That the Board adopt the following policy regarding the privacy of the health-related information it maintains pertaining to employees and students.
PURPOSE:
To ensure that the Chicago Board of Education (“Board”) complies with the Health Insurance Portability and Accountability Act (“HIPAA”) privacy provisions pertaining to the protection of individually identifiable medical information of CPS employees and students.
Present Policy: None
History of Board Action: None
POLICY TEXT:
Introduction
In 1996, Congress enacted HIPAA, a law designed, in part, to protect the privacy and confidentiality of individual health information. HIPAA’s Privacy Rule applies to the Board, as both a health care provider and a sponsor of health care plans, and requires it to take a number of steps to ensure the privacy and confidentiality of health-care related information it maintains that is not covered by the Family Educational Rights and Privacy Act or kept in employment records. This policy presents the Privacy Rule requirements in a manner that allows Board employees working with individually identifiable medical information to know how to comply with the law. This policy also sets forth the procedures and rules that will allow the Chicago Public Schools (“CPS”) to establish and maintain the privacy and confidentiality of individually identifiable health information as required by HIPAA.
I. Definitions
For purposes of this policy alone, the terms listed below shall be defined as follows:
- “Business Associate” means a person or an entity that is not an employee and performs or assists in the performance of: (1) an activity involving the use or disclosure of individually identifiable health information including claims processing or administration; data analysis; processing or administration; utilization review; quality assurance; billing; benefits management; and repricing; or (2) legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation or financial services which involves the disclosure of individually identifiable employee or student health information maintained by the Board.
- “Covered entity” means a health plan, a health care clearinghouse or a health care provider that transmits any health information in electronic form in connection with financial or administrative activities related to health care.
- “De-identified information” means health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.
- “Designated record set” means a group of records maintained by or for the Board that includes: (1) medical records and billing records about individual employees or students; (2) the enrollment, payment and claims adjudication records, and (3) the case or medical management records that are used by or for the Board.
- “Disclosure” means releasing, transferring, providing access to or divulging information in any other manner to an entity or individual other than and outside of the Board.
- “Health care provider” means a provider of medical or health services and any other person or organization that furnishes, bills or is paid for health care in the normal course of business.
- “Hybrid entity” means a single legal entity that is a covered entity, whose business activities include both covered and non-covered functions, and that designates which of its functions are covered functions.
- “Individual” means a Board employee or student who is the subject of protected health information, or an authorized personal representative of a Board employee or student.
- “Individually identifiable health information” means information collected from an individual that is created or received by a health care provider, health plan or employer that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual or the past, present or future payment for the provision of health care to an individual and that identifies the individual or which reasonably can be used to identify the individual.
- “Marketing” means making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service that includes arrangements whereby a covered entity receives compensation for providing another entity with protected health information.
- “Protected health information” means individually identifiable health information transmitted or maintained by electronic media or any other form or medium excluding individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act and employment records held by the Board in its role as employer.
- “Use” means with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.
II. Individual Privacy Rights of CPS Employees and Students
The Privacy Rule establishes a number of rights for individuals pertaining to the use and disclosure of protected health information (“PHI”). These rights accorded to all CPS employees and students by the Privacy Rule include the following:
- Right to Notice of Privacy Practices
Individuals have a right to notice regarding the uses and disclosures of PHI that the Board may make, an individual’s privacy rights pertaining to PHI and the Board’s duties regarding PHI.
- The Right to Request Privacy Protection for Protected Health Information
Individuals have the right to request that the Board restrict the uses and disclosures of their PHI. The Board, as a covered entity, is not required to agree to a restriction request. If the Board does agree to a requested restriction, then the restricted PHI may not be used or disclosed unless the individual who made the restriction request needs emergency treatment and the restricted information is needed to provide emergency treatment.
- The Right to Confidential Communications
Individuals have the right to request that they receive communications of PHI by alternative means or at alternative locations and the Board shall accommodate any such reasonable request.
- The Right of Access to Protected Health Information
Individuals have the right to inspect and obtain a copy of their PHI for as long as such information is retained by the Board in a designated record set, except in situations set forth by the Privacy Rule at 45 CFR § 164.524.
