contact us at:
740-622-2032


 

 

Coshocton County Board of
Mental Retardation and Developmental Disabilities

Policy: HIPAA Privacy Policy
Policy Number: 19.0
Ohio Revised Code Reference:
Ohio Administrative Code Reference:
Board Adopted: 04-10-2003
Board Amended:

HIPAA PRIVACY POLICY

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) grants individuals the right to receive notice of the uses and disclosures of their protected health information that may be made by the Coshocton County Board of MRDD, and sets forth the individual's rights and the Coshocton County Board of MRDD's legal obligations with respect to protected health information. The purpose of this policy is to assist the Coshocton County Board of MRDD in complying with the HIPAA privacy standards, to ensure that individuals receive adequate notice of the Coshocton County Board of MRDD's practices with regard to the dissemination and use of protected health information, and to protect the confidentiality and integrity of protected health information.

Definitions
For the purposes of this policy, the following definitions shall apply:

Individually Identifiable Health Information is a subset of health information, including demographic information collected from an individual and is created or received by a health care provider, health plan, employer, or health care clearinghouse; relates to past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Protected Health Information is individually identifiable health information that is transmitted by electronic means; maintained in any electronic medium, such as magnetic tape, disc, or optical file; or transmitted or maintained in any other form or medium, such as paper, verbal, email, or fax.

Covered Functions means those functions of the Coshocton County Board of MRDD the performance of which makes the Coshocton County Board of MRDD a health plan, health care provider, or health care clearinghouse.

Designated Record Set is a group of records maintained by or for the Coshocton County Board of MRDD that is medical records and billing records about individuals; the enrollment, payment, claims adjudication, and case or medical management systems; or used in whole or in part by the Coshocton County Board of MRDD to make decisions about individuals.

Business Associate is a person or entity that provides certain functions, activities, or services for or on behalf of the Coshocton County Board of MRDD involving the use and/or disclosure of protected health information.

Confidentiality of Individually Identifiable Health Information
All officers, employees, and agents of the Coshocton County Board of MRDD shall preserve the confidentiality and integrity of individually identifiable health information pertaining to any individual. Individually identifiable health information is protected health information and shall be safeguarded to the extent possible in compliance with the requirements of the security and privacy rules and standards established by the HIPAA.

The Coshocton County Board of MRDD and its officers, employees, and agents will not use or disclose an individual's protected health information for any purpose without the properly documented consent or authorization of the individual or his/her authorized representative unless required or authorized to do so under state or federal law or this policy, unless an emergency exists, or unless the information has been sufficiently de-identified that the recipient of the information would be unable to link the information to a specific individual.

All officers, employees, and agents of the Coshocton County Board of MRDD are expected to comply with and cooperate fully with the administration of this policy. The Coshocton County Board of MRDD will not tolerate any violation of the HIPAA privacy or security standards or this policy. Any such violation shall constitute grounds for disciplinary action up to and including termination of employment.

Any officer, employee, or agent of the Coshocton County Board of MRDD who believes that there has been a breach of these privacy and security policies and procedures or a breach of the integrity or confidentiality of any person's protected health information shall immediately report such breach to his or her immediate supervisor or the Privacy/Security Officer. The Privacy/Security Officer shall conduct a thorough and confidential investigation of any reported breach and notify the complainant of the results of the investigation and any corrective action taken.

The Coshocton County Board of MRDD will not retaliate or permit reprisals against any employee who reports a breach to the integrity or confidentiality of protected health information. Any employee involved in retaliatory behavior or reprisals against another individual for reporting an infraction of this policy shall be subject to disciplinary action up to and including termination of employment.

Security Provisions
The Coshocton County Board of MRDD shall take reasonable steps to limit the use and/or disclosure of and requests for protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure or request and to determine the extent to which various classifications of employees need access to such information. The Coshocton County Board of MRDD shall also implement reasonable administrative, technical, and physical safeguards to protect individually identifiable health information from any intentional or unintentional use or disclosure and that mitigate, to the extent practicable, any harmful effect that is known to the Coshocton County Board of MRDD as a result of a use or disclosure of protected health information in violation of this policy or the HIPAA privacy and security standards. The Coshocton County Board of MRDD's security measures shall include the following:

A. Administrative procedures to guard data integrity, confidentiality, and availability, including documented, formal practices to manage the selection and execution of security measures to protect data and to manage the conduct of personnel in relation to the protection of data;

B. Physical safeguards to protect data integrity, confidentiality, and availability including the protection of physical computer systems and related buildings and equipment from fire and other natural and environmental hazards and from intrusion and the use of locks, keys, and other administrative measures to control access to computer systems and facilities;

