Documentation The privacy policies and procedures shall be documented and maintained for at least six years. Policies and procedures shall be changed as necessary or approximately to comply with changes in the law, standards, requirements, and implementation specifications (including changes and modifications in regulations). The privacy policy shall be revised and made available if a change in law impacts the privacy notice. However, such change is effective only with respect to PHI created or received after the effective date of the notice. Certain events and actions (including authorizations, requests for information, sanctions, and complaints) relating to an individual’s privacy rights shall be documented in either written or electronic form. Documentation must be maintained for at least six years. 3.0720.04 POLICIES IN USE AND DISCLOSURE OF PERSONAL HEALTH INFORMATION (“PHI”) Issue Date: 11/14/19 Use and Disclosure Defined: The District and the Plan will use and disclose PHI only as permitted under HIPAA. The terms “use” and “disclosure” are defined as follows: Use: The sharing, employment, application, utilization, examination, or analysis of individually identifiable health information by any person working for or within the Insurance Office of the District, or by a Business Associate of the Plan. Disclosure: For information that is protected health information, disclosure means any release, transfer provision of access to, or divulging in any other manner of individually identifiable health information to persons not employed by or working with the Insurance Office of the District.
Workforce Must Comply with District’s Policy and Procedures All employees with access to PHI must comply with this policy.
Access to PHI is Limited to Certain Employees The following employees have access to PHI: 1. Director of Insurance Services who performs functions directly on behalf of the group health plan. 2. Employees in the District Insurance Office who have access to PHI on behalf of the District for use while performing daily responsibilities. These employees may use and disclose PHI for Plan administrative functions, and may disclose PHI to other employees with access to plan administrative functions. Employees with access may not disclose PHI to other employees unless an authorization is in place or the disclosure is otherwise in compliance with this policy. Permitted Uses and Disclosures Payment and Health Care Operations: PHI may be disclosed to other covered entity for the payment purposes of that covered entity.
Made with FlippingBook flipbook maker