated Record Set. In the event any
Individual requests access to Protected Health Information directly from Business Associate,
Business Associate shall within five (5) days forward such request to the Covered Entity. Any
denials of access to the Protected Health Information requested shall be the responsibility of
the Covered Entity.
e) Amendment of Protected Health Information. Within fifteen (15) days of receipt of a request
from the Covered Entity or an Individual for the amendment of Protected Health Information
or a record regarding an Individual contained in a Designated Record Set, Business Associate
shall provide such information to the Covered Entity for amendment and incorporate any
such amendments in the Protected Health Information as required by 45 C.F.R. Section
164.526. It shall be the Covered Entity's responsibility to promptly notify Business Associate
of the request for an amendment. Any denials, in whole or in part, of requested
amendments shall be done in accordance with 45 C.F.R. Section 164.526 and shall be the
responsibility of the Covered Entity.
0 Disclosure Accounting. Business Associate agrees to document such disclosures of Protected
Health Information and information related to such disclosures as would be required for
Covered Entity to respond to a request by an Individual for an accounting of disclosures of
Protected Health Information in accordance with 45 CFR 164.528. Within fifteen (15) days of
receipt of notice from the Covered Entity that it has received a request for an accounting of
disclosures of Protected Health Information regarding an individual during the six (6) years
prior to the date on which the accounting was requested, Business Associate shall make
available to the Covered Entity such information as is in Business Associate's possession and
is required for the Covered Entity to make the accounting required by 45 C.F.R. Section
164.528. At a minimum, Business Associate shall provide the Covered Entity with the
following information: (1) the date of the disclosure; (2) the name of the entity or person
who received the Protected Health Information, and if known, the address of such entity or
person; (3) a brief description of the Protected Health Information disclosed; and, (4) a brief
statement of the purpose of such disclosure which includes an explanation of the basis for
such disclosure. It shall be the Covered Entity's responsibility to promptly notify Business
Associate of the request for an accounting, and to prepare and deliver any such accounting
requested. Business Associate hereby agrees to implement an appropriate record keeping
process to enable it to comply with the requirements of this section.
g)
Access to Business Associate's Internal Records. Business Associate will make its internal
practices, books, and records relating to the use and disclosure of Protected Health
Information received from, or created or received by Business Associate on behalf of Covered
Form 15 Business Associates Business Associate Agreements (Policy Procedure) League of Minnesota cities RIPAI
Policies Procedures Guide Copyright 0 2004 by League of Minnesota Cities. All nights reserved.
Entity available to the Covered Entity or the Secretary, for the purposes of the Secretary's
determining Covered Entity's compliance with the Privacy Rule.
h) Return of Protected Health Information. Business Associate shall at the termination of this
Agreement with Covered Entity, if feasible, return or destroy all Protected Health Information
received from, or created or received by Business Associate on behalf of, the Covered Entity
that Business Associate still maintains in any form and retain no copies of such information
or, if such return or destruction is not feasible, extend the protection of this Agreement to
the information and limit further uses and disclosures to those purposes that make the return
or destruction of the information infeasible.
i) Electronic Transactions. In the event the Business Associate transmits or receives any
Covered Electronic Transaction on behalf of the Covered Entity, it shall comply with all
applicable provisions of the Standards for Electronic Transactions Rule to the extent Required
by Law, and shall ensure that any agents and subcontractors that assist Business Associate in
conducting Covered Electronic Transactions on behalf of the Covered Entity agree in writing
to comply with the Standards for Electronic Transactions Rule to the extent Required by Law.
2.5 Obligations of Covered Entity.
a) Notice of Privacy Practices. Covered Entity shall provide Business Associate with the
notice of privacy practices that Covered Entity produces in accordance with 45 C.F.R.
164.520, as well as any changes to such notice.
b) Requests by Covered Entity. Covered Entity shall not request Business Associate to use
or disclose Protected Health Information in any manner that would not be permissible
under the Privacy Rules if done by Covered Entity. This includes, but is not limited to,
requests for disclosure of Protected Health Information to the sponsoring employer as
other than the entity acting on behalf of the Plan as the Covered Entity. To the extent a
dispute or difference of opinion exists between the Business Associate and the
sponsoring employer as the entity acting on behalf of the Plan as the Covered Entity,
Business Associate may disclose under objection pursuant to the specific, written
direction of the Covered Entity. Any disclosures made pursuant to such specific, written
direction shall be subject to the indemnification provisions of the Agreement.
(c) Changes in Permission. Covered Entity shall notify Business Associate of any changes in,
or revocation of, permission by Individual to use or disclose Protected Health
Information, to the extent that such changes may affect Business Associate's use or
disclosure of Protected Health Information.
(d)
Restrictions. Covered Entity shall notify Business Associate of any restriction to the use
or disclosure of Protected Health Information that Covered Entity has agreed to in
accordance with 45 CFR 164.522, to the extent that such restriction may affect Business
Associate's use or disclosure of Protected Health Information.
SECTION 3 TRADING PARTNER PROVISIONS
3.1 Introduction. This Section 3 applies only if and to the extent that Business Associate and
Covered Entity conduct electronic transactions that are subject to Standards for Electronic
Transactions Rule. The Business Associate may be considered a "trading partner" of the Covered
Form 15 Business Associates Business Associate Agreements (Policy Procedure) League of Minnesota Cities KIPAA
Policies a Procedures Guide. Copyright C 2004 by League of Minnesota Cities All rights reserved.
Entity under the Standards for Electronic Transactions Rule. This Section 3 will govern the terms
and conditions under which Covered Electronic Transactions are conducted.
3.2 Mutual Obligations. The mutual obligations of the Covered Entity and Business Associate
include the following:
a) EDI Data Transmission Accuracy. The parties will take reasonable care to ensure that Data
Transmissions are timely, complete, accurate and secure.
b) Retransmission of Lost or Indeci.herable Transmissions. A party will retransmit the original
transmission within two (2) business day(s) of its discovery that a Data Transmission is a
Lost or Indecipherable Transmission.
g)
c) Equipment Cost. Each party will obtain and maintain, at its own expense, its own Operating
System necessary for timely, complete, accurate and secure Data Transmission pursuant to
this Agreement.
d) Transmission Format. All standard transactions, as defined by Social Security 1173(a) and
the Standards for Electronic Transactions Rule, conducted between the Covered Entity and
Business Associate, will only use code sets, data elements and formats specified by the
Standards for Electronic Transactions Rule.
e) Backup Files. Each party will maintain adequate backup files, electronic tapes or other
sufficient means to recreate a Data Transmission for at least six (6) years from the Data
Transmission's creation date.
0 Testing. Prior to the initial Data Transmission, each party will test and cooperate with the
other party in testing each party's Operating System to ensure the accuracy, timeliness,
completeness and confidentiality of each Data Transmission.
Data and Data Transmission Security. The Covered Entity and Business Associate will
employ security measures necessary to protect Data and Data Transmissions between them
in compliance with Social Security Act 1173(d) and any HHS implementing regulations or
guidelines.
h) Secures Access Codes. The Security Access Codes that the Covered Entity issues to
Business Associate will, when affixed to Data Transmissions, be legally sufficient to verify the
identity of the transmitter and to authenticate the Data Transmission, thereby establishing
the Data Transmission's validity.