C. Technical security services to protect data integrity, confidentiality, and availability including processes put in place to protect information and to control individual access to information;

D. Technical security mechanisms including processes put in place to protect against unauthorized access to data that is transmitted over a communications network; and

E. The optional use of an electronic digital signature.

Mitigating the Effects of Unauthorized Use or Disclosure
If the Privacy/Security Officer determines that there has been a breach of this privacy policy or the procedures of the Coshocton County Board of MRDD, he/she shall make a determination of the potential harmful effects of the unauthorized use or disclosure and decide upon a course of action to minimize the harm. Any individual responsible for the unauthorized use or disclosure shall be referred to the Superintendent or designee for appropriate disciplinary action.

Use or Disclosure of Personal Health Information
The Coshocton County Board of MRDD may use and disclose personal health information, without the written consent of the individual or his/her authorized representative, both within and outside of the District, for the following purposes:

A. Treatment: The provision, coordination, or management of health care, health care services or supplies related to an individual and related services by or among providers, providers and third parties, and referrals from one provider to another.

B. Payment: Activities undertaken by a health plan to obtain premiums or determine responsibility for coverage, or activities of a health care provider or health plan to obtain reimbursement for the provision of health care. Payment activities include, but are not limited to, billing, claims management, collection activities, eligibility determination, and utilization review.

C. Health Care Operations: Activities of the Coshocton County Board of MRDD to the extent such activities are related to covered functions including quality assessment and improvement activities; credentialing health care professionals; insurance rating and other insurance activities related to the creation or renewal of a contract for insurance; conducting or arranging for medical review, legal services and auditing functions, including compliance programs; business planning such as conducting cost-management and planning analyses to managing and operating the Coshocton County Board of MRDD including formulary development and administration, development, improvements for methods of payment or coverage policies; business management and general administration activities; due diligence in connection with the sale or transfer of assets to a potential successor in interest if the potential successor is a covered entity or will become a covered entity; consistent with privacy requirements, creating de-identified health information, fundraising for the benefits of the covered entity and marketing for which an individual authorization is not required.

D. As required by law.

E. For public health activities.

F. About victims of abuse, neglect, or domestic violence.

G. To health oversight agencies in connection with health oversight activities.

H. For judicial and administrative proceedings.

I. For law enforcement purposes.

J. Regarding decedents to coroners, medical examiners, and funeral directors.

K. For research if a waiver of authorization has been obtained.

L. To prevent serious and imminent harm to the health or safety of a person or the public.

M. For specialized governmental functions.

N. Military and veterans activities.

O. National security and intelligence.

P. Protective services for the President and others.

Q. To the Department of the State to make medical suitability determinations.

R. To correctional institutions and law enforcement officials regarding an inmate.

S. Workers' compensation if necessary to comply with the laws relating to workers' compensation and other similar programs.

Prior to releasing any protected health information for the purposes set forth above, the Coshocton County Board of MRDD representative disclosing the information shall verify the identity and authority of the individual to whom disclosure is made. This verification may include the examination of official documents, badges, driver's licenses, workplace identity cards, credentials, or other relevant forms of identification or verification.

Authorization
The Coshocton County Board of MRDD shall not disclose protected health information for purpose other than those set forth above without a valid authorization. A valid authorization is a document signed by the individual that gives the Coshocton County Board of MRDD permission to use specified health information for a specified purpose and time frame. The Coshocton County Board of MRDD shall not condition the provision of treatment, payment, enrollment in the health plan, or eligibility for benefits on an individual's provision of authorization except:

A. The Coshocton County Board of MRDD may condition the provision of research-related treatment on the provision of authorization.

B. A health plan may condition enrollment or eligibility for benefits on the provision of an authorization requested by the plan prior to enrollment.

C. The authorization is sought for the plan's eligibility or enrollment determinations relating to the individual or for its underwriting or risk rating determinations.

D. The Coshocton County Board of MRDD may condition provision of health care that is solely for the purpose of creating protected health information for disclosure to a third party on the provision of authorization for the disclosure of the protected health information to the third party.

