Privacy Issues in the Community College Workplace
3. HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT
Privacy regulations enacted by the Department of Human and Health Services (DHHS) under the Health Insurance Portability and Accountability Act (HIPAA), Title 42 United States Code section 1301 et seq. The primary thrust of HIPAA’s Privacy Rule is directed at hospitals, doctors, medical clinics, health plans and health insurers. However, under some circumstances, local public agencies may be subject to the Rule’s requirements as well. Covered entities under HIPAA are health plans, health care clearinghouses or health care providers conducting certain health care transactions electronically. 228 Also affected by HIPAA are hybrid entities whose business activities include both covered and non-covered functions, 229 and health plan sponsors.
Public employers are covered entities under two specific circumstances:
First, if the public agency provides health care to the general public by means of a hospital, clinic or any similar method of delivering health care, it is a covered entity. Significantly, the providing of paramedic services through a Fire Department may subject the agency’s paramedic functions to HIPAA’s Privacy Rule.
Second, if the public agency has a self-administered health plan with 50 or more participants, it is subject to HIPAA. Self-insured plans, cafeteria plans or flexible spending accounts with more than 50 participants (if administered by a public agency rather than a third-party administrator) are all covered by HIPAA.
If a public agency has an outside administrator for its health plans, cafeteria plans or flexible spending accounts, then it is not covered by the full range of HIPAA’s Privacy Rule. However, even if it is not a covered entity, a public agency still has to meet certain lesser requirements such as:
Ensuring that the third party administrator is complying with the Privacy Rule;
Obtaining authorizations from employees to access information about their health claims;
Ensuring that the health plan provides that employees can access their own health information.
HIPAA’s Privacy Rule imposes a number of administrative requirements on covered entities. If your agency is a covered or hybrid entity, the Rule requires it to do the following:
Notify individuals regarding their privacy rights and how their protected health information (see Section J.3.a.iv.c. below) can be used or disclosed.
Privacy Issues in the Community College Workplace ©2021 Liebert Cassidy Whitmore