400.66 Individual HIPAA Rights

All staff with access to protected health information will follow the procedures below:

Alternate Communications:

  • The District will provide alternate locations or alternate means to accommodate a member’s written request to receive communications involving Protected Health Information (PHI), as defined by HIPAA.
  • The request must be in writing, signed, and dated by the member or their legal guardian.
  • All reasonable requests will be honored. If the request is unreasonable or cannot be fulfilled, the member will be notified immediately.
  • Once the request is accepted, all communications to the member involving PHI must be made to the alternate location or by the alternate means requested until modified by the member.

Non-Routine Disclosures:

  • A covered person’s written request to obtain a history of non-routine disclosures of their protected health information will be accommodated. This accounting will, at a minimum, include the types of disclosures and information for each as detailed under HIPAA.
  • No additional accounting will be maintained by the District for valid authorizations (as defined within the HIPAA Privacy regulations) that have been received by the District. A copy of each valid authorization will be kept on file as evidence that no non-routine disclosures have been made by the District.
  • If an authorization was received in relation to research disclosures, the covered person’s request for disclosure will be met by providing a list of all protocols for which the member’s PHI may have been disclosed for research pursuant to a waiver of authorization under the HIPAA privacy regulations as well as the researcher’s name and contact information.
  • The request must be in writing, signed, and dated by the covered person or their legal guardian, preferably using the History of Non-Routine Disclosures Request form.
  • Every attempt will be made to satisfy the request in 30 days and no longer than 60 days. If more time is needed, the District will notify the requestor in writing of the delay and the reason.
  • The report provided to satisfy the request will use the format shown in the History of Non-Routine Disclosures Report, or contain all these data elements.
  • The Privacy Officer is responsible for ensuring that all requests are fulfilled in a timely manner in accordance with the law and the District’s policies.

Records Access:

  • The District will accommodate an individual’s written request to see or copy his or her medical record.
  • The request must be in writing, signed, and dated by the covered individual or their personal representative.
  • If the request is to see the record, the individual may have immediate access within the office, business operations permitting. A place to review the records away from others will be provided, but a staff member will be present while the member is reviewing the record to ensure that the record remains intact and unaltered.
  • If the request is for a copy of the record or a portion thereof, a copy will be made available within five business days of receiving payment from the member.
  • The copy may be picked up in person or mailed (return receipt requested) if requested in writing.
  • Such requests may be denied only if the life of either the covered person or another would be endangered by such disclosure.
  • All District procedures regarding processing records access requests will be followed.

Records Amendment:

  • The District will accommodate a covered person’s written request to amend his or her medical record.
  • The request must be in writing, signed, and dated by the individual or their legal guardian.
  • A decision to permit or deny the amendment will be made within five business days. If a decision to deny the amendment is made, a written explanation will be returned to the requesting person via US Mail no more than two business days following the decision.
  • If the amendment is to be allowed, the record will be amended within five business days. The amendment will be maintained as long as the record itself. The original request, including the decision to amend, will be included as well.
  • If a response to the amendment is added to the record, a copy of the response will be mailed to the requesting person by US Mail within two business days of the response being placed in the file.
  • All District procedures regarding processing records access requests will be followed.

Restriction of Records:

  • The District will accommodate a covered person’s written request to restrict some or all of the protected health information (PHI) in his or her medical record.
  • The request must be in writing, signed, and dated by the covered person or their legal guardian.
  • A decision to permit or deny the restriction will be made within five business days. If a decision to deny the restriction is made, a written explanation will be returned to the requestor via US Mail no more than two business days following the decision.
  • If the restriction is to be allowed, a notation as to this restriction will be entered into the record within five business days and maintained as long as the record itself. The original request, including the decision to restrict, will be included as well.
  • If the restriction is allowed, protected health information in violation of this restriction will not be used or disclosed, except in emergency situations or to public health, government or law enforcement officials with the proper documentation.
  • If the requestor cancels this restriction, a notation to this effect will be added to the record. If this cancellation is in writing, this will be included in the medical record as well. If the cancellation is oral, the time, date, and person taking the cancellation will be noted in the medical record.
  • All District procedures regarding processing member records access requests will be followed.

