Novi Community School District
Bylaws & Policies
 

4418 - HIPAA PRIVACY REQUIREMENTS

General Statement of Policy

The Novi Community School District (the "District") is the sponsor of the Novi Community School District Health Plan (the "Plan"). The Plan is comprised of a medical flexible spending account, an employee vision plan and other health plans as may be revised from time to time. Certain employees of the District business office may have access to the individually identifiable health information of Plan participants for administrative functions of the plan.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations restrict the Plan's ability to use and disclose protected health information (PHI):

 

Protected Health Information. Protected health information means information that is created or received by the Plan and relates to the past, present, or future physical or mental health or condition of a participant; the provision of health care to a participant; or the past, present, or future payment for the provision of health care to a participant; and that identifies the participant or for which there is a reasonable basis to believe the information can be used to identify the participant. Protected health information includes information of persons living or deceased.

 

It is the District's policy to comply fully with HIPAA's requirements. To that end, the District hereby designates itself as a Hybrid Entity, within the meaning of HIPAA.

 

Hybrid Entity. Under HIPAA, "Hybrid Entity" means a single legal entity: (1) that is a Covered Entity; (2) whose business activities include both covered and non-covered functions; and (3) that designates its health care components.

 

All members of the District workforce who have access to PHI must comply with this Privacy Policy and Procedures. For purposes of this Policy and Procedures, the members of the District workforce who may have access to PHI include:

 A. Assistant Superintendent for Business and Finance

 B. Assistant Superintendent of Human Resources & Administrative Services

 C. Payroll Supervisor

 D. Payroll/Benefits Supervisor

For purposes of this policy, the workforce members referenced above are the health care components of the District, and may also be referred to herein as the "Plan's Operational Structure."

No third party rights (including but not limited to rights of Plan participants, beneficiaries, covered dependents, or business associates) are intended to be created by this Policy and Procedures.

The District reserves the right to amend or change this Policy and Procedures at any time (and even retroactively) without notice. To the extent this Policy and Procedures establishes requirements and obligations above and beyond those required by HIPAA, the Policy and Procedures shall be aspirational and shall not be binding upon the District. This Policy and Procedures does not address requirements under other Federal laws or State laws.

Purpose

This policy is established to comply with the regulatory provisions promulgated under HIPAA, and to provide guidance for the Plan's Operational Structure.

Policy

It is the policy of the District that reasonable steps shall be taken to safeguard PHI in connection with the Plan subject to the regulations, standards, implementation specifications or other requirements of HIPAA. In that regard, the Plan shall take reasonable steps to:

 A. protect health information in its possession, so as to assure the privacy and confidentiality of the information, in whatever form, whether written, oral or electronic; and

 B. meet or exceed the standards for protecting health information set forth in the HIPAA rules to the extent that the same are applicable to the Plan. The Plan shall comply with HIPAA regulations with respect to safeguarding the privacy and confidentiality of health information in its possession. The District's Assistant Superintendent of Business and Operations shall direct District staff in the establishment of procedures and standards and in implementing this policy for compliance with the HIPAA rules.

Individual Rights and Notice

Consistent with the provisions of HIPAA, the Plan shall assure the rights of individuals, including the rights to:

 A. access their health information,

 B. receive a written, meaningful Notice regarding the ways in which their health information is used and disclosed,

 C. request restrictions to the use and disclosure of their PHI,

 D. request corrections or amendments to their health information,

 E. receive an accounting of the disclosures made of their health information,

 F. file complaints regarding the Plan's use or disclosure of health information; and

 G. be free from retaliation for filing complaints.

Minimum Necessary Standard

The Plan shall restrict its uses and disclosures of and requests for PHI to the "minimum necessary" to accomplish the purpose of the use or disclosure. The terms "use" and "disclosure" are defined as follows:

 A. Use: the sharing, utilization, examination, or analysis of individually identifiable health information by any person working for or within the Plan's operational structure, or by a Business Associate (defined below) of the Plan.

 B. Disclosure: for information that is PHI, disclosure means any release, transfer, provision of access to, or divulging in any other manner of individually identifiable health information to persons not employed or working within the Plan's operational structure.

Members of the Plan Operational Structure shall have access to PHI only to the extent minimally necessary for them to perform their functions on behalf of the Plan.

