The United States Department of Health and Human Services issued
the Privacy Rule to implement the requirement of the Health Insurance
Portability and Accountability Act of 1996 (HIPAA). The Privacy Rule
standards address the use and disclosure of individually identifiable
health information by organizations subject to the Privacy Rule. It
also addresses standards for individual privacy rights to understand
and control how an individual's health information is used. The Office
of Civil Rights within the United States Department of Health and
Human Services has the responsibility for implementing and enforcing
the Privacy Rule. It is the policy of the City of Millville to comply
with the HIPAA Privacy Rule.
The Privacy Rule protects all individually identifiable health
information held by the City in any form or media, whether electronic,
paper or oral. The Privacy Rule calls this information "protected
health information" (PHI).
The City Administrator must take reasonable steps to safeguard
the protected health information of an employee from any intentional
or unintentional use or disclosure that is in violation of the HIPAA
Privacy Rule. All protected health information of employees or family
members of employees shall be maintained in a file separate from the
official personnel file of the employee and stored in a locked cabinet
during periods of the day and night when access is not required.
The major purpose of the Privacy Rule is to define and limit
the circumstances in which the protected health information of an
employee may be used or disclosed by the City. The City may not use
or disclose protected health information except:
A. As the Privacy Rule permits or requires; or
B. As the employee who is the subject of the information authorizes
in writing.
The authorization must be written in specific terms. All authorizations
must be in plain language and contain specific information regarding
the health information to be disclosed or used, the person disclosing
and receiving the information, the expiration date of the authorization,
the right of the employee to revoke the authorization in writing,
and any other data required by federal law.
A central aspect of the Privacy Rule is the principle of minimum
necessary use and disclosure. The City must make reasonable efforts
to use, disclose and request only the minimum amount of protected
health information needed to accomplish the intended purpose of the
use, disclosure or request. The minimum necessary requirement is not
applicable in any of the following circumstances:
A. Disclosure to or a request by a health care provider for treatment;
B. Disclosure to an individual who is the subject of the information,
or the individual's personal representative;
C. Use or disclosure made pursuant to an authorization;
D. Disclosure to federal officials for complaint investigation, compliance
review or enforcement;
E. Use or disclosure that is required by law; or
F. Use or disclosure required for compliance with HIPAA Transaction
Rule or other HIPAA Administration Simplification Rules.
The City Administrator is designated as the person responsible
for implementing the Workplace Health Information Privacy Policy.
The City Administrator also is the contact person responsible for
receiving employee complaints and providing employees with information
on the privacy practices of the City.
Any employee who believes that their privacy rights have been
violated has the right to complain to the Federal Office of Civil
Rights and to the City Administrator. The employee shall comply with
the Employee Complaint Policy when filing or making a complaint to
the City Administrator.