Jerome Joint School District No. 261

NONINSTRUCTIONAL OPERATIONS 8610

Health Insurance Portability and Accountability Act

The Board has determined that it meets the definition of a hybrid of covered entities under the Health Insurance

Portability and Accountability Act (HIPAA) since the district offers health-care provider programs and services that

include electronic billing for the reimbursement of services under Idaho Medicaid programs, or contracts with

another entity to provide such services, it is subject to HIPAA. In all electronic transactions involving student

education records information, the district will adhere to the transaction requirements of HIPAA and the

confidentiality requirements of the Family Education Rights and Privacy Act (FERPA).

Additionally, because the district self-insures a health plan and self-administers an Internal Revenue Service

Section 125 plan it also meets the health plan definition under HIPAA. Accordingly, the district will safeguard the

protected health information of employees from use or disclosure that may violate standards and implementation

specifications to the extent required by law.

As a covered entity, the district will meet the national electronic transaction standards and applicable

requirements of federal law designed to ensure the security of projected health information of employees and

student education record information created or received by the district.

In order to meet the notice requirements under the health-care provider provisions of the law, information will be

provided to students and parents of their rights under FERPA in accordance with established procedures.

The superintendent will designate an individual responsible for responding to HIPAA inquires, complaints and for

providing adequate notice of employee rights and district duties under the health plan provisions of the Act.

Notice will include the privacy provisions of the law, and uses of employee protected health information and

disclosures that may be made by the district.

Training will be provided to all current staff and new employees determined by the district to have access to the

protected health information of employees and student education records. Training will be provided within a

reasonable period of time after the individual’s hiring, and to those employees when their duties may be impacted

by a change in the district’s policy and/or procedures.

Individuals who believe their privacy rights have been violated may file a complaint in accordance with established

district procedures. Employee complaints may also be filed directly with the U.S. Secretary of Health and Human

Services. There shall be no retaliation by the district against any person who files a complaint or otherwise

participates in an investigation or inquiry into an alleged violation of an individual’s protected privacy rights. All

complaints received will be promptly investigated and documented, including their final disposition.

The superintendent will ensure that satisfactory assurance has been obtained from any business associate

performing HIPAA-covered activities or functions on behalf of the district that the protected health information it

receives from the district will be protected. Such assurance will be in the form of a written agreement, or may be

included as a part of the district’s contract with the business associate.

Employees in violation of this policy or procedures established to safeguard student education records information

and the projected health information of employees will be subject to discipline up to and including dismissal.

The superintendent is directed to ensure an assessment of district operations is conducted to determine the

extent of the district’s responsibilities as a covered entity under HIPAA and to develop internal controls and

procedures necessary to implement this policy and meet the requirements of the law. The procedures shall include

provisions for record keeping, documentation of the district’s compliance efforts and appropriate administrative,

technical and physical safeguards to protect the privacy of student education records and employee protected

health information and to ensure that any request is limited to information reasonably necessary to accomplish

the purpose for which the request is made.

In the event of a change in the law that may impact this policy or established district procedures, the

superintendent shall ensure appropriate revisions are recommended for Board approval, necessary changes are

implemented and notification is made to staff and others, as appropriate.

This policy and any other policies, procedures, or directions relating to the implementation of the Health Insurance

Portability and Accountability Act of 1996 are to be documented in written form. This documentation may be

electronic. Such records are to be retained for at least six (6) years following their creation or last date effective,

whichever is later. These documents will be made available to those responsible for implementing the procedures

to which the documentation pertains.

This documentation shall be reviewed periodically, and updated as needed, in response to environmental or

operational changes affecting the security of the electronic protected health information.

Legal Reference: Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, 42 U.S.C. 1320d-

1320d-8; 45 CFR Parts 160 and 164.

Health Insurance Portability and Accountability Act of 1996 regulations, 45 C.F.R 164.316

Family Educational Rights and Privacy Act, 20 U.S.C. Section 1232g; 34 CFR Part 99 (2000).

Policy History:

Adopted on: 12/19/2006

Revised on: 12/18/2012