Girard City School District
Bylaws & Policies
4421.02 - HIPAA PRIVACY
Introduction
The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations restrict the ability of Covered Entities (including: Health Plans, Health Care Clearinghouses and Health Care Providers) to Use and Disclose Protected Health Information.
"Protected Health Information" ("PHI") is information, transmitted or maintained in any form or medium, created or received by Covered Entities that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies an individual or for which there is a reasonable basis to believe the information can be used to identify an individual. Protected health information includes information regarding persons living or deceased.
It is the policy of the Trumbull County Insurance Consortium Member Districts ("Health Plan") to comply fully with HIPAA’s requirements. To that end, all members of Health Plan’s workforce who have access to PHI must comply with these HIPAA Privacy Policies and Procedures (these "Privacy Policy and Procedures"). For purposes of compliance with HIPAA, the term workforce includes individuals who would be considered part of the workforce under HIPAA such as employees, volunteers, trainees and other persons whose work performance is under the direct control of Health Plan, whether or not Health Plan pays them. When used herein, the term "Employee" includes all of these types of workers.
Health Plan reserves the right to amend or change these Privacy Policies and Procedures at any time (and even retroactively) without notice. These privacy policies and procedures do not address requirements under other Federal laws or under State laws. To the extent these privacy policies and procedures establish requirements and obligations above and beyond those required by HIPAA, these privacy policies and procedures shall be aspirational and shall not be binding upon Health Plan. No third party rights (including but not limited to rights of Health Plan participants, beneficiaries, covered dependents, or Business Associates) are intended to be created by these privacy policies and procedures.
Health Plan’s Responsibilities as Covered Entity
Privacy Official and Contact Person
Health Plan has designated the District Treasurer to act as the HIPAA privacy official for Health Plan (the "Privacy Official"). The privacy official is responsible for the implementation and updating of these privacy policies and procedures. The privacy official is also responsible for updating and distributing Health Plan’s Notice of Privacy Practices and shall serve as the contact person for employees and participants who have questions, concerns, or complaints about the privacy of PHI.
Workforce Training
Health Plan will train all of its employees on Health Plan’s privacy policies and procedures as necessary and appropriate for employees to carry out their functions within Health Plan. The privacy official is charged with developing training schedules and programs for this purpose. Current Health Plan employees shall receive immediate training. All new employees shall be trained within a reasonable period of time after they become employees of Health Plan. Further, any employee whose job functions are affected by a material change to these privacy policies and procedures shall receive additional training within a reasonable period of time after the material change. All employee training must be documented.
Administrative, Technical and Physical Safeguards
Health Plan will establish appropriate administrative, technical and physical safeguards to prevent PHI from intentionally or unintentionally being used or disclosed in violation of HIPAA's requirements. Administrative safeguards include risk analysis and risk management to protect the integrity, confidentiality, and availability of PHI. Technical safeguards include access controls (such as firewalls and restricted system accounts) that ensure only authorized employees have access to PHI, that those employees have access to only the minimum amount of PHI necessary for plan administration functions, and that they do not further use or disclose PHI in violation of HIPAA's privacy rules. Physical safeguards include locking the doors and filing cabinets where PHI is maintained.
Privacy Notice
Health Plan has prepared a Notice of Privacy Practices that describes:
A. the uses and disclosures of PHI that may be made by Health Plan;
B. the rights of Health Plan's participants;
C. Health Plan's legal duties with respect to PHI.
The Notice of Privacy Practices also provides a description of Health Plan’s complaint procedures and includes the name and contact information of the privacy official.
The Notice of Privacy Practices will be individually delivered to all participants:
A. on an ongoing basis after May 1, 2003, at the time of an individual's enrollment in Health Plan;
B. within sixty (60) days after a material change to the notice.
Health Plan will also provide notice of the availability of the Notice of Privacy Practices to all Health Plan participants at least once every three (3) years.