Form 15 Business Associates Business Associate Agreements (Policy Procedure) League of Minnesota Cities HIPAA
Policies Procedures Guide Copyright CO 2004 by Leagte of Minnesota Cities. All rights reserved.
3.3 Business Associate Obligations. Business Associate will:
a) Use Data only according to the terms of this Agreement.
b) Protect and maintain the confidentiality of Security Access Codes issued to Business Associate
by the Covered Entity.
c) Limit disclosure of Security Access Codes to authorized personnel on a need -to -know basis.
3.4 The Covered Entity's Obligations. The Covered Entity will:
a) Make available to Business Associate, via electronic means, Data and Data Transmissions for
which this Agreement grants Business Associate access or authorization, or as provided by
law;
b) Provide Business Associate with Security Access Codes that will allow Business Associate
access to the Plan's Operating System. The Covered Entity reserves the right to change
Security Access Codes at any time and in such a manner as the Covered Entity, in its sole
discretion, deems necessary.
3.5 Confidentiality and Security.
a) Data Security. Business Associate will maintain adequate security procedures to prevent
unauthorized access to Data, Data Transmissions, Security Access Codes, Envelope, backup
files, Source Documents or the Covered Entity's Operating System. Business Associate will
promptly notify the Covered Entity of any unauthorized attempt to obtain access to or
otherwise tamper with Data, Data Transmissions, Security Access Codes, Envelope, backup
files, Source Documents or the Covered Entity's Operating System.
b) Operating Systems Security. Each party will develop, implement and maintain measures
necessary to ensure the security of each party's own Operating System and each party's
records relating to it Operating System and in compliance with applicable law.
3.6 Records Retention and Audit.
a) Records Retention. Business Associate will maintain complete, accurate and unaltered
copies of all Source Documents from all Data Transmissions it receives from the Covered
Entity for not less than six (6) years from the date that Business Associate receives them. All
retained records will be subject to the same security measures as Data and Data
Transmissions.
b) Trade Data Loq. The Covered Entity and Business Associate will each establish and maintain
a Trade Data Log to record all Data Transmissions between the parties during the term of
this Agreement. Each party will take necessary and reasonable steps to ensure that its Trade
Data Log constitutes a complete, accurate, and unaltered record of each Data Transmission
between the parties. Each party will retain Data Transmission records for not less than six
(6) month(s) following the date of a Data Transmission. Each party will maintain its Trade
Data Log on electronic media or other suitable means that permit timely retrieval and
presentation in readable form.
SECTION 4 ELECTRONIC SECURITY PROVISIONS
Form 15 Business Associates Business Associate Agreements (Policy Procedure) League of Minnesota Cities $IPAA
Policies Procedures Guide. Copyright 2001 by League of Minnesota Cities. All rights reserved.
4.1 Introduction. This Section 4 applies only if and to the extent electronic data will be exchanged
between the Business Associate and Covered Entity. The Business Associate may be considered
a Business Associate of the Covered Entity under HIPAA, 45 CFR Part 142 (the "Security
Regulations This Section 4 will govern the terms and conditions under which electronic data is
exchanged.
4.2 Security Regulations. In accordance with the Security Rule as it exists at the time of this
Agreement, Business Associate agrees to:
a) Implement administrative, physical and technical safeguards (including written policies and
procedures) that reasonably and appropriately protect the confidentiality, integrity and
availability of the electronic Protected Health Information that it creates, maintains or
transmits on behalf of the Covered Entity;
b) Ensure that any agent, including a subcontractor, to whom it provides such information
agrees to implement reasonable and appropriate safeguards to protect it;
c) Report to the Covered Entity any Security Incident of which it becomes aware;
d) Authorize termination of the Agreement if the Covered Entity determines that the Business
Associate has violated a material term of the Agreement.
4.3 Subsequent Modifications. In recognition that the Security Regulations are not effective until
twenty-four (24) months following publication of the final regulations, Business Associate agrees
this Agreement shall be amended as necessary to comply with the final Security Regulations, any
such changes to be subsequently incorporated into this Agreement as Exhibit A.
5.3 Effect of Termination.
SECTION 5 TERM AND TERMINATION
5.1. Term. The Term of this Agreement will begin and become effective on the compliance date
applicable to Covered Entity under the Privacy Rule, and shall terminate when all of the Protected
Health Information created or received by Business Associate on behalf of Covered Entity is
destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected
Health Information, protections are extended to such information, in accordance with the
termination provisions in this Paragraph 5.1.
5.2 Termination. In the event that Covered Entity discovers and determines
that Business Associate materially breached or violated any of its obligations
under this Agreement, Covered Entity will notify Business Associate of such
breach in writing. Covered Entity may terminate the Agreement or may provide
Business Associate with an opportunity to take reasonable steps to cure the
breach or end the violation, as applicable, within a mutually agreed upon period
of time. If Covered Entity's attempts to cure the breach or end the violation are
unsuccessful within that period without limiting the rights of the parties under
the Agreement, Covered Entity may terminate the Agreement.
Form 15 Business Associates Business Associate Agreements (Policy Procedure) League of Minnesota Cities HIPAA
Policies Procedures Guide Copyrigtt 0 2004 by League of Minnesota Cities. All rights reserved.
a) Except as provided in paragraphs (b) and /or (c) of this sub section, upon
termination of the Agreement, for any reason, Business Associate shall return
or destroy all Protected Health Information created or received by it on behalf
of Covered Entity. This provision shall apply to Protected Health Information
that is in the possession of Business Associate and /or its subcontractors or
agents. Business Associate will not retain any copies of Protected Health
Information.
b) In the event that Business Associate determines that returning or destroying
Protected Health Information is infeasible, Business Associate will notify
Covered Entity of the conditions that make return or destruction infeasible.
Upon mutual agreement of the parties that return or destruction of Protected
Health Information is infeasible, Business Associate will extend the
protections of this Agreement to such Protected Health Information and limit
further uses and disclosures of such Protected Health Information to those
purposes that make the return or destruction infeasible, for so long as
Business Associate maintains such Protected Health Information.
c) Should the Covered Entity notify Business Associate that the information
necessary to comply with the recordkeeping requirements under other
applicable law including, but not limited to, the Employee Retirement Income
Security Act of 1974 "ERISA includes the Protected Health Information,
Business Associate shall return or provide to Covered Entity such information,
including Protected Health Information.
SECTION 6 GENERAL PROVISIONS
6.1 Regulatory References. A reference in this Agreement to a section in the
Privacy Rule means the section as in effect or as amended.
6.2Amendment. The parties agree to take such action as is necessary to amend this
Agreement from time to time as is necessary for Covered Entity to comply with
the requirements of the Privacy Rule and the Health Insurance Portability and
Accountability Act of 1996, Pub. L. No. 104 -191.
6.3lnterpretation. Any ambiguity in this Agreement shall be resolved to permit
Covered Entity to comply with the Privacy Rule.
6.4Survival. The respective rights and obligations of Business Associate and the
Covered Entity shall under this Agreement survive the termination of this
Agreement and any related Services Agreement.
Form 15 Business Associates Business Associate Agreements (Policy Procedure), League of Minnesota Cities HIPAA
Policies s Procedures Guide. Copyright t 2004 by League of Minnesota Cities. All rights reserved.
