In its capacity as a Covered Entity or a Business Associate, System shall limit access to PHI to those persons that require access to the PHI in order to carry out their duties as permitted by HIPAA and this Manual.
4.2(1) Persons With Access to PHI
System has been designated as a Hybrid Entity. Only authorized Workforce members of OEB and the other designated Offices within the System Administration who have received the training required by this Manual are entitled to access PHI collected or held by System as a Covered Entity or Business Associate. All such Workforce members are specifically required to comply with this Manual.
4.2(2) OEB Workforce Members
OEB Workforce members permitted to access PHI consist of the following and shall have access to PHI as follows:
- OEB Staff: Current OEB Workforce members (referred to here as “Staff”), including employees but excluding Business Associates and their subcontractors, or persons employed by a Business Associate, shall have access to PHI in order to conduct any permissible Use or Disclosure of PHI in accordance with the terms of this Manual. Staff whose duties require access to the entire Medical Record shall have access to an Individual’s entire Medical Record to the extent the entire Medical Record may be Used or Disclosed under the terms of this Manual. Otherwise, Staff shall have access only to the minimum necessary PHI relating to the specific duties to which they are assigned. All Staff shall have access to PHI only during the time periods they are on duty in the capacity for which they require the Use of the PHI. No Staff shall request, or without a signed Authorization, Use or Disclose PHI for any non-Self-funded Group Health Plan related purpose of any kind, even if the Staff’s specific job duties include both Self-funded Health Plan and non-Self-funded Group Health Plan related functions, regardless of whether the PHI would be of use in performing the non-Self-funded Group Health Plan duties. No Staff shall re-identify De-identified PHI unless it is part of the Staff’s specific duties with regard to that particular PHI and only as approved by the Privacy Officer as set forth in Section 4.13 of this Policy. The various functions of OEB staff and additional detail regarding type of access are:
- Benefits staff shall have access to all PHI (including the entire Medical Record) maintained in any medium by OEB during the time periods staff is performing job-related functions, which functions may include but are not limited to claims review and adjudication; resolution of appeal issues; requests for proposals and plan development; and resolving enrollment, coverage and eligibility issues.
- Financial staff shall have access only to minimum PHI necessary for performing job-related functions, which functions may include but are not limited to, payment of claims, adjustment of claims, and premium payments.
- Other staff shall have access to all PHI they maintain in any medium, during the time periods staff is performing job-related functions. PHI may be contained or stored in the various computer systems and magnetic media managed by the Staff. Access to PHI maintained in other mediums by OEB shall be permitted to the extent required for staff to perform duties as assigned, which may include, but are not limited to, reporting functions, analysis functions, reconciliation functions, maintenance and repair functions, testing, addressing enrollment and eligibility issues, billing and payment.
- The Director of OEB shall have the same access rights as set out above for all OEB functions, to the extent necessary to carry out the responsibilities of their positions, which include but are not limited to, oversight of all OEB functions and appeals resolution.
- Medical Director: Any licensed physician employed by System who is specifically appointed to act as a Medical Director on behalf of OEB or to provide a professional medical opinion to OEB staff in the performance of staff’s duties in relation to a Plan offered by OEB shall be considered a member of the OEB workforce and have access to PHI in order to provide the services he or she is appointed to provide. Such access shall be limited to the PHI necessary, in the professional judgment of the physician, to perform a service, including, if necessary, an Individual’s entire medical record. Any licensed physician employed by OEB as a Medical Director shall be considered OEB staff and may have the same access to PHI that is granted to the Director in Paragraph (a) of this Subsection. If OEB employs a Medical Director who is not a System employee or official, that person must execute a Business Associate Agreement with System.
- Complaint Review Committee: Any licensed physician who is employed by System and is designated by OEB to serve on EGI’s Complaint Review Committee shall be considered a Workforce member of OEB and may have access to an entire medical record to the extent that access is necessary to ensure a complete and accurate evaluation of the claim under review. A physician serving on the Committee shall not be considered to be providing Treatment in connection with such services. If OEB employs a Committee member who is not a System employee or official, the person must execute a Business Associate Agreement with System.
- Privacy Officer: The Privacy Officer shall be considered part of the Workforce of OEB and have access to PHI in order to conduct any permissible Use or Disclosure of PHI in accordance with the terms of this Manual. The Privacy Officer shall have access to an Individual’s entire medical record to the extent (i) the entire medical record may be Used or Disclosed under the terms of this Manual, or (ii) such PHI must be reviewed in order to determine whether a Use or Disclosure is permissible under the terms of this Manual.
4.2(3) Non-OEB Workforce Members within the System Health Care Component
- Office of General Counsel: Officials and staff of the Office of General Counsel (OGC) are Business Associates of the Office of Employee Benefits to the extent that the office is required to access OEB PHI to provide legal services to OEB. OGC can access any and all PHI reasonably required to provide the required legal services. The Minimum Necessary Standard shall apply to all such access. All such PHI shall be accessed and Used by OGC in accordance with this Manual and the NOPP.
- Office of Employee Services: Employees of the System Office of Employee Services whose duties specifically require the employee to access PHI on behalf of OEB for the purpose of providing Administrative Services to the Plan shall be considered a Business Associate of OEB. Such employees may have access to an Individual’s entire medical record to the same extent the entire medical record may be Used or Disclosed under the terms of this Manual by OEB staff. The Minimum Necessary Standard shall apply to all such access. All such PHI shall be accessed and Used by OGC in accordance with this Manual and the NOPP.
- Office of Information Resources: Office of Information Resources (OIR) employees shall be considered a Business Associate of OEB and shall have access to all PHI contained in System Administration’s computer system for maintenance and repair purposes. Access to paper or other types of PHI shall be granted to department supervisors only when necessary to complete a specific function for the information management system. The Minimum Necessary Standard shall apply to all such access. All such PHI shall be accessed and Used by OGC in accordance with this Manual and the NOPP.
- Office of Systemwide Compliance Information Resources: Other than the Privacy Officer, Office of Systemwide Compliance employees shall be considered a Business Associate of OEB and shall have access to all OEB PHI contained for assisting and/or investigating OEB’s compliance duties. In addition, employees within the Information Security section within that office may have access for assisting with security investigations or other related activities that require access to OEB PHI. The Minimum Necessary Standard shall apply to all such access. All such PHI shall be accessed and Used by OGC in accordance with this Manual and the NOPP.
- The Audit Office: The Audit Office shall be considered to be a Business Associate of OEB and shall have access to all OEB PHI contained for conducting audits that the office is required by applicable law or System policy to conduct. The Audit Office shall consult with the Privacy Officer and the Director of OEB prior to accessing PHI in connection with any audit. The Minimum Necessary Standard shall apply to all such access. All such PHI shall be accessed and Used by OGC in accordance with this Manual and the NOPP.
4.2(4) Access to PHI by Other Persons, Including System Employees and Officers
If a person not identified in Subsection 4.2(2) or 4.2(3) of this Section desires to access PHI, including an official or employee of any other System office, such access shall be treated as a Use or Disclosure of PHI, as applicable. The determination of whether a Use or Disclosure of PHI is permissible shall be made under the applicable provisions of this Manual and HIPAA, unless the person is a Business Associate or the employee of a Business Associate of System; a person with a Limited Data Set agreement with OEB; or another Covered Entity, in which case the determination shall be made under the applicable provisions of Policy 6 of this Manual.
REFERENCES/CITATIONS
45 C.F.R. §§ 164.502(b), 164.504(a)-(c), 164.514(d)(2)
65 Fed. Reg. at 82,543-45, 82,712-16 (Dec. 28, 2000)