163.56 POLICIES AND PROCEDURES FOR THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT.
(a) Statement of Purpose. The following policies and procedures are established to comply with the Health Insurance Portability and Accountability Act (“HIPAA”) of 1996; 42 U.S.C. Sections 1320d-1329d-8, and its implementing regulations 45 CFR Parts 160 and 164.
In its role as an employer, the City of Youngstown provides health insurance coverage through a group health plan for its employees as required by collective bargaining agreements entered into with the various bargaining units for City employees and as provided by ordinance for non-union employees. As sponsor of a group health plan, the City of Youngstown is a covered entity under the authorities cited above in relation to functions it carries out in administering its employee health coverage.
(b) Definitions.
(1) “Protected Health Information” means individually identifiable health information transmitted, in oral or written form, via media or maintained by electronic or any other medium.
(2) “Identifiable Health Information” means information that is individually identifiable as to the current patient or applicant for health care treatment, payment or operations.
(3) “Summary Health Information” means information that summarizes the claims history, claims expenses or types of claims experienced by individuals in a group health plan from which identifying information has been deleted.
(4) “Use” means the sharing, employment, application, utilization, examination or analysis of individually identifiable health information within the City’s operations.
(5) “Disclosure” means the release, transfer, provision of access to or divulging in any other manner of individually identifiable health information outside the City’s operations.
(c) Policy.
(1) The City of Youngstown (“City”) presently provides health benefits solely through an insurance contract with a health insurance issuer and will not create or receive protected health information from its health insurance carrier other than summary health information and participation and enrollment information, which may include identifying information of an employee’s dependents for purposes of providing legally required notices.
(2) The City does not and will not participate in or access any protected health information available electronically (such as access through an insurance provider website) or otherwise, that provides individual claim, medical, billing, or payment information relative to any of its employees or their dependents.
(3) The City will receive and request from its health insurance issuer such summary health information for purposes of audits, business planning, obtaining premium bids or proposals from health plans for providing group health insurance and for modifying, amending or terminating the group health plan.
(4) The City does request, receive and retain identifiable health information on individuals from providers other than its health insurance carrier and for purposes other than administration of a group health insurance plan, when permitted or required by law, such as results of employee physicals or drug and alcohol testing and may make individual employment decisions based on this information as permitted by law.
(d) Uses and Disclosure of Protected Health Information.
(1) The City will not disclose any protected health information except as provided for herein and will use such information only for the purposes indicated herein and subject to the procedures outlined. The City will not use protected health information disclosed by its health insurance provider in making individual employment decisions.
(2) The City may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law including: disclosure to public health authorities for public health activities and purposes; disclosure to health oversight agencies for oversight activities authorized by law; disclosure in response to administrative or court orders and other lawful process; to law enforcement officials for law enforcement purposes pursuant to process and as required by law; to Worker’s Compensation carriers or other similar programs as established by law.
(3) The City may disclose protected health information with the consent or authorization of the individuals to whom it applies or to that individual’s personal representative if the individual is decreased or lacks legal capacity to give consent.
(4) The City may use protected health information to administer the provision of health care coverage for its employees.
(5) The City may disclose protected health information to its health insurance provider for health care operations activities if the City and provider either have or had a relationship with the individual who is the subject of the protected health information, the information pertains to such relationship and the disclosure is for the purpose of health care operations or health care fraud and abuse detection or compliance.
(6) The City may use protected health information, or disclose such information to a business associate, to create information that is not individually identifiable for business planning or development or advertising for health insurance bids or proposals. The City may only disclosure protected health information to a business associate or allow the business associate to create or receive such information on its behalf with satisfactory assurance that the business associate will safeguard the information and such assurance is documented through a written agreement.
(e) Individual Rights Regarding Identifiable Health Information.
(1) An individual who is the subject of protected health information, which use and disclosure is permitted as outlined herein or as otherwise permitted by law, may require restriction of uses and disclosures of said information, but the City reserves the right to deny the restrictions as requested.
(2) The individual who is the subject of protected health information in the custody of the City has the right to inspect and obtain a copy of the individual’s protected health information. A reasonable fee may be charged by the City for copies of protected health information.
(3) An individual who thinks his/her privacy rights have been violated or disagrees with a decision the City has made about access to health information may file a written complaint to the City Law Department Privacy Officer, 26 South Phelps Street, Fourth Floor, Youngstown, Ohio, 44503.
(f) Procedures.
(1) The City designates the City Risk Manager as Privacy Officer for the City.
(2) The City has identified the following employment designations as those positions that have access to protected health information and the category of health information accessed.
A. Finance Director: Summary Health Information for purposes of business planning and auditing; Identifiable Health Information for purposes of insurance enrollment, premium payments and record keeping.
B. Law Director: Summary Health Information for purposes of business planning and preparation of bid documents.
C. Risk Manager: Summary Health Information for purposes of business planning, risk assessment and competitive bid preparation. Identifiable Health Information for purposes of premium payments, record keeping and compliance with court-ordered health care coverage or legally required notices to dependents.
D. Risk Management Clerk: Summary Health Information and Identifiable Health Information for the purposes of assisting Risk Manager in health insurance enrollment, record keeping, premium payment, compliance with court-ordered health care coverage for dependents, compliance with legally required notices to dependents.
E. General Accounting Manager: Identifiable Health Information (enrollment lists and billing statements) for purposes of insurance premium payment.
F. Finance Supervisor: Identifiable Health Information (enrollment lists and billing statements) for purposes of insurance premium payment.
G. Finance Department Cashiers: Identifiable Health Information (enrollment) for purposes of processing and responding to court orders for health insurance coverage.
(3) The City will provide training on no less than a yearly basis as to these policies and procedures to all City employees having access to protected health information (PHI) as necessary and appropriate for such persons to carry out their functions within the City. Training will be provided to new or transferred employees within a reasonable time after their commencement of duties giving them access to PHI.
(4) The training will require at least the following:
A. A review of the uses and policies outlined herein with emphasis on the requirement that disclosure of PHI is prohibited with limited exceptions.
B. Using reasonable efforts to limit use only to those employees who need the PHI to carry out their duties and to limit information accessed only to that which is necessary.
C. Use of protocols to assure that routine or recurring disclosure of PHI will be limited to the amount of information reasonably necessary to achieve the purpose of the use, disclosure or request.
D. For non-routine requests for disclosure, use of a protocol that requires referral of the request to the Privacy Officer for determination of response.
(g) Prohibitions.
(1) Neither the City or any employee, officer, office or department thereof shall intimidate, threaten, coerce, discriminate against or take other retaliatory action against any individual for the exercise of his/her rights or participation in any process relating to HIPAA compliance or for filing a complaint with the Secretary of the U.S. Department of Health and Human Services for participating in a HIPAA related investigation, compliance review, proceeding or hearing or engaging in reasonable opposition to any act or practice that the person believes in good faith to be unlawful under HIPAA regulations as long as the action does not involve disclosure of PHI in violation of the regulations.
(2) Neither the City or any employee, officer, office or department thereof shall require individuals to waive any of their rights under HIPAA as a condition of treatment, payment, enrollment in a health plan or eligibility for benefits.
(h) Changes to Policies and Procedures. The City reserves the right to make changes to these policies and procedures as necessary and appropriate or to conform to changes in HIPAA or any of its implementing regulations.
(Ord. 03-229. Passed 9-17-03.)