|
|
|
|
|||
|
|
|
|
|
||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
OBERLIN COLLEGE PRIVACY POLICIES AND PROCEDURES
A. Uses and Disclosures of PHI - General
Routine Access to PHI
The following describes the routine access that certain College employees
may have to PHI from the Plan:
· The Department of Human Resources: Employee Relations Manager,
Employee Programs Administrator, Information Specialist, Communication
Coordinator, Confidential Administrative Secretary.
· Vice President for Finance: Vice President, Budget Manager, Confidential
Technician
· Associate Vice President for Finance: Associate Vice President,
Confidential Technician
· Controller's Office: Controller, Assistant Controllers
· Payroll and Benefits: Compensation Manager, Benefits Administrator,
Payroll Technicians
· Student Accounts: Director, Assistant Director, Administrative
Assistants
· Financial Aid: Director, Associate Director, Assistant Directors,
Administrative Assistants (due to Banner access)
· Registrar's Office: Registrar, Associate Registrar, Administrative
Assistants (due to Banner access)
· Environmental Health & Safety Office: Departmental Assistant
· Administrative Computing Staff: Senior Programmer Analysts, Department
Support Specialist
Accessible PHI
The following describes what PHI may be accessed:
· Eligibility for and enrollment and termination information for
the Plan, e.g., an individual's name, address, social security number
or other individual identifier, date of birth, and that of spouse and
dependents as applicable, and premium amounts.
As required by administrative requirements of the Plan to provide treatment,
payment, and health care operations, the aforementioned College staff
will have access to PHI in order to:
· Make effective a participant's request for health plan benefits
or to make changes in that enrollment or to terminate coverage.
· Provide the eligibility and enrollment data to a Third Party
Administrator in order to administer the Plan and pay claims.
· Receive reports from a Third Party Administrator of Plan claims
payments to providers.
· Administer billing, payment and collections.
· Maintain the technical quality of the Banner system and the servers
as it relates to HR, payroll, and payment functions.
· Provide fiscal and budgetary planning functions for the Plan.
· Provide various other supportive functions, e.g., audit, legal,
accounting, consulting for proper administration of the Plan.
B. Disclosures of PHI Required or Permitted by Law
In addition to the purposes described above for which PHI may be used
or disclosed by the Plan, it may also be used or disclosed by the Plan
without a formal written authorization in the following circumstances:
· When disclosure to an individual is requested by that individual
in accordance with the Plan's procedures.
· When required by law.
· When permitted for certain public health purposes, such as product
recalls and control of communicable diseases, or to otherwise prevent
or lessen a serious and imminent threat to the health or safety of a person
or the public.
· When authorized by law to report information about abuse, neglect,
or domestic violence.
· To a public health oversight agency for oversight activities
authorized by law, such as investigations or disciplinary activities.
· When required for judicial or administrative proceedings.
· When required or permitted for law enforcement purposes or specialized
government functions such as military activities.
· To coroners, funeral directors, and organ procurement organizations
in accordance with such entities' needs for PHI about a particular decedent.
· For research in accordance with 45 CFR 164.512(i).
· When authorized by and to the extent necessary to comply with
a workers' compensation law or other similar programs established by law.
The Plan will also comply with additional conditions that HIPAA imposes
on some of the above-described disclosures.
C. No Disclosure of PHI for Non?Health Plan Purposes
PHI will not be used or disclosed for the payment or operations of the
College's "non?health" benefits (e.g., disability or life insurance),
unless the participant has provided an authorization for such use or disclosure
(as discussed in "Disclosures Pursuant to an Authorization").
D. Disclosures of PHI Pursuant to an Authorization
PHI may be disclosed for any purpose if an authorization that satisfies
all of HIPAA's requirements for a valid authorization is provided by the
participant. All uses and disclosures made pursuant to a signed authorization
must be consistent with the terms and conditions of the authorization.
The Privacy Officer may provide authorization forms and must approve any
form of authorization which is used.
· There will be instances when participants will be asked to complete
an "Authorization" form for the release of PHI to the provider
or the Plan. Compliance with this request is required in order to be considered
for approval under the relevant program. These routine requests will be
made for the following but not limited to:
· FMLA requests for an employee's own illness, for that of a spouse,
dependent, or parent.
· Short Term and Long Term Disability Approval
· Fitness-for-Duty/Return to Work Release
· Transitional Work Program
· Americans with Disabilities Act (ADA) Interactive Process and
Reasonable Accommodation Medical Certification
· Results of Medical Screening for OSHA
· Assistance in Claims Administration
A participant may revoke the above authorization at any time by providing
a written revocation. The Privacy Officer may provide a form for this
purpose.
E. "Minimum Necessary" Standard
HIPAA requires that when PHI is used or disclosed, the PHI disclosed generally
must be limited to the "minimum necessary" to accomplish the
purpose of the use or disclosure.
The "minimum necessary" standard does not apply to any of the
following:
· disclosures to a health care provider for treatment;
· uses or disclosures made to the individual;
· uses or disclosures made pursuant to a valid authorization;
· disclosures made to the Department of Health and Human Services;
· uses or disclosures required by law;
· uses or disclosures required to comply with HIPAA.
Release of PHI by the College will be limited to the "Minimum Necessary"
to provide College health plan benefits, leave approval, return-to-work
programs, etc., the required monitoring of these, and the payment of employees
according to each policy.
Access to PHI is controlled by HR and the positions aforementioned. PHI
communicated to these College entities is ordinarily limited to name,
social security number, and dates of leave, enrollment and termination
information, and effective dates and premiums due. PHI that is not needed
will be removed before disclosure.
F. Contracts With Business Associates
A Business Associate is an entity or person who:
· performs or assists in performing a Plan function or activity
involving the use and disclosure of PHI (such as claims processing or
administration; data analysis; underwriting; audits and others); or
· provides legal, accounting, actuarial, consulting, data aggregation,
management, accreditation, or financial services, where the performance
of such services involves giving the service provider access to PHI.
The Plan may disclose PHI to the Plan's Business Associates and allow
the Plan's Business Associates to create or receive PHI on its behalf,
but Business Associate contracts must first be put into place that require
the Business Associate to appropriately safeguard the information.
Revised 4/13/06
 |
 |
 |
 |
 |
 |