Updated: January 13, 2012
Please replace the existing City of Iowa City HIPAA Privacy
Policy & Notice of Privacy Practices with this notice effective
January 13, 2012. These updated documents are being
redistributed as required every three years under Federal Law.
CITY OF IOWA CITY
HIPAA PRIVACY POLICY
This policy is intended to address privacy and security practices relating to the Health
Insurance Portability and Accountability Act of 1996 (HIPAA), specifically the Administrative
Simplification components relating to privacy and security of protected health information. The
City of Iowa City supports an employee's right to protect the privacy of his/her medical
information and it is the City’s intent to comply fully with HIPAA’s requirements. The City has
established procedures to ensure that protected health information is securely and confidentially
maintained and accessed only by authorized individuals. The City has established procedures
to ensure that employees have access to their protected health information as required by law.
1. Definitions:
a. Covered Entity: A covered entity under HIPAA is defined as a group health plan,
or a healthcare provider. The City sponsors group plans that meet this definition.
The "health plans" include medical insurance, dental insurance, Section 125
flexible spending accounts, and the employee assistance program.
A covered entity does not include the City's workers' compensation program, or
other employment-related programs and activities of the City. These programs
are governed by separate laws and regulations.
b. Protected Health Information (PHI): This includes individually identifiable health
information in all forms, including written, oral and electronic records and
exchanges, if the uses and disclosures are made by a covered entity (see
definition above). Individually identifiable health information that relates to the
City's workers' compensation program, and other employment-related programs
and activities of the City is not considered protected health information (PHI), and
is not subject to HIPAA privacy rules. However, under separate laws and
regulations, employees have a right to privacy of this information and employees
having access to such information must ensure its confidentiality.
c. Business Associate: A business associate is a third party that creates or receives
protected health information on behalf of a covered entity. Examples of business
associates include third party administrators for the City's medical plan, dental
plan, Section 125 flexible spending accounts, and employee assistance program.
Business Associates must comply with all HIPAA requirements.
d. Authorized Representative: City staff responsible for the administration of its
health plans (medical, dental, FSAs) will be considered authorized
representatives for the purpose of plan administration.
2. Permitted and required uses and disclosures of protected health information: Authorized
representatives who are responsible for accessing and communicating protected health
information will use the information for various plan administration activities, such as
enrollment and dis-enrollment, claims inquiries if PHI is shared or authorized by the
employee or personal representative, etc. The amount of information shared will be the
minimum necessary to accomplish the intended use.
3. Inappropriate disclosures subject to disciplinary action: In the absence of an employee
authorization to do so, no employee is allowed to disclose protected health information
for purposes other than those allowed for the treatment, payment and healthcare operations of
its health plan. An employee who inappropriately discloses protected health information
will be subject to disciplinary action, up to and including termination.
4. Authorization and Consent: HIPAA regulations provide that an authorization or consent
of the affected employee be obtained if protected health information is to be shared
outside the health plan as discussed above, or as otherwise permitted by law.
5. Individual Rights Under HIPAA: The addendum "Notice of Privacy Practices" details
employee rights to inspect, obtain copies, request changes/corrections, obtain
documentation of disclosures made by the plans for other than treatment, payment, or
operations, and the right to file a complaint. Employees may make requests for
information through the health plan's business associates (i.e. customer service for
medical plan) or through Human Resources. The nature of the request will determine the
procedure to be followed. Most requests do not involve a fee. However, a request for a
"designated record set" would include all medical records held by the Plan and would be
subject to a cost-based fee.
6. Security of Protected Health Information: The City has established and will maintain
appropriate security measures to protect the privacy of protected health information,
whether it be in electronic or paper form. This will include the transmission of electronic
information within the covered plan.
7. Complaints: If an employee believes that his/her individual protected health information
has been inappropriately disclosed, the employee is encouraged to contact the City's
privacy officer to discuss the concern.
8. Notice of Privacy Practices: The City of Iowa City's Notice of Privacy Practices is
included as an addendum to this policy.
9. Privacy Officer: Human Resources Administrator
City of Iowa City
410 E. Washington Street
Iowa City, IA 52240
Phone: 319-356-5025
Contact person: Human Resources Generalist
City of Iowa City
410 E. Washington Street
Iowa City, IA 52240
Phone: 319-356-5026