Skip to content

400.60 HIPAA – Appropriate Uses and Disclosures

All staff with access to protected health information (PHI) will follow the procedures outlined below:

Firewall Security:

  • Only use health plan data for health plan related decisions
  • Provide secure storage and computer access to records held by the health plan to minimize inappropriate access
  • Ensure that health plan data will not be used for employment-related decisions or transferred to any non-health plan without prior written authorization by the covered individual
  • Designate specific individuals and job classes who will have access to PHI held by the health plan. As allowed and required by law, only those individuals will have access to this information without explicit authorization by the member or written authorization by a person duly designated to have access

Information Requests:

  • Respond in writing to requests for information
  • Only respond to information requests as allowed by the regulations (treatment, payment and operations for workers’ compensation or with a properly documented request by law enforcement), when a properly completed and executed authorization form has been submitted for the specific information, recipient and time period requested, or if the request can be satisfied through fully de-identified data.
  • Maintain appropriate documentation of all requests. Requests for purposes of treatment, payment, and operations (TPO) do not require specific documentation.
  • Always provide only the minimum information necessary to satisfy the specific request.
  • Never release an entire medical record when, in the professional judgment of designated staff, a lesser amount of data would suffice.
  • Verify the source of the request and make appropriate and reasonable efforts to determine the identity of the requestor.
  • Follow protocols that may have been established regarding routine disclosures and confer with the Privacy Officer on any other or non-routine disclosures.
  • The Privacy Officer is responsible for ensuring that appropriate education and procedures are in place and enforced to assure Superintendent or designee that information requests are being handled properly and in accordance with all policies and the relevant statutes.

Self-Initiated Uses and Disclosures:

  • Without proper authorization by the member, the district will not initiate or allow disclosure of PHI held by the health plan for:
    • Employment-related decisions including, but not limited to, hiring, terminating, job selection and promotion decisions.
    • Use by non-health plan benefits, except as specifically allowed by law (i.e. worker’s compensation).


  • Always obtain a properly signed and dated authorization form whenever needed from each covered person after the date that the Health Insurance Portability and Accountability Act (HIPAA) is implemented. Information requests not included under treatment, payment or healthcare operations or otherwise allowed by the regulations (disclosures for workers’ compensation, pursuant to a properly documented law enforcement request, and required disclosures, among others) require an authorization.
  • Not retaliate nor discriminate against covered persons who refuse to sign an authorization form.
  • Keep a copy of all completed information requests that are authorized by an authorization form in the member’s file.
  • Maintain authorization forms on file for 6 years after their expiration date or event.
  • The Privacy Officer is responsible for ensuring that appropriate education and procedures are in place and enforced to assure Superintendent or designee that authorization forms are being obtained and handled properly and in accordance with district policies and the relevant statutes.


  • Always fulfill requests with de-identified data when, in professional judgment, de-identified data can satisfy the request.
  • Always ensure that all 18 elements below have been properly removed and that any remaining identifying elements cannot be used to directly retrieve member data from any other available source:
  1. Names
  2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geo-codes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census.
    1. The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
    2. The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
  4. Telephone numbers
  5. Fax numbers
  6. Electronic mail addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code

The Privacy Officer is responsible for ensuring that appropriate education and procedures are in place and enforced to assure Superintendent/designee that de-identified data requests are being handled properly and in accordance with our policies and the relevant statutes.

Violation of any of these policies can carry serious consequences for the health plan, and possible disciplinary actions for anyone violating this policy.

Privacy Officer:
Jessica Dirks
Chief Officer of Human Resources & Legal Affairs
306 SW School Street
Ankeny, Iowa 50023

June 21, 2010

March 23, 2015
March 25, 2019
June 20, 2021

March 23, 2015
March 25, 2019
July 6, 2021