| Protected Health Information Privacy Policy |
Purpose. To ensure that the Palm Beach County School District (District) complies with the privacy, security and breach notification provisions of the Health Insurance Portability and Accountability Act of 1996, as amended by the HITECH Act of the American Recovery and Reinvestment Act of 2009 (HIPAA), pertaining to the protection of individually identifiable health information of District employees, retirees, dependents and students.
The District, because it self-administers certain self-funded health plans, is a covered entity under HIPAA. Because its business activities include both covered and, primarily, non-covered functions, it has designated itself a “hybrid entity” under HIPAA.
Health information created or maintained by the District or its agents that is part of a student’s education record under the Family Educational Rights and Privacy Act (FERPA) is not subject to this policy.
Definitions. For purposes of this policy alone, the terms listed below shall be defined as follows:
Business Associate means a person or an entity that is not an employee of the District and performs or assists in the performance of: (1) an activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefits management and repricing; or (2) legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services that involve the disclosure of individually identifiable employee, retiree or student health information maintained by the District.
Covered entity means a health plan, a health care clearinghouse or a health care provider that transmits any health information in electronic form in connection with financial or administrative activities related to health care.
Health Plan means a program that includes coverage for defined medical, dental, vision and pharmaceutical services and other health benefits including those related to wellness.
Hybrid entity means a single legal entity that is a covered entity, whose business activities include both covered and non-covered functions, and that designates which of its functions are covered functions.
Individually identifiable health information means information collected from an individual that is created or received by a health care provider, health plan or employer, that relates to the past, present or future physical or mental health or condition of an individual or to the provision of health care to an individual, and that identifies the individual or reasonably can be used to identify the individual.
Protected Health Information (PHI) means individually identifiable health information transmitted or maintained in electronic media or in any other form or medium, excluding individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act (FERPA) and employment records held by the District in its role as employer.
Policy Statement. It is the policy and practice of the School Board to protect and safeguard individually identifiable health information of an employee, retiree, employee’s dependent or student that is created, acquired or maintained by the School District, consistent with the Health Insurance Portability and Accountability Act of 1996, as amended by the HITECH Act of the American Recovery and Reinvestment Act of 2009 (HIPAA), its related regulations, any case law arising from the implementation thereof, and applicable state laws.
District officials and employees shall take necessary steps to safeguard PHI from any intentional or unintentional use or disclosure that is in violation of HIPAA. These measures shall reasonably safeguard PHI to limit incidental uses or disclosures that occur during permitted or required use or disclosure of PHI.
The District shall mitigate, to the extent practicable, any harmful effect of an improper use or disclosure of PHI by District employees.
Under the Privacy Rule, the School District may disclose PHI to business associates pursuant to an agreement that sets forth satisfactory assurances that the business associate will appropriately safeguard the information. Any agreement with a business associate to conduct operations that require the transmission of PHI shall comply with the Privacy Rule; such agreements shall require compliance with the HIPAA Security and Privacy Rules and include the other required and appropriate provisions of 45 CFR Part 164, including the business associate contract requirements of §§ 164.314(a) and 164.504(e).
The District will cooperate fully with all state or federal bodies conducting investigations related to this policy.
All current and future employees must preserve the security and confidentiality of the protected health information they have access to and use in the performance of District duties and job responsibilities. All District employees with access to protected health information as provided for herein shall sign and be bound by the Employee Confidentiality Agreement for Handling of Personal Identification Information and Protected Health Information, PBSD Form 2345, attached hereto and incorporated herein.
Any and all agreements with Business Associates engaged to perform services related to health information for the District shall comply with HIPAA.
Privacy and Security Administration.
Privacy Officer. The Director of Risk and Benefits Management is designated as the District's Privacy Officer. The Superintendent, to whom the Privacy Officer reports, is the final authority for data privacy in the District. The Privacy Officer shall be responsible for: (i) with the Security Officer, developing and implementing administrative, technical and physical safeguards to protect the privacy of PHI; (ii) developing and implementing the privacy procedures necessary to comply with this policy, including any agreements with business associates, to ensure the District's and business associates' compliance with HIPAA; and (iii) with the Security Officer, establishing training for District employees on the privacy and security provisions of HIPAA. The Privacy Officer shall also be responsible for receiving HIPAA-related complaints and reports of HIPAA violations and for providing notifications to affected persons as required by HIPAA.
