TABLE OF CONTENTS
1. City of Sarasota HIPAA Privacy Policy
2. Reporting Illness and the HIPAA guidelines
3. Frequently Asked Questions
4. Forms
a. Employee Confidentiality Agreement
b. Authorization for Release of Health Information
c. Individual Request not to Use or Disclose Health Information
d. Individual Request to Correct or Amend a Record
e. Response to Amendment or Correction Health Information Request
f. Individual Request to Inspect Health Information
g. Response to Inspection Request
5. Appendix
a. Notice of Privacy Practices
b. Privacy Officer Responsibilities
CITY OF SARASOTA HIPAA PRIVACY POLICY
Purpose: The following privacy policy is adopted to ensure
that the City of Sarasota Employee Health Benefit Plan complies
fully with all federal and state privacy protection laws and
regulations. Employees' Protected Health Information (PHI)
is of paramount importance to the City of Sarasota. Violations
of any of these provisions may result in disciplinary action
up to and including termination of employment and possible
referral for criminal prosecution.
Effective Date: This policy is in effect as of April 14, 2003.
Expiration Date: This policy remains in effect until superseded or cancelled.
Definitions:
Business Associate (BA): A person or organization that performs a function
or activity on behalf of a covered entity, but is not part
of the covered entity's workforce. A business associate can
also be a covered entity in its own right. Also see Part II,
45 CFR 160.103.
Covered Entity (CE): A covered entity is a health plan, a health care
clearinghouse, or a health care provider that transmits any
health information in electronic form in connection with a
HIPAA transaction. Also see Part II, 45 CFR 160.103.
Disclosure: Release or divulgence of information by an entity to persons
or organizations outside of that entity. Also see Part II,
45 CFR 164.501.
Group Health Plan: Under HIPAA this is an employee welfare benefit
plan that provides for medical care and that either has 50
or more participants or is administered by another business
entity. Also see Part II, 45 CFR 160.103.
Health and Human Services (HHS): The federal government department
that has overall responsibility for implementing HIPAA.
Health Insurance Portability and Accountability Act of 1996 (HIPAA):
A Federal law that allows persons to qualify immediately for
comparable health insurance coverage when they change their
employment relationships. Title II, Subtitle F, of HIPAA gives
HHS the authority to mandate the use of standards for the
electronic exchange of health care data; to specify what medical
and administrative code sets should be used within those standards;
to require the use of national identification systems for
health care patients, providers, payers (or plans), and employers
(or sponsors); and to specify the types of measures required
to protect the security and privacy of personally identifiable
health care information. This law is also known as the Kennedy-Kassebaum
Bill, the Kassebaum-Kennedy Bill, K2, or Public Law 104-191.
Hybrid Entity: A voluntary designation for a single covered entity
that performs both covered and non-covered functions. A covered
entity may designate itself a hybrid entity to avoid the imposition
of the privacy rules on its non-health care related functions.
Office for Civil Rights: The HHS entity responsible for enforcing
the HIPAA privacy rules.
Plan Sponsor: A plan sponsor is an entity that sponsors a health
plan. This can be an employer, a union, or some other entity.
Also see Part II, 45 CFR 164.501.
Privacy Officer: The individual who is responsible for maintaining,
and revising when necessary, the privacy policies and procedures
of the covered entity, or covered components of a hybrid entity.
Protected Health Information (PHI): Individually identifiable information,
whether it is in electronic, paper or oral form that is created
or received by or on behalf of a covered entity or its health
care component.
Workforce: Under HIPAA, this means employees, volunteers, trainees, and
other persons under the direct control of a covered entity,
whether or not they are paid by the covered entity. Also see
Part II, 45 CFR 160.103.
Uses and Disclosures of Protected Health Information
It is the policy of the City of Sarasota that protected health
information (PHI) may not be used or disclosed except when
at least one of the following conditions is true:
1. The use or disclosure is for treatment, payment or health
care operations.
2. The individual who is the subject of the information (i.e.
the "subject individual") has authorized the use
or disclosure.
3. The individual who is the subject of the information has
consented to the use or disclosure.
4. The individual who is the subject of the information does
not object to the disclosure and the disclosure is to persons
involved in the health care of the individual.
5. The disclosure is to the individual who is the subject
of the information or to the Department of Health and Human
Services for compliance-related purposes.
6. The use or disclosure is for one of the HIPAA "public
purposes" (i.e. required by law, etc.).
Deceased Individuals
It is the policy of the City of Sarasota that privacy protections
extend to information concerning deceased individuals.
Notice of Privacy Practices
It is the policy of the City of Sarasota that a notice of privacy
practices must be published. This notice and any revisions
to it will be provided to all subject individuals at the earliest
practicable time, and all uses and disclosures of protected
health information will be done in accord with this organization's
notice of privacy practices.
Restriction Requests
It is the policy of the City of Sarasota that serious consideration
must be given to all requests for restrictions on uses and
disclosures of protected health information as published in
this organization's notice of privacy practices. It is furthermore
the policy of this organization that if a particular restriction
is agreed to, then this organization is bound by that restriction.
Minimum Necessary Disclosure of Protected Health Information
It is the policy of the City of Sarasota that all disclosures
of protected health information must be limited to the minimum
amount of information needed to accomplish the purpose of
the disclosure. It is also the policy of this organization
that all requests for protected health information must be
limited to the minimum amount of information needed to accomplish
the purpose of the request.
Access to Protected Health Information
It is the policy of the City of Sarasota that access to protected
health information must be granted to each employee, contractor
or business associate based on the assigned job functions
of the employee, contractor or business associate. It is also
the policy of this organization that such access privileges
should not exceed that necessary to accomplish the assigned
job function.