6.5 Permissible Requests by Covered Entity. Covered Entity shall not request Business Associate to
use or disclose Protected Health Information in any manner that would not be permissible under
the Privacy Rule if done by Covered Entity, except as otherwise provided herein.
6.6 Indemnity. Business Associate will indemnify and hold harmless Covered Entity and Covered
Entity's affiliates, officers, directors, employees or agents from and against any claim, cause of
action, liability, damage, cost or expense, including attorneys' fees and court or proceeding costs,
arising out of or in connection with any non permitted or violating use or disclosure of Protected
Health Information or other breach of this Agreement by Business Associate or any
subcontractor, agent, person or entity under Business Associate's control.
6.7 Conformance with Law. Upon the effective date of any final regulation or amendment to final
regulations promulgated by the U.S. Department of Health and Human Services with respect to
Protected Health Information or Covered Electronic Transactions, this Agreement will
automatically amend such that the obligations they impose on the Business Associate remain in
compliance with these regulations.
IN WITNESS WHEREOF, the parties hereto have executed this Agreement as of the
date set forth below.
Covered Entity:
This day of
By:
on behalf of the City of Rosemount a Covered Entity
Print Name:
Title:
Business Associate:
This day of
Company Name:
By:
Print Name:
Title:
Form 15 Business Associates Busness Associate Agreements (Policy Procedure). League of Minnesota Cities HIPAA
Policies Procedures Guide. Copyright 2004 by Leagae of Minnesota Cities. All rights reserved.
Retention of PHI Documents
Retention of PHI Documentation
Policy Statement
The Health Plan shall maintain all protected health information (PHI) documentation for a period of at
least six (6) years from the date of its creation, or the date on which the document was last in effect,
whichever is later.
Policy Interpretation and Implementation
1. Certain documents classified as "privacy related
documents" must be maintained for a period of at least
six (6) years from the date of creation, or the date on
which the document was last in effect, whichever is
later.
Privacy Related Documents 2. "Privacy related documents" include:
a. Documentation that identifies the:
i. Name, telephone number and address of
the Health Plan's HIPAA Privacy Officer;
ii. Name, title, telephone number and address
of the individual responsible for receiving
complaints;
Name, title, telephone number and address
of the individual responsible for obtaining
and processing access, use, and disclosure
of PHI requests;
iv. Name, title, telephone number and address
of the individual responsible for receiving
and processing amendment of PHI requests;
v. Attempts to obtain consent when consent
could not be obtained and the reason(s)
why such consent could not be obtained;
vi. Method by which PHI will be de- identified;
vii. Sanctions imposed against Health Plan
employees, business associates, or others
who violate Health Plan policy HIPAA
regulations;
b. All signed authorizations, consents, and agreed to
restrictions;
c. Copies of all notices of privacy practices (NPPs)
including any revisions to such NPPs;
d. Accounting of disclosures logs;
e. Any privacy complaints received and their
dispositions; and
f. Copies of all HIPAA related policies and
Form 16— Retention of PHI Documentation (Policy Procedure). League of Minnesota Cities HIPAA Policies
Procedures Guide Copyright 2004 by League of Minnesota Cities. All rights reserved.
Adding /Deleting
Documentation
Identifying /Storage of PHI
Documents
Record Retention
HIPAA Privacy Officer
Effective Date 8. April 14, 2004.
References:
45 C.F.R. 164.5300)
procedures.
3. Documents may be added or deleted from the above
listing as may become necessary by law or as may be
established by Health Plan practice or policy.
4. The HIPAA Privacy Officer is responsible for identification
and storage of privacy related records, electronic files,
etc., for purposes of complying with this policy.
5. A copy of all HIPAA covered information and any
revisions shall be maintained for a period of at least six
(6) years. Such retention may be in printed or electronic
format, or both.
6. The HIPAA Privacy Officer is responsible for the
development and implementation of the HIPAA policies
and procedures. The HIPAA Privacy Officer is also the
contact person for any questions or complaints
regarding HIPAA. Questions or concerns about HIPAA
rights should be directed to the HIPAA Privacy Officer at
651- 423 -4411.
Violations 7. Violations of this policy will be subject to discipline.
Form 16— Retention of PHI Documentation (Policy Procedure). League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright 0 2004 by League of Minnesota Cities All rights reserved.
HIPAA Privacy Training Program
Policy Statement
The Health Plan must train all relevant members of its workforce on HIPAA policies and procedures, as
necessary and appropriate for the members of the workforce to carry out their function within the Health
Plan.
Policy Interpretation and Implementation
HIPAA Training Program
Workforce Members
1. To ensure the confidentiality of individual's protected
health information (PHI), HIPAA training (HIPAA Training)
shall be provided for all employees of the Plan Sponsor
who have responsibilities involving the use /disclosure of
PHI, and other workforce members as deemed necessary
within the sole discretion of the HIPAA Privacy Officer. It
is the HIPAA Privacy Officer's responsibility to oversee
such HIPAA Training.
2. An employee /workforce member, for the purposes of this
policy, means any employee, trainee, volunteer, or any
other person(s) whose conduct, in the performance of
work for the Health Plan, is under the direct
control /supervision of the Health Plan, regardless of
payment source.
Content of HIPAA Training 3. The HIPAA Training shall include, but is not limited to:
Program
a. An overview of the HIPAA privacy regulations
relative to the identification and protection of PHI.
b. A review of the Health Plan's HIPAA policies and
procedures;
c. Permissible uses and disclosures of PHI;
d. Application of the Health Plan's HIPAA policies
and procedures to employee's job responsibilities;
e. The identity and location of the Health Plan's
HIPAA Privacy Officer;
f. The requirement that all employees report any
potential violations of the Health Plan's policies
and procedures or the HIPAA regulations,
whether caused by a workforce member or a
service provider, to the HIPAA Privacy Officer;
and
Other information relative to the protection and
security of PHI.
9.
Form 17— HIPAA Pnvacy Trammg Program (Policy &Procedure). League of Minnesota Cities HIPAA Policies s
Procedures Guide. Copyright 2004 by League of Minnesota Cities. All rights reserved
Newly Hired Employees/
Business Associates
Acknowledgment of Training
Attendance
Attendance Records
Annual Training
Record Retention
HIPAA Privacy Officer
Effective Date 11. April 14, 2004.
References:
45 C.F.R. 164.530(b)
4. Before being allowed access to PHI, all newly hired
employees, and employees new to a position requiring
access to PHI, shall be required to sign and date a written
acknowledgement that the new employee has completed
HIPAA Training.
5. Department directors will be required to have a signed
and dated written acknowledgment that the new
employee has completed HIPAA Training before being
allowed access to PHI.
6. The HIPAA Privacy Officer shall maintain a record of all
personnel who attend HIPAA Training. Such records shall
be maintained in accordance with the Retention of PHI
Documentation Policy.
7. Updated training shall take place at least annually.
Should a change in the training program or security
systems occur before an annual training session occurs,
impacted employees shall receive interim training
materials or abbreviated instructions.
8. A copy of all HIPAA covered information and any revisions
shall be maintained for a period of at least six (6) years.
Such retention may be in printed or electronic format, or
both.