- The Right to Amend Protected Health Information
Individuals have the right to request that the Board amend PHI or a record about the individual in a designated record set for as long as the PHI is maintained in the designated record set.
- The Right to an Accounting of Disclosures of Protected Health Information
Individuals have the right to receive an accounting of any disclosures of their PHI that the Board or any of its business associates has made during the six years prior to the date when the request for accounting was made. The Board shall not be required to provide an accounting for disclosures of PHI made for any of the reasons set forth by the Privacy Rule at 45 CFR § 164.528.
III. Privacy Rule Obligations the Board Must Satisfy as a Hybrid Entity
The Board is a hybrid entity since only some of its business operations concern the provision of health care services or the sponsoring of an employee health care plan. The Privacy Rule requires that the Board, as a hybrid entity, take a number of actions intended to protect the privacy of PHI. These actions include:
- Identifying and documenting those operations at the Board which relate to the provision of health care services and the sponsorship of a health care plan and those employees who work with PHI as part of their duties.
- Ensuring that those Board employees who do work with PHI do not disclose such information in a prohibited manner to other employees who are not involved in operations covered by the HIPAA privacy provisions.
- Maintaining records and compliance reports that allow for a determination as to whether the Board is complying with applicable provisions of the Privacy Rule.
- Cooperating with complaint investigations and compliance reviews to determine whether the Board is complying with applicable provisions of the Privacy Rule.
- Permitting access to all documents that are pertinent to determining the Board’s compliance with applicable provisions of the privacy rule.
IV. Requirements Governing the Use and Disclosure of PHI
The HIPAA Privacy Rule establishes a number of requirements governing the use and disclosure of PHI with which the Board must comply. These requirements, which are set forth below, seek to protect an individual’s privacy rights without placing an undue practical or administrative burden on covered entities like the Board.
- Obtain a Valid Authorization Before Using or Disclosing PHI
- The Board may not use or disclose individuals’ PHI without obtaining a valid authorization from an individual, unless the use is permitted or required by law. The Board’s use or disclosure of PHI after a valid authorization must be consistent with the authorization.
In order to ensure the necessary validity, all authorizations executed by the Board and individuals whose PHI is maintained by the Board must comply with the standards set forth by HIPAA at 45 CFR § 164.508.
- An authorization will not be valid if it has any of the defects described at 45 CFR § 164.508.
- Situations In Which Valid Authorization Must Be Obtained Prior to the Use and Disclosure of PHI.
The Board must obtain a valid authorization for the use or disclosure of any individual’s PHI in the following situations:
- Before using or disclosing an individual’s psychotherapy notes.
- Before using or disclosing an individual’s PHI for marketing purposes.
- Situations In Which PHI May Be Used or Disclosed Without a Valid Authorization
Board employees are permitted to use and disclose PHI without a valid authorization for treatment, payment or health care operations purposes as long as such use or disclosure pertains to treatment, payment or health care operations activities. Additionally, PHI may be used or disclosed without valid authorization in the situations set forth by the Privacy Rule at 45 CFR §§ 164.502-164.514.
- Situations In Which PHI Must Be Disclosed Regardless of Authorization
The Privacy Rule indicates that there are certain instances in which PHI must be disclosed with or without authorization. Board employees working with PHI shall comply with the provisions set forth by the Privacy Rule at 45 CFR §§ 164.502 and 164.528.
- An individual may revoke a valid authorization in writing at any time except to the extent that the Board has taken action in reliance on the authorization or the authorization was provided as a condition for obtaining insurance coverage.
- The Board shall document and retain all signed authorizations.
- Authorizations must be written in plain language.
- Comply With The Minimum Necessary Standard Rule
The Privacy Rule requires that those Board employees who work with PHI must make reasonable efforts to limit use or disclosure to the minimum necessary to accomplish the intended purpose of the use or disclosure. To ensure compliance with the minimum necessary standard rule, Board officials shall take the following steps:
- Identify those employees or classes of employees who need access to PHI in order to carry out their duties.
