5.02    HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA)

A. DEFINITIONS

1. Applicable Requirements: applicable federal and Ohio law and the contracts between the Board and other persons or entities which conform to federal and Ohio Law.

2. Business Associate (BA): a person or entity which creates, uses, receives or discloses PHI held by a covered entity to perform functions or activities on behalf of the covered entity. The requirements are set forth more fully in 45 CFR 160.103.

3. Covered Entity: a health plan, a health care clearinghouse or a health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA privacy rules.

4. Disclosure: the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

5. Health Care Clearinghouse: a public or private entity, including a billing service, community health management information system or community health information system that either 1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; or 2) receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.

6. Health Oversight Agency: an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

7. Health Plan: an individual or group plan that provides, or pays the cost of medical care. Health plan includes the following, singly or in combination: The Medicaid program under title XIX of the Act, 42 U.S.C. § 1396, et seq. or any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care.

8. HIPAA: The Health Insurance Portability and Accountability Act of 1996, codified in 42 USC §§ 1320 - 1320d-8.

9. Incidental Use or Disclosure: a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule.

10. MOU: A Memorandum of Understanding between governmental entities which incorporates elements of a business associate contract in accordance with HIPAA rules.

11. Personal Representative: a person who has authority under applicable law to make decisions related to health care on behalf of an adult or an emancipated minor, or the parent, guardian, or other person acting in loco parentis who is authorized under law to make health care decisions on behalf of an un-emancipated minor, except where the minor is authorized by law to consent, on his/her own or via court approval, to a health care service, or where the parent, guardian or person acting in loco parentis has assented to an agreement of confidentiality between VentureLINX and the minor.

12. PHI: Protected Health Information individually; i.e., identifiable information relating to the past, present or future physical or mental health or condition of an individual, provision of health care to an individual, or the past, present or future payment for health care provided to an individual.

13. Provider: a person or entity which is licensed or certified to provide services, including but not limited to health care services, to persons with disabilities, in accordance with applicable requirements. A Covered Provider is a Health Care Provider who transmits any health information in electronic form.

14. Public Health Authority: an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.

15. TPO: treatment, payment or health care operations under HIPAA rules. Use means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information. Workforce Member means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the Board, is under the direct control of the Board, whether or not they are paid by the Board.

B. GENERAL POLICY ON PRIVACY AND CONFIDENTIALITY

VentureLINX shall conform to all requirements for privacy and confidentiality set forth in HIPAA and other applicable law. This policy shall apply whether VentureLINX is acting as a covered health care provider or a Health Plan under HIPAA. If VentureLINX is acting in more than one capacity, VentureLINX shall be subject to the requirements applicable to that function and shall use or disclose PHI only for purposes related to the function being performed. In general, use, disclosure or requests of records must be limited to the minimum which is reasonably necessary to accomplish the purpose of the use, disclosure or request.

1. Mitigation

1. VentureLINX shall mitigate, to the extent practicable, any harmful effect that is known to VentureLINX of a use or disclosure of protected health information in violation of its policies and procedures or the requirements of applicable requirements and VentureLINX policies and procedures by the VentureLINX Board or its business associate.

2. Protection Against Retaliation or Intimidation

1. No office, program, facility or employee of VentureLINX shall intimidate, threaten, coerce, discriminate against, or take other retaliatory action against:

1. Any individual for the exercise of their rights or participation in any process relating to HIPAA compliance

2. Against any person for filing a complaint with the Secretary of the U.S. Department of Health and Human Services, participating in a HIPAA related investigation, compliance review, proceeding or hearing, or engaging in reasonable opposition to any act or practice that the person in good faith believes to be unlawful under HIPAA regulations as long as the action does not involve disclosure of PHI in violation of the regulations.

3. Prohibition of Waiver of Rights

1. No office, program, facility or employee of VentureLINX shall require associates to waive any of their rights under HIPAA as a condition of treatment, payment, and enrollment in a health plan or eligibility for benefits.

3. HIPAA ADMINISTRATION

1. VentureLINX shall designate and record designations of the following:

1. Privacy Officer. The CEO will be responsible for the development and implementation of VentureLINX’s policies and procedures relating to the safeguarding of PHI.

2. HIPAA Committee. The managers and supervisors will serve as the HIPAA Committee which will represent each program area of the agency.

3. Complaint Officer. The CEO shall act as the agency’s complaint officer and will be responsible for receiving complaints relating to PHI and for providing information about the office’s, facility’s or program’s privacy practices. The Privacy Officer will be advised of all complaints and assist the Complaint Officer in resolution of the complaint as needed.

2. VentureLINX shall carry out and record provision of the following training:

1. All VentureLINX employees must receive initial and ongoing training on applicable policies and procedures relating to PHI as necessary and appropriate for such persons to carry out their functions within the Board.
2. Each employee whose functions are impacted by a material change in the policies and procedures relating to PHI, or by a change in position or job description, must receive training within a reasonable time after the change becomes effective.
3. Training shall include the VentureLINX Board’s policy on imposing sanctions for violations of the HIPAA rules.