9. The HIPAA Privacy Officer is responsible for the
development and implementation of the HIPAA policies
and procedures. The HIPAA Privacy Officer is also the
contact person for any questions or complaints regarding
HIPAA. Questions or concerns about HIPAA rights should
be directed to the HIPAA Privacy Officer at 651- 423 -4411.
Violations 10. Violations of this policy will be subject to discipline.
Form 17 HIPAA PnvacyTrammg Program (Polic)( Procedure). League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright 2004 by League of Minnesota Cities. All rights reserved.
ACKNOWLEDGMENT OF TRAINING ATTENDANCE
Please note: This Administrative Form relates to the Health Plan's Policy Form 17, HIPAA Privacy
Training Program.
I,
200_.
acknowledge that I have attended and completed HIPAA Training on
Name (print)
Date
Signature
Form 17a— Acknowledgment ofTraining Attendance (Administrative Form). League of Minnesota Cities HIPAA
Policies Procedures Guide Copyright 2004 by League of Minnesota Cities All rights reserved.
Personal Representative
Policy Statement
The Health Plan must treat a personal representative the same as it would the individual who is the
subject of the protected health information (PHI), unless one of the exceptions applies. In general, a
personal representative is someone who is recognized under applicable state law as a personal
representative (e.g., parent /guardian, power of attorney, executor of estate).
Policy Interpretation and Implementation
Designation as Personal 1. The person who is the subject of the PHI may designate
Representative another person as a personal representative, or a person
may seek to be recognized as a personal representative,
by filing the appropriate written documentation with the
Health Plan.
Rights of Personal
Representative
Restrictions on Personal
Representative
Record Retention
2. The personal representative must be treated the same
as the individual, except as specified below:
a. If the Health Plan reasonably believes that the
individual has been or may be subjected to
domestic violence, abuse, or neglect by the
person seeking to be treated as a personal
representative, or that treating the person as the
personal representative could endanger the
individual.
b. If the Health Plan, in the exercise of professional
judgment, decides that treating the person as the
individual's personal representative would not be
in the individual's best interest.
c. If a parent is the personal representative of a
minor child, but disclosure to the parent is
prohibited under state law.
d. If a minor child consented to the treatment, no
other consent was required, and the minor has
not requested the person be treated as the
minor's personal representative.
e. If a minor child may lawfully obtain treatment
without the consent of a parent and consent was
lawfully obtained.
f. If the parent has agreed to a confidential
relationship between the minor and the physician
with respect to that treatment.
3. A copy of all HIPAA covered information and any
revisions shall be maintained for a period of at least six
(6) years. Such retention may be in printed or electronic
format, or both.
Form 18— Personal Representabve (Polity Procedure) League of Minnesota Cities HIPAA Policies Procedures
Guide. Copyright 2304 by League of Minnesota Cities All rights reserved.
HIPAA Privacy Officer
Violations
Effective Date
References:
45 C.F.R. 164.502(g)
4. The HIPAA Privacy Officer is responsible for the
development and implementation of the HIPAA policies
and procedures. The HIPAA Privacy Officer is also the
contact person for any questions or complaints
regarding HIPAA. Questions or concerns about HIPAA
rights should be directed to the HIPAA Privacy Officer at
651- 423 -4411.
5. Violations of this policy will be subject to discipline.
6. April 14, 2004.
Form 18— Personal Representative (Policy Procedure). League of Minnesota Cities HIPAA Policies Procedures
Guide. Copyright 0 2004 by League of Minnesota Cities. All rights reserved.
DESIGNATION OF PERSONAL REPRESENTATIVE FORM
Please note: This Administrative Form relates to the Health Plan's Policy Form 18, Personal
Representative.
Note: This form is used to confirm permission for the Health Plan to discuss with or disclose to a
person's protected health information "PHI to a particular individual who acts as the person's personal
representative. Use of this information is strictly limited to that purpose.
Subject of PHI's Name: Date:
Please complete either Part 1 or Part II below.
PART I: DESIGNATION BY SUBJECT OF PHI
I hereby authorize the following person to act as my personal representative as indicated below. I
understand that this authorization is voluntary and that I may revoke this authorization at any time
except to the extent that action has been taken in reliance on this authorization.
Name of personal representative:
Date of birth of personal representative (used for verification purposes on phone inquiries):
Social Security of personal representative (used for verification purposes on phone inquiries):
Address:
Relationship to me:
Password personal representative must provide to access protected health information "PHI about me:
Password:
Description of nature of representation and limits thereon (attach supporting documentation, if any, such
as court orders, Power of Attorney, etc):
NOTE: I understand that I have the right to limit the information that is released under this
authorization. For example, I may limit my personal representative's access to information about a
particular issue. Any such limitations must be described below in writing. I understand that by leaving
this section blank, I am imposing no limitations on disclosure.
Limitations on Disclosure:
I understand that I may revoke this authorization at anytime by providing written notice of such
revocation to the Health Plan.
I have had full opportunity to read and consider the content of this Designation of Personal
Representative form. I confirm that this authorization is consistent with my request. I understand that, by
Form 18a Designation of Personal Representative (Administrative Form). League of Minnesota cities HI PAA Policies
Procedures Guide Copyright 2004 by League of Minnesota Cities. All rights reserved.
signing this form, I am confirming my authorization that the Health Plan may use and /or disclose my PHI
to the person named as personal representative for the purpose described above.
Date: Signature:
Printed name:
Date: Signature of witness:
Printed name of witness:
PART II: THIRD PARTY DESIGNATION
Name of personal representative:
Date of birth of personal representative (used for verification purposes on phone inquiries):
Social Security of personal representative (used for verification purposes on phone inquiries):
Address:
Relationship to Subject of PHI:
Password personal representative must provide to access protected health information "PHI") about me:
Password:
Description of nature of representation and limits thereon (attach supporting documentation, if any, such
as court orders, Power of Attorney, etc):
For office use only.:
Received by: Date:
Form 18a Designation of Personal Representative (Admmistratrve Form). League of Minnesota Cities HIPAA Policies
Procedures Guide. copyright 0 2004 by League of Minnesota Cities. All rights reserved.
Policy Statement
In addition to being subject to HIPAA, the Health Plan may also be subject to other state and federal laws
regarding medical information and privacy. The Health Plan intends to comply with all applicable state
and federal laws. However if there is a conflict between the laws, the HIPAA Privacy Officer will resolve
the conflict according to this Coordination with Other Laws policy.
Policy Interpretation and Implementation
Floor
Apply Both Laws
Follow the Law that Requires
Use or Disclosure
Follow the More Specific Law
State Law Preemption
Record Retention
Coordination with Other Laws
1. The HIPAA regulations are the floor above which other
laws may create more narrow restrictions. No law,
whether federal or state, may allow less restriction than
HIPAA.
2. If a potential conflict exists, the Health Plan shall
attempt to find a way to comply with both laws. For
example, if one law permits disclosure, but HIPAA does
not, the Health Plan could obtain an individual
authorization and succeed in complying with both laws.
3. If another federal law requires disclosure or use of PHI
that HIPAA prohibits, the Health Plan may use or
disclose the PHI in accordance with the other federal
law. This is not a violation of HIPAA. HIPAA's privacy
rules allow the Health Plan to use or disclose PHI as
required by other federal laws.
