The United States Department of Health and Human Services issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Privacy Rule standards address the use and disclosure of individually identifiable health information by organizations subject to the Privacy Rule. It also addresses standards for individual privacy rights to understand and control how an individual's health information is used. The Office of Civil Rights within the United States Department of Health and Human Services has the responsibility for implementing and enforcing the Privacy Rule. It is the policy of the City of Millville to comply with the HIPAA Privacy Rule.
The Privacy Rule protects all individually identifiable health information held by the City in any form or media, whether electronic, paper or oral. The Privacy Rule calls this information "protected health information" (PHI).
The City Administrator must take reasonable steps to safeguard the protected health information of an employee from any intentional or unintentional use or disclosure that is in violation of the HIPAA Privacy Rule. All protected health information of employees or family members of employees shall be maintained in a file separate from the official personnel file of the employee and stored in a locked cabinet during periods of the day and night when access is not required.
The major purpose of the Privacy Rule is to define and limit the circumstances in which the protected health information of an employee may be used or disclosed by the City. The City may not use or disclose protected health information except:
A. 
As the Privacy Rule permits or requires; or
B. 
As the employee who is the subject of the information authorizes in writing.
The authorization must be written in specific terms. All authorizations must be in plain language and contain specific information regarding the health information to be disclosed or used, the person disclosing and receiving the information, the expiration date of the authorization, the right of the employee to revoke the authorization in writing, and any other data required by federal law.
A central aspect of the Privacy Rule is the principle of minimum necessary use and disclosure. The City must make reasonable efforts to use, disclose and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure or request. The minimum necessary requirement is not applicable in any of the following circumstances:
A. 
Disclosure to or a request by a health care provider for treatment;
B. 
Disclosure to an individual who is the subject of the information, or the individual's personal representative;
C. 
Use or disclosure made pursuant to an authorization;
D. 
Disclosure to federal officials for complaint investigation, compliance review or enforcement;
E. 
Use or disclosure that is required by law; or
F. 
Use or disclosure required for compliance with HIPAA Transaction Rule or other HIPAA Administration Simplification Rules.
The City Administrator is designated as the person responsible for implementing the Workplace Health Information Privacy Policy. The City Administrator also is the contact person responsible for receiving employee complaints and providing employees with information on the privacy practices of the City.
A. 
All access to protected health information maintained on file by the City must be through the office of the City Administrator. No employees of the City shall have access to protected health information except as required to perform their official duties.
B. 
Any employee having access to protected health information shall be responsible to maintain the confidentiality of it. No employee shall discuss protected health information of another employee with anyone except those persons who are authorized to receive the information and then only in the context of performing their official duties.
C. 
Managers and supervisors shall not question employees about their medical conditions. Instead, all such inquiries and matters shall be referred to the City Administrator for appropriate processing in accordance with the policies and procedures of the City and applicable federal law, rules and regulations.
Any employee who believes that their privacy rights have been violated has the right to complain to the Federal Office of Civil Rights and to the City Administrator. The employee shall comply with the Employee Complaint Policy when filing or making a complaint to the City Administrator.