Access to Protected Health Information by the Subject Individual
It is the policy of the City of Sarasota that access to protected
health information may be granted to the person who is the
subject of such information when such access is requested.
The Privacy Officer may deny access in certain limited instances.
Amendment of Incomplete or Incorrect Protected Health Information
It is the policy of the City of Sarasota that incorrect protected
health information maintained by this organization should
be corrected in a timely fashion. It is also the policy of
this organization that notice of such corrections will be
given to any organization with which the incorrect information
has been shared. There are certain limited instances in which
information may not be amended by this organization.
Access by Personal Representatives
It is the policy of the City of Sarasota that access to protected
health information shall be granted to personal representatives
of subject individuals as specified by subject individuals.
Confidential Communications Channels
It is the policy of the City of Sarasota that confidential communications
channels be used, as requested by subject individuals, to
the extent possible.
Disclosure Accounting
It is the policy of the City of Sarasota that an accounting of
all disclosures of protected health information, with the
exception of disclosures for treatment, payment and Health
Plan operations, be given to subject individuals whenever
such an accounting is requested.
Complaints
It is the policy of the City of Sarasota that all complaints
relating to the protection of health information be investigated
and resolved in a timely fashion. Complaints shall be directed
to the Privacy Officer.
Prohibited Activities
It is the policy of the City of Sarasota that no employee, contractor
or business associate may engage in any intimidating or retaliatory
acts against persons who file complaints or otherwise exercise
their rights under HIPAA regulations. It is also the policy
of this organization that no employee, contractor or business
associate may condition treatment, payment, enrollment or
eligibility for benefits on the provision of an authorization
to disclose protected health information.
Responsibility
It is the policy of the City of Sarasota that the responsibility
for designing, implementing, maintaining and revising when
necessary procedures to execute this policy lies with the
Privacy Officer.
Verification of Identity
It is the policy of the City of Sarasota that the identity of
all persons who request access to protected health information
is verified before such access is granted.
Mitigation
It is the policy of the City of Sarasota that the effects of
any unauthorized use or disclosure of protected health information
be mitigated to the extent possible.
Business Associates
It is the policy of the City of Sarasota that business associates
must be contractually bound to protect health information
to the same degree as set forth in 45 CFR 160 and 164 and
in this policy.
Cooperation with Privacy Oversight Authorities
It is the policy of the City of Sarasota that oversight agencies
such as the Office for Civil Rights of the Department of Health
and Human Services be given full support and cooperation in
their efforts to ensure the protection of health information
within this organization. It is also the policy of this organization
that all personnel must cooperate fully with all privacy compliance
reviews and investigations.
Employment Purposes
It is the policy of the City of Sarasota that PHI will not
be used for any employment-related purpose other than those
related to treatment, payment or health care operations.
EXHIBIT A
PRIVACY PROCEDURES
Effective Date: These procedures are in effect as of April 14, 2003.
Expiration Date: These procedures remain in effect until superseded or
cancelled.
Procedures to accomplish the Privacy Policy
o All forms, policies and procedures will be available on the
City of Sarasota Internet site, through the Human Resources
representatives or the Privacy Officer.
o Reasonable safeguards must be used to protect the security
of written, electronic and oral PHI. To that end, employees
should:
· Use password protected screen savers;
· Do not leave written PHI in plain view of those who
do not need access;
· Do not discuss PHI in the presence of those who are
not authorized to possess the PHI;
· Store PHI in locked cabinets or other secure areas
when not in use;
· Use a cross-cut shredder to destroy PHI when necessary;
· Maintain a secure facsimile location;
· Email and facsimile communications containing PHI should
contain a confidentiality statement.
Access, Inspection and Copying
1. The Human Resources representative or Privacy Officer will
provide an original form for an employee to complete when
an employee desires to access, inspect or copy his or her
PHI.
2. The Human Resources representative will respond to employees'
requests and questions concerning access, inspection and copying
PHI. In addition, the Human Resources representative will
distribute the form to the employee upon request. At any point
the Human Resources representative may refer the employee
to the Privacy Officer for additional information.
3. Once the employee has submitted the request in writing (using
the City's form is optional), the Human Resources representative
must verify that the employee's signature matches the signature
on file. Alternatively, the employee may sign the request
in the presence of the Human Resources representative.
4. Upon receipt of the verified written request, the Human Resources
representative should forward the request to the Privacy Officer
for review.
5. The Privacy Officer must review the employee's request and
respond to the employee within thirty (30) days from the date
of the request. The Privacy Officer can request an additional
thirty (30)-day extension as long as the request is made to
the employee in writing with the reason for the delay clearly
explained.
6. The Privacy Officer shall agree to all reasonable requests.
If access is denied, the Privacy Officer must provide the
employee with a written explanation for the denial as well
as a description of the employee's right to appeal.
7. When the employee has requested to access, inspect or copy
his or her PHI and the request has been accepted, the Privacy
Officer or other authorized City representative should accompany
the employee to a private area to inspect the records. After
the employee inspects the records, the Privacy Officer, or
other authorized City representative, will note in the record
the date and time of the inspection, and whether the employee
made any requests for amendments or changes to the record.
8. When the employee's request to copy his or her PHI has been
accepted, the Human Resources representative should copy his
or her record within fourteen (14) days. The employee shall
be responsible for reasonable copy charges, which will be
communicated to the employee prior to any charges being incurred.
Requesting a Restriction
1. The Human Resources representative or Privacy Officer will
provide an original form for an employee to complete when
an employee desires to request a restriction on certain uses
and disclosures of his or her PHI.
