Health Insurance Portability and Accountability Act
The Board has determined that it meets the definition of a hybrid of covered entities under the Health Insurance Portability and Accountability Act (HIPAA) since RISE Charter School offers health-care provider programs and services that include electronic billing for the reimbursement of services under Idaho Medicaid programs, or contracts with another entity to provide such services, it is subject to HIPAA. In all electronic transactions involving student education records information, the Charter School will adhere to the transaction requirements of HIPAA and the confidentiality requirements of the Family Education Rights and Privacy Act (FERPA).
Additionally, because the Charter School self-insures a health plan and self-administers an Internal Revenue Service Section 125 plan it also meets the health plan definition under HIPAA. Accordingly, the Charter School will safeguard the protected health information of employees from use or disclosure that may violate standards and implementation specifications to the extent required by law.
As a covered entity, the Charter School will meet the national electronic transaction standards and applicable requirements of federal law designed to ensure the security of projected health information of employees and student education record information created or received by the Charter School.
In order to meet the notice requirements under the health-care provider provisions of the law, information will be provided to students and parents of their rights under FERPA in accordance with established procedures.
The Executive Director will designate an individual responsible for responding to HIPAA inquires, complaints and for providing adequate notice of employee rights and Charter School duties under the health plan provisions of the Act. Notice will include the privacy provisions of the law, and uses of employee protected health information and disclosures that may be made by the Charter School.
Training will be provided to all current staff and new employees determined by the Charter School to have access to the protected health information of employees and student education records. Training will be provided within a reasonable period of time after the individual’s hiring, and to those employees when their duties may be impacted by a change in the Charter School’s policy and/or procedures.
Individuals who believe their privacy rights have been violated may file a complaint in accordance with established Charter School procedures. Employee complaints may also be filed directly with the U.S. Secretary of Health and Human Services. There shall be no retaliation by the Charter School against any person who files a complaint or otherwise participates in an investigation or inquiry into an alleged violation of an individual’s protected privacy rights. All complaints received will be promptly investigated and documented, including their final disposition.
The Executive Director will ensure that satisfactory assurance has been obtained from any business associate performing HIPAA-covered activities or functions on behalf of the Charter School that the protected health information it receives from the Charter School will be protected. Such assurance will be in the form of a written agreement, or may be included as a part of the Charter School’s contract with the business associate.
Employees in violation of this policy or procedures established to safeguard student education records information and the projected health information of employees will be subject to discipline up to and including dismissal.
The Executive Director is directed to ensure an assessment of Charter School operations is conducted to determine the extent of the Charter School’s responsibilities as a covered entity under HIPAA and to develop internal controls and procedures necessary to implement this policy and meet the requirements of the law. The procedures shall include provisions for record keeping, documentation of the Charter School‘s compliance efforts and appropriate administrative, technical, and physical safeguards to protect the privacy of student education records and employee protected health information and to ensure that any request is limited to information reasonably necessary to accomplish the purpose for which the request is made.
In the event of a change in the law that may impact this policy or established Charter School procedures, the Executive Director shall ensure appropriate revisions are recommended for Board approval, necessary changes are implemented, and notification is made to staff and others, as appropriate.
This policy and any other policies, procedures, or directions relating to the implementation of the Health Insurance Portability and Accountability Act of 1996 are to be documented in written form. This documentation may be electronic. Such records are to be retained for at least six years following their creation or last date effective, whichever is later. These documents will be made available to those responsible for implementing the procedures to which the documentation pertains.
This documentation shall be reviewed periodically, and updated as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.
Legal References:
P.L. 104-191, 42 U.S.C. 1320d-1320d-8 Health Insurance Portability and Accountability Act of 1996
45 C.F.R. Subchapter C Administrative Data Standards and Related Requirements (Implementing HIPAA)
45 C.F.R. § 164.316(b) Administrative Data Standards and Related Requirements (Implementing HIPAA) - Documentation and Implementation Standards
29 C.F.R 164.316b Health Insurance Portability and Accountability Act of 1996
20 U.S.C. Section 1232g; 34 CFR Part 99 Family Educational Rights and Privacy Act
IDAPA 08.02.04.300 Public Charter School Responsibilities
Policy History
Adopted on: July 26, 2021
Revised on:
Reviewed on: