Privacy Policy Statement

NWFSC
About NWF
Human Resources
Privacy Policy Statement

Human Resources

Privacy Policy Statement

Purpose:

The following privacy policy is adopted by the Florida Community Colleges Risk Management Consortium (FCCRMC) Health Program and its member colleges. FCCRMC functioning as the Group Health Plan and the member colleges functioning as the employer/plan sponsor complies fully with all federal and state privacy protection laws and regulations. Protection of patient privacy is of paramount importance to this organization. Violations of any of these provisions may result in severe disciplinary action including termination of employment and possible referral for criminal prosecution.

Effective Date:

This policy is in effect as of April 14,2003

Expiration Date:

This policy remains in effect until superceded or cancelled.

Policy Owner:

FCCRMC Privacy Officer: Executive Director

Assigning Privacy and Security Responsibilities

It is the policy of FCCRMC and its member colleges that specific individuals within our workforce are assigned the responsibility of implementing and maintaining the HIPAA Privacy requirements. Furthermore, it is the policy of FCCRMC and its member colleges that these individuals or their designee will be provided sufficient resources and authority to fulfill their responsibilities. At a minimum it is the policy of FCCRMC that there will be one individual, Executive Director as the Privacy Officer and one Privacy Contact at each member college.

Uses and Disclosures of Protected Health Information

It is the policy of FCCRMC and its member colleges that protected health information may not be used or disclosed except when at least one of the following conditions is true:

The individual who is the subject of the information has authorized the use or disclosure.
The individual who is the subject of the information has received the Notice of Privacy Practices developed and distributed by Blue Cross Blue Shield of FL thus allowing the use or disclosure and the use or disclosure is for treatment, payment or health care operations.
The individual who is the subject of the information agrees with the disclosure via the authorization form or a signed copy of this Privacy Policy and the disclosure is to persons involved in the processing or assistance of health care claims.
The disclosure is to the individual who is the subject of the information or to HHS for compliance-related purposes.
The use or disclosure is for one of the HIPAA "public purposes" (i.e. required by law, etc.).

It is the policy of FCCRMC and its member colleges that PHI will not be used to make employment related decisions (e.g. hiring, terminations, promotions).

Deceased Individuals

It is the policy of FCCRMC and its member colleges that privacy protections extend to information concerning deceased individuals.

Notice of Privacy Practices

Blue Cross Blue Shield of FL as the Group Health Plan Third Party Administrator will publish and distribute a Notice of Privacy Practices to all the Group Health Plan participants for Blue Cross Blue Shield of FL, Health Options Inc., and Florida Combined Life.

Minimum Necessary Disclosure of Protected Health Information

It is the policy of FCCRMC and its member colleges that (except for disclosures made for treatment or healthcare operation purposes) all disclosures of protected health information must be limited to the minimum amount of information needed to accomplish the purpose of the disclosure. It is the policy of FCCRMC and its member colleges that individuals have a right to request that no disclosure be made of PHI. FCCRMC and the member colleges are not obligated to grant the request. It is also the policy of this organization that all requests for protected health information will be directed to Blue Cross Blue Shield of FL as the Third Party Administrator and must be limited to the minimum amount of information needed to accomplish the purpose of the request.

Access to Protected Health Information

It is the policy of FCCRMC and its member colleges that access to protected health information may be granted to authorized employee(s) or contractor(s) based on the assigned job functions of the employee or contractor. It is also the policy of this organization that such access privileges should not exceed those necessary to accomplish the assigned job function.

Access to Protected Health Information by the Individual

It is the policy of FCCRMC and its member colleges that access to protected health information must be granted to the person who is the subject of such information when such access is requested. Access requests should be directed to and will be processed by Blue Cross Blue Shield of FL, for Blue Cross Blue Shield of FL, Health Options Inc. and Florida Combined Life as the Group Health Plan Third Party Administrator.

Amendment of Incomplete or Incorrect Protected Health Information

It is the policy of FCCRMC and its member colleges that all requests for amendment of incorrect protected health information will be directed to and processed by Blue Cross Blue Shield of FL for Blue Cross Blue Shield of FL, Health Options Inc. and Florida Combined Life as the Third Party Administrator and maintainer of the Protected Health Information.

Access by Personal Representatives

It is the policy of FCCRMC and its member colleges that access to protected health information must be granted to personal representatives of individuals as though they were the individuals themselves. Personal representatives may include legal designations such as Power of Attorney or parent to a minor child. It is the policy of FCCRMC and its member colleges that all requests for access to protected health information will be directed to and processed by Blue Cross Blue Shield of FL, for Blue Cross Blue Shield of FL, Health Options, Inc., and Florida Combined Life as the Third Party Administrator and maintainer of the Protected Health Information.

Alternative Communications Channels

It is the policy of FCCRMC and its member colleges that all requests for alternative communication channels will be directed to and processed by Blue Cross Blue Shield of FL for Blue Cross Blue Shield of FL, Health Options Inc. and Florida Combined Life as the Third Party Administrator and maintainer of the Protected Health Information and that alternative communications channels be used, as requested by the individuals, to the extent possible.

