EHA - Health Insurance Portability and Accountability Act

Code: EHA
Adopted: 7/13/22

(For districts that self-insure a health plan and/or self-administer an Internal Revenue Service Section 125 plan)
The Board has determined that it meets the definition of a hybrid of covered entities[1] under the Health Insurance Portability and Accountability Act (HIPAA). As the district self-administers an Internal Revenue Service Section 125 plan it meets the health plan definition under HIPAA. As a covered entity, the district will meet the requirements of federal law.

Accordingly, the district will safeguard the protected health information[2] of employees from use or disclosure that may violate standards and implementation specifications to the extent required by law. The electronic exchange of financial and administrative transactions related to an employee’s protected health information will meet the requirements of HIPAA, including national standards for electronic transactions designed to ensure the security of health information created or received by the district.

The superintendent will designate an individual responsible for responding to HIPAA inquiries, complaints and for providing adequate notice of employee rights and district duties under the health plan provisions of the Act. Notice will include the privacy provisions of the law, and uses of employee protected health information and disclosures that may be made by the district.

Training will be provided to all current staff and new employees determined by the district to have access to the protected health information of employees. Training will be provided within a reasonable period of time after the individual’s hiring, and to those employees when their duties may be impacted by a change in the district’s policy and/or procedures.

Employees who believe their privacy rights have been violated may file a complaint in accordance with established district procedures. Complaints may also be filed directly with the U.S. Secretary of Health and Human Services. There shall be no retaliation by the district against any person who files a complaint or otherwise participates in an investigation or inquiry into an alleged violation of an individual’s protected privacy rights. All complaints received will be promptly investigated and documented, including their final

The superintendent will ensure that satisfactory assurance has been obtained from any business associate[3] performing HIPAA-covered activities or functions on behalf of the district that the protected health information it receives from the district will be protected. Such assurance will be in the form of a written agreement, or may be included as a part of the district’s contract with the business associate.

Employees in violation of this policy or procedures established to safeguard the protected health information of employees will be subject to discipline up to and including dismissal.

The superintendent is directed to ensure an assessment of district operations is conducted to determine the extent of the district’s responsibilities as a covered entity under HIPAA and to develop internal controls and procedures necessary to implement this policy and meet the requirements of law. The procedures shall include provisions for record keeping, documentation of the district’s compliance efforts and appropriate administrative, technical and physical safeguards to protect employee protected health information and to ensure that any request is limited to information reasonably necessary to accomplish the purpose for which the request is made.

In the event of a change in the law that may impact this policy or established district procedures, the superintendent shall ensure appropriate revisions are recommended for Board approval, necessary changes are implemented and notification is made to staff and others, as appropriate.


1 A “covered entity” is an entity subject to HIPAA. These include those entities defined under the Act as a health plan, health-care clearinghouse, health care provider or a hybrid entity. A hybrid of covered entities is a single legal entity that is a covered entity and whose covered functions are not its primary function. Self-insured health plans and Internal Revenue Service Section 125 plans with 50 or more participants operated or maintained by public school entities are covered health plans for HIPAA privacy rule purposes. Similarly, any provider of services, a provider of medical or health services as defined in section 1861 of the Act (42 U.S.C. § 1395X(s)), and any person or organization who furnishes, bills or is paid for health care in the normal course as defined by 45 C.F.R. § 160.103 is also subject to HIPAA requirements as a health-care provider. Districts should review their programs and services with their legal counsel in determining HIPAA applicability.

2 “Protected health information” means individually identifiable health information that is: (1) transmitted by electronic media; (2) maintained in electronic media; (3) transmitted or maintained in any other form or medium. Protected health information excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, and employment records held by a covered entity in its role as employer.

3 A “business associate” means a person who on behalf of such covered entity or of an organized health-care arrangement in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs or assists in the performance of: (1) a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management and repricing; or (2) any other function or activity regulated by HIPAA.

Legal Reference(s):
ORS 332.107
Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. §§ 1320d to 1320d-8 (2012); 45 C.F.R. Parts 160, 164
Family Educational Rights and Privacy Act of 1974, 20 U.S.C. § 1232g (2012); Family Educational Rights and Privacy, 34 C.F.R. Part 99 (2016).