CKD(REGULATION) - INSURANCE AND ANNUITIES MANAGEMENT: HEALTH AND LIFE INSURANCE

Privacy of Health Information

The College District expects all employees to respect and to protect the private health information of other employees, students, and patients.

The College District has the following rules about health information from which it is possible to obtain a patient's identity ("Protected Health Information" or "PHI"):

PHI may only be used within the College District or disclosed to entities outside the College District after an affected individual provides authorization to use and disclose PHI. If the College District intends to use or disclose the PHI to third parties, an Authorization to Use and Disclose Protected Health Information must be signed by the affected individual. This notice is not required in cases of emergency, where failure to use or disclose PHI would compromise patient care, or where disclosure is specifically permitted or required by law.

Access to PHI is always limited to those who have a valid business or medical need for the information or otherwise have a legal right to know the information.

Unless being used to treat an affected individual, access to the individual's PHI must, to the extent practicable, be limited to only that information necessary to accomplish the intended purpose of the approved use, disclosure, or request.

All access to physical areas/files or computer accounts/files that contain PHI must be limited to authorized personnel. This access will be revoked upon termination of employment, termination in student training programs, or when an individual no longer requires access to do the individual's job. All PHI must be: (a) returned to the College District; or (b) destroyed with a written acknowledgment of destruction; or (c) if the information cannot be returned or destroyed, subject to written agreement that the individual will keep the PHI confidential or safeguarded as long as it is in the possession of the individual.

When the College District gives PHI to a third party in order to provide services to the College District, that third party must first sign a Business Associate Agreement. PHI provided to a business associate must be pursuant to a written agreement that the business associate, and its subcontractors, will use the PHI only for the purpose intended, will restrict access to the information on a need-to-know basis, and will otherwise take appropriate measures to safeguard the information in its possession. All PHI in the possession of these individuals or entities must be returned to the College District or an attestation must be provided that the PHI has been destroyed. If that is not possible, a written agreement must state that because it is not possible to return or destroy the PHI, the PHI will remain confidential and safeguarded as long as it is in the possession of any third party.

Employees and students have the right to access to their own PHI, may add any information they choose to their own PHI, and may request that the College District give an accounting regarding any disclosures it has made of their PHI to third parties.

Scope

The College District expects that everyone employed by the College District will treat all health information in a confidential manner. The College District expects that its health centers, mental health counselors, and health occupations programs will identify those job classifications that are authorized to access, use, or disclose PHI and identify the scope of PHI to which they have access in order to do their jobs.

Protection of Health Information

An individual's PHI may be used by the health centers, mental health counselors, and health occupations programs for routine purposes (specifically defined to include treatment, payment, and health-care operations). Additionally, the College District may use or disclose an individual's PHI for nonroutine purposes upon obtaining a valid authorization from the individual giving permission for that use or disclosure. The College District may use and disclose an individual's PHI without prior permission or authorization if health information has been sufficiently redacted to hide the identity of the individual, as part of a limited data set, or for other uses where allowed by statute.

College District employees working in the health centers, as mental health counselors, or as instructors in the health occupations programs will complete appropriate training that outlines employee responsibilities and patient rights or must otherwise demonstrate knowledge of those responsibilities and rights.

Consequences of Violating This Regulation

Unauthorized access to or use or disclosure of PHI will subject the responsible person to disciplinary action, up to and including termination of employment or suspension or expulsion from any student program. This extends to the unauthorized use or disclosure of PHI that is overheard during the course of business or PHI that is otherwise learned by any College District employee or student by virtue of his or her association with the College District.

Reporting Violations or Asking Questions

The College District's Legal Counsel is designated as the College District's Privacy Officer. Anyone who becomes aware of a violation of this regulation will immediately report the incident to the Privacy Officer. The College District will try to minimize any known harm caused by the unauthorized use or disclosure of PHI.

Any questions concerning this regulation should be directed to the Privacy Officer. The Privacy Officer also has the Authorization to Use or Disclose Protected Health Information form.

Dallas College

CKD(REGULATION)-X

LDU 2012.06

DATE ISSUED: 7/3/2012