Member Grievance:

  • The Privacy Officer is responsible for investigating all reported incidents of alleged violation of health information privacy, regardless of source or severity.
  • All staff will encourage any individual who feels that his/her privacy has been violated to discuss the matter with the Privacy Officer.
  • The Privacy Officer will maintain a Privacy Incident File, and produce a monthly report summarizing the status of every open file regarding alleged health information privacy violations, regardless of discovering source. The Privacy Incident File will contain:
    • The completed Member Grievance Tracking form.
    • The written documentation of the alleged violation by the covered person, staff member or other reporting entity.
    • A Plan of Action, documenting the planned course of the investigation.
    • Complete documentation of the investigation, including transcripts of all interviews.
    • Documentation of all correspondence regarding the alleged violation, including all correspondence with legal counsel, such correspondence to be specifically marked as privileged communication.
    • Documentation of the decision regarding whether or not a violation actually occurred, and any resolution regarding the alleged violation, regardless of determination. The resolution may include (upon review and approval by the Superintendent/designee):
      • An apology
      • A description of a process change that will prevent reoccurrence
      • An invitation to discuss the situation further
      • Addresses of appropriate professional, state and federal offices to which the complaint may be escalated
    • The Privacy Officer will log all complaints in the Privacy Incident File and, if the complaint can be resolved informally, also document the resolution.
    • If the complaint cannot be resolved informally, the individual will be asked to provide a written complaint, signed and dated.
    • Follow up with the person filing the grievance until he/she is satisfied or the problem is escalated.
    • If the problem is escalated, the order of escalation will be:
      • The Privacy Officer
      • Fiduciary and/or officer of the sponsoring organization
      • Appropriate external professional, state or federal offices
    • Current policy governing the Privacy Grievance Process will be followed. If a change is warranted, the policy documentation will be modified to reflect the change and the changes will be communicated to all affected staff.
    • The District will cooperate fully with all state, federal, or professional investigating bodies.
    • Documentation of all reported incidents will be maintained for six years following the last action, as required by law.

Preserving HIPAA Rights:

  • A member exercising any of his/her rights under HIPAA will not be intimidated, threatened, coerced, discriminated against, nor have other retaliatory actions taken. These include:
    • The right to complain to the Department of Health and Human Services if he/she feels that privacy rights have been violated.
    • The right to testify in an investigation, compliance review or other hearing.
    • The right to oppose any practice of the health plan that the individual feels is in violation of HIPAA regulations.
    • Individuals will not be required to waive their HIPAA rights as a condition of enrollment or eligibility for benefits.

Notice of Privacy Practices:
In order to notify and inform all members of their HIPAA rights and the District’s responsibilities regarding their health information, a Notice of Privacy Practices will be maintained and distributed as appropriate. To that end, the District will:

  • Adopt and maintain on file the current Notice of Privacy Practices.
  • Make available upon request paper copies of the current Notice of Privacy Practices.
  • Modify the Notice of Privacy Practices as needed, with approval of the Superintendent/designee. The Privacy Officer will replace the file copy and re-distribute if a material change is made.
  • Retain each version for not less than six years following the last use of that version.

Violation of any of these policies can carry serious consequences for the health plan. Disciplinary actions for anyone violating this policy may include suspension without pay or termination.

Privacy Officer:
Jessica Dirks
Chief Officer of Human Resources & Legal Affairs
306 SW School Street
Ankeny, Iowa 50023
515-965-9600

Approved:
June 21, 2010

Reviewed:
March 23, 2015
March 25, 2019
June 20, 2021

Revised:
March 23, 2015
March 25, 2019
July 6, 2021