About » Board of Directors » Policies and Administrative Rules

EHA - Health Insurance Portability and Accountability Act

Print
Share & Bookmark, Press Enter to show all options, press Tab go to next option
Font Size: + -

Code: EHA
Adopted: 4/18/17 

The Board has determined that it meets the definition of a hybrid of covered entities1 under the Health Insurance Portability and Accountability Act (HIPAA). As the ESD offers health-care provider programs and services that include electronic billing for the reimbursement of services under Oregon Medicaid programs, or contracts with another entity to provide such services, it is subject to HIPAA. 

As a covered entity, the ESD will meet the national electronic transaction standards and applicable requirements of federal law. In all electronic transactions involving student education records information, the ESD will adhere to the confidentiality requirements of the Family Educational Rights and Privacy Act (FERPA). 

The superintendent will ensure that training is provided to appropriate staff with access to, and responsibility for, electronic transactions of student education records information as required by HIPAA.  Notice will be provided to students and parents of their rights pertaining to the disclosure of personally identifiable information, complaint procedures and the ESD official to contact in the event of questions, as provided in established student education records related Board policies and administrative regulations. 

1A “covered entity” is an entity subject to HIPAA. These include those entities defined under the Act as a health plan, health care clearinghouse, health-care provider or a hybrid entity. A hybrid of covered entities is a single legal entity that is a covered entity and whose covered functions are not its primary function. Self-insured health plans and Internal Revenue Service Section 125 plans with 50 or more participants operated or maintained by public schools entities are covered health plans for HIPAA privacy rule purposes. Similarly, any provider of services, a provider of medical or health services as defined in section 1861 of the Act, 42 U.S.C. § 1395X(s)(5), and any person or organization who furnishes, bills or is paid for health care in the normal course as defined by 45 C.F.R. § 160.103 is also subject to HIPAA requirements as a health-care provider. ESD’s should review their programs and services with their legal counsel in determining HIPAA applicability. 

END OF POLICY 

Legal Reference(s): 

  • ORS 334.125(7)
  • Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. §§ 1320d-d-8 (2006); 45 C.F.R. Parts 160, 164 (2006). Family Educational Rights and Privacy Act of 1974, 20 U.S.C. § 1232g (2011); Family Educational Rights and Privacy, 34 C.F.R. Part 99 (2011).