City of Anaheim Administrative Regulation 282
CHAPTER 2 — EMPLOYMENT PROCEDURES
Subject: Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Policy
A.R. 282
Issue Date: September 17, 2003
Revised:
Purpose:
The purpose of this regulation is to establish a policy in accordance with HIPAA.
HIPAA required the U.S. Department of Health and Human Services (HHS) to establish
rules to protect the privacy of health information. HHS issued detailed rules (HIPAA
Privacy Rule) for health plans, health care providers, and certain other health care entities
(known as covered entities). Health information covered by the HIPAA Privacy Rule is
known as Protected Health Information (PHI).
The City sponsors group health plans and the City is also a Covered Entity. Health plans
and other covered entities are required to create policies and procedures to ensure their
compliance with the HIPAA Privacy Rule.
Procedures:
The City shall comply with HIPAA by securing PHI of health plan participants. PHI
generally will be used only for health plan payment activities and operations, and in other
limited circumstances such as where required for law enforcement and public health
activities. In addition, the minimum necessary information will be used except in limited
situations specified by law. Other uses and disclosures of PHI will not occur unless the
participant authorizes them. Participants will have the opportunity to inspect, copy and
amend their PHI as required by HIPAA. Participants can exercise the rights granted to
them under HIPAA free from any intimidating or retaliatory acts.
When PHI is shared with Business Associates providing services to the City, they will be
required to agree in writing to maintain procedures that protect the PHI from improper
uses and disclosures in conformance with HIPAA.
When the City receives PHI to assist in plan administration, it will adhere to its own
stringent procedures to protect the information. Among the procedures in place are:
1. Administrative and technical firewalls that limit which groups of
employees are entitled to access PHI and the purposes for which they can
use it;
2. Safeguard PHI from improper disclosures;
3. Limit the disclosure of PHI to the minimum necessary;
4. Identify and confirm the authority of persons requesting PHI;
5. Train relevant staff; and
6. Accept and respond to complaints relating to HIPAA privacy violations.
The City may update this Policy and its procedures at any time. The City will also update
this Policy and its procedures to reflect any change required by law. Any changes to this
Policy and procedures will be effective for all PHI that the City may maintain. This
includes PHI that was previously created or received, not just PHI created or received
after the Policy and procedures are changed.
The Privacy Officer will administer the HIPAA Privacy Policy. This designated
individual is responsible for the development and the implementation of the plan's
privacy policies and procedures. The Human Resources Manager — Benefits is the
Privacy Officer for the City group health plans.
A separate procedure manual will be maintained by the Privacy Officer for technical
administration of HIPAA, as it applies to the City.
Responsibility:
The City will develop and implement administrative, technical, and physical safeguards
that will reasonably protect PHI from intentional and unintentional uses or disclosures
that violate the HIPAA Privacy Rule. In addition, the City will institute procedures to
verify the identity of any person or entity requesting PHI and the authority of that person
or entity to have access to PHI.
PHI is individually identifiable health information created or received by a covered entity
or employer. Information is "individually identifiable" if it identifies the individual or
there is a reasonable basis to believe components of the information could be used to
identify the individual. Information is protected whether it is in writing, in an electronic
medium, or communicated orally. "Health information" means information, whether oral
or recorded in any form or medium, that (a) is created or received by a health care
provider or health plan; and (b) relates to the past, present, or future physical or mental
health or condition of a person, the provision of health care to a person, or the past,
present, or future payment for health care.
Uses and Disclosures:
In general, a participant's PHI can be used or disclosed for a variety of
plan administrative activities. Common examples include paying claims, resolving
appeals, managing specialty vendors, and helping participants address problems. The
HIPAA Privacy Rule does not prohibit these activities, but it imposes the following
guidelines:
Uses and disclosures generally allowed without authorization. A person's PHI can be
used or disclosed without obtaining that person's authorization as follows:
1. For enrollment activities and (where only summary health information is
used) for premium bids and plan amendment/termination activities;
2. If requested by a health care provider for treatment;
3. If needed for payment activities such as claims, appeals, and bill
collection;
4. If needed for health care operations such as audits, customer service, and
wellness and risk assessment programs;
5. If disclosed to the participant, and in certain circumstances, to family
members and others acting on the participant's behalf; and
6. If required by law, in connection with public health activities or in similar
situations.
Information is limited to the "minimum necessary." The City will limit uses and
disclosures of PHI to the minimum necessary to accomplish the intended purpose. This
requirement does not apply to:
1. Uses or disclosures for treatment purposes;
2. Disclosures to HHS for audits of the plan's compliance with HIPAA
Privacy Rule;
3. Disclosures to an individual of his or her own PHI;
4. Uses or disclosures required by law;
5. Uses or disclosures made pursuant to an authorization; and
6. Uses or disclosures otherwise required for compliance with the HIPAA
Privacy Rule.
De-identified information. The limits apply only to health information that is
individually identifiable. If information is de-identified, it can then be used or disclosed
without restriction.
Individual Rights:
The City provides individuals with certain rights associated with their PHI that the City
(and all covered entities) must follow. These include the rights to:
1. Access, inspect, and copy certain PHI within a designated record set;
2. Request the amendment of their PHI in a designated record set;
3. Request restriction of the use and disclosure of their PHI;
4. Request the use of alternative means or alternative locations for receiving
communications of their PHI; and
5. Request an accounting of PHI disclosures.
Risk Management Activities:
The City will participate in certain risk management activities including:
1. Workforce training on the policies and procedures for use, disclosure and
general treatment of PHI;
2. Developing a complaint process for individuals to file complaints about
the plan's policies and procedures, practices and compliance with the
HIPAA Privacy Rule;
3. Designing a system of written disciplinary policies and sanctions for
workforce members who violate the HIPAA Privacy Rule;
4. Mitigating damages known to the plan resulting from improper use or
disclosure of PHI; and
5. Retaining copies of its policies and procedures, written communications,
and actions or designations.
Required Legal Documents:
The City requires covered entities to use specific documents to accomplish certain tasks.
1. A Privacy Notice describing the City's practices concerning its use and
disclosures of PHI and informing participants of their rights and of the
City's legal duties, with respect to PHI;
2. A plan sponsor certification certifying that the plan sponsor has agreed to
the restrictions on the uses and disclosures of PHI;
3. A Business Associate Agreement describing the permitted uses and
disclosures of PHI by the Business Associate; and
4. A participant's authorization permitting the City to use and disclose the
participant's PHI for purposes not otherwise permitted or required by the
HIPAA Privacy Rule.
Complaints:
If a participant believes their privacy rights have been violated, they may complain to the
Privacy Officer (Human Resources Manager — Benefits) or his designee by submitting a
written explanation to: City of Anaheim, P.O. Box 3222, Anaheim, CA 92803. Attn:
Privacy Officer (Human Resources Manager).
Attachments: None