4. If there is a very specific law regarding use or disclosure
of PHI that is in conflict with HIPAA, the more specific
law should be followed. For example, if HIPAA allows an
individual a right to access test results, but a specific
federal law prohibits that type of disclosure, the specific
law should be followed.
5. HIPAA provides for preemption of state laws that are
less restrictive than HIPAA. However, HIPAA does not
preempt state laws that are more restrictive. If the
Health Plan encounters a conflict between HIPAA and a
state law, the Health Plan should follow the more
restrictive law.
6. A copy of all HIPAA covered information and any
revisions shall be maintained for a period of at least six
(6) years. Such retention may be in printed or electronic
format, or both.
Form 19 Coordination with Other Laws (Policy Procedure). League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright O 2004 by League of Minnesota Cities. All rights reserved.
HIPAA Privacy Officer
Violations 8. Violations of this policy will be subject to discipline.
Effective Date 9. April 14, 2004.
References'
Preamble to HIPAA Regulations
7. The HIPAA Privacy Officer is responsible for the
development and implementation of the HIPAA policies
and procedures. The HIPAA Privacy Officer is also the
contact person for any questions or complaints
regarding HIPAA. Questions or concerns about HIPAA
rights should be directed to the HIPAA Privacy Officer at
651- 423 -4411.
Form 19 Coordination with Other Laws (Policy Procedure). League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright 2004 by League of Minnesota Cities. All rights reserved.
Policy Statement
The Health Plan may not disclose protected health information (PHI) to the plan sponsor except in
specific situations recognized by HIPAA.
Policy Interpretation and Implementation
Definition of Plan Sponsor
Permitted Disclosure to Plan 2. Summary health information may be disclosed to the
Sponsor for Sett lor Functions plan sponsor for:
a. Obtaining premium bids for providing health
insurance coverage under the Health Plan;
and
Summary Health Information
Enrollment Functions
Disclosures to Plan Sponsor
1. The term "plan sponsor" means (i) the employer in
the case of an employee benefit plan established or
maintained by a single employer, (11) the employee
organization in the case of a plan established or
maintained by an employee organization, or (iii) in
the case of a plan established or maintained by two
or more employers or jointly by one or more
employers and one or more employee organizations,
the association, committee, joint board of trustees,
or other similar group of representatives of the
parties who establish or maintain the plan.
b. Modifying, amending or terminating the Health
Plan.
3. Summary health information is information that
summarizes the claims history, expenses, or types of
claims by individuals for whom the Plan Sponsor has
provided health benefits under the Health Plan.
Permitted Disclosure to Plan 4. To the extent described in the plan documents and
Sponsor for Plan Administration notice of privacy practices, the Health Plan may
Functions disclose PHI to the plan sponsor necessary to
perform plan administration activities such as:
a. Quality assurance;
b. Claims processing;
c. Auditing; and
d. Monitoring and managing carve -out plans like
vision and dental.
5. These restrictions do not affect the plan sponsor's
ability to perform enrollment functions on behalf of
its employees.
Form 20 Disclosures to Plan Sponsor (Policy Procedure). League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright 0 2C04 by League of Minnesota Cities. All rights reserved.
Record Retention 6. A copy of all HIPAA covered information and any
revisions shall be maintained for a period of at least
six (6) years. Such retention may be in printed or
electronic format, or both.
HIPAA Privacy Officer 7. The HIPAA Privacy Officer is responsible for the
development and implementation of the HIPAA
policies and procedures. The HIPAA Privacy Officer
is also the contact person for any questions or
complaints regarding HIPAA. Questions or concerns
about HIPAA rights should be directed to the HIPAA
Privacy Officer at 651- 423 -4411.
Violations 8. Violations of this policy will be subject to discipline.
Effective Date 9. April 14, 2004.
References'
45 C.F.R. 164.504(0
Form 20 Disclosures to Plan Sponsor (Policy Procedure). League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright 2009 by League of Minnesota Cities. All rights reserved.
Policy Statement
The Health Plan will mitigate, to the extent practicable, any harmful effect that is known to the Health
Plan of a use or disclosure of protected health information (PHI) in violation of its policies and procedures
by the Health Plan or its business associates.
Policy Interpretation and Implementation
Mitigation Actions
Record Retention
Privacy Officer
Effective Date 5. April 14, 2004.
References:
45 C.F.R. 164.530(f)
Duty to Mitigate
1. When a violation of the Health Plan's policies and
procedures are brought to the attention of the Health
Plan, the following action will be taken:
a. The Privacy Officer will be notified and will start
an immediate investigation into the violation;
b. The Health Plan will identify the extent of the
breach and will take reasonable steps to mitigate
or correct the violation; and
c. The Health Plan will document the steps taken to
mitigate.
2. A copy of all HIPAA covered information and any
revisions shall be maintained for a period of at least six
(6) years. Such retention may be in printed or electronic
format, or both.
3. The Privacy Officer is responsible for the development
and implementation of the HIPAA policies and
procedures. The Privacy Officer is also the contact
person for any questions or complaints regarding HIPAA.
Questions or concerns about HIPAA rights should be
directed to the Privacy Officer at 651- 423 -4411.
Violations 4. Violations of this policy will be subject to discipline.
Form 21 Duty to Mitigate (Policy Procedure). League of Minnesota Cities HIPAA Policies Procedures
Guide Copyright O 2009 by League of Minnesota Cities. All rights reserved.
Policy Statement
HIPAA requires the Health Plan to discipline individuals subject to but who fail to comply with HIPAA's
requirements as reflected in the Health Plan's privacy policies and procedures. The purpose of this
Discipline Policy is to establish guidelines for the disciplinary processes.
Please note: This Discipline Policy applies exclusively to violations of the Health Plan's privacy policies
and procedures.
Policy Interpretation and Implementation
Discipline Policy
Initial Determination
Discipline Procedure
Discipline Policy
1. A failure to comply by an individual subject to the
Health Plan's policies and procedures, or with the
provisions of HIPAA, will be addressed in a timely
manner. Specific disciplinary actions to be taken will
be proportional to the severity of the infraction.
2. The HIPAA Privacy Officer, in its sole discretion, shall
make an initial determination, if true, the allegations
in the complaint constitute a violation of the Health
Plan's privacy policies and procedures.
3. Complaints or allegations against an individual will
be discussed with the individual in question by the
HIPAA Privacy Officer and, if deemed appropriate,
will be investigated by the HIPAA Privacy Officer.
4. In general, a known or intentional infraction of the
Health Plan's policies and procedures, or of HIPAA's
provisions, will result in:
a. First offense: Oral counseling by the HIPAA
Privacy Officer, and written documentation in
the individual's file.
b. Second offense: Oral counseling by the HIPAA
Privacy Officer, and a written warning.
c. Third offense: Discipline up to and including
probation, suspension or termination of
employment.
Intentional Misuse 5. In general, intentional misuse or abuse of PHI will
result in:
a. First offense: Oral counseling by the HIPAA
Privacy Officer, and written documentation in
the individual's file.
b. Second offense: Oral counseling by the HIPAA
Privacy Officer, and a written warning.
Form 22 Discipline Policy (Policy Procedure). League of Minnesota Cities HIPAA Policies Procedures
Guide Copyright 2009 by League of Minnesota Cities. All rights reserved.
