400.71 Safeguarding PHI
The District will take all reasonable and legally required steps to safeguard protected health information (PHI). To maintain the confidentiality of health data, the District will follow the Minimum Necessary Information principle, which minimizes the amount of protected health information used and disclosed and the number of persons who have access to this information.
To that end, the Privacy Officer will develop and enforce rules and regulations to ensure that PHI is handled in accordance with law and policy and that the following expectations are met:
- Employees may only access current and/or archived, paper and/or electronic member records for which they have a legitimate, assigned business need; the employees authorized to access such information will be limited to the greatest extent possible.
- Employees may not discuss and/or share any PHI with any unauthorized person.
- Current and/or archived, paper and/or electronic employee PHI is reasonably safeguarded from unauthorized view, including by unauthorized employees.
- Current and/or archived, paper and/or electronic employee PHI is maintained separately from all employee records and not commingled with employment records of any kind.
- When disposal of current and/or archived, paper and/or electronic employee PHI is warranted, reasonable safeguards must be taken to prevent unauthorized view of said PHI, including by unauthorized employees.
- No health information obtained by and in relation to the health plan will be used in any employment-related decision.
- With respect to requests for PHI from the District’s associates, including but not limited to insurance companies and third-party administrators, the use and/or disclosure of and/or requests for protected health information are limited to the minimum necessary to accomplish the intended purpose.
- All employees are trained on how to protect their own health information.
- Employees with access to PHI of others are trained on data privacy laws, policies, and District expectations.
This policy does not limit the District’s ability to take the following action(s) with regard to PHI provided that such action(s) are otherwise authorized by law:
- Disclosures of PHI to and/or requests for PHI from a health care provider for treatment purposes
- Disclosures of PHI to the individual who is the subject of the information
- Uses and/or disclosures made pursuant to any valid authorization received by the health plan
- Uses and/or disclosures required for compliance with standardized Health Insurance Portability and Accountability Act (HIPAA) transactions
- Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the rule for enforcement purposes
- Uses or disclosures that are required by other law
Any employee violating these policies may face disciplinary actions up to and including suspension without pay or termination.
Privacy Officer:
Jessica Dirks
Chief Officer, Human Resources & Legal Affairs
306 SW School Street
Ankeny, Iowa 50023
515-965-9600
Legal Reference:
Health Insurance Portability & Accountability Act (HIPAA) of 1996 Public Law 104-191
Standards for Privacy of Individually Identifiable Health Information, 45 CFR Part 160 and Part 164
Security Standards for the Protection of Electronic Protected Health Information, 45 CFR Part 160 and Subparts A and C of Part 164
Cross Reference:
400.60 HIPAA – Appropriate Uses and Disclosures
400.63 HIPAA – Breach of Privacy Policy
400.66 Individual HIPAA Rights
400.69 HIPAA Non-Discrimination
406.10 Employee Physical Examination
400.30 Employee Records
405.21 Personnel Records Management
Approved:
June 21, 2010
Reviewed:
March 23, 2015
February 15, 2021
Revised:
March 23, 2015
February 15, 2021