2. Once the employee has submitted the request in writing (using
the City's form is optional), the Human Resources representative
must verify that the employee's signature matches the signature
on file. Alternatively, the employee may sign the request
in the presence of the Human Resources representative.
3. Upon receipt of the verified written request, the Human Resources
representative should forward the request to the Privacy Officer
for review.
4. The Privacy Officer must review the employee's request and
respond to the employee within thirty (30) days from the date
of the request. The Privacy Officer can request an additional
thirty (30)-day extension as long as the request is made to
the employee in writing with the reason for the delay clearly
explained.
5. The Privacy Officer shall agree to all reasonable requests.
If the restriction is denied, the Privacy Officer must provide
the employee with a written explanation for the denial as
well as a description of the employee's right to appeal.
Amendments
1. The Human Resources representative or Privacy Officer will
provide an original form for an employee to complete when
an employee desires to amend his or her PHI.
2. Once the employee has submitted the request in writing (using
the City's form is optional), the Human Resources representative
must verify that the employee's signature matches the signature
on file. Alternatively, the employee may sign the request
in the presence of the Human Resources representative. The
employee must supply a reason to support the request.
3. Upon receipt of the verified written request, the Human Resources
representative should forward the request to the Privacy Officer
for review.
4. The Privacy Officer must review the employee's request and
respond to the employee within thirty (30) days from the date
of the request. The Privacy Officer can request an additional
thirty (30)-day extension as long as the request is made to
the employee in writing with the reason for the delay clearly
explained.
5. If the Privacy Officer accepts the amendment request, the
PHI correction shall be made and communicated to any parties
to which the information was disclosed on or after April 14,
2003. The amendment shall not be communicated to any party
to which the disclosure date was greater than six years prior
to the amendment acceptance.
6. If the Privacy Officer denies the request, the employee may
submit a short statement of dispute, which shall be included
in any future disclosure of PHI.
Accounting of Disclosures
1. An employee must request an accounting of disclosures in writing.
2. Once the employee has submitted the request in writing, the
Human Resources representative must verify that the employee's
signature matches the signature on file. Alternatively, the
employee may sign the request in the presence of the Human
Resources representative.
3. Upon receipt of the verified written request, the Human Resources
representative should forward the request to the Privacy Officer
for review.
4. The Privacy Officer must review the employee's request and
respond to the employee within thirty (30) days from the date
of the request. The Privacy Officer can request an additional
thirty (30)-day extension as long as the request is made to
the employee in writing with the reason for the delay clearly
explained.
5. An employee may request an accounting for disclosures made
up to six years before the date of the request but not for
disclosures made prior to April 14, 2003. The first accounting
requested within a twelve-month period will be at no charge
to the employee. Any subsequent requests within the twelve-month
period shall incur a reasonable charge for provision of the
list. The employee shall be notified of the charges before
any costs are incurred.
Request for Confidential Communications
1. An employee may request receipt of communication of PHI in
a certain time or manner. The request must be in writing and
must specify how or where the employee requests to be contacted.
2. Once the employee has submitted the request in writing, the
Human Resources representative must verify that the employee's
signature matches the signature on file. Alternatively, the
employee may sign the request in the presence of the Human
Resources representative.
3. Upon receipt of the verified written request, the Human Resources
representative should forward the request to the Privacy Officer
for review.
4. The Privacy Officer must review the employee's request and
respond to the employee within thirty (30) days from the date
of the request. The Privacy Officer can request an additional
30-day extension as long as the request is made to the employee
in writing with the reason for the delay clearly explained.
Complaints
1. If an employee believes his or her privacy rights have been
violated, the employee must submit a complaint in writing
to the Privacy Officer, either directly or through the Human
Resources representative.
2. The Privacy Officer will evaluate the complaint and contact
the employee in writing within thirty (30) days with a response
and suggested resolution of the complaint.
3. If the concern is not resolved to the employee's satisfaction,
the employee should be advised of his or her right to file
a written complaint with the Secretary of the United States
Department of Health and Human Services.
Maintenance of Records
1. All PHI shall be maintained for a minimum of six (6) years
from the date of its creation or the date when it was last
in effect, whichever is later, per HIPAA regulations.
2. Any statute or law that mandates more stringent records
retention rules shall supersede HIPAA with regard to maintaining
records.
Security Provisions
1. The Privacy Officer shall be responsible for the design and
implementation of policies and procedures to comply with the
HIPAA Security Rules by the compliance date set forth by the
Department of Health and Human Services.
Training
1. The Privacy Officer shall be responsible for developing, maintaining
and delivering training to achieve HIPAA compliance. Training
shall be provided to all current and newly hired employees
who handle or maintain PHI, including but not limited to all
employees of the Human Resources Department.
2. Training shall be provided on an on-going basis, as needed,
to provide relevant information regarding HIPAA compliance
rules and regulations.
Disclosure Tracking
1. The Privacy Officer shall be responsible for implementing
and maintaining a PHI disclosure tracking mechanism to provide
an accounting of all PHI disclosures. The Privacy Officer
shall provide instruction to the Human Resources representatives
regarding the process of documenting any PHI disclosures.
HIPAA Violations
1. Any employee who fails to comply with HIPAA policies or procedures
shall be subject to disciplinary action as outlined in the
City of Sarasota personnel policies in effect on the date
of the violation.
Reporting Illness and the HIPAA guidelines
City of Sarasota employees that receive or review information regarding
an employee's illness will be trained regarding HIPAA (Health
Insurance Portability and Accountability Act of 1996) rules
and regulations.
Training:
The following positions require training regarding HIPAA,
PHI (Protected Health Information), and our illness reporting
procedures.