Record Retention
HIPAA Privacy Officer
Effective Date 9. April 14, 2004.
References:
45 C.F.R. 164.530(e)
c. Third offense: Discipline up to and including
probation, suspension or termination of
employment.
6. Notwithstanding items 4 and 5, the HIPAA Pnvacy
Officer retains discretion to deviate based on the
particular facts and circumstances. Each infraction
will be handled on an individual basis to ensure that
disciplinary actions are proportional to the severity
of the infraction.
7. A copy of all HIPAA covered information and any
revisions shall be maintained for a period of at least
six (6) years. Such retention may be in printed or
electronic format, or both.
8. The HIPAA Privacy Officer is responsible for the
development and implementation of the HIPAA
policies and procedures. The HIPAA Privacy Officer
is also the contact person for any questions or
complaints regarding HIPAA. Questions or concerns
about HIPAA rights should be directed to the HIPAA
Privacy Officer at 651- 423 -4411.
Form 22 Discipline Policy (Policy Procedure). League of Minnesota Cities HIPAA Policies L Procedures
Guide. Copyrignt 2009 by League of Minnesota Cities All rights reserved.
Policy Statement
The Health Plan will make reasonable efforts to maintain adequate administrative, technical and physical
safeguards to protect the privacy of protected health information (PHI) from unauthorized use or
disclosure, whether intentional or unintentional, and from theft and unauthorized alterations.
Policy Interpretation and Implementation
Implementation of Safeguards
Periodic Review
Record Retention
Privacy Officer
Violations
Effective Date
References:
45 C.F.R. 164.530
Administrative Safeguards
1. The HIPAA Privacy Officer will work with appropriate
personnel to determine and implement safeguards
to protect PHI from unauthorized use or disclosure.
2. The HIPAA Privacy Officer will complete periodic
reviews with all business units regarding the
transportation, storage, usage, disclosure, and
disposal of PHI to identify risks to the privacy and
security of the PHI. If necessary, policies and
procedures will be amended and the applicable
workforce retrained in order to maintain reasonable
efforts of safeguarding such information.
3. A copy of all HIPAA covered information and any
revisions shall be maintained for a period of at least
six (6) years. Such retention may be in printed or
electronic format, or both.
4. The Privacy Officer is responsible for the
development and implementation of the HIPAA
policies and procedures. The Privacy Officer is also
the contact person for any questions or complaints
regarding HIPAA. If you have a question or concern
about your HIPAA rights contact the Privacy Officer
at 651- 423 -4411.
5. Violations of this policy will be subject to discipline.
6. April 14, 2004.
Form 23 Administrative Safeguards (Policy Procedure) League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright 0 2004 by League of Minnesota Cities. All rights reserved.
Policy Statement
Computer terminals and workstations will be positioned /shielded to ensure that protected health
information (PHI) is protected from public view, view by those without a need to know whether
inadvertent or otherwise, or unauthorized access.
Policy Interpretation and Implementation
Positioning /Shielding
Workstation /Terminals
Access Limitations
Leaving Workstations or
Terminals Unattended
Clearing Terminal Screens
Securing Hard Copy Data
Sharing /Piggyback of
Password /User ID Code
Record Retention
Privacy Officer
Computer Terminals /Workstations
1. Insofar as practical /feasible, computer
terminals /workstations shall be positioned or
shielded so that screens are not visible to the public
and /or to unauthorized staff.
2. Only authorized users are granted access to
individual and Health Plan information. Such access
is limited to specific, denied, documented and
approved applications and level of access rights.
3. A user may not leave his /her workstation or terminal
unattended for long periods of time (e.g., breaks,
lunch, meetings, etc.) unless the terminal screen is
cleared and the user is logged off. Each user must
log off at the end of his /her work shift.
4. A user must clear the terminal screen if the
workstation or terminal is left briefly unattended.
5. All hard copy printed information must be positioned
in such a manner that it cannot be viewed or read
by the public and /or unauthorized staff. Such data
must be placed in designated secure areas upon
leaving the work area and at the end of the work
shift.
6. A user may not (1) share or disclose his /her
password or ID code with other staff members or
other non -staff members, or (2) allow staff members
or other non-staff members access privileges (e.g.,
piggyback access) while the user is logged onto the
information system used by the Health Plan.
7. A copy of all HIPAA covered information and any
revisions shall be maintained for a period of at least
six (6) years. Such retention may be in printed or
electronic format, or both.
8. The Privacy Officer is responsible for the
development and implementation of the HIPAA
policies and procedures. The Privacy Officer is also
the contact person for any questions or complaints
regarding HIPAA. Questions or concerns about
Form 23 -1 Computer Terminals /Workstations (Policy Procedure). League of Minnesota cities HIPAA Policies
Procedures Guide. Copyright 2004 by League of Minnesota Cities All rights reserved.
HIPAA rights should be directed to the HIPAA
Privacy Officer at 651- 423 -4411.
Violations 9. Violations of this policy will be subject to discipline.
Effective Date 10. April 14, 2004.
References'
Seegenerally45 C.F.R. 164.530
Form 23 -1— Computer Terminals /Workstations (Policy Procedure). League of Minnesota Cities HIPAA Policies
Procedures Guide Copyright 2009 by League of Minnesota Cities. All rights reserved.
Policy Statement
The Health Plan utilizes electronic mail (E -Mail) in transmitting individual and Health Plan information.
Established security measures must be followed by all personnel who have the authority to access, use,
or transmit protected health information (PHI) electronically.
Policy Interpretation and Implementation
Application of Policies
Definition of Authorized User
Personal Use or E -Mail and
Internet Systems
Improper Use of Health Plan's
E -Mail or Internet Services
Electronic Mail System (E -Mail)
1. This policy applies to all usage of e-mail systems
related to the Health Plan whether or not the e-mail
is originated from or is received into the computer or
network system used by the Health Plan. Such
policies apply to all authorized users including
employees, business associates, staff or consultants.
2. For the purposes of this policy, an "authorized user"
is defined as any person who (1) has been assigned
a password and user ID code and (2) has the
authority to read, enter, or update information
created or transmitted by the Health Plan.
3. Users have the responsibility and obligation to use
e -mail and Internet systems appropriate, effectively,
and efficiently. Incidental personal use is
permissible if:
a. Personal use is limited to meal and break
times;
b. It does not interfere with the normal business
use of such services;
c. It does not interfere with the work
productivity of the user or other employees;
and
d. Passwords and user ID codes are not shared
with others.
4. Improper use of e-mail and internet services is
strictly prohibited. Examples of such improper use
include, but are not limited to:
a. Sending /forwarding harassing, insulting,
defamatory, obscene, offending or threatening
messages;
b. Gambling, surfing or downloading
pornography;
c. Downloading or sending confidential individual
or PHI without proper authorization;
d. Copying or transmission of any document,
Form 23 -2 Electronic Mail System (E -mail) (Policy Procedure). League of Minnesota Cities AIPAA Policies
Procedures Guide. Copyright 2009 by League of Minnesota Cities. All rights reserved.
software or other information protected by
copyright and /or patent law, without proper
authorization;
e. Transmission of highly sensitive or confidential
information (e.g., HIV status, mental illness,
chemical dependency, workers' compensation
claims, etc.);
f. Obtaining access to files or communication of
others without proper authorization;
Attempting unauthorized access to individual
or Health Plan data;
h. Attempting to breach any security measure on
any of the Health Plan's electronic
communication system(s);
i. Attempting to intercept any electronic
communication transmission without proper
authorization;
Misrepresenting, obscuring, suppressing, or
replacing an authorized user's identity;
k. Using e-mail addresses for marketing
purposes without permission from the
recipient(s);
I. Using e-mail system for solicitation of funds,
political messages, or any other illegal
activities; and /or
m. Releasing of passwords and user ID codes.
g.
