Resources

• Benefits
• Compensation
• Employee Relations
• Employment
• JLab Registration /
  International Services
• Training and Performance Office
• Job Related Training & Education Reimbursement Procedures

Administrative Manual - 205 Benefits

205.02 Health Insurance Portability and Accountability Act (HIPAA) Polict

POLICY

GENERAL

1. It is the policy of JSA/Jefferson Lab that protected health information should be treated as privileged information, that care should be taken to protect the privacy of all health information, and that care should be taken to protect the dignity of individuals referred to in health information.
2. Federal standards effective April 14, 2004, protect the confidentiality of individually identifiable health information or protected health information, but also acknowledge that it is necessary for certain persons or entities to be able to share this information in order for patients to get health care treatment and for the plan to process claims for payment. Only certain employees are authorized to have access to this information. These employees may use and share this information with other authorized persons to facilitate treatment, payment or health care operations. Other permitted uses and disclosures of the information are explicitly defined in the Privacy Standards established under HIPAA. Uses and disclosures that are not authorized will be considered a breach of the confidentiality requirements of HIPAA.
3. Any unauthorized or improper disclosures of protected health information as defined in the Privacy Standards established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) will be effectively addressed and corrected. The only JLab plan included under HIPAA is the Medical Reimbursement Plan.
4. Disciplinary action may be taken where it appears that a breach has occurred. Except in the case of the most willful and egregious breaches, employees will first be given the opportunity to demonstrate an understanding of the confidentiality requirements and to refrain from future breaches.

RESPONSIBILITIES

1. The Privacy Official appointed by the Director of the Laboratory is responsible for the provisions of this policy and its application. The Privacy Official may consult with Human Resources to assist with implementing any disciplinary action and with the Legal Department to ensure compliance with the various legal requirements.
2. The Privacy Official shall provide training on Privacy Standards, including defining what information is protected health information, what uses and disclosures of that information are permitted and the persons within the Laboratory and its business associates to whom such information may be disclosed and with whom it may be discussed.
3. All employees must recognize that unauthorized or inappropriate breaches of the confidentiality of protected health information may have serious consequences for the Laboratory and for the employee who breaches the confidentiality requirements.
4. All employees are expected to treat protected health information as privileged information, to protect the privacy of all health information, and to protect the dignity of individuals referred to in health information.
5. In order to provide a means of identifying, clarifying and rectifying problems which may arise with respect to the privacy practices and procedures of the JSA Medical Reimbursement Plan (the “Plan”), the procedures outlined in the Procedure section of this Privacy Policy shall be followed.

PROCEDURE

1. Definitions:

   "Complaint" - any allegation that there has been a violation of the Plan's privacy policies and procedures.
   
   "Complainant" - the person alleging a Complaint.
   
   "Privacy Official" - the person appointed by the Plan who is responsible for making sure that the Plan's privacy policy is followed. The Associate Director of Administration has been appointed the Lab's Privacy Official.
   
   "Respondent" - the person or persons who are alleged in the Complaint to have violated the Plan's privacy policy.
   

2. Complaint Procedure
   1. A Complainant must file a Complaint with the Privacy Official within thirty (30) days following the event giving rise to the Complaint. Complainants are encouraged to file a Complaint as soon as possible after they become aware of the event.
   2. Complaints must be made in writing. The Complainant should state clearly and concisely the alleged Complaint, giving a description of the grounds for the Complaint, including names, dates, places, times and the facts necessary for a complete understanding of the Complaint, together with the date of its submission. The Complainant may also include in the Complaint copies of any documentation related to the Complaint. If appropriate, the Complainant should propose a resolution to the Complaint.
   3. The Privacy Official shall provide to the Respondent, within ten (10) business days of the receipt of a Complaint, sufficient information and documentation about the Complaint to apprise the Respondent of the situation.
   4. The Respondent will have ten (10) business days from receipt of the information about the Complaint to respond in writing to the Complaint. Responses should be delivered to the Privacy Official and may include any documentation related to the Complaint.
   5. The Privacy Official will conduct a thorough investigation, gathering complete data as expeditiously as possible and determining a recommendation for the appropriate level of discipline, if warranted. If appropriate, the Privacy Official shall take reasonable steps to mitigate, to the extent practicable, any harmful effects of the violation of the Plan's privacy policy. The Privacy Official shall consider the views of Human Resources and the Legal Department before making a final recommendation. Human Resources will take the actions required to implement the Privacy Official's final recommendation.
   6. The complainant will remain in the workplace during the investigation, unless there are unusual circumstances that indicate the employee's presence may impede the investigation.
   7. The Privacy Official shall retain in a separate record, for a period ending no earlier than six years after the determination is issued, a copy of all written documents related to the filing of a Complaint or the occurrence of any breach, including the individuals involved (the patient whose health information was improperly disclosed, the employee who made the improper disclosure and to whom the improper disclosure was made) and the action taken to address the breach and to prevent future occurrences. Records of disciplinary actions shall also be retained by Human Resources.

Return to Administrative Manual