Complaints
An individual may make a complaint concerning these privacy policies and procedures or Health Plan’s compliance herewith by sending such complaint in writing to the privacy official at the address set forth in Section I of these privacy policies and procedures. All complaints and their disposition must be documented.
Sanctions for Violations of Privacy Policy
Employees who use or disclose PHI in violation of these privacy policies and procedures will be subject to appropriate sanctions imposed in accordance with the discipline policy of Health Plan or its plan sponsor, up to and including termination of employment.
Mitigation of Inadvertent Disclosures of Protected Health Information
Health Plan shall mitigate, to the extent possible, any harmful effects that become known to it of any use or disclosure of an individual’s PHI in violation of HIPAA or these privacy policies and procedures. If any employee becomes aware of a use or disclosure of PHI, either by an employee of Health Plan or an outside consultant/contractor, which is not in compliance with HIPAA or these privacy policies and procedures, s/he shall immediately contact the privacy official so that appropriate steps to mitigate harm to the participant(s) can be taken.
No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy
No employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA.
No individual shall be required to waive his/her privacy rights under HIPAA as a condition of treatment, payment, or eligibility for benefits.
Documentation
Health Plan will maintain documentation of all compliance with and implementation of HIPAA’s privacy rules for at least six (6) years. Documentation of compliance with the implementation of HIPAA’s privacy rules may be maintained in either written or electronic form.
If Health Plan’s policies or procedures are changed as necessary or appropriate to comply with changes in the law, standards, requirements and implementation specifications (including changes and modifications in regulations), any such changes must be promptly documented.
If a change in law impacts Health Plan’s Notice of Privacy Practices, the Notice must promptly be revised and redistributed to all of Health Plan’s participants. Any changes to the Notice of Privacy Practices shall be effective only with respect to PHI created or received after the effective date of the notice.
Policies on Use and Disclosure of PHI
Use and Disclosure Defined
Health Plan will use and disclose PHI only as permitted under HIPAA. The terms "use" and "disclosure" are defined as follows:
A. "Use" is the sharing, employment, application, utilization, examination, or analysis of PHI by any person working within or on behalf of Health Plan.
B. "Disclosure" is any release, transfer, provision of access to, or divulging in any other manner of PHI to persons outside Health Plan.
Employees must Comply with These Privacy Policies and Procedures
All employees of Health Plan must comply with HIPAA and these privacy policies and procedures and are required to sign a confidentiality agreement for this purpose.
Access to PHI is Limited to Certain Employees
The following employees shall have access to PHI:
A. employees who perform plan administration functions directly on behalf of Health Plan;
B. employees who receive PHI relating to payment, health care operations, or other matters pertaining to Health Plan in the ordinary course of business; and
C. members of the Insurance Consortium Committee.
Health Plan has identified these employees as the classes of persons who need access to PHI to carry out their duties. The privacy official is responsible for determining, for each of these employees, the category or categories of PHI to which access is needed. Reasonable effort shall be made to limit the access of these employees to the category or categories of PHI needed to carry out their duties.
Permitted Uses and Disclosures: Payment and Health Care Operations
PHI may be disclosed for Health Plan’s own payment purposes, and PHI may be disclosed to another covered entity for the payment purposes of that covered entity.
"Payment" includes activities undertaken to obtain plan contributions or to determine or fulfill Health Plan's responsibility for coverage and provision of benefits under the plan, or to obtain or provide reimbursement for health care. Payment also includes: eligibility and coverage determinations including coordination of benefits and adjudication or subrogation of health benefit claims; risk adjusting based on enrollee status and demographic characteristics; and billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess loss insurance) and related health care data processing.
PHI may be disclosed for purposes of Health Plan’s own health care operations. PHI may be disclosed to another covered entity for purposes of the other covered entity’s quality assessment and improvement, case management, health care fraud and abuse detection programs, review and evaluation of professionals, plan performance or for provider training, if the other covered entity has (or had) a relationship with the participant and the PHI requested pertains to that relationship.
