Code: EHA
Adopted: 1/8/07
Health Insurance Portability and Accountability Act
(For districts that bill for Medicaid or use a contracted service – ESD or other – to bill for Medicaid and also self-insure a health plan and/or self-administer an Internal Revenue Service Section 125 Plan)
The Board has determined that it meets the definition of a hybrid of covered entities¹ under the Health Insurance Portability and Accountability Act (HIPAA). As the district offers health-care provider programs and services that include electronic billing for the reimbursement of services under Oregon Medicaid programs, or contracts with another entity to provide such services, it is subject to HIPAA. In all electronic transactions involving student education records information, the district will adhere to the transaction requirements of HIPAA and the confidentiality requirements of the Family Educational Rights and Privacy Act (FERPA).
As a covered entity, the district will meet the national electronic transaction standards and applicable requirements of federal law designed to ensure the security of protected health information of employees and student education record information created or received by the district.
In order to meet the notice requirements under the health-care provider provisions of the law, information will be provided to students and parents of their rights under FERPA in accordance with established procedures as set forth in Board policies JO - Education Records, JOA - Directory Information, JOB - Personally Identifiable Information and related administrative regulations.
The superintendent will designate an individual responsible for responding to HIPAA inquiries, complaints and for providing adequate notice of employee rights and district duties under the health plan provisions of the Act. Notice will include the privacy provisions of the law, and uses of employee protected health information and disclosures that may be made by the district.
Training will be provided to all current staff and new employees determined by the district to have access to the protected health information of employees and student education records. Training will be provided within a reasonable period of time after the individual’s hiring, and to those employees when their duties may be impacted by a change in the district’s policy and/or procedures.
Individuals who believe their privacy rights have been violated may file a complaint in accordance with established district procedures. Employee complaints may also be filed directly with the U.S. Secretary of Health and Human Services. There shall be no retaliation by the district against any person who files a complaint or otherwise participates in an investigation or inquiry into an alleged violation of an individual’s protected privacy rights. All complaints received will be promptly investigated and documented, including their final disposition.
The superintendent will ensure that satisfactory assurance has been obtained from any business associate² performing HIPAA-covered activities or functions on behalf of the district that the protected health information it receives from the district will be protected. Such assurance will be in the form of a written agreement, or may be included as a part of the district’s contract with the business associate.
Employees in violation of this policy or procedures established to safeguard student education records information and the protected health information of employees will be subject to discipline up to and including dismissal.
The superintendent is directed to ensure an assessment of district operations is conducted to determine the extent of the district’s responsibilities as a covered entity under HIPAA and to develop internal controls and procedures necessary to implement this policy and meet the requirements of law. The procedures shall include provisions for record keeping, documentation of the district’s compliance efforts and appropriate administrative, technical and physical safeguards to protect the privacy of student education records and employee protected health information and to ensure that any request is limited to information reasonably necessary to accomplish the purpose for which the request is made.
In the event of a change in the law that may impact this policy or established district procedures, the superintendent shall ensure appropriate revisions are recommended for Board approval, necessary changes are implemented and notification is made to staff and others, as appropriate.
END OF POLICY
Legal Reference(s):
ORS 332.107
Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, 42 U.S.C. 1320d-1320d-8; 45 CFR Parts 160 and 164.
Family Educational Rights and Privacy Act, 20 U.S.C. Section 1232g; 34 CFR Part 99 (2000).