(A) This medical information privacy policy describes how health information about employees may be used and disclosed by the town and how employees may obtain access to this information. The townis committed to maintaining and protecting the confidentiality of our employees’ personal information in compliance with the Health Insurance Portability and Accountability Act (HIPAA). The Clerk-Treasurer is the designated privacy officer for all employee medical information.
(B) This policy of privacy practices applies to the health plans of the town that are covered by privacy regulations, e.g., the health insurance plans, (collectively referred to as the “benefit plans”). The benefit plans are required by federal and state law to protect the privacy of employees’ individually identifiable health information and other personal information and to provide employees with notice about their policies, safeguards, and practices. When the benefit plans use, or disclose employees’ protected health information, the benefit plans are bound by the terms of this policy, or a revised policy, if applicable.
(C) The benefit plans will not use employees’ protected health information or disclose it to others without the employees’ authorization, except for the following purposes:
(1) Treatment. The benefit plans may disclose an employee’s protected health information, or an employee’s covered dependents’ protected health information, to a health care provider or administrator for its provision, coordination, or management of the employee’s health care and related services. For example, prior to providing a health service to an employee, the employee’s doctor may ask for information concerning whether and when the service was previously provided to the employee. The benefit plans may use and disclose an employee’s protected health information for treatment activities of a health care provider.
(2) Payment. The benefit plans may use and disclose an employee’s protected health information to facilitate payment of premiums for an employee’s coverage, and to determine and fulfill their responsibility to provide an employee’s health insurance benefits. For example, an employee’s protected health information may be used to make coverage determinations, administer claims, and coordinate benefits with other coverage employees may have. The benefit plans may also disclose an employee’s protected health information to a health plan or administrator to determine an employee’s eligibility for coverage, or for the health care provider to obtain payment for health care services provided to the employee.
(3) Health care operations. The benefit plans may use and disclose an employee’s protected health information for their health care operations, or the health care operations of a third-party administrator of the benefit plans. For example, the benefit plans may use protected health information to conduct quality assessment and improvement activities. Other health care operations may include providing appointment reminders, or sending an employee’s information about treatment alternatives or other health-related benefits and services. The benefit plans also may disclose an employee’s protected health information to another health plan or provider that has a relationship with an employee, so that it may conduct quality assessment and improvement activities (for example, to perform case management).
(4) Disclosure to employer or operating company. The benefit plans may disclose an employee’s protected health information to the town, or to a company acting on the behalf of the town, so that it may monitor, audit, and otherwise administer the employee health benefit plan in which employees participate. The town and its operating companies are not permitted to use protected health information for any purpose other than administration of an employee’s health insurance plan benefits. The benefit plans will not disclose protected health information to the town for the purposes of employment-related actions or decisions, or in connection with any other benefit or employee benefit plan. The benefit plans will identify employees who are authorized to receive and use protected health information.
(5) Disclosure to health care vendors and accreditation organizations. The benefit plans may disclose an employee’s protected health information to companies with whom they contract, if they need it to perform requested services. For example, the benefit plans may provide protected health information to vendors who provide important information and guidance to plan members with chronic conditions such as diabetes and asthma. Protected health information may be disclosed to accreditation organizations such as the National Committee for Quality Assurance (NCQA) for quality measurement purposes. When the benefit plans enter into these arrangements, they will obtain a written agreement to protect an employee’s protected health information.
(6) Public health activities. The benefit plans may disclose an employee’s protected health information for the following public health activities and purposes:
(a) To report health information to public health authorities that are authorized by law to receive such information for the purpose of controlling disease, injury, or disability;
(b) To report child abuse or neglect to a government authority that is authorized by law to receive such reports;
(c) To report information about a product or activity that is regulated by the U.S. Food and Drug Administration (FDA) to a person responsible for the quality, safety, or effectiveness of the product or activity; and
(d) To alert a person who may have been exposed to a communicable disease, if the benefit plans are authorized by law to give this notice.
(7) Health oversight activities. The benefit plans may disclose an employee’s protected health information to a government agency that is legally responsible for oversight of the health care system or for ensuring compliance with the rules of government benefit programs, such as Medicare or Medicaid, or other regulatory programs that need health information to determine compliance.
