Privacy of Medical Records (Policy 1.230)

Authority:F.S. 1001.64; Pub.L.No. 104-191, 110 Stat. 1936 (1996)
Date Adopted:4/03; Rev 12/04, 05/09



It is the policy of the Board that the College will be in compliance with federal and state medical records privacy protection laws and regulations, including the requirements of the Health Insurance Portability and Accountability Act of 1996, and the regulations of the Department of Health and Human Services implementing that Act.

  1. Assigning Privacy and Security Responsibilities

    1. Specific job positions within the College workforce shall be assigned the responsibility of implementing and maintaining the HIPAA Privacy and Security requirements and shall be provided sufficient resources and authority to fulfill their responsibilities.
    2. There shall be one individual designated by the President or designee as the Privacy Contact for compliance with HIPAA Privacy Rules at the College
  2. Protected Health Information (PHI): Protected Health Information is any individually identifiable information created or received by a health care provider, health plan or employer that relates to an individual's past, present or future physical or mental condition or the provision of or payment for that individual's health care, whether maintained in electronic, printed or spoken form. Employment records and records subject to the Family Educational Right and Privacy Act (FERPA) are not Protected Health Information.

    1. Uses and Disclosures: Protected Health Information may not be used or disclosed except when authorized by the individual who is the subject of the information, or as otherwise allowed or required by the provisions of HIPAA.
    2. Minimum Necessary Disclosure: All disclosures (except for disclosures made for treatment or healthcare operation purposes) of Protected Health Information must be limited to the minimum amount of information needed to accomplish the purpose of the disclosure.
    3. Access to Protected Health Information by the Individual: Access to Protected Health Information must be granted to the person who is the subject of such information when such access is requested. Individuals have a right to request that no disclosure be made of PHI. The College is not obligated to grant this request. All requests for Protected Health Information will be directed to the appropriate Third Party Administrators and must be limited to the minimum amount of information needed to accomplish the purpose of the request.
    4. Access by Personal Representatives: Access to Protected Health Information must be granted to personal representatives of individuals as though they were the individuals themselves. Personal representatives may include legal designations such as Power of Attorney or parent to a minor child.
    5. Access to Protected Health Information by other entities: Access to Protected Health Information may be granted to authorized employee(s) or contractor(s) based on the assigned job functions of the employee or contractor. Such access should not exceed the minimum necessary to accomplish the assigned job function.
    6. Verification of Identity: The identity of all persons who request access to Protected Health Information shall be reasonably verified before such access is granted.
    7. Mitigation: Any known harmful effects of a use or disclosure of Protected Health Information by the College or a Business Associate that violates this policy or the procedures implementing it shall be mitigated to the extent possible.
  3. Safeguards: Appropriate physical safeguards shall be in place to reasonably safeguard Protected Health Information from any intentional or unintentional use or disclosure that is in violation of the HIPAA Privacy Rule or state statutes. These safeguards shall include physical protection of premises and PHI, technical protection of PHI maintained electronically and administrative protection. These safeguards will extend to the oral communication of PHI.
  4. Notice of Privacy Practices: The College shall prepare and distribute a Notice of Privacy Practices that complies with the requirements of the HIPAA Privacy Rules. The College shall obtain and retain on record the Privacy Practices of Third Party Administrators and vendors who administer programs subject to HIPAA. Notice of Privacy Practices shall be distributed to all employees.
  5. Disclosure Accounting: An accounting of all disclosures subject to such accounting of Protected Health Information shall be given to individuals whenever such an accounting is requested.
  6. Authorizations: A valid authorization will be obtained for all disclosures that are not related to treatment, payment, health care operations, the individual or their personal representative. A signed copy of the College's Privacy Policy will serve as authorization for the College to provide assistance in resolving healthcare claims issues
  7. Complaints: All complaints relating to the protection of health information shall be investigated and resolved in a timely fashion. All complaints should be addressed to the College Privacy Contact for research and resolution. All complaints received and the disposition of each complaint shall be documented.
  8. Training and Awareness: All employees with access to Protected Health Information shall be trained on the policies and procedures governing Protected Health Information and how the College complies with the HIPAA Privacy Rule. New employees shall receive training on these matters within a reasonable time after they have joined the workforce. Training shall be provided should any policy or procedure related to the HIPAA Privacy Rule materially change. This training will be provided within a reasonable time after the policy or procedure materially changes. Training shall be documented to indicate participants, date and subject matter.
  9. Sanctions: Sanctions will be in effect for any member of the workforce who intentionally or unintentionally violates any of these policies or any procedures related to the fulfillment of these policies. Violations of any of these provisions may result in severe disciplinary action including termination of employment and possible referral for criminal prosecution. Sanctions shall be documented.
  10. Retention of Records: The HIPAA Privacy Rule records retention requirement of six years will be strictly adhered to. All records designated by HIPAA in this retention requirement will be maintained in a manner that allows for access within a reasonable period of time.
  11. Prohibited Activities: No employee or contractor may engage in any intimidating or retaliatory acts against persons who file complaints or otherwise exercise their rights under HIPAA regulations. No employee or contractor may condition payment, enrollment or eligibility for benefits upon the provision of an authorization to disclose Protected Health Information, or upon a waiver of the right to file a complaint.
  12. Procedures: The President or designee shall establish procedures to implement the provisions of this policy.