400.71 Safeguarding PHI
The District will take all reasonable and legally required steps to safeguard protected health information (PHI). To maintain the confidentiality of health data, the District will follow the Minimum Necessary Information principle, which minimizes the amount of protected health information used and disclosed and the number of persons who have access to this information.
To that end, the Privacy Officer will develop and enforce rules and regulations to ensure that PHI is handled in accordance with law and policy and that the following expectations are met:
- Employees may only access current and/or archived, paper and/or electronic member records for which they have a legitimate, assigned business need; the employees authorized to access such information will be limited to the greatest extent possible.
- Employees may not discuss and/or share any PHI with any unauthorized person.
- Current and/or archived, paper and/or electronic employee PHI is reasonably safeguarded from unauthorized view, including by unauthorized employees.
- Current and/or archived, paper and/or electronic employee PHI is maintained separately from all employee records and not commingled with employment records of any kind.
- When disposal of current and/or archived, paper and/or electronic employee PHI is warranted, reasonable safeguards must be taken to prevent unauthorized view of said PHI, including by unauthorized employees.
- No health information obtained by and in relation to the health plan will be used in any employment-related decision.
- With respect to requests for PHI from the District’s associates, including but not limited to insurance companies and third-party administrators, limit the use and/or disclosure of and/or requests for protected health information to the minimum necessary to accomplish the intended purpose.
- Train all employees on how to protect their own health information.
- Train employees with access to PHI of others on data privacy laws, policies, and district expectations.
This policy does not limit the District’s ability to take the following action(s) with regard to PHI provided that such action(s) are otherwise authorized by law:
- Disclosures of PHI to and/or requests for PHI from a health care provider for treatment purposes
- Disclosures of PHI to the individual who is the subject of the information
- Uses and/or disclosures made pursuant to any valid authorization received by the health plan
- Uses and/or disclosures required for compliance with standardized Health Insurance Portability and Accountability Act (HIPAA) transactions
- Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the rule for enforcement purposes
- Uses or disclosures that are required by other law
Any employee violating these policies may face disciplinary actions up to and including suspension without pay or termination.
Chief Officer, Human Resources & Legal Affairs
306 SW School Street
Ankeny, Iowa 50023
Health Insurance Portability & Accountability Act (HIPAA) of 1996 Public Law 104-191
400.60 HIPAA – Appropriate Uses and Disclosures
400.66 Individual HIPAA Rights
400.69 HIPAA Non-Discrimination
406.10 Employee Physical Examination
400.30 Employee Records
405.21 Personnel Records Management
June 21, 2010
March 23, 2015
February 15, 2021
March 23, 2015
February 15, 2021