(8) For research. The benefit plans may disclose an employee’s protected health information for medical research purposes, subject to strict legal restrictions.
(9) To comply with the law. The benefit plans may use and disclose an employee’s protected health information to comply with the law.
(10) Judicial and administrative proceedings. The benefit plans may disclose an employee’s protected health information in a judicial or administrative proceeding, or in response to a legal order.
(11) Law enforcement officials. The benefit plans may disclose an employee’s protected health information to the police or other law enforcement officials, as required by law or in compliance with a court order or other process authorized by law.
(12) Health or safety. The benefit plans may disclose an employee’s protected health information to prevent or lessen a serious and imminent threat to employees’ health or safety, or the health and safety of the general public.
(13) Government functions. The benefit plans may disclose an employee’s protected health information to various departments of the government such as the U.S. Military, or the U.S. Department of State.
(14) Workers’ compensation. The benefit plans may disclose an employee’s protected health information when necessary to comply with workers’ compensation laws.
(15) Other. The benefit plans may disclose an employee’s protected health information when necessary to file claims with re-insurers or stop-loss carriers, or to obtain coverage with re-insurers or stop-loss carriers. The benefit plans may also disclose an employee’s protected health information to subrogation vendors to recoup payments made by the benefit plans that were reimbursed by other insurance arrangements.
(16) Uses and disclosures with employees’ written authorization. The benefit plans will not use or disclose an employee’s protected health information for any purpose other than the purposes described in this policy without the employees’ written authorization. For example, the benefit plans will not supply protected health information to another company for its marketing purposes or to a potential employer with whom an employee is seeking employment without the employee’s signed authorization. Employees may revoke an authorization that has previously been given by sending a written request to the Clerk-Treasurer, but not with respect to any actions the benefit plans have already taken.
(D) Employees may request restrictions on the use and disclosure of the employee’s protected health information for the treatment, payment, and health care operations purposes explained in this policy. While the benefit plans will consider all requests for restrictions carefully, the benefit plans are not required to agree to a requested restriction.
(E) Employees may ask to receive communications of their protected health information from the benefit plans by alternative means of communication, or at alternative locations. While the benefit plans will consider reasonable requests carefully, they are not required to agree to all requests.
(F) Employees may ask to inspect or to obtain a copy of their protected health information that is included in certain records the benefit plans maintain. Under limited circumstances, the benefit plans may deny employees access to a portion of their records. If employees request copies, the benefit plans may charge employees copying and mailing costs.
(G) Employees have the right to ask the benefit plans to amend protected health information that is contained in the benefit plans’ records. If the benefit plans determine that the record is inaccurate, and the law permits the benefit plans to amend it, the benefit plans will correct it. If the employee’s doctor or another person created the information that the employee wants to change, the employees should ask that person to amend the information.
(H) Upon written request, employees may obtain an accounting of disclosures the benefit plans have made of their protected health information. The accounting that the benefit plans provide will not include disclosures made before April 14, 2003, disclosures made for treatment, payment or health care operations, disclosures made earlier than six years before the date of the request, and certain other disclosures that are exempted by law. If employees request an accounting more than once during any 12-month period, the benefit plans may charge those employees a reasonable fee for each accounting statement after the first one.
(I) Employees may contact the Clerk-Treasurer to obtain a paper copy of this policy, even if the employees previously agreed to receive notices electronically. Employees must also contact the Clerk-Treasurer, if they wish to make any of the requests listed above.
(J) If employees want additional information about privacy rights, do not understand their privacy rights, are concerned that the benefit plans have violated their privacy rights, or disagree with a decision that the benefit plans made about access to protected health information, they may contact the Clerk-Treasurer. Employees may also file written complaints with the Secretary of the U.S. Department of Health and Human Services. The town will not take any action against employees if they file a complaint.
(K) The town may change the terms of this policy at any time. If the town changes this policy, the town may make the new policy terms effective for all protected health information that the benefit plans maintain, including any information the benefit plans created or received before the town issued the new policy. If the town makes any changes to the medical information privacy policy, notice of the changes will be provided to employees.
(Ord. 2020-26, passed 1-12-21)