Ownership of E -Mail Messages S. Messages whether originated or received into the
Health Plan e-mail system are considered to be the
property of the Health Plan arid, therefore, are
subject to the review and monitoring of the HIPAA
Privacy Officer. The Health Plan reserves the right
to access employee e -mail (whether present or not)
for the purposes of ensuring the protection of
individual /Health Plan information.
Inadvertent Access to E -Mail 6. During routine maintenance, upgrades, problem
resolution, etc. information systems technician(s)
may inadvertently access user e-mail
communications. Such staff, when carrying out their
assignments, will not intentionally read or disclose
content of e -mail unless such data is found to be in
violation of the HIPAA Policies and Procedures.
Protection of Information 7. Users of the e-mail system must ensure that all
information forwarded, distributed, or printed is
protected according to the HIPAA Policies and
Procedures.
Form 23 -2 Electronic Mad System (E maip (Policy Procedure). League of Minnesota Cities HIPAA Policies s
Procedures Guide. Copyright 2004 by League of Minnesota Cities. All rights reserved.
Responding to E -mail Messages
Maintaining /Archiving E -Mail
Messages
Record Retention
HIPAA Privacy Officer
Effective Date 13. April 14, 2004
References:
See generally 45 C.F.R. 164.530
8. When an e-mail message is received containing PHI,
any reply of response to that message (i.e., an
acknowledgement or receipt of the message) must
not include PHI. E -mail systems often automatically
include the sender's e-mail message when a reply is
made. When the original message includes PHI, the
function of the software must be disabled or the
original message must be manually deleted prior to
sending a reply.
9. E -mail messages may not be maintained or archived
for more than thirty (30) days, unless otherwise
approved by the HIPAA Privacy Officer.
10. A copy of all HIPAA covered information and any
revisions shall be maintained for a period of at least
six (6) years. Such retention may be in printed or
electronic format, or both.
11. The HIPAA Privacy Officer is responsible for the
development and implementation of the HIPAA
policies and procedures. The HIPAA Privacy Officer
is also the contact person for any questions or
complaints regarding HIPAA. If you have a question
or concern about your HIPAA rights contact the
HIPAA Privacy Officer at 651 423 -4411.
Violations 12. Violations of this policy will be subject to discipline.
Form 23 -2— Electronic Mail System (E -mail) (Policy Procedure). League of Minnesota Cities HIPAA Policies
Procedures Guide Copyright 2004 by League of Minnesota Cities All rights reserved.
Cover Letter
Transmittal Sheets
Facsimile Machines
Policy Statement
The Health Plan utilizes facsimile (fax) machines to transmit data from one location to another on a
routine basis. The Health Plan will provide physical and procedural safeguards to minimize the possibility
of unauthorized observation or access to protected health information (PHI) during the transmission or
receipt of data via a facsimile machine. This policy outlines the required elements for a secure location of
a facsimile machine. The procedure establishes guidelines for how the Health Plan will reasonably
safeguard the transmission and receipt of PHI via a facsimile machine to limit incidental or accidental use
or disclosure of PHI.
Policy Interpretation and Implementation
Secure Location 1. Fax machines used to transmit or receive PHI shall
be placed in secure locations. Whenever possible,
fax machines used to receive PHI will not be used
regularly for other purposes.
Pre Programmed Numbers 2. Frequently used destination numbers will be pre-
programmed into fax machines and tested before
being used to transmit PHI. Each fax machine
will display a key that identifies the destination for
each pre programmed fax number.
Non Pre Programmed Numbers 3. When PHI is faxed to a destination number that is
not pre programmed, the fax machine operator will
double -check the accuracy of the number in the
machine's display before sending the fax.
4 All fax messages will include a standard cover sheet,
developed by the Privacy Officer, with the following
(or substantially similar) statement:
Confidentiality Statement: The documents
accompanying this transmission contain confidential
health information that is legally privileged. This
information is intended only for the use of the
individuals or entities listed above. If you are not the
intended recipient, you are hereby notified that any
disclosure, copying, distribution, or action taken in
reliance on the contents of these documents is strictly
prohibited. If you have received this information in
error, please notify the sender immediately and
arrange for the return or destruction of these
documents.
5. Transmittal sheets will be checked immediately after
each transmission of PHI, to assure that the
information was sent to the correct number.
Misdirected Faxes 6. If PHI has been sent to the wrong fax number, the
sender must immediately send a second fax to the
Form 23 -3 Facsimile Machines (Policy Procedure). League of Minnesota Cities HIPAA Policies a Procedures
Guide. Copyright 0 2004 by League of Minnesota Cities. All rights reserved.
Received Faxes
Record Retention
Privacy Officer
Effective Date 11. April 14, 2004.
References'
Seegenerally45 C.F.R. 164.530
number that was contacted in error, reiterating the
confidentiality message, and asking the recipient to
telephone the sender immediately to arrange proper
disposition of the information. Any instance of
transmitting PHI to the wrong destination number
must be reported to the Privacy Officer immediately.
The report must include the date, time, the wrong
number, the correct number, the intended recipient,
the identity of the member, and a brief description
of the information that was transmitted in error.
Transmission of PHI by fax to a wrong number must
be included in an accounting of disclosures of PHI.
7. Prior to distribution of a received fax message, the
fax message must be reviewed to make sure that all
pages that belong to that fax message have been
received and are together, and pages that belong to
other fax messages are riot included. The cover
sheet received with the message, if any, will be
placed on top of the message.
8. A copy of all HIPAA covered information and any
revisions shall be maintained for a period of at least
six (6) years. Such retention may be in printed or
electronic format, or both.
9. The Privacy Officer is responsible for the
development and implementation of the HIPAA
policies and procedures. The Privacy Officer is also
the contact person for any questions or complaints
regarding HIPAA. Questions or concerns about
HIPAA rights should be directed to the Privacy
Officer at 651- 423 -4411.
Violations 10. Violations of this policy will be subject to discipline.
Form 23 Facsimile Machines (Policy &Procedure). League of Minnesota Cities HIPAA Policies Procedures
Guide. Copyright 2009 by League of Minnesota Cities. All rights reserved
Policy Statement
The Health Plan utilizes copy machines to copy data on a routine basis. The Health Plan also occasionally
utilizes third party copy services to copy data. The Health Plan will provide physical and procedural
safeguards to minimize the possibility of unauthorized observation or access to protected health
information (PHI) during the copying of data. This policy outlines the required elements for a secure
location of a copy machine and establishes guidelines for how the Health Plan will reasonably safeguard
PHI during copying to limit incidental or accidental use or disclosure of PHI.