"Health Care Operations" means any of the following activities to the extent that they are related to plan administration: conducting quality assessment and improvement activities; reviewing health care professionals or Health Plan performance; underwriting and premium rating; conducting or arranging for medical review, legal services and auditing functions; business planning and development; and business management and general administrative activities.
Mandatory Disclosure of PHI to Individual and DHHS
A participant’s PHI must be disclosed as required by HIPAA in two (2) situations:
A. The disclosure is to the individual who is the subject of the information.
B. The disclosure is made to the Secretary of the U.S. Department of Health and Human Services for the purposes of enforcement of HIPAA.
Permissive Disclosures of PHI when Additional Requirements are Met
PHI may be disclosed in certain situations without a participant’s authorization, when specific requirements are satisfied. The privacy official should be consulted for specific requirements that must be met before these types of disclosures may be made. The permissive disclosures are:
A. disclosures to family and friends;
B. disclosures about victims of abuse, neglect, or domestic violence;
C. disclosures for law enforcement purposes;
D. disclosures for public health activities;
E. disclosures for health oversight activities;
F. disclosures about decedents;
G. disclosures for cadaveric organ, eye or tissue donation purposes;
H. disclosures for certain limited research purposes;
I. disclosures to avert a serious threat to health or safety;
J. disclosures for specialized government functions;
K. disclosures that relate to workers' compensation programs;
L. disclosures for limited marketing activities.
Disclosures of PHI Pursuant to an Authorization
PHI may be disclosed for any purpose if an authorization that satisfies all of HIPAA’s requirements for a valid authorization is provided by the participant. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization. An authorization for use or disclosure of PHI form shall be provided to any participant upon request.
Complying with the "Minimum Necessary" Standard
HIPAA requires that when PHI is used or disclosed, the amount disclosed generally must be limited to the "minimum necessary" to accomplish the purpose of the use or disclosure.
The "minimum necessary" standard does not apply to any of the following:
A. uses or disclosures to a health care provider for treatment;
B. uses or disclosures made to the individual;
C. uses or disclosures made pursuant to a valid authorization;
D. disclosures made to the Secretary of the U.S. Department of Health and Human Services;
E. uses or disclosures required by law;
F. uses or disclosures required to comply with HIPAA.
All other disclosures must be reviewed on an individual basis with the privacy official to ensure that the amount of information disclosed is the minimum necessary to accomplish the purpose of the disclosure. Whenever possible, effort should be made to obtain written representation from the party seeking disclosure that the requested PHI is the minimum necessary for the stated purpose.
When making requests for disclosure of PHI, employees should limit the amount requested to that reasonably necessary to accomplish the purpose for which the disclosure is requested. All employee requests for disclosure of PHI should be reviewed on an individual basis with the privacy official to ensure that the amount of information requested is the minimum necessary to accomplish the purpose of the disclosure.
Contracts with Business Associates
Employees may disclose PHI to Health Plan’s Business Associates and allow Health Plan’s Business Associates to create or receive PHI on Health Plan’s behalf once Health Plan has obtained satisfactory assurances from its business associates that they will appropriately safeguard PHI. If any employee is unsure whether an outside consultant or contractor has entered into a business associate agreement with Health Plan, the employee must contact the privacy official and verify that a business associate agreement is in place.
A business associate is any entity or person who performs or assists in performing a Health Plan function or activity involving the use or disclosure of PHI (including claims processing or administration, data analysis, underwriting, etc.); or provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation, or financial services, where the performance of such services involves giving the service provider access to PHI.
Plan Sponsor
Medical Mutual of Ohio ("Plan Sponsor") is the Plan Sponsor of Health Plan. Health Plan (or any person or entity acting on behalf of Health Plan) may disclose PHI to Plan Sponsor to permit plan sponsor to carry out Health Plan administration functions, provided Health Plan has received certification by Plan Sponsor that Health Plan’s plan documents have been amended as required by HIPAA. Prior to such certification by Plan Sponsor, Health Plan may disclose summary health information to Plan Sponsor for the purpose of: (1) obtaining premium bids from insurers for providing health insurance coverage, or (2) modifying, amending, or terminating Health Plan. Health Plan may also disclose to Plan Sponsor information on whether an individual is participating in Health Plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by Health Plan.
