HIPAA privacy policy

Updated: January 13, 2012

Please replace the existing City of Iowa City HIPAA Privacy Policy & Notice of Privacy Practices with this notice effective January 13, 2012. These updated documents are being redistributed as required every three years under Federal Law.

CITY OF IOWA CITY HIPAA PRIVACY POLICY

This policy is intended to address privacy and security practices relating to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), specifically the Administrative Simplification components relating to privacy and security of protected health information.

The City of Iowa City supports an employee's right to protect the privacy of his/her medical information and it is the City’s intent to comply fully with HIPAA’s requirements. The City has established procedures to ensure that protected health information is securely and confidentially maintained and accessed only by authorized individuals. The City has established procedures to ensure that employees have access to their protected health information as required by law.

1. Definitions:

a. Covered Entity: A covered entity under HIPAA is defined as a group health plan, or a healthcare provider. The City sponsors group plans that meet this definition. The "health plans" include medical insurance, dental insurance, Section 125 flexible spending accounts, and the employee assistance program. A covered entity does not include the City's workers' compensation program, or other employment-related programs and activities of the City. These programs are governed by separate laws and regulations.

b. Protected Health Information (PHI): This includes individually identifiable health information in all forms, including written, oral and electronic records and exchanges, if the uses and disclosures are made by a covered entity (see definition above). Individually identifiable health information that relates to the City's workers' compensation program, and other employment-related programs and activities of the City is not considered protected health information (PHI), and is not subject to HIPAA privacy rules. However, under separate laws and regulations, employees have a right to privacy of this information and employees having access to such information must ensure its confidentiality.

c. Business Associate: A business associate is a third party that creates or receives protected health information on behalf of a covered entity. Examples of business associates include third party administrators for the City's medical plan, dental plan, Section 125 flexible spending accounts, and employee assistance program. Business Associates must comply with all HIPAA requirements.

d. Authorized Representative: City staff responsible for the administration of its health plans (medical, dental, FSA’s) will be considered authorized representatives for the purpose of plan administration.

2. Permitted and required uses and disclosures of protected health information: Authorized representatives who are responsible for accessing and communicating protected health information will use the information for various plan administration activities, such as enrollment and dis-enrollment, claims inquiries if PHI is shared or authorized by the employee or personal representative, etc. The amount of information shared will be the minimum necessary to accomplish the intended use.

3. Inappropriate disclosures subject to disciplinary action: In the absence of an employee authorization to do so, no employee is allowed to disclose protected health information for purposes other than allowed for the treatment, payment and healthcare operations of its health plan. An employee who inappropriately discloses protected health information will be subject to disciplinary action, up to and including termination.

4. Authorization and Consent: HIPAA regulations provide that an authorization or consent of the affected employee be obtained if protected health information is to be shared outside the health plan as discussed above, or as otherwise permitted by law.

5. Individual Rights Under HIPAA: The addendum "Notice of Privacy Practices" details employee rights to inspect, obtain copies, request changes/corrections, obtain documentation of disclosures made by the plans for other than treatment, payment, or operations, and the right to file a complaint. Employees may make requests for information through the health plan's business associates (i.e. customer service for medical plan) or through Human Resources. The nature of the request will determine the procedure to be followed. Most requests do not involve a fee. However, a request for a "designated record set" would include all medical records held by the Plan and would be subject to a cost-based fee.

6. Security of Protected Health Information: The City has established and will maintain appropriate security measures to protect the privacy of protected health information, whether it be in electronic or paper form. This will include the transmission of electronic information within the covered plan.

7. Complaints: If an employee believes that his/her individual protected health information has been inappropriately disclosed, the employee is encouraged to contact the City's privacy officer to discuss the concern.

8. Notice of Privacy Practices: The City of Iowa City’s Notice of Privacy Practices is included as an addendum to this policy.

9. Privacy Officer:
Human Resources Administrator
City of Iowa City
410 E. Washington Street
Iowa City, IA 52240
Phone: 319-356-5025

Contact person:
Human Resources Generalist
City of Iowa City
410 E. Washington Street
Iowa City, IA 52240
Phone: 319-356-5026