- Determine both the category or categories of PHI which the identified employees need to access and the appropriate conditions for the access.
- Make reasonable efforts to limit access of the identified employees to the PHI they need to conduct their duties.
- Implement procedures that will limit the PHI disclosed to what is reasonably necessary to achieve the purpose(s) of the disclosure.
- Prohibit disclosure of an individual’s entire health care record unless such disclosure is reasonably necessary to accomplish the purpose(s) of the requested use or disclosure.
The minimum necessary standard does not apply to the following uses or disclosures:
- To the individual.
- To a health care provider for treatment purposes.
- Required disclosures.
- Use Limited Data Set Information
Another means of protecting individuals’ PHI is the use of limited data set information. A limited data set is PHI that excludes a number of direct identifiers of an individual, employers of an individual or members of an individual’s household. Limited data set information may be used only for research, public health activities or health care operations. Before disclosing limited data set information to a recipient, the Board shall enter into an agreement that establishes:
- The permitted uses and disclosures of the information by the limited data set recipient.
- Who is permitted to use or receive the limited data set information.
- The appropriate limits on the use and disclosure by the recipient of the limited data set information.
- Use of De-identified Information
Board employees are encouraged to use and disclose de-identified health information whenever it is reasonable to do so. In creating and using de-identified information, Board employees shall follow the guidelines set forth by the Privacy Rule at 45 CFR § 164.514. Business associates with whom the Board works should be encouraged to use and disclose de-identified health information whenever it is reasonable to do so as well.
- Compliance With Agreed Upon Restrictions to the Use and Disclosure of PHI
Individuals have the right to propose restrictions on the Board’s use and disclosure of their PHI.
While the Board does not have to agree with proposed restrictions, it must comply with those to which it does agree except in situations and under the conditions set forth by the Privacy Rule at 45 CFR § 164.522.
- Allow Access to PHI
The Board shall provide individuals with access to PHI upon written request in a timely manner, except in situations described by the Privacy Rule at 45 CFR § 164.524. If the Board denies an individual access to PHI, it shall provide him or her with a review of the decision pursuant to the requirements set forth at 45 CFR § 164.524.
- Allow Individuals to Request Amendment of PHI
The Board shall allow individuals to request an amendment of their PHI. The Board may deny an individual’s request to amend PHI for the reasons set forth by the Privacy Rule at 45 CFR § 164.526. If the Board does deny a request for amendment of PHI in whole or in part, it must follow the procedures established at 45 CFR § 164.526.
- Provide Individuals With An Accounting of Disclosed PHI
The Board shall provide individuals with a written accounting of disclosures of PHI that it has made in the six years prior to the date when the accounting is requested except in the situations set forth by the Privacy Rule at 45 CFR § 164.528. The accounting shall be conducted in accord with the procedures and include the information set forth at 45 CFR § 164.528.
- Provide Individuals with Adequate Notice of HIPAA’s Privacy Provisions
The Board shall provide individuals with adequate notice of the uses and disclosures of PHI that it may make, the individual’s privacy rights and the Board’s legal duties regarding PHI. The format and content of the notice shall conform with the requirements set forth by the Privacy Rule at 45 CFR § 164.520. Further, the Board will document its compliance with its obligation to provide notice by retaining copies of the notices it issues and all written acknowledgments of receipt of notice by individuals or documentation of its good faith efforts to obtain such acknowledgment.
- Establish Agreements with Business Associates Regarding the Disclosure of PHI
In the course of its activities as a health care provider or a sponsor of a health care plan, the Board may engage business associates to conduct operations that require the transmission of PHI. Under the Privacy Rule, the Board may disclose PHI to business associates pursuant to an agreement that sets forth satisfactory assurances that business associates will appropriately safeguard the information.
In order to ensure that the Board’s agreements with business associates comply with the Privacy Rule, such agreements shall include the appropriate provisions set forth at 45 CFR § 164.504.
