|
Privacy Policy Statement
Purpose: The following privacy policy is adopted to
ensure that Texas Agricultural Cooperative Trust complies with all
federal and state privacy protection laws and regulations. Protection of
plan participant/member privacy is of paramount importance to this
organization. Violations of any of these provisions will result in severe
disciplinary action including termination of employment and possible
referral for criminal prosecution.
Effective Date: This policy is in effect as of December 27, 2003
Expiration Date: This policy remains in effect until
superseded or
cancelled.
Policy Owner: Texas Agricultural Cooperative Trust (TACT)
-Chairman
-Secretary
-Executive Director
-Assistant Director
Assigning Privacy and Security Responsibilities
It is the policy of TACT that specific individuals within our workforce
are assigned the responsibility of implementing and maintaining the
HIPAA Privacy and Security Rule’s requirements. Furthermore, it is the
policy of TACT that these individuals will be provided sufficient
resources and authority to fulfill their responsibilities. At a minimum
it is the policy of TACT that there will be one individual or job
description designated as the Privacy Official.
Uses and Disclosures of Protected Health Information
It is the policy of TACT that protected health information may not be
used or disclosed except when at least one of the following conditions
is true:
-
The individual who is the subject of the information has authorized the
use or disclosure.
-
The individual who is the subject of the information has received our
Notice of Privacy Practices (or if a dependent the named insured has
received Notice), thus allowing the use or disclosure and the use or
disclosure is for treatment, payment or health care operations.
-
The individual who is the subject of the information agrees or does not
object to the disclosure and the disclosure is to persons involved in
the health care of the individual.
-
The disclosure is to the individual who is the subject of the
information or to HHS for compliance-related purposes.
-
The use or disclosure is for one of the HIPAA “public purposes” (i.e.
required by law, etc.).
It is the policy of this organization that disclosure of protected
health information to the plan sponsor will only occur after the plan
sponsor has provided a certification to this organization.
Deceased Individuals
It is the policy of TACT that privacy protections extend to information
concerning deceased individuals.
Notice of Privacy Practices
It is the policy of TACT that a notice of privacy practices must be
published, that this notice and any revisions to it be provided to all
individuals at the earliest practicable time, and that all uses and
disclosures of protected health information be done in accord with this
organization’s notice of privacy practices. This organization will
always provide the notice of privacy practices to new plan participants,
and as of the compliance date to established plan participants. This
organization shall maintain the notice and if there are material
revisions, revise the notice. The notice shall be available upon request
to any named insured.
Restriction Requests
It is the policy of TACT that serious consideration must be given to all
requests for restrictions on uses and disclosures of protected health
information as published in this organization’s notice of privacy
practices. It is furthermore the policy of this organization that if a
particular restriction is agreed to, then this organization is bound by
that restriction.
Minimum Necessary Disclosure of Protected Health Information
It is the policy of TACT that (except for disclosures made for treatment
purposes) all disclosures of protected health information must be
limited to the minimum amount of information needed to accomplish the
purpose of the disclosure. It is also the policy of this organization
that all requests for protected health information (except requests made
for treatment purposes) must be limited to the minimum amount of
information needed to accomplish the purpose of the request.
Access to Protected Health Information
It is the policy of TACT that access to protected health information
must be granted to each employee or contractor based on the assigned job
functions of the employee or contractor. It is also the policy of this
organization that such access privileges should not exceed those
necessary to accomplish the assigned job function. It is the policy of
this organization that appropriate firewalls are in place to prevent
access to protected health information maintained by the health plan by
employees in this organization who do not perform health plan job
functions. It is the policy of this organization that protected health
information will not cross this firewall and be used for employment
related decisions.
Access to Protected Health Information by the Individual
It is the policy of TACT that access to protected health information
must be granted to the person who is the subject of such information
when such access is requested, or at the very least within the
timeframes required by the HIPAA Privacy Rule. It is the policy of TACT
to inform the person requesting access, of the location of protected
health information if we do not physically possess such PHI but have
knowledge of its location.
Amendment of Incomplete or Incorrect Protected Health Information
It is the policy of TACT that all requests for amendment of incorrect
protected health information maintained by this organization will be
considered in a timely fashion. If such requests demonstrate that the
information is actually incorrect, this organization will allow amending
language to be added to the appropriate document and this addition will
be done in a timely fashion. It is also the policy of this organization
that notice of such corrections will be given to any organization with
which the incorrect information has been shared.
Access by Personal Representatives
It is the policy of TACT that access to protected health information
must be granted to personal representatives of individuals as though
they were the individuals themselves, except in cases of abuse where
granting said access might endanger the individual or someone else. We
will conform to the relevant custody status and the strictures of state,
local, case, and other applicable law when disclosing information about
minors to their parents. It is the policy of this organization to verify
that a personal representative has the appropriate legal authority.
Confidential Communications Channels
It is the policy of TACT that confidential communications channels be
used, as requested by the individuals, to the extent possible. It is the
policy of this organization to consider all reasonable requests and not
to ask the reason for the request.
Disclosure Accounting
It is the policy of TACT that an accounting of all disclosures subject
to such accounting of protected health information be given to
individuals whenever such an accounting is requested.
Marketing Activities
It is the policy of this TACT that any uses or disclosures of protected
health information for marketing activities will be done only after a
valid authorization is in effect. It is the policy of this organization
to consider marketing any communication to purchase or use a product of
service where an arrangement exists in exchange for direct or indirect
remuneration, or where this organization encourages purchase or use of a
product or service. This organization does not consider the
communication of alternate forms of treatment, or the use of products
and services in treatment to be marketing such as Q Elements or Medco
Health.
