PRIVACY PROTECTIONS OF SELF-FUNDED GROUP HEALTH PLANS

PRIVACY PROTECTIONS OF SELF-FUNDED GROUP HEALTH PLANS

ag3419.01Adopted December 5, 2023

3419.01 - PRIVACY PROTECTIONS OF SELF-FUNDED GROUP HEALTH PLANS

The following administrative procedure applies to the self-funded group health plans maintained by the Board.

Training

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requires the group health plan to train all members of the plan’s workforce on the policies and procedures with respect to protected health information, as defined by HIPAA. The Privacy Official shall ensure that the members of the plan’s workforce receive adequate and appropriate training regarding the Privacy Rule.

Safeguards

The Privacy Rule requires the group health plan to implement appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. The Privacy Official shall implement these safeguards in a reasonable and appropriate manner.

The Security Official shall seek the services of a third party to perform an information technology risk analysis to identify and protect against reasonably anticipated threats to the security or integrity of electronic protected health information, if applicable.

Participant Rights

The Privacy Rule grants health plan participants extensive rights with respect to their protected health information. The Privacy Official shall timely respond to participant requests to exercise rights afforded by the Privacy Rule.

Sanctions

The District shall apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures established by the District.

Mitigation

The District shall mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures or the requirements of HIPAA by the District or its business associates.

Retaliatory Acts

The District shall refrain from taking any retaliatory action against any individual for exercising any right under the plan, filing a complaint with the Department of Health and Human Services, participating in any proceeding under Part C of Title XI of the Social Security Act, or opposing any act or practice made unlawful by the Privacy Rule, provided that the individual has a good faith belief that the practice opposed is unlawful.

Waiver of Rights

The District shall not impose a requirement that participants waive their rights under the Privacy Rule as a condition of the provisions of payment, enrollment in a health plan, or eligibility for benefits.

Changes to Policy and Procedures

The District shall change its policy and procedures as necessary and appropriate to comply with changes in the law.

Documentation

The District shall retain its policy and procedures for a period of six (6) years from the date of their creation or the date when they were last in effect, whichever is later.

Amendment of Plan Documents

The Privacy Rule provides that plan documents be amended to permit information sharing between the plan and the plan sponsor. The Privacy Official shall assist other District personnel in determining whether and how plan documents should be amended and in fulfilling the requirements for implementing such amendments.

Business Associate Agreements

The Privacy Rule requires a group health plan to enter into business associate agreements with certain third-party vendors. The Privacy Official shall retain counsel to draft and negotiate these business associate agreements. In the event that the plan contracts with new business associates, the Privacy Official oversee the review of existing business associate agreements to ensure compliance with current laws. The Privacy Official shall ensure that business associate agreements are entered into with new vendors.

Complaint Procedure

Any person that believes that his/her privacy rights have been violated by the inappropriate use of his/her personal medical information in violation of HIPAA may file a complaint with the District's Privacy Official. The Privacy Protection Official will provide a copy of the District's complaint procedure to any person who files a complaint.

  1. Informal Procedures

    The complainant shall orally discuss the complaint with the District's Privacy Official, who shall in turn investigate and answer the complaint. The complainant may also initiate the formal procedure as described below.

  2. Formal Procedure

    1. Step 1

      A written statement of the complaint (including the corrective action requested) signed by the complainant shall be submitted to the Privacy Official within five (5) business days of receipt of the answer to the informal complaint (if an informal complaint was made). The Privacy Official shall investigate the complaint, meet with the complainant and other staff, as appropriate, and reply in writing to the complainant within ten (10) business days of the submission of the formal complaint.

    2. Step 2

      If the complainant wishes to appeal the decision of the Privacy Official, s/he may file a written appeal (including the corrective action requested) with the District Administrator within five (5) business days of his/her receipt of the Privacy Official's response in step one. The District Administrator shall meet with the parties within twenty (20) business days of the receipt of the appeal a copy of the District Administrator's disposition of the appeal shall be sent to each party within ten (10) business days of this meeting.

Notice of Privacy Practice

The Privacy Rule requires the group health plan to distribute a Notice of Privacy Practices to participants in the plan. The Privacy Official shall retain counsel to draft the Notice of Privacy Practices. The Privacy Official shall subsequently distribute these notices to existing group health plan participants. The Notice shall be distributed to every new participant in the health plan upon enrollment. The Privacy Official shall notify all participants in the plan of the availability of the Notice and how to obtain the Notice no less frequently than once every three (3) years. If there is a material change to the notice then the Notice shall be distributed as follows:

  1. If the group health plan posts its Notice on its website, then the plan must post the revised Notice on its website by the effective date of the material change, and then provide a hard copy of the Notice (or information about the material change and how to obtain the revised Notice) in its next annual mailing.

  2. If the group health plan does not have a website, then the plan may provide the revised Notice (or information about the material change and how to obtain the revised Notice) to individuals covered by the plan within sixty (60) days of the material revision to the Notice.

Breach Notification

The Privacy Official shall develop a breach notification policy. A breach occurs when there has been an acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule which compromises the security or privacy of the protected health information. The Privacy Official shall train workforce members on the breach notification policy.

© Neola 2014