| The Town of Shrewsbury by vote of its
Board of Selectmen will comply with the Privacy Regulations of the
Health Information Portability and Accountability Act of 1996 (HIPAA).
The Town shall limit the use of and access to Protected Health Information
which is held by the Town or its lawful agents. Protected Health Information
(PHI) is any written, oral or electronic form of information relating
to a person's past, present or future health condition, delivery or
payment of health services that identifies an individual or where
there is a reasonable basis to believe the information could be used
to identify an individual. Administrative, technical and physical
safeguards established to limit use and access to protected health
information are stated as an integral part of this policy, established
as part of daily operating procedures and will be maintained by all
responsible staff and representatives of lawful agents and business
associates of the Town of Shrewsbury. To assure this commitment
to compliance the Board of Selectmen designates Carolyn Marcotte
as Privacy Officer who shall have the responsibility:
- To keep the Board of Selectmen and Town and School Administrations
informed
of all changes, updates, requirements, responsibilities, claims,
etc. concerning the HIPAA privacy regulations
- To maintain documentation of the Town's efforts to comply with
HIPAA
privacy regulations
- To ensure that plan subscribers are sent privacy notices and
new enrollees receive said notices as required by law
- To track any protected health information disclosures
- To process authorizations for disclosure and use of protected
health information
- To resolve complaints from participants about possible privacy
violations
- To serve as the Town's liaison with the group health insurance
program third party administrator, relevant business associates,
and health insurance carriers, communicating the Town's commitment
and securing the commitment of these entities to the privacy and
security of protected health information
- To maintain all required authorizations, agreements, etc. relative
to the protected health information of group health insurance
program participants
- To monitor the Town's compliance with HWAA privacy regulations
on a regular basis
The Privacy Officer will receive the total support of the Board
of Selectmen, Town Administration and senior management. The Privacy
Officer of the Town of Shrewsbury is covered under the Town's liability
insurance in the legal performance of his/her duties and has access
to the Town's legal counsel in the same regard.
In accordance with HIPAA, only the Town of Shrewsbury Benefits
Coordinator may be given access to protected health information
in order to legally perform the position duties and administer the
Town's group health insurance program.
The Town of Shrewsbury communicates its commitment to HIPAA Privacy
Regulations through:
- Adoption of this policy by the Board of Selectmen,
- Distribution of this policy to and training of all department
heads concerning the definition, security and authorization of
protected health information,
- Posting of this policy on the Town of Shrewsbury Website, and
- Including the privacy notice in the new employee benefits package.
As an employer, the Town of Shrewsbury may use protected health
information in its possession without specific authorization from
the employee for treatment, payment, quality assessment, medical
review and auditing, studies to improve the group's health care
quality or reduce health care costs, compiling civil/criminal proceedings,
and any other use required by law for public health, communicable
disease, abuse or neglect, or food and drug administration purposes.
Information which is normally maintained in the employment record
which is not classified as protected health information includes
all forms, responses, inquiries and data relative to the family
medical leave act, drug screenings, fitness for duty, workers compensation,
disability, life insurance, the occupational safety and health act
and sick leave.
Protected health information may be released for other purposes
by the authorization of the employee submitting the established
form in person to the Privacy Officer. The use and/or disclosure
of protected health information is limited to the specific information
for the specific purpose to and from the specific individual and/or
entity for a specific time period as delineated in the authorization
form. Group health insurance program participants are allowed to
review their protected health information that is held by the Town
and to make corrections to errors. Upon request a participant will
be provided with an accounting of disclosures of protected health
information.
The Town of Shrewsbury separates protected health information from
the employment record and retains such information in a locked file
accessible only to the Benefits
Coordinator and under special circumstances other Town Officials
that have a bona fide need to know to accomplish legal town business.
All entities which could receive protected health information (Group
Benefits Strategies as the third party administrator, ambulance
billing company, fully insured plan providers, legal counsel, actuaries
and consultants) must enter into a business associate agreement
with the Town of Shrewsbury in which both parties commit to compliance
with the HIPAA Privacy Regulations and providing satisfactory assurances
that the business associate will appropriately safeguard the protected
health information.
Participants that believe they have been aggrieved by the use or
disclosure of protected health information may file a written grievance
with the Privacy Officer within sixty (60) calendar days of the
use or disclosure of the protected health information or within
fifteen
(15) calendar days of their knowledge of said use or disclosure.
The grievance must delineate the specifics of the complaint, including
but not limited to:
1. what unauthorized protected health information was released
2. who received the protected health information and/or is knowledgeable
of the protected health information
3. when was the protected health information released and/or
when did the complainant become aware of the unauthorized knowledge
of the protected health information
4. what was the result of the release of the unauthorized protected
health information
The Privacy Officer will meet with the complainant as soon as possible
after the receipt of the grievance. During this meeting the Privacy
Officer will discuss the issue brought forward with the complainant.
The Privacy Officer will investigate the allegations of the complaint
with the full support and assistance of Town and/or School Administration
and if necessary legal counsel. The Privacy Officer will provide
a written report of his/her findings and recommended action, if
warranted, to the Town Manager and the complainant within thirty
(30) calendar days from the date of the meeting with the complainant.
If for some reason the Privacy Officer is unable to conduct this
meeting and/or investigation the Town Administrator shall appoint
a Senior Manager to perform these duties.
Complainants may also contact the Federal Offices of the Department
of Health and Human Services for assistance.
The Town of Shrewsbury will comply with the Privacy Regulations
established by the Federal Government and requires its employees
to observe and comply with this policy and the use of the proper
procedures and policy documents. Employees found to have breached
protected health information security will be subject to sanctions
from verbal reprimand up to and including termination, dependent
upon the seriousness, willfulness and ramifications of the breach.
Adopted by vote of the Shrewsbury Board of Selectmen on July 14,
2003.
|
