HIPAA POLICY
(Health Insurance Portability and Accountability Act)
Applicable to the Medical Spending Account

Use & disclosure of Protected Health Information (PHI) with and without an authorization:
In general, Employee Benefits/Human Resources may use and disclose a patient's PHI without an authorization for the purposes of treatment, payment, and health care operations. Employee Benefits/Human Resources, however, must obtain a signed authorization from the individual or the individual's personal representative for all uses and disclosures of PHI that are not otherwise permitted or required by law.

Minimum necessary use, disclosure, and request for PHI:
All individuals associated with Employee Benefits/Human Resources are generally expected to limit their uses and disclosures of PHI, and their requests for PHI, to the minimum amount of information necessary to perform their duties. This general expectation does not mean that providers should restrict exchanges of information that are required to assist employees quickly and effectively.

Workforce training:
Employee Benefits/Human Resources will train all members of its workforce regarding the proper use and disclosure of employees' health information. Training will be appropriate for the level of staff and their duties and may include general, specialized and advanced training. Employee Benefits/Human Resources will be responsible for administering and documenting the training program for employees. All existing workforce members, including students, will be trained by the effective date of this policy, and all new workforce members must complete training within a reasonable time frame after joining the workforce.

Safeguards:
Employee Benefits/Human Resources will reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of Employee Benefits/Human Resources' patient privacy policies and applicable federal and state law. Safeguards include administrative procedures, physical measures and technical means to protect employees' health information.

Right to make a complaint:
Any individual who believes his/her rights, granted by HIPAA privacy regulations or any other state or federal laws dealing with privacy and confidentiality, have been violated may file a written complaint regarding the alleged privacy violation. Complaints should be brought to the attention of the Employee Benefits/Human Resources Privacy Officer. Other staff who receive complaints from employees should inform the relevant Privacy Coordinator and/or the Privacy Officer. Copies of all written complaints, resolved or unresolved, must be forwarded to the Privacy Officer for tracking and quality improvement purposes.

Sanctions:
Employee Benefits/Human Resources will apply appropriate sanctions against workforce members who fail to comply with Employee Benefits/Human Resources' privacy policy. Any violation of this policy must be reported to the Privacy Officer. The Privacy Officer shall maintain a record of all reported violations, and the responsive actions taken.

Mitigation:
To the extent practicable, Employee Benefits/Human Resources will mitigate any harmful effect that becomes known to Employee Benefits/Human Resources as a result of an improper use or disclosure of PHI.

Refrain from intimidating or retaliatory acts:
Employee Benefits/Human Resources will not intimidate, threaten, coerce, discriminate against or take other retaliatory action against an individual for the exercise of his/her rights to: (i) file a privacy complaint with the Secretary of the Department of Health and Human Services; (ii) testify, assist or participate in an investigation, compliance review, proceeding or hearing regarding health privacy; and (iii) oppose any act or practice made unlawful by the HIPAA privacy provisions, provided that the individual has a good faith belief that the practice opposed is unlawful and the manner of opposition is reasonable and does not involve the disclosure of PHI.

Non-waiver of rights as a condition of treatment:
UGA may not require individuals to waive their rights of privacy, as provided through HIPAA, as a condition of the provision of services.

Documentation requirements:
All records created as a result of this policy, including health records, notices of privacy, internal procedures, accounting of disclosures, etc., shall be retained until at least the later of: (1) six years from the last date the record was in effect; (2) six years from the creation of the record; or (3) any period longer than six years if required by any other applicable law, regulation or policy of UGA or the Board of Regents. Employee Benefits/Human Resources will incorporate into its policies, procedures, guidelines and other administrative documents any changes in law, and will properly document and implement any changes to policies, procedures and guidelines made necessary by changes in law. Employee Benefits/Human Resources reserves the right to amend this policy and all internal forms, policies and procedures related to this policy. All internal policies, procedures, notices of privacy practices and other documents created to comply with this policy shall specifically state that Employee Benefits/Human Resources reserves the right to amend these policies and documents.

Posted April 25, 2003