· All Managers
· All Supervisors
· All administrative assistants
· All human resources personnel
· All payroll personnel
· All personnel that use or have access to the benefits
section of the ABRA database.
The training will be available on the Internet or if needed, classes
can be arranged.
Reporting Illness:
Each department is responsible for developing a call-in procedure
for employees. The procedure should contain the following:
· The procedure should identify how the employee should notify
the department of an absence.
· Ideally, the contact person should be the employee's supervisor.
If this is not possible, the contact person must be an individual
that has been trained in HIPAA.
Absence from work is to be reported on the current payroll. Payroll
records should indicate an illness but should not include
any reference to cause, type or seriousness of the employee's
illness. Payroll records should not include any doctor's notes
or any other paperwork that would reference any PHI. Appropriate
allied paperwork should be submitted to the attention of the
Director of Human Resources in an envelope.
Documentation:
All documentation relating to illness must be kept in a separate
file. At no time should documentation relating to illness
be intermingled with an individual's personnel file in the
Department or Human Resources.
It is the employee's responsibility to get the necessary medical
statements or other documentation to their supervisor in a
timely manner. It is the supervisor's responsibility to treat
this information as confidential and to follow the guidelines
in the City of Sarasota's HIPAA Privacy Policy.
Employee City Wide Communication:
One of the benefits of working at the City of Sarasota is
the close-knit bond that is developed over time with co-workers.
It has been commonplace for employees to send e-mails advising
of births, deaths in the family, or illness. We will not be
able to send out this type of communication unless we have
obtained a signed authorization on an "Authorization
for Release of Health Information" form. This form will
be required to be signed before dissemination and the e-mail
should contain the following disclosure:
"The employee mentioned in this e-mail has approved the dissemination
of the following information."
The original of the authorization form must be sent to Human Resources
for tracking purposes.
Frequently Asked Questions
General
Q. What is HIPAA?
A. The Health Insurance Portability and Accountability Act
(HIPAA) of 1996 was enacted by Congress to improve portability
and continuity of health insurance coverage, require new safeguards
to protect the security and confidentiality of protected health
information and to simplify the administration of healthcare.
Q. What is protected health information?
A. Protected health information (PHI) is any medical record
or other individually identifiable health information used
or disclosed by a healthcare provider, health plan or healthcare
clearinghouse in any form, whether written, electronic or
oral.
Q. When does the HIPAA privacy rule go into effect?
A. Covered entities must comply with HIPAA by April 14, 2003.
Q. Is the City of Sarasota a Covered Entity?
A. Yes, because the City of Sarasota administers a self-insured
health plan it is considered a Covered Entity and, therefore,
must comply with all rules pertaining to HIPAA.
Notice of Privacy Practices
Q. Why is there a Notice of Privacy Practices?
A. The Notice of Privacy Practices (NPP) informs you how PHI
may be used and disclosed. It also explains how you can get
access to your PHI, what the City of Sarasota is doing to
protect it, and what rights you have regarding release of
your PHI.
Q. How does the NPP change how my PHI is protected?
A. Most organizations have been left to their best judgment
as to what policies and/or procedures to adopt and how to
apply standards for the use and sharing of PHI. The NPP does
not necessarily change what is done to secure PHI but rather
formalizes and educates you about the process.
Q. Where do I go in order to get this Notice of Privacy Practices?
A. The Notice of Privacy Practices will be distributed through
your department. If for some reason you did not receive a
copy, you may contact the Privacy Officer or download a copy
from the Human Resources web site at www.sarasotagov.com.
The form is listed on the Human Resources Department page
under major documents in the HIPAA section.
Use and Disclosure of Protected Health Information
Q. Must I authorize the City of Sarasota to use my protected
health information (PHI) for treatment, payment, and healthcare
operation (TPO) purposes?
A. No. The City of Sarasota may use and disclose your PHI for
treatment, payment and health plan operational purposes without
getting your authorization.
Q. How do I access, inspect, amend or obtain a copy of my PHI?
A. You must submit a written request to the Privacy Officer.
Forms are available from Human Resources or on-line at the
above-referenced web site.
Q. Why do I need to sign an acknowledgement that I have received
the NPP?
A. HIPAA regulations require that Covered Entities notify
their employees of their rights and document that they
have received a copy of the NPP.
Q. Does my acknowledgement of receipt of the NPP authorize use
or disclosure of my PHI?
A. No. Separate authorization must be obtained for any use
of PHI that is not related to treatment, payment, or plan
operations. Such instances rarely, if ever, occur.
Q. What is the difference between a "use" of my
PHI and a "disclosure" of my PHI?
A. "Use" refers to the sharing of information within
the health plan that maintains the PHI. A "disclosure"
refers to when PHI is shared with an organization other than
the health plan.
Q. Will I be told about any activity or request made by others
to have my medical files?
A. Not necessarily. There are instances where prior authorization
must be obtained. However, the NPP identifies several examples
of situations where PHI can be released without your prior
consent. Please refer to that document for specific details
about these events.
Q. Will the third party claims administrator have access to
my medical files?
A. Yes, in the course of treatment, payment or healthcare
operations but only that amount of health information necessary
to meet their requirements.
Complaints
Q. What do I do if I think my information privacy rights have
been violated?
A. You must submit a written complaint to the Privacy Officer.
A form is available from your Human Resources representative
and on-line at the above-referenced web site.
Q: How do I identify my Privacy Officer?
A: Please contact the Human Resources Department.
