Health Information Portability & Accountability Act (HIPAA)

The Town of Shrewsbury by vote of its Board of Selectmen will comply with the Privacy Regulations of the Health Information Portability and Accountability Act of 1996 (HIPAA). The Town shall limit the use of and access to Protected Health Information which is held by the Town or its lawful agents.

Protected Health Information (PHI) is any written, oral or electronic form of information relating to a person's past, present or future health condition, delivery or payment of health services that identifies an individual or where there is a reasonable basis to believe the information could be used to identify an individual.

Administrative, technical and physical safeguards established to limit use and access to protected health information are stated as an integral part of this policy, established as part of daily operating procedures and will be maintained by all responsible staff and representatives of lawful agents and business associates of the Town of Shrewsbury.

To assure this commitment to compliance the Board of Selectmen designates Carolyn Marcotte as Privacy Officer who shall have the responsibility:
  • To keep the Board of Selectmen and Town and School Administrations informed of all changes, updates, requirements, responsibilities, claims, etc. concerning the HIPAA privacy regulations
  • To maintain documentation of the Town's efforts to comply with HIPAA privacy regulations
  • To ensure that plan subscribers are sent privacy notices and new enrollees receive said notices as required by law
  • To track any protected health information disclosures
  • To process authorizations for disclosure and use of protected health information
  • To resolve complaints from participants about possible privacy violations
  • To serve as the Town's liaison with the group health insurance program third party administrator, relevant business associates, and health insurance carriers, communicating the Town's commitment and securing the commitment of these entities to the privacy and security of protected health information
  • To maintain all required authorizations, agreements, etc. relative to the protected health information of group health insurance program participants
  • To monitor the Town's compliance with HIPAA privacy regulations on a regular basis
The Privacy Officer will receive the total support of the Board of Selectmen, Town Administration and senior management. The Privacy Officer of the Town of Shrewsbury is covered under the Town's liability insurance in the legal performance of his/her duties and has access to the Town's legal counsel in the same regard.

In accordance with HIPAA, only the Town of Shrewsbury Benefits Coordinator may be given access to protected health information in order to legally perform the position duties and administer the Town's group health insurance program.

The Town of Shrewsbury communicates its commitment to HIPAA Privacy Regulations through:
  • Adoption of this policy by the Board of Selectmen
  • Distribution of this policy to and training of all department heads concerning the definition, security and authorization of protected health information
  • Posting of this policy on the Town of Shrewsbury website
  • Including the privacy notice in the new employee benefits package
As an employer, the Town of Shrewsbury may use protected health information in its possession without specific authorization from the employee for treatment, payment, quality assessment, medical review and auditing, studies to improve the group's health care quality or reduce health care costs, compiling civil/criminal proceedings, and any other use required by law for public health, communicable disease, abuse or neglect, or food and drug administration purposes.

Information which is normally maintained in the employment record which is not classified as protected health information includes all forms, responses, inquiries and data relative to the family medical leave act, drug screenings, fitness for duty, workers compensation, disability, life insurance, the occupational safety and health act and sick leave.

Protected health information may be released for other purposes by the authorization of the employee submitting the established form in person to the Privacy Officer. The use and/or disclosure of protected health information is limited to the specific information for the specific purpose to and from the specific individual and/or entity for a specific time period as delineated in the authorization form. Group health insurance program participants are allowed to review their protected health information that is held by the Town and to make corrections to errors. Upon request a participant will be provided with an accounting of disclosures of protected health information.

The Town of Shrewsbury separates protected health information from the employment record and retains such information in a locked file accessible only to the Benefits Coordinator and under special circumstances other Town Officials that have a bona fide need to know to accomplish legal town business. All entities which could receive protected health information (Group Benefits Strategies as the third party administrator, ambulance billing company, fully insured plan providers, legal counsel, actuaries and consultants) must enter into a business associate agreement with the Town of Shrewsbury in which both parties commit to compliance with the HIPAA Privacy Regulations and providing satisfactory assurances that the business associate will appropriately safeguard the protected health information.

Participants that believe they have been aggrieved by the use or disclosure of protected health information may file a written grievance with the Privacy Officer within 60 calendar days of the use or disclosure of the protected health information or within 15 calendar days of their knowledge of said use or disclosure. The grievance must delineate the specifics of the complaint, including but not limited to:
  • What was the result of the release of the unauthorized protected health information
  • What unauthorized protected health information was released
  • When was the protected health information released and/or when did the complainant become aware of the unauthorized knowledge of the protected health information
  • Who received the protected health information and/or is knowledgeable of the protected health information
The Privacy Officer will meet with the complainant as soon as possible after the receipt of the grievance. During this meeting the Privacy Officer will discuss the issue brought forward with the complainant. The Privacy Officer will investigate the allegations of the complaint with the full support and assistance of Town and/or School Administration and if necessary legal counsel.

The Privacy Officer will provide a written report of his/her findings and recommended action, if warranted, to the Town Manager and the complainant within 30 calendar days from the date of the meeting with the complainant. If for some reason the Privacy Officer is unable to conduct this meeting and/or investigation the Town Administrator shall appoint a Senior Manager to perform these duties.

Complainants may also contact the Federal Offices of the Department of Health and Human Services for assistance.

The Town of Shrewsbury will comply with the Privacy Regulations established by the Federal Government and requires its employees to observe and comply with this policy and the use of the proper procedures and policy documents. Employees found to have breached protected health information security will be subject to sanctions from verbal reprimand up to and including termination, dependent upon the seriousness, willfulness and ramifications of the breach.

Adopted by vote of the Shrewsbury Board of Selectmen on July 14, 2003.