Privacy Issues in the Community College Workplace

If a public agency has an outside administrator for its health plans, cafeteria plans or flexible spending accounts, then it is not covered by the full range of HIPAA’s Privacy Rule. However, even if it is not a covered entity, a public agency still has to meet certain lesser requirements such as:

 Ensuring that the third party administrator is complying with the Privacy Rule;

 Obtaining authorizations from employees to access information about their health claims  Ensuring that the health plan provides that employees can access their own health information.

HIPAA’s Privacy Rule imposes a number of administrative requirements on covered entities. If your agency is a covered or hybrid entity, the Rule requires it to do the following:

 Notify individuals regarding their privacy rights and how their protected health information (see Section J.3.a.iv.c. below) can be used or disclosed.

 Adopt and implement internal privacy policies and procedures.

 Train employees to understand these policies and procedures as appropriate for their functions in carrying out duties related to the employer’s capacity as a health plan or health provider.  Designate individuals who are responsible for implementing these policies and procedures, and who will receive privacy-related complaints.  Establish privacy requirements in contracts with business associates that perform functions related to the employer’s capacity as covered entity.  Implement appropriate administrative, technical, and physical safeguards to protect the privacy of health information, so that it is not readily available to those who do not need it.  Meet obligations concerning the exercise by individuals of their rights under the Privacy Rule. 228

An agency must designate an employee to serve as the privacy officer. HIPAA does not specify any particular qualifications, but an employer should consider selecting someone with knowledge of the agency as a whole from a management perspective and a familiarity with benefits administration. Additionally, covered entities must require business associates to comply with HIPAA’s Privacy Rule. A business associate is a person or entity that performs certain functions on behalf of a covered health plan or health care provider which involve the use or disclosure of information protected by HIPAA’s Privacy Rule. Examples of functions carried out by business associates include claims processing, quality assurance, and billing. Although HIPAA does not regulate business associates, a covered entity that contracts with a business associate must require that the

Privacy Issues in the Community College Workplace ©2019 (c) Liebert Cassidy Whitmore 71