EMPLOYEE CONFIDENTIALITY AGREEMENT OF THE CITY OF SARASOTA
I, (PRINT NAME) __________________________, have read and
understand the City of Sarasota policies regarding the privacy
of individually identifiable health information (or protected
health information (PHI)), as mandated by the Health Insurance
Portability and Accountability Act of 1996 (HIPAA). In addition,
I acknowledge that I have received training in City of Sarasota
policies concerning PHI use, disclosure, storage and destruction
as required by HIPAA.
In consideration of my employment or compensation from the
City of Sarasota, I hereby agree that I will not at any time
- either during my employment or association with the City
of Sarasota or after my employment or association ends - use,
access or disclose PHI to any person or entity, internally
or externally, except as is required and permitted in the
course of my duties and responsibilities with the City of
Sarasota, as set forth in the City of Sarasota's privacy policies
and procedures or as permitted under HIPAA. I understand that
this obligation extends to any PHI that I may acquire during
the course of my employment or association with the City of
Sarasota, whether in oral, written or electronic form and
regardless of the manner in which access was obtained.
I understand and acknowledge my responsibility to apply the
City of Sarasota's policies and procedures during the course
of my employment or association. I also understand that unauthorized
use or disclosure of PHI will result in disciplinary action,
up to and including the termination of employment or association
with the City of Sarasota and the imposition of civil penalties
and criminal penalties under applicable federal and state
law, as well as professional disciplinary action as appropriate.
I understand that this obligation will survive the termination
of my employment or end of my association with the City of
Sarasota, regardless of the reason for such termination.
__________________________________________ Date _________________________
Signature
AUTHORIZATION FOR RELEASE OF HEALTH INFORMATION CITY OF SARASOTA
I _______________________________ [Print Employee Name] hereby
authorize the use or disclosure of my health information as
described in this authorization.
(1) Specific person/organization (or classes of persons) authorized
to provide the information:
_________________________________________________________________________________________
(2) Specific person/organization (or class of persons) authorized
to receive and use the information:
__________________________________________________________________________________________
(3) Specific description of the information:
__________________________________________________________________________________________
(4) Purpose of the request:
(Please state the purpose of the request below. If you do
not wish to state a purpose, please state, "At the request
of the individual.")
__________________________________________________________________________________________
(5) Right to revoke: I understand that I have the right to
revoke this authorization at any time by notifying the City
of Sarasota in writing at P.O. Box 1058, Sarasota, FL 34230.
I understand that the revocation is only effective after it
is received and logged by the City of Sarasota. I understand
that any use or disclosure made prior to the revocation under
this authorization will not be affected by a revocation.
(6) I understand that after this information is disclosed,
federal law might not protect it and the recipient might re-disclose
it.
(7) I understand that my initial and continued employment
and position are subject to my agreement to this authorization,
and any additional authorization the City of Sarasota requests.
(8) I understand that I am entitled to receive a copy of this
authorization.
(9) I understand that this authorization will expire when
my employment with the City of Sarasota terminates.
Signature of Employee ______________________________________ Date____________________
Privacy Officer Signature_____________________________________________Date____________________
Personal Representatives section
If a Personal Representative executes this form, that Representative
warrants that he or she has authority to sign this form on
the basis of:
CITY OF SARASOTA INDIVIDUAL REQUEST NOT TO USE OR DISCLOSE HEALTH
INFORMATION
I understand that the City of Sarasota Employee Health Benefit
Plan group health plan may use and disclose protected health
information about me for purposes of health care treatment,
payment and health care operations without my consent. I request
to restrict use and disclosure of protected health information
concerning health care treatment, payment or health care operations
about me by the City of Sarasota Employee Health Benefit Plan
group health plan in accordance with the Health Insurance
Portability and Accountability Act of 1996 (HIPAA).
Group Health Plan Not Required to Agree
I understand that the City of Sarasota Employee Health Benefit
Plan group health plan is not required to agree to this restriction.
Termination of Restriction
I understand that if the City of Sarasota Employee Health
Benefit Plan group health plan agrees to this restriction,
either the Plan or I may terminate this restriction at any
time. The termination of the restriction is only effective
for future uses and disclosures.
Emergency Treatment Exception
I understand that if protected health information must be
used or disclosed to provide emergency treatment for me, then
this restriction is void.
Questionnaire
Requestor: Please complete all of the following questions.
If the question is not applicable, mark N/A on the answer
line.
(1) I request the following information be restricted [description
of information]:
______________________________________________________________________________________
______________________________________________________________________________________
(2) I request that use and disclosure of the above-described
information be restricted in the following manner [description
of restriction]:
______________________________________________________________________________________
______________________________________________________________________________________
(3) I request that my protected health information not be
disclosed to the following individuals or entities [list individuals
or entities to which information would not be disclosed]:
______________________________________________________________________________________
______________________________________________________________________________________
I understand that if a restriction is not specifically listed
above and agreed to in writing by the group health plan, it
will not be effective.
Signature:
___________________________________ Date: _______________
CITY OF SARASOTA INDIVIDUAL REQUEST TO CORRECT OR AMEND A
RECORD
I request the City of Sarasota Employee Health Benefit Plan
group health plan to amend the protected health information
in its designated record set.
Specific Statement of Amendment Request
________________________________________________________________________________________
________________________________________________________________________________________
________________________________________________________________________________________
Specific Reason for Amendment Request
________________________________________________________________________________________
________________________________________________________________________________________
________________________________________________________________________________________
I understand that if the protected health information was
not created by the City of Sarasota Employee Health Benefit
Plan group health plan, the City of Sarasota Employee Health
Benefit Plan group health plan is not required to honor my
request. For example, if the information I wish to amend is
in the medical report created by my physician, I must ask
the physician - not the plan - to amend the report. I also
understand that if the information is not available for my
inspection, is not part of the plan's designated record set
or is already accurate and complete, I cannot amend the information.