Training

District employees who are part of the Plan's Operational Structure shall receive training enabling them to understand and fulfill their duties and obligations with respect to privacy and confidentiality of health information in their possession. Persons hired after April 14, 2004 shall receive appropriate training as soon as possible after hire. All training shall be documented in each workforce member's personnel file. Training shall be on-going as required as developments under HIPAA occur.

Reporting Violations; Compliance

Employees shall report violations of the HIPAA regulations, or the District's HIPAA policies, to their supervisor or to the Privacy Officer. There shall be no retaliation against any employee who reports a violation.

Privacy Officer

The Assistant Superintendent of Business is hereby designated as the District's Privacy Officer and the contact person for participants and beneficiaries under the Plan.

Business Associates

The Plan shall implement the Business Associate standards established under HIPAA. Employees may disclose PHI to the Plan's business associates and allow the Plan's business associates to create or receive PHI on its behalf. However, prior to doing so, the Plan must first obtain assurances from the business associate that it will appropriately safeguard the information. Before sharing PHI with outside consultants or contractors who meet the definition of a "business associate," workforce members must contact the Privacy Officer and verify that a business associate contract is in place. Disclosures must be consistent with the terms of the business associate contract.

For purposes of this policy, a "Business Associate" is an entity or person who:

 A. performs or assists in performing a Plan function or activity involving the use and disclosure of PHI (including claims processing or administration, data analysis, underwriting, etc.); or

 B. provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation, or financial services, where the performance of such services involves giving the service provider access to PHI.

Technical and Physical Safeguards

The Plan Operational Structure shall establish appropriate technical and physical safeguards to prevent PHI from intentionally or unintentionally being used or disclosed in violation of HIPAA's requirements. Technical safeguards may include methods for preventing unauthorized access to electronically stored health information. Physical safeguards may include locking doors and file cabinets.

Privacy Notice

The Privacy Officer shall develop and maintain a Notice of the Plan's privacy practices. The privacy notice will inform participants that the District office may have access to PHI in connection with its plan administrative functions. The privacy notice will also provide a description of the Plan's complaint procedures, the name and telephone number of the contact person for further information, and the date of the notice. The notice of privacy practices will be individually delivered to all participants. The Plan will also provide notice of availability of the privacy notice at least as often as is required by the HIPAA rules. If a change in law impacts the privacy notice, it shall promptly be revised and made available to participants. Any such change shall only be effective with respect to PHI created or received after the effective date of the revised notice.

Documentation Requirement

It is the policy of the District that the members of the Plan's Operational Structure will document all actions (including authorizations, requests for information, sanctions, and complaints) relating to individuals' privacy rights. While documentation may be maintained in either written or electronic form, it shall be maintained for a period of at least six (6) years from the date of creation or last effect, whichever is later.

Manual of Policies and Procedures

A Manual of Policies and Procedures will be established and maintained to implement this Policy. This Policy and the Manual of Policies and Procedures may be changed as necessary or appropriate to comply with changes in the law, standards, requirements and implementation specifications (including changes and modifications in the HIPAA regulations). Any changes in policies or procedures will be promptly documented.

If a change in law impacts the privacy notice, the Privacy Policy and Procedures will promptly be revised and made available to participants. Such change is effective only with respect to PHI created or received after the effective date of the notice.

Plan Document

If the Plan may disclose any PHI to the District, as the Plan Sponsor, other than Summary Health Information, or enrollment and disenrollment information regarding Plan participants, then the Plan document shall be amended to include provisions to describe the limitations and the permitted and required uses and disclosures of PHI by the Plan.

Complaints

The Privacy Officer shall be the Plan's contact person for purposes of receiving complaints. The Privacy Officer shall develop a process for individuals to submit complaints about the Plan's Privacy Policy and Procedures and for handling such complaints in a manner that is consistent with the HIPAA rules.

Sanctions for Violations of Privacy Policy

Sanctions for using or disclosing PHI in violation of this Policy will be imposed in accordance with applicable law, collective bargaining agreements and the District's personnel policies, up to and including termination.

No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy

No employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA.

No individual shall be required to waive his/her privacy rights under HIPAA as a condition of eligibility, enrollment or payment of benefits under the Plan.