Privacy Issues in the Community College Workplace
Adopt and implement internal privacy policies and procedures.
Train employees to understand these policies and procedures as appropriate for their functions in carrying out duties related to the employer’s capacity as a health plan or health provider.
Designate individuals who are responsible for implementing these policies and procedures, and who will receive privacy-related complaints.
Establish privacy requirements in contracts with business associates that perform functions related to the employer’s capacity as covered entity.
Implement appropriate administrative, technical, and physical safeguards to protect the privacy of health information, so that it is not readily available to those who do not need it.
Meet obligations concerning the exercise by individuals of their rights under the Privacy Rule. 230
An agency must designate an employee to serve as the privacy officer. HIPAA does not specify any particular qualifications, but an employer should consider selecting someone with knowledge of the agency as a whole from a management perspective and a familiarity with benefits administration.
Additionally, covered entities must require business associates to comply with HIPAA’s Privacy Rule. A business associate is a person or entity that performs certain functions on behalf of a covered health plan or health care provider which involve the use or disclosure of information protected by HIPAA’s Privacy Rule. Examples of functions carried out by business associates include claims processing, quality assurance, and billing. Although HIPAA does not regulate business associates, a covered entity that contracts with a business associate must require that the business associate comply with HIPAA’s Privacy Rule. Use and disclosure by business associates of information protected under HIPAA’s Privacy Rule is further described below.
K. DISCLOSING MEDICAL INFORMATION
As previously noted, under the CMIA the general rule is that an employer may not disclose medical information unless written authorization is obtained from the subject employee. 231 Exceptions to the rule requiring written authorization include:
when disclosure is compelled by judicial or administrative process or by any other specific provision of law;
when the information is relevant to a lawsuit, arbitration, grievance or other proceeding to which the employer and employee are parties and the employee has placed his or her medical history, mental or physical condition or treatment at issue;
©2021 Liebert Cassidy Whitmore