April
1, 2003
TOWN
OF WALPOLE
HEALTH INFORMATION PORTABILITY & ACCOUNTABILITY ACT PRIVACY
POLICY
The Town of Walpole by vote of its Board of Selectmen will comply
with the Privacy Regulations of the Health Information Portability
and Accountability Act (HIPAA) of 1996. The Town shall limit the
use of and access to Protected Health Information which is held
by the Town or its lawful agents. Protected Health Information (PHI)
is any written, oral or electronic form of information relating
to a person's past, present or future health condition, delivery
or payment of health services that identifies an individual or where
there is a reasonable basis to believe the information could be
used to identify an individual. Administrative, technical and physical
safeguards established to limit use and access to protected health
information are stated as an integral part of this policy, established
as part of daily operating procedures and will be maintained by
all responsible staff and representatives of lawful agents and business
associates of the Town of Walpole.
To
assure this commitment to compliance the Board of Selectmen designates
a Privacy Officer who shall have the responsibility:
- To
keep the Board of Selectmen and Town and School Administrations
informed
of all changes, updates, requirements, responsibilities, claims,
etc. concerning the
HIPAA privacy regulations
- To
maintain documentation of the Town's efforts to comply with HIPAA
privacy regulations
- To
ensure that plan subscribers are sent privacy notices and new
enrollees receive
said notices
- To
track any protected health information disclosures
- To
process authorizations for disclosure and use of protected health
information
- To
resolve complaints from participants about possible privacy violations
- To
serve as the Town's liaison with the group health insurance program
third party
administrator, relevant business associates, and health insurance
carriers,
communicating the Town's commitment and securing the commitment
of these
entities to the privacy and security of protected health information
- To
maintain all required authorizations, agreements, etc. relative
to the protected
health information of group health insurance program participants
- To
monitor the Town's compliance with HIPAA privacy regulations on
a regular
basis
The
Privacy Officer will receive the total support of the Board of Selectmen,
Town Administration and senior management. The Privacy Officer of
the Town of Walpole is covered under the Town's liability insurance
in the legal performance of his/her duties and has access to the
Town's legal counsel in the same regard.
In
accordance with HIPAA, only the Town of Walpole Personnel &
Benefits Coordinator may be given access to protected health information
in order to legally perform the position duties and administer the
Town's group health and dental insurance program.
The
Town of Walpole communicates its commitment to HIPAA Privacy Regulations
through:
- Adoption
of this policy by the Board of Selectmen,
- Distribution
of this policy to and training of all department heads concerning
the
definition, security and authorization of protected health information,
- Distribution
of the privacy notice to all subscribers to the self-insured group
health
insurance plans,
- Posting
of this policy on the Town of Walpole Website, and
- Including
the privacy notice in the new employee benefits package.
As
an employer, the Town of Walpole may use protected health information
in its possession without specific authorization from the employee
for treatment, payment, quality assessment, medical review and auditing,
studies to improve the group's health care quality or reduce health
care costs, compiling civil/criminal proceedings, and any other
use required by law for public health, communicable disease, abuse
or neglect, or food and drug administration purposes. Information
which is normally maintained in the employment record which is not
classified as protected health information includes all forms, responses,
inquiries and data relative to the family medical leave act, drug
screenings, fitness for duty, workers compensation, disability,
life insurance, the occupational safety and health act and sick
leave.
Protected
health information may be released for other purposes by the authorization
of the employee submitting the established form in person to the
Privacy Officer. The use and/or disclosure of protected health information
is limited to the specific information for the specific purpose
to and from the specific individual and/or entity for a specific
time period as delineated in the authorization form. Group health
insurance program participants are allowed to review their protected
health information that is held by the Town and to make corrections
to errors. Upon request a participant will be provided with an accounting
of disclosures of protected health information.
The
Town of Walpole separates protected health information from the
employment record and retains such information in a locked file
accessible only to the Personnel & Benefits Coordinator and
under special circumstances other Town Officials that have a bona
fide need to know to accomplish legal town business. All entities
which could receive protected health information (Group Benefits
Strategies as the third party administrator, ambulance billing company,
fully insured plan providers, legal counsel, actuaries and consultants)
must enter into a business associate agreement with the Town of
Walpole in which both parties commit to compliance with the HIPAA
Privacy Regulations and providing satisfactory assurances that the
business associate will appropriately safeguard the protected health
information.
Participants
that believe they have been aggrieved by the use or disclosure of
protected health information may file a written grievance with the
Privacy Officer within sixty (60) calendar days of the use or disclosure
of the protected health information or within fifteen (15) calendar
days of their knowledge of said use or disclosure. The grievance
must delineate the specifics of the complaint, including but not
limited to:
-
what unauthorized protected health information was released
-
who received the protected health information and/or is knowledgeable
of
the protected health information
- when
was the protected health information released and/or when did
the
complainant become aware of the unauthorized knowledge of the
protected
health information
-
what was the result of the release of the unauthorized protected
health
information
The
Privacy Officer will meet with the complainant as soon as possible
after the receipt of the grievance. During this meeting the Privacy
Officer will discuss the issue brought forward with the complainant.
The Privacy Officer will investigate the allegations of the complaint
with the full support and assistance of Town and/or School Administration
and if necessary legal counsel. The Privacy Officer will provide
a written report of his/her findings and recommended action, if
warranted, to the Town Administrator and the complainant within
thirty (30) calendar days from the date of the meeting with the
complainant. If for some reason the Privacy Officer is unable to
conduct this meeting and/or investigation the Town Administrator
shall appoint a Senior Manager to perform these duties.
Complainants
may also contact the Federal Offices of the Department of Health
and Human Services for assistance.
The
Town of Walpole will comply with the Privacy Regulations established
by the Federal Government and requires its employees to observe
and comply with this policy and the use of the proper procedures
and policy documents. Employees found to have breached protected
health information security will be subject to sanctions from verbal
reprimand up to and including termination, dependent upon the seriousness,
willfulness and ramifications of the breach.
Adopted
by vote of the Walpole Board of Selectmen on April 1, 2003.
______________________________________
William P. Ryan, Chair
|