3. Changes in Policies and Procedures

VentureLINX shall change its policies and procedures as necessary and appropriate to comply with changes in applicable requirements. Changes shall apply to existing PHI effective on the date of notice of the change.

VentureLINX shall document material changes in policies and notices which reflect such changes. VentureLINX shall retain such documentation for six years or as otherwise mandated by applicable requirements.

4. PERMISSIBLE USES AND DISCLOSURES

In compliance with 45 CFR Part 164 and Ohio law, all uses and disclosures of PHI beyond those otherwise permitted or required by law in Section V below require a signed authorization which conforms to applicable laws. Authorization may be revoked at any time by the person served or legal guardian as applicable if the request to revoke is in writing and to the extent that VentureLINX has not already taken action in reliance thereon.

1. Personal Representative. A personal representative may authorize release of information if proper documentation is present and clearly denotes the enrolled individual’s choice of personal representative.

2. Conditioning Authorizations. VentureLINX may not put conditions on providing treatment, payment, enrollment in the health plan, or eligibility for benefits to an individual based on the provision of an authorization, except:

1. VentureLINX may require an authorization for release of PHI as a condition of determining eligibility and enrollment for services. Conditioning services on the use or disclosure of psychotherapy notes is not permitted.

3. Combining Authorizations. An authorization can permit combining disclosure for more than one type of PHI and purpose except PHI related to psychotherapy notes. Requests exclusively related to psychotherapy notes, however, may be combined. An authorization which has been improperly combined with another authorization or document is invalid.

4. Scope of Disclosure – Minimum Necessary

1. In general, use, disclosure or requests of records must be limited to the minimum which is   reasonably necessary to accomplish the purpose of the use, disclosure or request. The following are exceptions to this general principle:

1. The minimum necessary standard does not apply to disclosures to the individual.

2. When an individual has authorized disclosure, the scope of disclosure shall be in accordance with the authorization.

3. Disclosures required by law or for monitoring purposes shall be made in accordance with the authority seeking the information.

5. USES AND DISCLOSURES FOR WHICH NO RELEASE OR AUTHORIZATION IS REQUIRED

VentureLINX may use or disclose PHI without written release or authorization of the individual as follows and as further set forth in VentureLINX’s procedures:

1. Treatment, Payment, Operations: VentureLINX or its business associates may use PHI for treatment, payment and health care operations without an individual’s release or authorization to the extent that such activities occur within VentureLINX’s programming and provision of services. Access to PHI by staff is permitted when it is necessary:

1. To carry out duties for oversight or management of the program.

2. To ensure health and safety of persons served by VentureLINX’s programs

3. To call upon the staff’s background to develop, review or monitor the individual’s program

4. To assist in the investigations of MUI’s and UI’s

5. To carry out services defined in the individual’s plan

6. As requested by the individual or the authorized representative of the individual

When access is permitted under this policy, the staff will be able to access only the information which is essential to achieve the purpose of the access.

2. Incidental Use or Disclosure: As long as VentureLINX has applied a minimum necessary standard and has developed reasonable safeguards to minimize the occasions of incidental uses and disclosures which might occur as a result of another use or disclosure that is permitted by the rule, such incidental disclosures are permitted.

3. Incidental use or disclosure is not permitted if it is a byproduct of an underlying use or disclosure which violates applicable requirements and VentureLINX’s procedures.

4. Discussions of PHI shall be done in a way that prevents inadvertent disclosure.

5. Other Uses or Disclosures:

1. When required by law.

2. For public health purposes such as reporting communicable diseases, work-related illnesses, or other diseases and injuries permitted by law; reporting births and deaths, and reporting reactions to drugs and problems with medical devices

3. To protect victims of abuse, neglect, or domestic violence.

4. For health oversight activities such as investigations, audits, and inspections.
5. For judicial and administrative proceedings.

6. To coroners, medical examiners, and funeral directors.

7. To reduce or prevent a serious threat to public health and safety.

8. For workers’ compensation or other similar programs if applicable.

6. FORMAL NOTICE OF USES AND DISCLOSURES

VentureLINX shall give and post adequate notice of the uses and disclosures of PHI that may be made by the VentureLINX Board, and of the individual’s rights and the VentureLINX’s legal duties with respect to PHI.

1. An acknowledgement of each individual’s receipt of such notice will be maintained on file.

2. VentureLINX shall retain copies of the notices issued by VentureLINX and any written acknowledgments of receipt of the notice or documentation of good faith efforts to obtain such written acknowledgment. Copies of such notices and other documentation shall be retained for a period of at least six years from the later of the date of creation of the notice or the last effective date of the notice.

3. The notice of privacy practices must be written in plain language and must contain the required elements as specified by the privacy rule.