Program Unit Privacy Officers. The District's Privacy Officer may request that local privacy officers be designated as necessary to implement this policy and procedures within their program areas effectively. District work units shall promptly comply with any such request.
Security Officer. The Chief Information Officer is designated to serve as the chief security officer and shall be responsible for the security of electronic PHI, in accordance with HIPAA. For purposes of this section, electronic PHI means PHI transmitted or maintained in electronic media. The Security Officer shall develop and implement security measures to protect electronic PHI, and may designate local security officers as necessary to facilitate the implementation of procedures and security measures. Such procedures are to include, but not be limited to, procedures to:
Prevent, contain and correct any security violations related to electronic PHI.
Address security incidents related to electronic PHI.
Create and maintain retrievable exact copies of electronic PHI under a data backup plan.
Respond to an emergency or other occurrence (e.g., a natural disaster) that damages systems that contain electronic PHI.
Restore any loss of electronic PHI.
Address the final disposition of electronic PHI, and the hardware and electronic media on which it is stored.
Remove electronic PHI from electronic media before it is made available for re-use.
Corroborate that electronic PHI has not been altered or destroyed in an unauthorized manner.
Training. The Privacy and Security Officers shall identify the District operations that require the maintenance and use of PHI and the Board employees who work with this information. Training shall be provided to current and new employees whom the District determines to have access to PHI.
Notice of Privacy Practices. The Privacy Officer will provide a notice that describes, among other things, the uses and disclosures of PHI that the District is permitted or required to make under HIPAA, the District's obligations under HIPAA, and the rights related thereto for employees, students and other individuals who may receive services from the District's covered components.
Grievances or Complaints. There shall be a complaint procedure in place whereby written complaints related to PHI and HIPAA standards may be addressed. The Privacy and Security Officers shall have ten (10) work days to rule on such complaint. If the complainant is not satisfied with the disposition of the complaint, the complainant may appeal to the Superintendent or his designee, who shall review the matter and make a final decision within fifteen (15) working days of receiving written notice of the appeal. The designated parties shall document on behalf of the Board and the District all grievances/complaints and the outcome of such grievances/complaints.
Non-Retaliation. The Board, through its employees and officers, shall not intimidate, threaten, coerce, discriminate against or take other retaliatory action against any individual for the exercise of any rights under the HIPAA Privacy Rule and Security Rule, or the Board's privacy and security policies and procedures, including the filing of a grievance/complaint. Individuals shall be protected from any retaliatory actions for engaging in the following activities:
Filing a complaint against the Board with the Secretary of Health and Human Services.
Testifying, assisting or participating in a Privacy Rule or Security Rule investigation, compliance review or audit, proceeding or hearing.
Opposing any act or practice under the Privacy Rule or Security Rule when the individual has a good faith belief that the act or practice is unlawful and the manner of opposition is reasonable and does not involve a disclosure of PHI that violates the Privacy Rule or Security Rule.
Breach of Privacy and Security. The Privacy Officer, with the assistance of the Security Officer, shall be responsible for investigating all reported incidents of alleged violation of health information privacy or security, regardless of source or severity. In conducting such investigations, the Privacy and Security Officers shall:
Maintain a privacy incident file documenting each incident, and summarize for the Superintendent the status of every open file regarding alleged PHI privacy and security violations, regardless of the source of discovery.
Violations/Sanctions. Employees who violate this policy, or any related procedures implementing this policy, may be subject to disciplinary action up to and including termination of employment. The Privacy Officer, in conjunction with the Superintendent, shall ensure the appropriate implementation of sanctions against those members of the workforce who fail to comply with this policy.
| STATUTORY AUTHORITY: | Fla. Stat. §§ 1001.41, 1001.22 |
| LAWS IMPLEMENTED: | Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191; 45 CFR Parts 160 and 164); HITECH Act of the American Recovery and Reinvestment Act of 2009 |
| HISTORY: | 7/7/2010 |