3419.01 AdmGuide_Privacy Protections of Self-funded Group Health Plans

 The District shall abide by the following procedures which are established to comply with the requirements of
Federal law.
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requires the group health plan to
train all members of the plan’s workforce on the policies and procedures with respect to Protected Health
Information, as defined by HIPAA. The Privacy Protection Officer shall ensure that the members of the plan’s
workforce receive adequate and appropriate training regarding the Privacy Rule.
The Privacy Rule requires the group health plan to implement appropriate administrative, technical, and physical
safeguards to protect the privacy of Protected Health Information. The Privacy Protection Officer shall implement
these safeguards in a reasonable and appropriate manner.
Participant Rights
The Privacy Rule grants health plan participants extensive rights with respect to their Protected Health Information.
The Privacy Protection Officer shall timely respond to participant requests to exercise rights afforded by the
Privacy Rule.
The District shall apply appropriate sanctions against members of its workforce who fail to comply with the privacy
policies and procedures established by the District.
The District shall mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use
or disclosure of Protected Health Information in violation of its policies and procedures or the requirements of
HIPAA by the District or its business associates.
Retaliatory Acts
The District shall refrain from taking any retaliatory action against any individual for exercising any right under the
plan, filing a complaint with the Department of Health and Human Services, participating in any proceeding under
Part C of Title XI of the Social Security Act, or opposing any act or practice made unlawful by the Privacy Rule,
provided that the individual has a good faith belief that the practice opposed is unlawful.
Waiver of Rights
The District shall not impose a requirement that participants waive their rights under the Privacy Rule as a
condition of the provisions of payment, enrollment in a health plan, or eligibility for benefits.
Changes to Policy and Procedures
The District shall change its policy and procedures as necessary and appropriate to comply with changes in the
The District shall retain its policy and procedures for a period of six (6) years from the date of their creation or the
date when they were last in effect, whichever is later.
Amendment of Plan Documents
The Privacy Rule provides that plan documents be made to permit information sharing between the plan and the
plan sponsor. The Privacy Protection Officer shall assist other District personnel in determining whether and how
plan documents should be amended and in fulfilling the requirements for implementing such amendments.
Business Associate Agreements
The Privacy Rule requires a group health plan to enter into business associate agreements with certain third-party
vendors. The Privacy Protection Officer shall retain counsel to draft and negotiate these business associate
agreements. In the event that the plan contracts with new business associates, the Privacy Protection Officer shall
ensure that the necessary business associate agreements are entered into by these new vendors.
Complaint Procedure
Any person that believes that his/her privacy rights have been violated by the inappropriate use of his/her personal
medical information in violation of HIPAA may file a complaint with the District's Privacy Protection Officer. The
Privacy Protection Officer will provide a copy of the District's complaint procedure to any person who files a
    A. Informal Procedures
        The complainant shall orally discuss the complaint with the District's Privacy Protection Officer, who shall in
        turn investigate and answer the complaint. The complainant may also initiate the formal procedure as
        described below.
    B. Formal Procedure
            1.  Step 1
                A written statement of the complaint (including the corrective action requested) signed by the
                complainant shall be submitted to the Privacy Protection Officer within five (5) business days of receipt
                of the answer to the informal complaint (if an informal complaint was made). The Privacy Protection
                Officer shall investigate the complaint, meet with the complainant and other staff, as appropriate, and
                reply in writing to the complainant within ten (10) business days of the submission of the formal
            2.  Step 2
                If the complainant wishes to appeal the decision of the Privacy Protection Officer, s/he may file a written
                appeal (including the corrective action requested) with the Superintendent within five (5) business day of
                his/her receipt of the Privacy Protection Officer's response in step one. The Superintendent shall meet
                with the parties within twenty (20) business days of the receipt of the appeal a copy of the
                Superintendents disposition of the appeal shall be sent to each party within ten (10) business days of
                this meeting.
Notice of Privacy Practice
The Privacy Rule requires the group health plan to distribute a Notice of Privacy Practices to participants in the
plan. The notice shall be distributed to:
    A. Each new participant in the health plan upon enrollment; and
    B. Every participant in the plan within sixty (60) days of a material revision to the notice.
The Privacy Protection Officer shall notify all participants in the Plan of the availability of the notice and how to
obtain the notice annually.
Approved/Adopted:  July 13, 2009
Revised:  August 29, 2011