Judicial and Administrative Proceedings
It is the policy of TACT that information be disclosed for the purposes
of a judicial or administrative proceeding only when: accompanied by a
court or administrative order or grand jury subpoena; when accompanied
by a subpoena or discovery request that includes either the
authorization of the individual to whom the information applies,
documented assurances that good faith effort has been made to adequately
notify the individual of the request for their information and there are
no outstanding objections by the individual, or a qualified protective
order issued by the court. If a subpoena or discovery request is
submitted to us without one of those assurances, we will seek to notify
the individual, obtain his or her authorization, or obtain a qualified
protective order before we disclose any information. In no case will we
disclose information other than that required by the court order,
subpoena, or discovery request.
De-Identified Data and Limited Data Sets
It is the policy of TACT to disclose de-identified data only if it has
been properly de-identified by a qualified statistician or by removing
all the relevant identifying data. We will make use of limited data
sets, but only after the relevant identifying data have been removed and
then only to organizations with whom we have adequate data use
agreements and only for research, public health, or health care
operations purposes. It is the policy of this TACT that summary
information will be released to the plan sponsor.
Authorizations
It is the policy of TACT that a valid authorization will be obtained for
all disclosures that are not for: treatment, payment, health care
operations, to the individual or their personal representative, to
persons involved with the individuals care, to business associates in
their legitimate duties, to facility directories or for public purposes.
This authorization will include all the mandatory elements and any
authorizations generated from outside this organization will be checked
to see if they are valid.
Complaints
It is the policy of TACT that all complaints relating to the protection
of health information be investigated and resolved in a timely fashion.
Furthermore, it is the policy of this TACT that all complaints will be
addressed to the TACT Plan Manager who will be duly authorized to
investigate complaints and implement resolutions if the complaint stems
from a valid area of non compliance with the HIPAA Privacy and Security
Rule.
Prohibited Activities
It is the policy of TACT that no employee or contractor may engage in
any intimidating or retaliatory acts against persons who file complaints
or otherwise exercise their rights under HIPAA regulations. It is also
the policy of this organization that no employee or contractor may
condition treatment, payment, enrollment or eligibility for benefits on
the provision of an authorization to disclose protected health
information.
Responsibility
It is the policy of TACT that the responsibility for designing and
implementing procedures to implement this policy lies with the chief
privacy officer.
Verification of Identity
It is the policy of TACT that the identity of all persons who request
access to protected health information be verified before such access is
granted.
Mitigation
It is the policy of TACT that the effects of any unauthorized use or
disclosure of protected health information be mitigated to the extent
possible.
Safeguards
It is the policy of TACT that appropriate physical safeguards will be in
place to reasonably safeguard protected health information from any
intentional or unintentional use or disclosure that is in violation of
the HIPAA Privacy Rule. These safeguards will include physical
protection of premises and PHI, technical protection of PHI maintained
electronically and administrative protection. These safeguards will
extend to the oral communication of PHI. These safeguards will extend to
PHI that is removed from this organization.
Business Associates
It is the policy of TACT that business associates must be contractually
bound to protect health information to the same degree as set forth in
this policy, and that all business associates have been contractually
bound by the compliance date. It is also the policy of this organization
that business associates who violate their agreement will be dealt with
first by an attempt to correct the problem, and if that fails by
termination of the agreement and discontinuation of services by the
business associate.
Training and Awareness
It is the policy of this TACT that all members of our workforce have
been trained by the compliance date on the policies and procedures
governing protected health information and how TACT complies with the
HIPAA Privacy and Security Rule. It is also the policy of TACT that new
members of our workforce receive training on these matters within a
reasonable time after they have joined the workforce. It is the policy
of TACT to provide training should any policy or procedure related to
the HIPAA Privacy and Security Rule materially change. This training
will be provided within a reasonable time after the policy or procedure
materially changes. Furthermore, it is the policy of TACT that training
will be documented indicating participants, date and subject matter. It
is the policy of this organization that members of the workforce who are
not directly involved in the health plan activities and administration
will receive basic training on confidentiality and privacy.
Sanctions
It is the policy of TACT that sanctions will be in effect for any member
of the workforce who intentionally or unintentionally violates any of
these policies or any procedures related to the fulfillment of these
policies. Intentional violations will result in the most severe
sanctions including dismissal and possible referral for criminal
prosecution. Unintentional violations will be dealt with based on the
severity of the violation and could include dismissal, a formal warning
or other action. The sanctions this organization imposes for a HIPAA
violation will be described in this organization’s employee manual.
Retention of Records
It is the policy of TACT that the HIPAA Privacy Rule records retention
requirement of six years will be strictly adhered to. All records
designated by HIPAA in this retention requirement will be maintained in
a manner that allows for access within a reasonable period of time. This
records retention time requirement may be extended at this
organization’s discretion to meet with other governmental regulations or
those requirements imposed by our professional liability carrier.
Cooperation with Privacy Oversight Authorities
It is the policy of TACT that oversight agencies such as the Office for
Civil Rights of the Department of Health and Human Services be given
full support and cooperation in their efforts to ensure the protection
of health information within this organization. It is also the policy of
this organization that all personnel must cooperate fully with all
privacy compliance reviews and investigations. |
