SH 500 Rights of Employees
SH 550 Health Information Privacy Policy
Adopted Date: 04/04
Revised Date(s): 07/06, 11/16
Revision Type: 

Purpose

The Metropolitan Library System of Oklahoma County (“Library System”) is committed to complying with all applicable provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) Standards for Privacy of Individually Identifiable Health Information (“the Privacy Rule”).  As such, the Library System has adopted a policy that is intended to protect the privacy and confidentiality of Protected Health Information (“PHI”) whenever the use or disclosure of PHI is necessary in order for the Library System to carry out its obligations as a Covered Entity.  The private and confidential use of such information will be the responsibility of all individuals with job duties requiring access to PHI in the course of their jobs.

The Library System is a “Covered Entity” only to the extent it creates, transmits or receives PHI in connection with the Library System’s self-funded Employee Benefits Plan, Flexible Benefits Plan, Medical Expense Reimbursement Plan and Employee Assistance Program (the “Plans”).  These Plans, as sponsored by the Library System, comprise an organized health care arrangement (“OHCA”).

Provisions to accomplish this purpose are far-reaching and impose strict standards with considerable penalties for violations.

 

Definitions

Business Associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.

Individually identifiable health information is information, including demographic data, that relates to:

  • the individual's past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.  Individually identifiable health information includes, without limitation, many common identifiers (e.g., name, address, birth date, Social Security Number, etc.).

Protected Health Information (“PHI”) refers to individually identifiable health information created or received by the Library System’s OHCA plans or received by a health care provider, health plan or health care clearinghouse that relates to the past or present health of an individual or to payment of health care claims.  PHI includes medical conditions, health status, claims experience, medical histories, physical examinations, genetic information and evidence of disability.

The Library System has designated the Benefits Manager as HIPAA Compliance Officer (“HCO”).  Any questions or issues regarding PHI should be presented to the HCO for resolution.  The HCO is also charged with the responsibility for:

  • Issuing procedural guidelines for access to PHI
  • Developing a matrix for personnel who will need access to PHI
  • Developing guidelines for describing how and when PHI will be maintained, used, transferred, or transmitted

 

Policy

Annually, or more frequently as necessary, the Library System performs enrollment, changes in enrollment and payroll deductions; provides assistance in claims problem resolution and explanation of benefits issues; and assists in coordination of benefits with other providers.  Some or all of these activities may require the use or disclosure of PHI.  All PHI generated, transmitted or received in connection with these processes will be maintained in confidence and employees will not disclose PHI from these processes for employment-related actions, except as provided by administrative procedures approved by the HCO.  General rules follow:

  • Examples of permissible uses or disclosures of PHI include:
    • Disclosure of PHI to the individual employee to whom the PHI belongs.
    • Requests by health care providers for access to PHI for treatment or payment purposes.
    • Disclosures made to third parties where such disclosure is authorized in writing by the employee to whom the PHI belongs.
    • Disclosures to workers’ compensation providers and those authorized by the workers’ compensation providers.
    • For claims processing purposes, information regarding whether or not an individual is covered by a plan is a permitted disclosure of PHI.

Disclosures of PHI made in any form or media, whether electronic, paper or oral, will be maintained for a period of six years as required by federal and/or state law.  Records that have been maintained for the maximum interval will be destroyed in a manner that ensures such data is not compromised in the future.

Any Library System employee, volunteer, workforce member or Business Associate who knowingly or intentionally uses or discloses PHI in a manner not permitted by the Privacy Rule will be subject to disciplinary action up to and including: termination of employment, discontinuance of volunteer service or termination of their services/non-renewal of service contracts or agreements.

Review Schedule
Staff Review Date: September 2016