2.00 - ADMINISTRATIVE REQUIREMENTS FOR THE IMPLEMENTATION OF HIPAA

I. Purpose:
To issue instructions regarding ADAMH's obligations relating to the implementation of the Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C. 1320d-1329d-8, and regulations promulgated thereunder, 45 CFR Parts 160, 162 and 164.

II. Applicability:
This policy applies to all ADAMH workforce members.

III. Authority:
45 CFR Parts 160 & 164

IV. Definitions:
Disclosure means the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

Use means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.

Protected Health Information (PHI) means individually identifiable information relating to past, present or future physical or mental health or condition of an individual, provision of health care to an individual, or the past, present or future payment for health care provided to an individual.

Workforce Members means Board of Trustee members, employees, volunteers, trainees, and other persons whose conduct, in the performance of work for ADAMH, is under the direct control of the department, office, program or facility, regardless of whether they are paid by ADAMH.

Business Associate (BA) means a person or entity who, on behalf of ADAMH, but not in the capacity of a workforce member, performs, or assists in the performance of, a function or activity involving the use or disclosure of PHI, or provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services involving disclosure of PHI.

Privacy Notice means the notice of privacy practices relating to an entity's use and disclosure of PHI that is mandated under HIPAA regulations for distribution to all individuals whose information will be collected by or on behalf of ADAMH.

V. Policy:
  1. Personnel Designations: ADAMH must designate and document designations of the following:
    1. Privacy Officer: ADAMH must designate an individual to be the Privacy Officer, responsible for the development and implementation of agency-wide policies and procedures relating to the safeguarding of PHI. ADAMH shall have a HIPAA Oversight Committee that advises and supports the Privacy Officer.
    2. Contact Person or Office: ADAMH shall designate an individual, position title, or office that will be responsible for receiving complaints relating to PHI and for providing information about ADAMH's privacy practices.
  2. Training Requirements: ADAMH and, as applicable, its offices, programs and facilities, must document the following training actions:
    1. On or before the effective date of the HIPAA privacy regulations [4/14/03], all ADAMH employees and other workforce members must receive training on applicable policies and procedures relating to PHI as necessary and appropriate for such persons to carry out their functions within ADAMH.
    2. Each new workforce member shall receive the training as described above within a reasonable time after joining the workforce.
    3. Each workforce member whose functions are impacted by a material change in the policies and procedures relating to PHI, or by a change in position or job description, must receive the training as described above within a reasonable time after the change becomes effective.
  3. Safeguards: ADAMH must have in place appropriate administrative, technical, and physical safeguards to reasonably safeguard PHI from intentional or unintentional unauthorized use or disclosure.
  4. Complaint Process: ADAMH must have in place a process for individuals to make complaints about ADAMH's HIPAA policies and procedures and/or ADAMH's compliance with those policies and procedures, and must document all complaints received and the disposition of each complaint.
  5. Sanctions: The Human Resources Office for ADAMH must have in place, must apply and must document application of appropriate sanctions against workforce members who fail to comply with HIPAA policies and procedures. Note - there are exceptions for disclosures made by workforce members who qualify as whistleblowers or certain crime victims. [See Personnel Policies & Procedures 5.70 Corrective Action]
  6. Mitigation Efforts Required: ADAMH must mitigate, to the extent practicable, any harmful effects of unauthorized uses or disclosures of PHI by ADAMH or any of its business associates.
  7. Intimidating or Retaliatory Acts and Waiver of Rights Prohibited:
    1. Prohibition on Intimidating or Retaliatory Acts: Neither ADAMH nor any workforce member shall intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise of their rights or participation in any process relating to HIPAA compliance, or against any person for filing a complaint with the Secretary of the U.S. Department of Health and Human Services, participating in a HIPAA related investigation, compliance review, proceeding or hearing, or engaging in reasonable opposition to any act or practice that the person in good faith believes to be unlawful under HIPAA regulations as long as the action does not involve disclosure of PHI in violation of the regulations.
    2. Prohibition on Waiver of Rights: No workforce member of ADAMH shall require individuals to waive any of their rights under HIPAA as a condition of treatment, payment, enrollment in a health plan or eligibility for benefits.
  8. Policies and Procedures: ADAMH must document the following actions relating to its policies and procedures:
    1. Required Policies and Procedures: ADAMH shall design and implement policies and procedures to assure appropriate safeguarding of PHI in its operations.
    2. Changes to Policies and Procedures: ADAMH must change its policies and procedures as necessary and appropriate to conform to changes in law or regulation. ADAMH also may make changes to policies and procedures at other times as long as the policies and procedures are still in compliance with applicable law. Where necessary, ADAMH must make correlative changes in its Privacy Notice. ADAMH may not implement a change in policy or procedure prior to the effective date of the revised Privacy Notice.
  9. Documentation Requirements: ADAMH must maintain the required policies and procedures in written or electronic form, and must maintain written or electronic copies of all communications, actions, activities or designations as are required to be documented hereunder, or otherwise under the HIPAA regulations, for a period of six (6) years from the later of the date of creation or the last effective date.
 


© 2004 ADAMH Board of Franklin County · 447 East Broad Street, Columbus, OH 43215
Phone: (614) 224-1057 · Fax: (614) 224-0991 · Site by Grip Technology