Policy Interpretation and Implementation
Secure Location
Removal of Original
Removal of Copies
Erasing Memory
Destruction of Certain Copies
Unattended Copying
Outsourcing
Copy Machines
1. Copy machines used to copy PHI shall be placed in
secure locations. Whenever possible, copy machines
used to copy PHI will not be used regularly for other
purposes.
2. Following the copying of any document containing
PHI, the person making the copies will double -check
to confirm that no original documents containing
PHI are left on or at the copy machine.
3. Following the copying of any document containing
PHI, the person making the copies will double -check
to confirm that none of the copies containing PHI
are left on or at the copy machine.
4. If the copy machine is equipped with a memory that
allows the reprinting of a document previously
copied, upon completion of the copy job involving
documents containing PHI, the person making the
copies will delete the memory and double -check that
the memory has been deleted prior to leaving the
copy machine.
5. In the event a copy containing PHI is unusable
(because it is not dark enough, etc.) and is to be
destroyed, the person making the copy will destroy
the copy, regardless of whether it is legible, by
shredding it.
6. In no instance shall the person making copies of
documents containing PHI leave the copier
unattended while copies are being made.
7. To the extent possible, copies of PHI should be
made on site in accordance with the foregoing
procedures. In some instances it may, however, be
appropriate to outsource copying of documents and
data containing PHI to a third party copy service
(i.e., large volumes of documents to copy or large
numbers of copies needed). Prior to providing
Form 23 Copy Machines (Policy Procedure). League of Minnesota Cities HIPAA Policies Procedures
Guide Copyright 2004 by League of Minnesota Cities All rights reserved.
Record Retention
Privacy Officer
Effective Date 11. April 14, 2004.
References:
See generally 45 C.F.R. 164.530
documents /data containing PHI to any such copy
service for copying, the copy service must sign a
business associate agreement. Furthermore, the
Mail policy shall be followed with respect to
delivering the original documents /data to the copy
service.
8. A copy of all HIPAA covered information and any
revisions shall be maintained for a period of at least
six (6) years. Such retention may be in printed or
electronic format, or both.
9. The Privacy Officer is responsible for the
development and implementation of the HIPAA
policies and procedures. The Privacy Officer is also
the contact person for any questions or complaints
regarding HIPAA. Questions or concerns about
HIPAA rights should be directed to the Privacy
Officer at 651- 423 -4411.
Violations 10. Violations of this policy will be subject to discipline.
Form 23 -4 —Copy Machines (Policy Procedure). League of Minnesota Cities HIPAA Policies Procedures
Guide Copyright 2009 by League of Minnesota Cities. All rights reserved.
Addresses
Information Contained on
Envelopes
Secure Envelopes
Receipt of Mail
Record Retention
Mail Internal and External
Policy Statement
The Health Plan utilizes both internal and external mail (i.e., postal service and delivery services) to
deliver data on a routine basis. The Health Plan will provide physical and procedural safeguards to
minimize the possibility of unauthorized observation or access to protected health information (PHI)
during the mailing of data. This procedure establishes guidelines for how the Health Plan will reasonably
safeguard PHI during mailing of data to limit incidental or accidental use or disclosure of PHI.
Policy Interpretation and Implementation
1. When PHI is mailed, whether internally or externally,
the person sending the mail will double -check the
accuracy of the address of the addressee before
sending the mail.
2. When PHI is mailed, whether internally or externally,
no PHI shall be included on the envelope, nor shall it
be visible through the envelope, including any
window in the envelope. With respect to internal
mail, only the recipients name shall be indicated on
the envelope.
3. When PHI is mailed, whether internally or externally,
it should be mailed in a sealed envelope or an
envelope that may be securely closed and it should
not be provided to unauthorized staff or third
persons (i.e., mail room staff) until properly sealed
or closed. To the extent it is impractical to place it
in a secure envelope, interoffice mail may be
transmitted without an envelope, provided that the
first page of the mail does not contain PHI (i.e., a
cover page is used or the first page is turned over)
and PHI is not otherwise visible.
4. Only authorized staff shall open mail that is
received, whether from internal or external sources,
from a subject of PHI or from any other party where
it is likely the mail contains PHI. To the extent mail
is received in an envelope that is not addressed to a
specific person, where it is unclear that it is from the
subject of PHI, or where it is unclear whether it may
contain PHI, the mail may be opened by
unauthorized staff, provided that person opening the
envelope reviews the least amount of contents
needed to determine to whom the mail is addressed
and /or that it contains PHI, at which time the mail
should be delivered to the appropriate person.
5. A copy of all HIPAA covered information and any
revisions shall be maintained for a period of at least
six (6) years. Such retention may be in printed or
Form 23 -5 Mad Internal and External (Policy Procedure). League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright 0 2004 by League of Minnesota Cities. All rights reserved.
Privacy Officer
electronic format, or both.
References:
Seegeneral /y45 C.F.R. 164.530
6. The Privacy Officer is responsible for the
development and implementation of the HIPAA
policies and procedures. The Privacy Officer is also
the contact person for any questions or complaints
regarding HIPAA. Questions or concerns about
HIPAA rights should be directed to the Privacy
Officer at 651- 423 -4411.
Violations 7. Violations of this policy will be subject to discipline.
Effective Date 8. April 14, 2004.
Form 23 -5 Mad Internal and External (Policy Procedure). League of Minnesota Cities HIPAA Policies
Procedures Guide. Copyright 2004 ry League of Minnesota Cities. All rights reserved.
Policy Statement
Documents containing protected health information (PHI) will be stored so that they are protected from
public view, view by those without a need to know whether inadvertent or otherwise, or unauthorized
access.
Policy Interpretation and Implementation
Storage of Documents
Access Limitations
Leaving File Cabinet Unlocked
and Unattended
Sharing Key to File Cabinet
Record Retention
Privacy Officer
Violations 7. Violations of this policy will be subject to discipline.
Effective Date 8. April 14, 2004:
References:
See generally 45 C.F.R. 164.530
Storage of Documents
Form 23 -6 Storage of Documents (Policy Procedure). League of Minnesota Cities HIPAA Policies Procedures
Guide. Copyright 0 2009 by League of Minnesota Cities. All rights reserved.
1. Documents containing PHI shall be stored in locked file
cabinets separate from other documents (i.e., personnel
files) to which unauthorized staff may appropriately have
access. Insofar as practical /feasible, the file cabinets
shall be located in a secure location
2. Only authorized staff are granted access to individual
and Health Plan information. Such access is limited to
specific, denied, documented and approved applications
and level of access rights.
3. Authorized staff may not leave file cabinets containing
documents with PHI unlocked and unattended for long
periods of time (e.g., breaks, lunch, meetings, etc.). File
cabinets must be locked at the end of the work shift.
4. Authorized staff may not (1) provide the key the any file
cabinet containing PHI documents to other staff
members or other non -staff members, or (2) allow other
staff members or other non -staff members access to
said file cabinets.
5. A copy of all HIPAA covered information and any
revisions shall be maintained for a period of at least six
(6) years. Such retention may be in printed or electronic
format, or both.
6. The Privacy Officer is responsible for the development
and implementation of the HIPAA policies and
procedures. The Privacy Officer is also the contact
person for any questions or complaints regarding HIPAA.
Questions or concerns about HIPAA rights should be
directed to the HIPAA Privacy Officer at 651- 423 -4411.