To be valid, an authorization shall contain at least the following elements:

A. A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;

B. The name or other specific identification of the person(s) or class of person(s) authorized to make the requested use or disclosure;

C. The name or other specific identification of the person(s) or class of person(s) to whom the Coshocton County Board of MRDD may make the requested use or disclosure;

D. An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure;

E. A statement of the individual's right to revoke the authorization in writing and the exceptions to the right to revoke together with a description of how the individual may revoke the authorization;

F. A statement that information used or disclosed pursuant to the authorization may be subject to redisclosure by the recipient and no longer be protected by this rule; and

G. Signature of the individual and date and, if the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual.

In addition to the requirements set forth above, authorization requested by the Coshocton County Board of MRDD for its own use of protected health information that it maintains, must comply with the following additional requirements:

A. A statement that the Coshocton County Board of MRDD will not condition treatment, payment, enrollment in the health plan, or eligibility for benefits upon the individual's provision of authorization for the requested use;

B. A description of each purpose of the requested use or disclosure;

C. A statement that the individual may inspect or copy the protected health information to be used or disclosed and refuse to sign the authorization; and

D. If the disclosure of the requested information will result in direct or indirect remuneration to the Coshocton County Board of MRDD from a third party, a statement that remuneration will result.

The Coshocton County Board of MRDD shall provide the individual with a copy of the signed authorization.

An authorization for the use or disclosure of protected health information may not be combined with any other document to create a compound authorization.

An authorization is not valid if the document submitted has any of the following defects:

A. The expiration date has passed or the expiration event is known to have occurred;

B. Any required element is missing or has not been filled out;

C. The authorization is known to have been revoked;

D. The authorization has been improperly combined with another document;

E. The Coshocton County Board of MRDD has violated the rules on making the authorization a condition; or

F. Any material information in the authorization is known to be false.
An individual may revoke an authorization at any time, provided the revocation is in writing.

Rights Related to Protected Health Information
Individuals shall have the following rights with regard to their protected health information:

A. Access . Individuals shall have the right to access their own protected health information that is maintained in record sets of the Coshocton County Board of MRDD and its business associates.

B. Restrictions . Individuals shall have the right to request restrictions on how the Coshocton County Board of MRDD will use or disclose their own protected health information for treatment, payment or health care operations and how their information will be disclosed or not disclosed to family members or others involved in their care. The Coshocton County Board of MRDD shall comply with the individual's reasonable request to receive communications of protected health information by alternative means or at alternative locations.

C. Amendment . Individuals shall have the right to amend erroneous or incomplete protected health information unless the information:

1. Was not created by the Coshocton County Board of MRDD;

2. Is not in a designated record set or is not otherwise available for inspection;

3. Is accurate and complete; or

4. Would not be subject to the right of access.

A request to amend protected health information must be submitted to the Privacy/Security Officer in writing. The Privacy/Security Officer shall review the request and respond in writing within thirty calendar days. If a request to amend is denied, the individual may appeal the denial using the complaint procedure set forth in this policy. The denial must be written in plain language and contain:

•  The basis for the denial;

•  A statement of the individual's right to submit a written statement disagreeing with the denial and how it may be filed;

•  A statement that, if the individual does not submit a statement of disagreement, his/her right to request that the request for amendment and its denial be provided with any future disclosure of the protected health information that is the subject of the request for amendment;

•  A description of how the individual may appeal the denial; and

•  The right of the Coshocton County Board of MRDD to reasonably limit the length of the statement of disagreement.

The Coshocton County Board of MRDD may also choose to prepare a written rebuttal to the statement of disagreement and provide a copy to the individual. All of the statements related to the amendment denial shall become part of the individual's designated record set and shall be linked to the individual's protected health information.

D. Accounting . Individuals shall have the right to an accounting of disclosures of their own protected health information that is maintained in record sets of the Coshocton County Board of MRDD and its business associates. Such accounting shall include a period of six years prior to the request, beginning on April 14, 2003 .

Business Associates
The Coshocton County Board of MRDD, its officers, employees, and agents shall not disclose protected health information to any business associate in the absence of a written contract with the business associate that assures that the business associate will use the information only for the purposes for which it was engaged by the Coshocton County Board of MRDD; will safeguard the information from misuse; and

will assist the Coshocton County Board of MRDD in complying with its duties to provide individuals with access to health information about them and a history of certain disclosures. The Coshocton County Board of MRDD shall disclose protected health information to a business associate for the sole purpose of assisting the District in completing healthcare functions, not for the independent use by the business associate.

The Coshocton County Board of MRDD shall enter into a contract with each business associate, which shall be a document separate from the service agreement. The Privacy/Security Officer shall be responsible for managing all business associate contracts and ensuring that they are current and in compliance with the requirements of this policy and the HIPAA privacy rule. Under the contract, the business associate shall be obligated to notify the Privacy/Security Officer when unauthorized uses and/or disclosures of protected health information have occurred in the business associate's organization. The Privacy/Security Officer will take appropriate steps to address the violation up to and including termination of the business associate contract.

