
Policy/Memo 113

Number: Policy Memo 113
Date Issued: April 14, 2003
Policy File Ref: A1810
Subject: HIPAA Privacy Policies and Administrative Requirements
Topic: General Administrative Requirements

PURPOSE:

To establish policies to protect the confidentiality of protected health information (PHI) in compliance with the administrative and organizational requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Policy:

EBD shall adhere to the following in order to comply with HIPAA administrative and organizational requirements.

Applicability: The privacy policies and procedures apply to all EBD workforce members and other staff designated as part of the EBD health care component. The EBD health care component includes staff of EBD, and other select Department staff, such as IRM, Counsel’s Office, Internal Audit, the Public Information Office and the Executive Office, that have access to protected health information in performing functions for EBD.

Plan Sponsor Designations: EBD administers several group health plans for which the use and disclosure of Protected Health Information is regulated by HIPAA. Under HIPAA, group health plans are permitted to share limited PHI with the plan sponsor of the plan, provided that certain requirements are met. The group health plans administered by EBD and the plan sponsor designations are as follows:

Group Health Plan                                                                  Plan Sponsor
New York State Health Insurance Program (NYSHIP)                                   Health Insurance Council
New York State Dental Plan                                                         Health Insurance Council
New York State Vision Plan                                                         Health Insurance Council
New York State Public Employee and Retiree Long Term Care Program (NYPERL)         Department of Civil Service

The Health Insurance Council, plan sponsor of NYSHIP and the NYS Dental Plan, is composed of the President of the Civil Service Commission, the Director of the Division of Budget, and the Director of the Governor’s Office of Employee Relations. The plan sponsor designation extends to those employees under the direct control of the Health Insurance Council members in their performance of plan administration activities.

In order to comply with HIPAA, EBD will amend all necessary plan documents and will ensure that the amendments are certified to the affected health plans and to the plans’ insurers. State agencies participating in the group health plans administered by EBD are designated as employers under HIPAA. Participating Agencies and Participating Employers are designated as employers and also are designated as plan sponsors of their local level group health plans.

Personnel Designations: EBD's Privacy Official and Complaint Official are designated as follows:

  • Privacy Official: Responsible for the development and implementation of policies and procedures relating to the safeguarding of PHI and for providing information about EBD’s privacy practices. EBD’s Privacy Official is the Director of the Employee Benefits Division.
  • Complaint Official: Responsible for receiving complaints relating to EBD’s privacy policies and procedures, its compliance with such policies and procedures, or its compliance with the HIPAA privacy regulations. The Department’s HIPAA Officer shall serve as the Complaint Official.

Policies and Procedures: EBD shall document the following actions relating to its policies and procedures:

  • Responsibility: The EBD Privacy Official is ultimately responsible for implementing, maintaining, revising and retaining all policies and procedures.
  • Required Policies and Procedures: EBD shall implement and maintain effective policies and procedures to ensure appropriate safeguarding of PHI in its operations to be followed by all workforce members.
  • Changes to Policies and Procedures: EBD shall change its policies and procedures as necessary and appropriate to conform to changes in law or regulation. EBD may also make changes to policies and procedures at other times as long as the policies and procedures are still in compliance with applicable law. Where necessary, corresponding changes to the Notice of Privacy Practices shall be made. EBD shall not implement a change in policy or procedure prior to the effective date of the revised Notice.

Training Requirements: EBD shall conduct and document the following training actions:

  • On or before the effective date of the HIPAA privacy regulations [4/14/03], all Division employees and other workforce members shall receive training on applicable policies and procedures relating to PHI as necessary and appropriate for such persons to carry out their functions within EBD.
  • Each new workforce member shall receive the training as described above within a reasonable time after joining the workforce. Until receiving such training, they will not be allowed to perform functions involving the use or disclosure of protected health information.
  • Each workforce member whose functions are impacted by a material change in the policies and procedures relating to PHI, or by a change in position or job description, shall receive the training as described above within a reasonable time after the change is implemented.
  • EBD shall modify the content of the training upon material changes to the policies, procedures or practices.
  • EBD shall document and maintain records of workforce members’ completion of training requirements.

Safeguards: EBD will implement, maintain, and adhere to administrative, technical and physical safeguards to reasonably safeguard PHI from intentional or unintentional unauthorized access, use, or disclosure. Information to be safeguarded may be in any medium, including paper, electronic, and oral representations of confidential information. All EBD workforce members must use their best efforts to preserve the confidentiality of PHI and not divulge PHI in violation of Division or Department policies.