I understand that the group health plan will respond to my request
within 60 days.
Signature: _____________________________________ Date: ________________
CITY OF SARASOTA RESPONSE TO AMENDMENT OR CORRECTION HEALTH
INFORMATION REQUEST
Grant
Your request to amend or correct your health information has been
granted. The Plan will make an appropriate amendment to the
designated record set.
You must provide the Plan with the names of any persons to which
you wish to provide the amended information. The Plan then
will make reasonable efforts to inform these individuals -
and persons that the Plan knows may have relied or could rely
on the information - of the amendment within a reasonable
time.
Need for Extension of Time
The City of Sarasota Employee Health Benefit Plan group health
plan received your request to amend health information on
____________________. The Plan has evaluated your request
to amend health information. A delay in action is necessary
for the following reason:
_________________________________________________________________________________________
_________________________________________________________________________________________
The group health plan will respond to your request by _______________,
no later than 60 days from the date of the request.
Denial of Amendment
The group health plan received your request to amend health information
on ___________________. Your request is denied for the following
reason:
_________________________________________________________________________________________
_________________________________________________________________________________________
Statement of Disagreement
You have the right to file a written statement disagreeing with
the denial of amendment. The statement of disagreement must
be limited to two single-sided 8-1/2 x 11 pages. The statement
of disagreement should be filed within 60 days of this notice
with the Human Resources Department. The Plan has the right
to prepare a rebuttal statement to your statement of disagreement.
If it does so, you will receive a copy.
If you do not submit a statement of disagreement, you may request
that the Plan provide your request for amendment and this
denial of amendment with any future disclosures of protected
health information that is the subject of this request.
You may file a complaint regarding this decision with the group
health plan or the U.S. Department of Health and Human Services.
If you file a complaint with the group health plan, please
file it in writing with the Human Resources Department.
INDIVIDUAL REQUEST TO INSPECT HEALTH INFORMATION
I request to review health information held about me in the
_______________________ City of Sarasota Employee Health Benefits
Plan group health plan's "designated record set"
in accordance with the Health Insurance Portability and Accountability
Act of 1996 (HIPAA). A "designated record set" includes
information such as medical records; billing records; enrollment,
payment, claims adjudication and health plan case or medical
management record systems; or records used to make decisions
about individuals.
I understand that the group health plan has 30 days to respond
to this request, and that if someone else holds the information
or it is off-site, the response time is 60 days.
I request that the information be provided in the following
format: (circle one)
Paper
Electronic
I agree to pay any fees for copying or summarizing my health
information. Fees will be reasonable and cost-based, and include
only the cost of copying, postage, and preparation of a summary
(if I agree to a summary).
I understand that this request does not apply to certain health
information, including: (1) information that is not held in
the designated record set; (2) psychotherapy notes; (3) information
compiled in reasonable anticipation of or for litigation;
and (4) other information not subject to the right to access
information under HIPAA.
Signature ______________________________________Date__________________
CITY OF SARASOTA RESPONSE TO INSPECTION REQUEST
Grant
Your request to access your health information has been granted.
Access will be provided at the Department of Human Resources.
Need for Extension of Time
The group health plan received your request to access health information
on ____________________.
The group health plan has evaluated your request to access health
information. A delay in providing the information is necessary
for the following reason:
________________________________________________________________________________________
________________________________________________________________________________________
The group health plan will respond to your request by ____________
[list date that is no later than 60 days from the date of
the request].
Denial of Access
The group health plan received your request to access health information
on __________________. Your request is denied for the following
reason:
_________________________________________________________________________________________
_________________________________________________________________________________________
You may file a complaint regarding this decision with the group
health plan or the U.S. Department of Health and Human Services.
If you file a complaint with the group health plan, please
file it in writing with the following person: [state the name
or title and telephone number of the contact person designated
to receive complaints].
In certain cases you are entitled to appeal the denial of access.
You are entitled to an appeal if access was denied because
in the opinion of a licensed health care professional, granting
access is likely to endanger the life or physical safety of
you or another person. If you appeal, your appeal will be
reviewed by a licensed health care professional designated
by the plan who did not participate in the original decision.
The appeal and notice of the appeal decision will be conducted
promptly.
APPENDIX
City of Sarasota
Health Plan Sponsor
HEALTHCARE SARASOTA
NOTICE OF PRIVACY PRACTICES
This Notice is effective April 14, 2003
This notice will describe how medical information about you may
be used and disclosed and how you can get access to this information.
PLEASE REVIEW IT CAREFULLY
If you have any questions about this Notice, or you would
like to make a request concerning your rights, please call
and ask for our Privacy Officer at 951-3639 or 951-3630. The
address and telephone number are repeated at the end of this
Notice.
OUR RESPONSIBILITIES
This privacy notice will tell you about the lawful ways in which
we may use and disclose your Protected Health Information
(or PHI). It also describes your rights and the responsibilities
we have regarding the use and disclosure of your PHI. PHI
is information that may identify you (including your name,
address, and social security number), that relates to your
past, present, or future physical or mental health condition,
your health care services, and payment for your health care
services.
The City of Sarasota is required by law to maintain the security
and privacy of your PHI and to provide you with this notice
of our privacy practices and legal duties. We are required
to follow the terms of this Notice. We reserve the right to
change the terms of this notice and to make any new provisions
effective to the entire PHI that we maintain about you. If
we revise this notice, we will provide you with a revised
notice by mail.