However, the Coshocton County Board of MRDD shall not be liable for privacy violations of a business associate, and the Coshocton County Board of MRDD is not required to actively monitor or oversee the means by which a business associate carries out safeguards or the extent to which a business associate abides by the requirements of the contract.

Privacy/Security Officer
The Treasurer shall be the privacy/security officer for the Coshocton County Board of MRDD. The privacy/security officer will be responsible for overseeing all ongoing activities related to the development, implementation, maintenance, and adherence to the Coshocton County Board of MRDD's policies and procedures concerning the security and privacy of protected health information.

Complaint Procedure
The following procedure shall be used for the processing of complaints regarding the collection, use, management, disclosure, or amendment of protected health information:

Step 1 - A written complaint must be submitted to the Privacy/Security Officer. A complaint can also be made directly to the Secretary of Health and Human Services. Upon receipt of a complaint, the Privacy/Security Officer will review the complaint, conduct any necessary investigation, and provide the complainant with a written disposition within ten working days.

Step 2 - The disposition of the Privacy/Security Officer may be appealed by the complainant to the Superintendent or designee within ten working days of receipt of the disposition of the Privacy/Security Officer. The Superintendent or designee shall meet within ten school days with the complainant, the Privacy/Security Officer, and any other necessary individuals. The Superintendent or designee will respond in writing to the complainant within ten working days following the meeting.

Step 3 - If the complaint is not satisfactorily resolved, a written appeal may be made to the Board of Education within ten school days of receipt of the Superintendent's decision. The Board of Education will meet with the complainant at its next regular meeting, and provide a written response to the complaint no later than the following regular meeting.

Notice
The Coshocton County Board of MRDD shall distribute a Notice of Privacy Practices no later than April 13, 2003 , and thereafter to individuals at the time of their enrollment in the health plan and within sixty days of any material revision. The notice shall also be posted in a clear and prominent location in each facility in the Coshocton County Board of MRDD and be printed in staff handbooks and the health plan booklet. The Coshocton County Board of MRDD will also notify individuals covered by the health plan of the availability of and how to obtain the notice at least once every three years. The notice shall adequately inform individuals of their rights to:

A. Request restrictions on certain uses and disclosures of protected health information;

B. Request the communication of confidential information by some reasonable alternative means or at an alternative location;

C. Inspect and copy records or receive a summary of specific information;

D. Request that protected health information be amended;

E. Request an accounting of certain disclosures of protected health information; and

F. Receive a paper copy of the notice upon request.

Training
All employees and business associates shall receive training regarding the Coshocton County Board of MRDD's privacy policies and procedures as necessary and appropriate to carry out their job duties. Training shall also be provided when there is a material change in the Coshocton County Board of MRDD's privacy practices or procedures.

Documentation
Documentation shall be required in support of the policies and procedures of the Coshocton County Board of MRDD and all other parts of the HIPAA privacy regulations that directly require documentation, including, but not limited to, all authorizations and revocations of authorizations and complaints and disposition of complaints. All documentation shall be kept in written or electronic form for a period of six years from the date of creation or from the date when it was last in effect, whichever is later.

Procedures to Implement this Policy
The Board authorizes the Superintendent to develop and implement written procedures consistent with Board policy and applicable rules, regulations and statues that apply.

[back to top]

Coshocton County Board of
Mental Retardation and Developmental Disabilities 

Policy Reference: HIPAA Procedures
Policy Number: 19.1
Ohio Revised Code Reference:
Ohio Administrative Code Reference:
Superintendent Approved: 04-10-2003
Superintendent Amended:

NOTICE OF PRIVACY PRACTICES

Effective Date: April 14, 2003

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

If you have any questions about this notice, please contact, Jill Lahna, Business Manager, at 740-622-2032.

Who Will Follow the Requirement of This Notice? This notice describes the Coshocton County Board of MRDD's practices and those of its employees and business associates. The Coshocton County Board of MRDD, its employees, and its business associates may share medical information with each other for the purposes of treatment, payment, or other operations of the Coshocton County Board of MRDD as described in this notice.

Privacy of Health Information. We understand that medical information about you and your health is personal. This notice will tell you about the ways in which we may use and disclose medical information about you. We will also describe your rights and certain obligations that we have regarding the use and disclosure of medical information. We are required by law to:

•  Assure the medical information that identifies you is kept private;

•  Give you this notice of our legal duties and privacy practices with respect to medical information about you; and

•  Follow the terms of the notice that is currently in effect.

