OBERLIN COLLEGE PRIVACY POLICIES AND PROCEDURES
Administrative Requirements
A. Privacy Officer and Contact Person
The College has designated Kim Wiggerly, Compensation Manager, as its
"Privacy Officer" to oversee the Plan's privacy compliance activities.
The College's Privacy Officer is a full-time employee who also has other
duties. The College retains the letter of appointment in its HIPAA privacy
files.
In general, the Privacy Officer has broad responsibility for developing
and implementing all of the Plan's privacy policies and procedures. Some
of the Privacy Officer's specific duties include:
· Tracking all PHI within the College and, if appropriate, minimizing
PHI available to the College;
· Coordinating HIPAA privacy obligations with other employer functions
such as FMLA leave, and establishing an authorization process where appropriate;
· Developing safeguards and firewalls to separate PHI from the
College where appropriate;
· Developing training programs for employees;
· Implementing and enforcing sanctions against employees who violate
the College's privacy policies;
· Establishing a process for individuals to exercise their rights
with respect to PHI;
· Establishing a complaint process;
· Overseeing other legal compliance, including documentation and
notice requirements;
· Developing procedures to audit the Plan's compliance on a regular
basis; and
· Keeping up to date with new legal developments.
The Privacy Officer will also serve as the primary contact person for
participants who have questions, concerns, or complaints about the privacy
of their PHI. Kim Wiggerly, Benefits Administrator, will serve as the
alternate contact person in the absence of the Privacy Officer.
B. Employee Training
The College provides appropriate HIPAA privacy training to all members
of its workforce (including persons not paid by the College but whose
work is under the direct control of the College). The Privacy Officer
is charged with developing appropriate training schedules and programs
so that all workforce members receive the training necessary and appropriate
to permit them to carry out their job duties while complying with HIPAA
privacy obligations.
The College privacy training process will consist of three main efforts:
· Training those in the aforementioned offices;
· Formal training for Managers and Supervisors in those Departments
with access to PHI; and
· Providing all current and new employees with a basic overview
of the Privacy Regulations and employee rights regarding employee authorization
of release of PHI. The College Privacy Notice will be the basis of the
training.
The training will consist of:
· Distributing the "Privacy Notice" to each Plan Participant;
· Holding Manager, Supervisor, and employee meetings to discuss the
"Privacy Notice";
· Posting the "Privacy Notice" at employee time clock
bulletin boards, break room boards, and other employee boards;
· Providing "Privacy Notice" information in the Open Enrollment
packets;
· Posting the "Privacy Notice" on the website; and
· Providing reminders about the issue by paper and electronic means.
C. Safeguards
The College has established appropriate technical, physical, and administrative
safeguards to prevent PHI from intentionally or unintentionally being
used or disclosed in violation of HIPAA's requirements.
Technical: The HR/Payroll and Student Accounts components of Banner
have pertinent log on/off and password protections plus limited access
by job functions. Servers in the Center for Information Technology are
locked with limited access by job functions. Transfer of information to
the Third Party Administrator is HIPAA compliant.
Physical: The doors of the HR, Payroll and Controller's Offices are locked
each night. The file cabinets containing PHI in those offices are locked
at close of business each day. Files in other locations are padlocked
and accessible by authorized persons only. Within the HR/Payroll departments,
all confidential files and paper enrollment information are kept in office
locations that do not have public access.
Administrative: Established confidentiality procedures provide
the "Minimum Necessary" information to the aforementioned departments.
Additionally, budget planning reports needed for health care benefit costing
will be provided with de-identified information as feasible. All employees
who will be reviewing PHI will have a signed confidentiality agreement
on file.
D. Privacy Notice
The Privacy Officer is responsible for developing and maintaining a notice
of the Plan's privacy practices that describes:
· the uses and disclosures of PHI that may be made by the Plan;
· the individual's rights; and
· the Plan's legal duties with respect to the PHI.
The privacy notice describes the College's access to PHI. The privacy
notice also provides a description of the College's complaint procedures,
the name and telephone number of the contact person for further information,
and the date of the notice.
The notice of privacy practices will be individually delivered to all
participants:
· no later than April 14, 2003;
· on an ongoing basis after April 14, 2003, at the time of an individual's
enrollment in the Plan;
· upon participant request; and
· within 60 days after a material change to the notice.
The Plan will also provide notice of availability of the privacy notice
at least once every three years.
A copy of the College's notice is attached to the Policy.