Safeguards to be employed by EBD include:

  • Role-Based Access: Access to computerized systems shall be granted only to the extent necessary to perform job functions. Passwords shall be required to access systems. EBD staff should take steps to maintain the confidentiality of passwords.
  • Access to secure areas of EBD will be restricted to the EBD health care component through the use of swipe cards and/or lockable doors. Access may be granted, as needed, to other persons not specifically authorized. Such persons shall be accompanied, and their access monitored, by an employee of the EBD health care component who is authorized for access.
  • Files and documents awaiting disposal or destruction should be appropriately labeled, disposed of on a regular basis, and all reasonable measures should be taken to minimize access.
  • EBD staff must take reasonable steps to protect the privacy of all verbal exchanges or discussions of confidential information, regardless of where the discussion occurs. Consultations should be conducted in a private area, and if not possible, an effort should be made to keep voices at a level that minimizes the risk of disclosure to unauthorized persons.
  • EBD staff must take special care not to leave confidential information in areas such as fax machines, photocopiers, etc.

Violations of Safeguards

An EBD employee who is aware of a potential violation of the above safeguards or of the HIPAA regulations by a member of the EBD health care component should report the violation to his/her supervisor, who in turn should report the incident to the EBD Complaint Official. If reporting directly to the supervisor is not practicable, or if the supervisor is the person responsible for the alleged violation, the staff member should report the violation directly to EBD’s Complaint Official. Any supervisor who receives information about a potential violation of HIPAA regulations should report the incident immediately to the EBD Complaint Official. Violations will be investigated and corrective action taken, as necessary, in accordance with Policy Memorandum #114 – Complaint Process.

Sanctions: EBD shall apply and document appropriate sanctions against workforce members who fail to comply with EBD’s HIPAA privacy policies and procedures. If it is determined that an employee under the control of the Health Insurance Council has accessed, used, or disclosed PHI inappropriately, the employee may be disciplined in accordance with Civil Service Law section 75 and applicable collective bargaining agreements.

Mitigation: EBD shall lessen, to the extent practicable, any harmful effect that becomes known to EBD as a result of a use or disclosure of PHI in violation of EBD’s or the Department’s policies and procedures or applicable law. EBD will take reasonable steps to correct such errors and lessen their impacts. This will include determining where the information has been disclosed, how it may be used to cause harm, and what steps can be taken to lessen these effects. EBD staff will notify the EBD Privacy Official upon discovering the inappropriate use or disclosure and update the EBD Privacy Official of the case’s resolution as required.

For example, if protected information was inadvertently faxed or mailed to a third party, EBD may require the recipient to destroy or return the information received. Additionally, if a Business Associate released PHI to a subcontractor who, in turn, used the PHI for an unauthorized purpose, EBD would ask the Business Associate whether the subcontract sufficiently addressed appropriate uses of PHI; if not, and if the Business Associate refused to remedy, EBD could explore termination of its contract with the Business Associate. Further, if there is the potential for harm, such as in the case of domestic abuse, EBD will notify the impacted individual and any required authorities to apprise them of the potential danger.

After mitigating the immediate impact of the improper use or disclosure, the EBD Privacy Official will determine what steps are required to remediate the situation. These steps may include, but are not limited to: training; disciplinary action; policy or procedure changes; and review of contractual agreements.

Complaint Process: EBD shall provide a process for individuals to make complaints about EBD’s privacy policies and procedures and/or EBD’s compliance with those policies and procedures. EBD shall document all complaints received and their disposition, if any. [Policy Memorandum Number 114 – Complaint Process]

Prohibition on Intimidating or Retaliatory Acts: Neither EBD nor any workforce member shall intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise of his/her rights or participation in any process relating to HIPAA compliance, or against any person for filing a complaint with the Secretary of the U.S. Department of Health and Human Services, participating in a HIPAA related investigation, compliance review, proceeding or hearing, or engaging in reasonable opposition to any act or practice that the person in good faith believes to be unlawful under HIPAA regulations as long as the action does not involve disclosure of PHI in violation of the regulations.

Prohibition on Waiver of Rights: Neither EBD nor any workforce member shall require individuals to waive any of their rights under HIPAA as a condition of treatment, payment, enrollment in a health plan or eligibility for benefits.

Documentation Requirements: EBD shall maintain the required policies and procedures in written or electronic form, and maintain written or electronic copies of all communications, actions, activities or designations as are required to be documented under the HIPAA regulations for a period of six (6) years from the later of the date of creation or the last effective date or such longer period that may be required under state or other federal law. The EBD Privacy Official is responsible for establishing appropriate means to comply with the documentation requirements.