Disclosures of De-Identified Information and Limited Data Sets
Health Plan may freely use and disclose de-identified information. There are two (2) ways that information can be de-identified: either by professional statistical analysis or by removal of seventeen (17) specific identifiers plus any other unique identifying number, characteristic, or code.
De-identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.
PHI that does not fully meet the requirement for de-identification may still be a limited data set. Health Plan may use a "limited data set" or disclose it to another covered entity for purposes of research, public policy, or health care operations if Health Plan obtains satisfactory assurance, in the form of a data use agreement, that the limited data set recipient will only use or disclose the information for limited purposes. Employees must consult with the privacy official prior to disclosure when relying on the status of information as de-identified or part of a limited data set.
Participant’s Rights
Access to Protected Health Information and Requests for Amendment
HIPAA gives participants the right to access and obtain copies of their PHI that Health Plan (or any business associate on behalf of Health Plan) maintains in a designated record set. HIPAA also provides that participants may request to have their PHI amended. Health Plan will provide participants access to their PHI and will consider requests for amendment that are submitted in writing by participants. Individual request to access health information and individual request to amend health record forms shall be provided to any participant upon request.
Health Plan must respond to requests for access or amendment within sixty (60) days. If an employee is aware that Health Plan may be unable to address an access or amendment request within sixty (60) days, the employee should seek to extend the period by thirty (30) days, by providing the participant notice (including the reason for the delay and the date by which Health Plan will complete its action on the request) within the original sixty (60) day period.
Designated record set is a group of records maintained by or for Health Plan that includes: (1) medical and billing records about individuals, and enrollment, payment, claims adjudication and case or medical management records about an individual; or (2) other PHI used, in whole or in part, by or for Health Plan to make coverage decisions about an individual.
Accounting
An individual has the right to obtain an accounting of certain disclosures of his/her own PHI. This right to an accounting extends to disclosures made in the last six (6) years, other than disclosures:
A. to carry out treatment, payment or health care operations;
B. to individuals about their own PHI;
C. incident to an otherwise permitted use or disclosure;
D. pursuant to an authorization;
E. for purposes of creation of a facility directory or to persons involved in the patient's care or other notification purposes;
F. as part of a limited data set;
G. for national security or law enforcement purposes.
Health Plan must respond to an accounting request within sixty (60) days. If any employee is aware that Health Plan may be unable to provide the accounting within sixty (60) days, the employee should seek to extend the period by thirty (30) days, by providing the participant notice (including the reason for the delay and the date the information will be provided) within the original sixty (60) day period.
Accountings must include dates of disclosures, names of the receiving party(ies), a brief description of the information disclosed; and a brief statement of the purpose of the disclosure (or a copy of the written request for disclosure, if any).
The first accounting in any twelve (12) month period shall be provided free of charge. The privacy official may impose reasonable production and mailing costs for subsequent accountings.
Requests for Alternative Communication Means or Locations
Participants may request to receive communications regarding their PHI by alternative means or at alternative locations. For example, participants may ask to be called only at work rather than at home. Such requests may be honored if, in the sole discretion of Health Plan, the requests are reasonable. Health Plan shall accommodate such a request if the participant clearly states that the disclosure of all or part of that information could endanger the participant.
A confidential communication request form shall be provided to any participant upon request. The privacy official has the responsibility for reviewing requests for receiving confidential communications and may condition the accommodation of such on the provision of payment and contact information.
Requests for Restrictions on Uses and Disclosures of Protected Health Information
A participant may request restrictions on the use and disclosure of the participant’s PHI. Health Plan may honor such a request if, in the sole discretion of Health Plan, the request is reasonable. A request to restrict use or disclosure of PHI form shall be provided to any participant upon request. The privacy official is charged with the responsibility for reviewing requests for restrictions.
Adopted 7/03