4. When there is a material change to the uses or disclosures notice, the individual's rights, VentureLINX’s legal duties, or other privacy practices described in the notice, VentureLINX shall provide a notice of such change. Except when required by law, a material change to any term may not be implemented prior to the effective date of the notice reflecting the change. Copies of acknowledgements of revised notices are not required.

5. Electronic Notice: Since VentureLINX maintains a web site, the notice shall be posted on the web site and be made available electronically through the web site.

6. VentureLINX may provide the notice required by this section to an individual by e- mail, if the individual agrees to electronic notice and such agreement has not been withdrawn. If VentureLINX knows that the e-mail transmission has failed, a paper copy of the notice must be provided to the individual.

Notice which is provided in accordance with this section and in a timely manner is sufficient to meet HIPAA requirements.

The individual who is the recipient of electronic notice retains the right to obtain a paper copy of the notice from VentureLINX upon request.

7. INDIVIDUAL’S ACCESS TO PHI

VentureLINX has ensured protection of individual rights to access to PHI, amendment of PHI and accounting of PHI. Those protections are found in VentureLINX’s Confidentiality policy, which has been adopted in accordance with ORC 5126.044. Rights of access apply to records maintained by VentureLINX and its business associates.

8. PHI SAFEGUARDS

The Board shall adopt and implement appropriate administrative, physical, personnel and technical safeguards to reasonably safeguard PHI from intentional or unintentional, unauthorized use or disclosure.

1. VentureLINX shall define what type of PHI is accessible to each employee or position for treatment, payment, operations (TPO) in order to establish mandated clearance levels.

2. Physical safeguards, such as but not limited to locked files, and secluded areas for viewing PHI, shall be provided.

3. Confidentiality officers identified for each program area shall control clearances and access any sensitive information.

4. Technical Security Services: Since VentureLINX or its business associates use communications networks, it shall enforce security standards which include access controls to provide protection of sensitive communications transmissions over open or private networks to prevent interception and interpretation by parties other than the intended recipient.

9. INDIVIDUAL COMPLAINTS AND GRIEVANCES

VentureLINX shall permit associates to make complaints about VentureLINX’s HIPAA policies and procedures and/or VentureLINX’s compliance with those policies and procedures through VentureLINX’s Administrative Resolution of Complaints.

1. The Privacy Officer and other persons designated to receive such complaints shall be notified of each complaint filed through the due process procedures and shall participate in the review of such complaints.

2. VentureLINX shall inform associates who have made a complaint of their right to file a complaint with the Secretary of Health and Human Services. Upon request, the Privacy Officer shall assist the individual in filing a complaint with the Secretary of HHS.

10.  SANCTIONS

VentureLINX shall impose sanctions when VentureLINX is aware that an employee or Business Associate has violated applicable law or VentureLINX’s privacy policy and procedures. All sanctions shall be documented.

1. VentureLINX’s sanctions may vary depending on factors such as the severity of the violation, whether the violation was intentional or unintentional, and whether the violation indicated a pattern of improper use or disclosure of protected health information. Sanctions could range from warning to termination and shall be administered through VentureLINX’s progressive discipline policy.

2. Sanctions may not be applied to whistleblowers, certain victims of crime committed by associates served by VentureLINX, or in a manner which would be reasonably construed as intimidation or retaliation.

1. VentureLINX shall not impose sanctions against an employee or business associate who believes in good faith that VentureLINX has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by VentureLINX potentially endanger one or more associates, workers, or the public; and the disclosure is to:

1. A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of VentureLINX.

2. An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate.

2. VentureLINX may not impose sanctions for disclosure of PHI against an employee who is the victim of a criminal act if the victim discloses PHI to a law enforcement official, provided that:

1. The protected health information disclosed is about the suspected perpetrator of the criminal act

2. The protected health information disclosed is limited to the following information:

1. Name and address;

2. Date and place of birth;

3. Social security number;

4. ABO blood type and Rh factor;

5. Type of injury;

6. Date and time of treatment;

7. Date and time of death, if applicable; and

8. A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or mustache), scars, and tattoos.

11. BUSINESS ASSOCIATES

VentureLINX shall ensure protection of the use, disclosure and creation of associates’ PHI to other persons or entities performing activities on behalf of VentureLINX by entering into Business Associate agreements or Memoranda of Understanding which conform to requirements applicable to BA relationships, unless such disclosure is otherwise permitted under federal or Ohio law.

1. VentureLINX shall review all newly initiated and existing contracts with any person or entity outside the workforce at least annually to determine whether there is a BA relationship and whether the contract meets requirements of HIPAA. An addendum to an existing contract which identified responsibilities and obligations of a BA is permissible.
2. If VentureLINX knows of a pattern or practice of the BA that amounts to a material violation of the agreement, VentureLINX shall attempt to cure the breach or end the violation. If such attempt is unsuccessful, VentureLINX shall terminate the agreement, if feasible, or report the problem to the Office of U.S. Secretary of Health and Human Services.

CEO Signature / Board Approved Date: _____________________________________________________

Effective Date: 10/23/2019