Date Issued: 02-05
This policy is effective immediately to ensure that the Town of Concord will comply with the Privacy Regulations of the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996. The Town shall limit the use of and access to Protected Health Information which is held by the Town or its lawful agents. Protected Health Information is any written, oral or electronic form of information relating to a person's past, present or future health condition, delivery or payment of health services that identifies an individual or where there is a reasonable basis to believe the information could be used to identify an individual. Administrative, technical and physical safeguards established to limit use and access to protected health information are stated as an integral part of this policy, established as part of daily operating procedures and will be maintained by all responsible staff and representatives of lawful agents and business associates of the Town of Concord.
To assure this commitment to compliance, the Town Manager designates a Privacy Contact who shall have the responsibility:
* To ensure that the Town Manager is kept informed of all changes, updates, requirements, responsibilities, claims, etc. concerning the HIPAA privacy regulations;
* To ensure that documentation of the Town's efforts to comply with HIPAA privacy regulations is maintained;
* To ensure that the Town’s group health and dental plan subscribers are sent privacy notices and new enrollees receive said notices;
* To ensure that any protected health information disclosures are tracked;
* To ensure that authorizations for disclosure and use of protected health information are properly processed;
* To resolve complaints from participants about possible privacy violations;
* To ensure that appropriate Town liaisons are maintained with the group health insurance program third party administrator, relevant business associates, and health insurance carriers, communicating the Town's commitment and securing the commitment of these entities to the privacy and security of protected health information;
* To ensure that all required authorizations, agreements, etc. relative to the protected health information of group health insurance program participants are maintained; and
* To monitor the Town's compliance with HIPAA privacy regulations on a regular basis.
The HIPAA privacy contact for the Town of Concord is the Deputy Town Manager. The Deputy Town Manager may be contacted in person or by mail at 22 Monument Square, Concord, MA 01742, or by telephone at (978) 318-3000.
With respect to the Town's group health and dental insurance program, in accordance with HIPAA, only those Town officials with a legitimate business purpose and bona fide need to know may be given access to protected health information in order to legally perform the position duties and administer the program.
The Town of Concord communicates its commitment to HIPAA Privacy Regulations through:
* Adoption of this policy by the Town Manager;
* Distribution of this policy to and training of all relevant staff concerning the definition, security and authorization of protected health information;
* Distribution of the privacy notice to all subscribers to the group health and dental insurance plans;
* Posting of this policy on the Town of Concord Website;
* Including the privacy notice in the new employee benefits package; and
* Including the privacy notice in all relevant Town operations and business transactions.
As an employer, the Town of Concord may use protected health information in its possession without specific authorization from the employee for treatment, payment, quality assessment, medical review and auditing, studies to improve the group's health care quality or reduce health care costs, compiling civil/criminal proceedings, and any other use required by law for public health, communicable disease, abuse or neglect, or food and drug administration purposes. Information which is normally maintained in the employment record which is not classified as protected health information includes all forms, responses, inquiries and data relative to the Family Medical Leave Act, drug screenings, fitness for duty, workers compensation, disability, life insurance, the Occupational Safety and Health Act and sick leave.
Protected employee health information may be released for other purposes only by the employee’s authorization, submitting the established form in person to the Human Resources Department. The use and/or disclosure of protected health information is limited to the specific information for the specific purpose, to and from the specific individual and/or entity for a specific time period as delineated on the authorization form. Group health insurance program participants are allowed to review their protected health information that is held by the Town and to correct errors. Upon request, a participant will be provided with an accounting of disclosures of protected health information.
The Town of Concord separates protected health information from the employment record and retains such information in a locked file accessible only to the Human Resources Department and, under special circumstances, other Town Officials who have a bona fide need to know to accomplish legal Town business. All entities which could receive protected health information (third party administrator, ambulance billing company, fully insured plan providers, legal counsel, actuaries and consultants) must enter into a business associate agreement with the Town of Concord in which both parties commit to compliance with the HIPAA Privacy Regulations and to providing satisfactory assurances that the business associate will appropriately safeguard the protected health information.
Participants that believe they have been aggrieved by the use or disclosure of protected health information may file a written grievance with the Privacy Contact within sixty (60) calendar days of the use or disclosure of the protected health information or within fifteen (15) calendar days of their knowledge of said use or disclosure. The grievance must delineate the specifics of the complaint, including but not limited to:
1. what unauthorized protected health information was released;
2. who received the protected health information and/or is knowledgeable of the protected health information;
3. when was the protected health information released and/or when did the complainant become aware of the unauthorized knowledge of the protected health information; and
4. what was the result of the release of the unauthorized protected health
The Privacy Contact will meet with the complainant as soon as possible after the receipt of the grievance. During this meeting the Privacy Contact will discuss the issue brought forward with the complainant. The Privacy Contact will investigate the allegations of the complaint with the full support and assistance of Town management and, if necessary, legal counsel. The Privacy Contact will provide a written report of his/her findings and recommended action, if warranted, to the Town Manager and the complainant within thirty (30) calendar days from the date of the meeting with the complainant. If for some reason the Privacy Contact is unable to conduct this meeting and/or investigation the Town Manager shall appoint an alternate senior manager to perform these duties.
Complainants may also contact the Federal Department of Health and Human Services for assistance.
The Town of Concord will comply with the Privacy Regulations established by the Federal Government and requires its employees to observe and comply with this policy and the use of the proper procedures and policy documents. Employees found to have breached protected health information security will be subject to sanctions from verbal reprimand up to and including termination, dependent upon the seriousness, willfulness and ramifications of the breach.