USES and DISCLOSURES of PHI (Protected Health Information)
To comply with the law, only the individual's "Minimum and
Necessary" PHI will be used or disclosed to accomplish
the intended purpose of the use, disclosure, or request. It
is the City of Sarasota's policy to limit the use or disclosure
of an individual's PHI on a "need to know" basis.
The following categories describe some of the different ways
we may use and disclose your PHI.
Payment:
We may use and disclose your PHI for payment activities. For
example, we may use and disclose your PHI to process and pay
your bill for health care services, when your health care
provider requests information regarding your eligibility for
coverage under our health plan, or in reviewing the medical
necessity of the treatment you received, or in coordinating
payment with other insurance carriers or facilities.
Treatment:
We may use and disclose your PHI so that you can receive medical
treatment and other related services. For example, we may
need to coordinate your care with utilization and case management
personnel with regard to your health benefits.
Health Care Operations:
We may use or disclose your PHI for our business activities
and health care operations. The activities include, but are
not limited to: quality assessment and improvement, reviewing
provider performance, reviewing Rx data for wellness and prevention
materials. For example, we may also use or disclose your PHI
to underwriters to obtain insurance premiums, and to auditors
to make sure claims are paid correctly.
Business Associates:
We may disclose your PHI to third party "business associates"
that perform various services for us. For example, we may
disclose your PHI to our benefits administrator, Healthcare
Sarasota, to our claims administrator, for utilization and
case management purposes, to the employee assistance
program (EAP), and to our pharmacy benefits manager. Also, we may
disclose your PHI to other services that provide reinsurance
and healthcare support services such as dental and vision
providers. We require our business associates to appropriately
secure and safeguard your PHI.
Other Health-Related Benefits:
We may use and disclose your PHI to contact you about wellness
and prevention programs, and to inform you about disease
management and other educational health programs. We may use
and disclose your PHI to offer you our other health-related
and voluntary benefits. If you do not want us to contact you
about our health-related benefits you must notify our Privacy
Officer in writing.
Individuals Involved in Your Care:
We may use and disclose your PHI to a family member or other
persons you identify involved in your care. We will disclose
only PHI relevant to that person's involvement in your care
or payment for your care. In an emergency, we may use and
disclose your PHI for locating and notifying a family member,
a personal representative, or another person responsible for
your care. If you are unable to agree or object to this disclosure,
we may disclose such information as we deem is in your best
interest based on our professional judgment.
Plan Sponsor:
We may disclose your PHI to the plan sponsor of the group
health plan.
Research:
We may use and disclose your PHI for research purposes in
certain limited circumstances.
Required By Law:
We will disclose your PHI as required by federal or
state law, including:
· Military and National Security. We may disclose your PHI to
authorized federal officials for conducting national security
and intelligence activities. We may also be required to disclose
your PHI to members of the Armed Forces for activities deemed
necessary by appropriate military authorities.
· Workers' Compensation. We may disclose your PHI to workers'
compensation and other programs providing benefits for work-related
injuries or illnesses.
· Public Health. We may disclose your PHI for public health
activities. For example, we may disclose your PHI when necessary
to prevent a serious threat to your or others' health and safety.
Public health activities generally include: (1) to prevent
or control disease, injury or disability; (2) to report births
and deaths; (3) to report child abuse or neglect; (4) to report
reactions to medications or problems with products; (5) to
notify people of recalls of products they may be using; (6)
to notify a person who may have been exposed to a disease
or may be at risk for contracting or spreading a disease or
condition; or (7) to notify the appropriate government authority
if we believe the individual has been the victim of abuse,
neglect, or domestic violence.
· Health Oversight Activities. We may disclose your PHI to a
health oversight agency for activities authorized by law such
as audits, investigations, inspections, and licensure. Government
oversight agencies include those agencies that oversee government
benefit programs, government regulatory programs, and civil
rights laws.
· Legal Proceedings. We may disclose your PHI in the course
of any judicial or administrative proceeding to the extent
expressly authorized by a court or administrative order. We
may disclose your PHI in response to a subpoena, discovery
request, or other lawful process, but only if efforts have
been made to tell you about the request or to obtain an order
protecting the information requested.
· Law Enforcement. We may disclose your PHI to law enforcement
officials for law enforcement, including: (1) in response
to a court order, subpoena, warrant, summons, or similar process;
(2) to identify or locate a suspect, fugitive, material witness,
or missing person; (3) information pertaining to a victim
of a crime if, under certain limited circumstances, we are
unable to obtain the person's agreement; (4) information in
regard to a death we believe may be the result of criminal
conduct; (5) information about criminal conduct
that occurs on our premises; or (6) in emergency circumstances
to report a crime, the location of the crime or victims, or
the identity, description, or location of the person who committed
the crime.
· Coroners, Medical Examiners, and Funeral Directors. We may
disclose your PHI to a coroner or medical examiner for purposes
of identifying a deceased person or determining the cause of death.
We may also disclose your PHI to a funeral director, as authorized
by law, in order for the director to carry out assigned duties.
· Inmates. If you are an inmate of a correctional institution,
we may disclose your PHI to the correctional institution or
law enforcement official holding you in custody in order for:
(1) the institution to provide you with health care; (2) your
health and safety and the health and safety of others; or
(3) the safety and security of the correctional institution.
Organ and Tissue Donation:
We may disclose your PHI to organizations that handle organ
procurement, organ, eye or tissue transplantation, or to an
organ donation bank.
OTHER USES and DISCLOSURE OF YOUR PHI
Other uses and disclosures of your PHI not covered by this notice or
laws that apply to our use and disclosure will be made only
with your written authorization. You may revoke your authorization,
in writing, at any time. If you revoke your authorization,
we will no longer use or disclose your PHI for the reasons
covered by your written authorization. However, we will be
unable to take back any use or disclosure that has already
been made with your authorization or that has been made as
described in this notice.