- Use and Disclosure of PHI for Research
The Privacy Rule recognizes the importance of research to the continuing provision of quality health care. In order to facilitate research and maintain an individual’s rights to privacy with regard to his or her PHI, HIPAA sets forth, at 45 CFR § 164.512, extensive procedures that covered entities should apply to researchers’ requests for PHI. Board employees shall follow these procedures as applicable when researchers submit requests for the PHI of CPS employees or students.
V. Administrative Requirements of HIPAA’s Privacy Rule
In addition to its requirements governing the use and disclosure of PHI, HIPAA also mandates several administrative actions which covered entities must take. Pursuant to these mandates, the Board shall implement the measures described below.
- Select a Privacy Officer
The Board shall direct the Chief Fiscal Officer to select a privacy officer who is responsible for the development and implementation of the Board’s privacy policies and procedures.
- Training
The Board, as a hybrid entity, must identify the operations in which it engages that require the maintenance and use of PHI and those Board employees who work with this information. The Board shall train those employees who work with PHI regarding its policies and procedures pertaining to the Privacy Rule. Specifically, the Board shall satisfy the following training requirements:
- Begin the process of training employees who work with PHI by April 14, 2003 and continue this training until all such employees have received training on the Board’s Privacy Rule policies and procedures.
- Following this initial training, each new Board employee who will be working with PHI shall receive training within a reasonable time after becoming a Board employee.
- Any Board employee whose duties are affected by material changes in the Board’s Privacy Rule policies and procedures shall receive training on the changes to these policies and procedures within a reasonable time after the changes are implemented.
- The Board shall document that it has trained its employees with regard to its Privacy Rule policies and procedures.
- Safeguards
The Board shall take necessary steps to safeguard PHI from any intentional or unintentional use or disclosure that is in violation of the Privacy Rule. These measures also shall reasonably safeguard PHI to limit incidental uses or disclosures that occur during permitted or required use or disclosure of PHI.
- Grievance Procedure
The Board shall establish a grievance procedure that employees and students may use to make complaints concerning the Board’s Privacy Rule policies and procedures and its implementation of and compliance with these policies and procedures. Additionally, the Board shall document all complaints and the outcome of these grievances, if any.
- Sanctions
The Board shall establish and apply appropriate sanctions against its employees who fail to comply with its Privacy Rule policies and procedures. The Board will document any sanctions that are applied against its employees.
- Duty to Mitigate
The Board shall mitigate, to the extent practicable, any harmful effect of violations of its Privacy Rule policies and procedures in the use or disclosure of PHI by its employees or by any business associate.
- Non-Retaliation
The Board shall not intimidate, threaten, coerce, discriminate against or take other retaliatory action against any individual for the exercise of any rights under the Privacy Rule or the Board’s privacy policies and procedures, including the filing of a grievance. Individuals shall be protected from any retaliatory actions for engaging in the following activities:
- Filing a complaint against the Board with the Secretary of Health and Human Services.
- Testifying, assisting or participating in a Privacy Rule investigation, compliance review, proceeding or hearing.
- Opposing any act or practice under the Privacy Rule when the individual has a good faith belief that the act or practice is unlawful and the manner of opposition is reasonable and does not involve a disclosure of protected health information that violates the Privacy Rule.
- Waiver of Rights
The Board shall not require employees or students to waive their privacy rights as a condition for the provision of treatment, payment, enrollment in a health plan or eligibility for benefits.
- Changes to Privacy Rule Policies and Procedures
The Board shall make any changes in its policies and procedures that are necessary to comply with changes in the law and work to ensure that these revisions are properly implemented and documented. If changes to the Privacy Rule materially affect the content of the Board’s notice to individuals whose PHI it maintains, then the Board shall make timely revisions to its notice.
- Documentation
The Board shall maintain its Privacy Rule policies and procedures in written or electronic form. It also shall document and record all communications and actions as required by the Privacy Rule and retain the documentation for six years from the date of its creation or the date when it was last in effect, whichever is later.
| Policy References | |
|---|---|
| Amends/Rescinds | |
| Cross References | |
| Legal References | 45 CFR §§ 160.101 - 160.312; 45 CFR §§ 164.102 - 164.534; 20 U.S.C. 1232g (Family Educational Rights and Privacy Act). |
| Public Comment | |