Disclosure Accounting

It is the policy of FCCRMC and its member colleges that an accounting of all disclosures subject to such accounting of protected health information be given to individuals whenever such an accounting is requested. These requests should be directed to Blue Cross Blue Shield of FL for Blue Cross Blue Shield of FL, Health Options Inc. and Florida Combined Life as the Third Party Administrator and maintainer of the Protected Health Information.

Judicial and Administrative Proceedings

It is the policy of FCCRMC and its member colleges that information be disclosed for the purposes of a judicial or administrative proceeding only when: accompanied by a court or administrative order or grand jury subpoena; when accompanied by a subpoena or discovery request that includes either the authorization of the individual to whom the information applies, documented assurances that good faith effort has been made to adequately notify the individual of the request for their information and there are no outstanding objections by the individual, or a qualified protective order issued by the court. These requests should be directed to Blue Cross Blue Shield of FL for Blue Cross Blue Shield of FL, Health Options Inc. and Florida Combined Life as the Third Party Administrator and maintainer of the Protected Health Information.

De-Identified Data and Limited Data Sets

It is the policy of FCCRMC and its member colleges to disclose de-identified data only if it has been properly de-identified by removing all the relevant identifying data. We will make use of limited data sets, but only after the relevant identifying data have been removed and then only to organizations with which we have adequate data use agreements and only for research, public health, or health care operations purposes.

Authorizations

It is the policy of FCCRMC and its member colleges that a valid authorization will be obtained for all disclosures that are not related to treatment, payment, health care operations, for the individual or their personal representative. A signed copy of this Privacy Policy will serve as authorization for FCCRMC and/or the member colleges to provide assistance in resolving healthcare claims issues. If a signed copy of this Privacy Policy is not on file, the individual requesting assistance will be asked to sign the Privacy Policy. An individual will also need to submit a signed Authorization Form in the event that they want to grant authorization to a third party (e.g. a spouse or parent). When the college is requesting claim assistance, on behalf of an employee, from FCCRMC, a copy of the employee signed policy statement or authorization form must be forwarded to FCCRMC.

Complaints

It is the policy of FCCRMC and its member colleges that all complaints relating to the protection of health information be investigated and resolved in a timely fashion. Furthermore, it is the policy of FCCRMC that all complaints will be addressed to the community college Privacy Contact for research and resolution. The Privacy Contact may involve FCCRMC and/or Blue Cross Blue Shield of FL as needed to resolve a complaint. All complaints will be forwarded to FCCRMC's Privacy Officer for tracking purposes.

Prohibited Activities

It is the policy of FCCRMC and its member colleges that no employee or contractor may engage in any intimidating or retaliatory acts against persons who file complaints or otherwise exercise their rights under HIPAA regulations. It is also the policy of this organization that no employee or contractor may condition payment, enrollment or eligibility for benefits on the provision of an authorization to disclose protected health information.

Responsibility

It is the policy of FCCRMC and its member colleges that the responsibility for designing and developing procedures to implement this policy lies with the Privacy Officer and/or the Privacy Contact where appropriate.

Verification of Identity

It is the policy of FCCRMC and its member colleges that the identity of all persons who request access to protected health information is reasonably verified before such access is granted.

Safeguards

It is the policy of FCCRMC and its member colleges that appropriate physical safeguards will be in place to reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the HIPAA Privacy Rule. These safeguards will include physical protection of premises and PHI, technical protection of PHI maintained electronically and administrative protection. These safeguards will extend to the oral communication of PHI.

Business Associates

It is the policy of FCCRMC and its member colleges that business associates must be contractually bound to protect health information to the same degree as set forth in this policy. It is also the policy of this organization that business associates who violate their agreement will be dealt with first by an attempt to correct the problem, and if that fails by termination of the agreement and discontinuation of services by the business associate.

Training and Awareness

It is the policy of FCCRMC and its member colleges that all members of our workforce with likely access to protected health information have been trained by the compliance date on the policies and procedures governing protected health information and how FCCRMC and its member colleges complies with the HIPAA Privacy Rule. It is also the policy of FCCRMC and its member colleges that new members of our workforce receive training on these matters within a reasonable time after they have joined the workforce. It is the policy of FCCRMC and its member colleges to provide training should any policy or procedure related to the HIPAA Privacy Rule materially change. This training will be provided within a reasonable time after the policy or procedure materially changes. Furthermore, it is the policy of FCCRMC and its member colleges that training will be documented indicating participants, date and subject matter.

Sanctions

It is the policy of FCCRMC and its member colleges that sanctions will be in effect for any member of the workforce who intentionally or unintentionally violates any of these policies or any procedures related to the fulfillment of these policies.

Retention of Records

It is the policy of FCCRMC and its member colleges that the HIPAA Privacy Rule records retention requirement of six years will be strictly adhered to. All records designated by HIPAA in this retention requirement will be maintained in a manner that allows for access within a reasonable period of time. This records retention time requirement may be extended at this organization's discretion to meet with other governmental regulations or those requirements imposed by our professional liability carrier. Blue Cross Blue Shield of FL as the Third Party Administrator will retain the health insurance records of Plan Participants.

Cooperation with Privacy Oversight Authorities

It is the policy of FCCRMC and its member colleges that oversight agencies such as the Office for Civil Rights of the Department of Health and Human Services be given full support and cooperation in their efforts to ensure the protection of health information within this organization. It is also the policy of this organization that all personnel must cooperate fully with all privacy compliance reviews and investigations.