YOUR RIGHTS
The following is a description of your rights with respect to
your Protected Health Information.
· Right to Request a Restriction. You have the right to request
a restriction on certain uses and disclosures of your PHI,
including disclosures for treatment, payment, or health care
operations. You also have the right to request a restriction
on the disclosure of your information to individuals involved
in your care or payment for your care. The City of Sarasota
will give serious consideration to your request but is not
required to agree to any such restrictions. If we do agree,
we will comply with the restriction unless the information
is needed to provide you with emergency treatment. To request
a restriction, please contact our Privacy Officer. Your request
must specify: (1) the information you want to limit; (2)
whether you want to limit our use, disclosure, or both; and
(3) to whom you want the limits to apply.
· Right to Access, Inspect, And Copy. You have the
right to access, inspect, and obtain a copy of your PHI that
may be used to make decisions about your health care benefits.
This includes your medical and billing records, but may not
include psychotherapy notes or other information that is subject
to laws that prohibit access. We may deny your request to
access, inspect, and copy in certain limited circumstances.
If you are denied access, you may request that the denial
be reviewed. A licensed health care provider chosen by us
will review your request and denial. The person performing
this review will not be the same person who denied your initial
request. The outcome of the review will be final. If the denial
is reversed, you will be granted access within 30 days. To
inspect and copy your PHI, please contact the Privacy Officer.
A fee may be charged for the cost of copying, mailing, or
other supplies associated with your request.
· Right to Amend. If you believe any of your information in
our possession is inaccurate you may request, in writing,
that we amend or correct the information that you believe
to be erroneous. To request an amendment, contact our Privacy
Officer. You will be required to provide a reason that supports
your request. We may deny your request if you ask us to amend
information that: (1) was not created by us, unless the person
or entity that created the information is no longer available
to make the amendment; (2) is not part of the Protected Health
Information kept by or for us; (3) is not part of the information
which you would be permitted to inspect or copy; or (4) is
accurate and complete. If we deny your request, you may submit
a short statement of dispute, which will be included in any
future disclosure of your information.
· Right to an Accounting of Disclosures. You have the right
to receive an accounting of disclosures of your PHI. The accounting
will take the form of a list of the disclosures of your PHI
that we have made to others. The list will not include disclosures
made: (1) for treatment, payment and any other health plan
operations; (2) to you; (3) that are incidental disclosures;
(4) in accordance with an authorization; (5) for national
security or intelligence purposes; or (6) to correctional
institutions or law enforcement officials for the provision
of health care, safety of individual, other inmates, and officers
and employees. To request an accounting, contact our Privacy
Officer. You may request an accounting for disclosures made
up to six years before the date of your request but not for
disclosures made prior to April 14, 2003. The first accounting
you request within a twelve-month period will be free. For
additional accountings, we may charge you the cost of
providing the list. We will notify you of the fee before any
costs are incurred.
· Right to Confidential Communications. You have the right to
request that you receive communications of your Protected
Health Information in a certain time or manner. For example,
you may ask that we only contact you at work or by U.S. Mail.
To request confidential communications contact our Privacy
Officer. Your request must specify how or where you wish to
be contacted.
· Right to a Paper Copy of This Notice. You have the right to
a paper copy of this notice. You may request a paper copy
by contacting our Privacy Officer. In addition, you may obtain
a copy of this notice at our web site, www.sarasotagov.com.
COMPLAINTS
If you believe your privacy rights have been violated, please
send your complaint, in writing, to our Privacy Officer. All
complaints will be resolved in a timely manner. If we cannot
resolve your concern, you have the right to file a written
complaint with the Secretary of the United States Department
of Health and Human Services. You will not be retaliated against
in any way for filing a complaint.
If you would like to discuss the privacy of your Protected Health
Information in detail, or if you have any concerns, please
feel free to contact our Privacy Officer at:
Privacy Officer
City of Sarasota
P. O. Box 1058
Sarasota, FL 34230-1058
Tel: (941) 951-3639 or (941) 951-3630
ACKNOWLEDGMENT
Please sign and date this form indicating your receipt of this Notice
of Privacy Practices.
NAME: (Please Print)________________________________________________________________
Date:_____________________________________________________________________________
Signature__________________________________________________________________________
Department________________________________________________________________________
PLEASE RETURN TO HUMAN RESOURCES AFTER SIGNING
JOB TITLE: PRIVACY OFFICER
PURPOSE OF THE POSITION: This position is responsible for compliance
activities associated with the federal Health Insurance Portability
and Accountability Act (HIPAA). Responsibilities include development,
implementation, and maintenance of electronic and technical
safeguards required by HIPAA.
MINIMUM QUALIFICATIONS:
Bachelor's degree in Health Administration, Public Administration
or Business Management. Five years benefit administration.
Certified Registered Health Information Administrator or Technician
(RHIA or RHIT) helpful.
SPECIAL REQUIREMENTS:
· Knowledge of HIPAA standards.
· Ability to develop and maintain standards for HIPAA.
· Knowledge of and experience in word processing and
spreadsheets, and experience with computers.
· Knowledge of ABRA or Crystal reports a plus.
ESSENTIAL FUNCTIONS:
· Develop, document, implement, and maintain administrative
procedures for health data and determine whether they are
sufficient to meet HIPAA privacy standards.
· Develop and maintain procedures for verifying the
identity and authority of persons requesting health information.
· Perform periodic information privacy risk assessments
and conduct related ongoing compliance monitoring activities.
|