Use and Disclosure of Medical Information. The following describes the different ways that we may use and disclose medical information. Generally, private health information may be released without your authorization for the purposes of treatment, payment, or other healthcare operations of the Coshocton County Board of MRDD. Medical information may also be released for the following purposes:

•  As required by law.

•  For public health services.

•  In connection with the investigation of abuse, neglect, or domestic violence.

•  To health oversight agencies in connection with health oversight activities.

•  For judicial and administrative proceedings.

•  For law enforcement purposes.

•  To coroners, medical examiners, and funeral directors.

•  For research if a waiver of authorization has been obtained.

•  To prevent serious and imminent harm to the health or safety of a person or the public.

•  For specialized governmental functions.

•  For military and veterans activities.

•  For national security and intelligence.

•  For protective services for the President and others.

•  To the Department of the State to make medical suitability determinations.

•  To correctional institutions and law enforcement officials regarding an inmate.

•  For workers' compensation if necessary to comply with the laws relating to workers' compensation and other similar programs.

Rights Regarding Medical Information. You have the following rights regarding medical information that we maintain about you:

•  Right to Inspect and Copy . You have the right to inspect and copy medical information that may be used to make decisions about you, including medical and billing records. To inspect and copy medical information about you, you must submit your request in writing to the Treasurer. If you request a copy of this information, we may charge a fee for the costs of copying, mailing, or other supplies associated with your request. We may deny your request to inspect and copy in certain very limited circumstances, and if you are denied access to medical information, you may request that the denial be reviewed.

•  Right to Amend . If you feel that medical information we have about you is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept by or for the Coshocton County Board of MRDD. To request an amendment, your request must be made in writing and submitted to the Treasurer. In addition, you must provide a reason that supports your request. We may deny your request if it is not in writing or properly supported by a reason; or the information was not created by us; is not part of the medical record kept by the Coshocton County Board of MRDD; is not part of the information that you would be permitted to inspect and copy; or is accurate and complete.

•  Right to an Accounting . You have the right to request an accounting of disclosures. This is a list of the disclosures we have made of medical information about you. To request this list, you must submit your request in writing to the Treasurer. Your request must state a time period that may not be longer than six years and may not include dates before April 14, 2003 . Your request must also indicate in what form you want the list (for example, on paper or electronically). The first list that you request within a 12-month period will be free. For additional lists, we may charge you for the cost of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request before any cost is incurred.

•  Right to Request Restrictions . You have the right to request a restriction or limitation on the medical information that we use or disclose about you for treatment, payment, or healthcare operations. You also have the right to request a limit on the medical information that we disclose about you to someone who is involved in your care or the payment for your care. However, we are not required to agree to your request. If we do agree, we will comply with your request unless the information is needed to provide you with emergency treatment. To request restrictions, you must make a written request to the Treasurer telling us what information you want to limit; whether you want to limit our use, disclosure or both; and to whom you want the limits to apply, for example disclosures to your spouse.

•  Right to Request Confidential Communications . You have the right to request that we communicate with you about medical matters is a certain way or at a certain location, for example by mail or only at work. To request confidential communications, you must make your request in writing to the Treasurer and specify how or where you wish to be contacted. We will not ask you the reason for your request and will accommodate all reasonable requests.

•  Right to a Paper Copy of This Notice . You have the right to a paper copy of this notice. You may ask us to give you a copy of this notice at any time. Even if you have agreed to receive this notice electronically, you are still entitled to a paper copy. You may obtain a copy of this notice by contacting the Treasurer's Office.

Changes to This Notice. We reserve the right to make changes to this notice, and to make the revision or change applicable to medical information we already have about you. We will post a copy of the current notice in each building in the Coshocton County Board of MRDD.

Complaints. If you believe your privacy rights have been violated, you may file a complaint with the Coshocton County Board of MRDD. To file a complaint, please contact Jill Lahna , Treasurer, Coshocton County Board of MRDD, Ohio , 740-622-2032. All complaints must be submitted in writing. You can also complain to the Office for Civil Rights, U.S. Department of Health and Human Services, 200 Independence Avenue, S.W. , Room 509F, HHH Building , Washington , D.C. 20201-0004, (800) 368-1019.

Other Uses of Medical Information. Other uses and disclosures of medical information not covered by this notice will be made only with your written permission. If you provide us with permission to use or disclose medical information about you, you may revoke that permission in writing at any time. If you revoke your permission, we will no longer use or disclose medical information about you for the reason covered by your written authorization. However, we will not be able to take back any disclosures that we already made during any period in which your permission was in effect.

[back to top]