• Health Insurance Portability and Accountability Act of 1996 for Healthcare Flexible Spending Program

    Office of the General Counsel

    Monmouth University, pursuant to the Health Insurance Portability and Accountability Act (HIPAA) law and regulations, is required to take reasonable steps to ensure the privacy of your Protected Health Information. Protected Health Information is individually identifiable health information related to the past, present, or future physical or mental health or condition of an individual, or provision of healthcare to an individual, or past, present, or future payment for the provision of healthcare to an individual. Protected Health Information includes, but is not limited to, information such as name, address, five-digit zip code, Social Security number, driver’s license number, date of birth, and medical record. Employees are expected to adhere to the University’s rules and regulations. Those employees who disregard University policies and/or federal laws and/or New Jersey State laws will be subject to sanctions and penalties.

    Notice of Privacy Rights

    Pursuant to applicable law and regulations, you have the following rights regarding your Protected Health Information (PHI):

    • the right to receive a copy of the “Notice of Privacy Practices” (contact the Office of Human Resources);
    • the right to request restrictions on disclosures for treatment, payment of benefits, and/or healthcare operations;
    • the right of access to inspect your own Protected Health Information,
    • the right to an accounting of all uses and disclosures of your Protected Health Information in the previous six years, except for treatment, payment, or health care operations; the right to amend your Protected Health Information (created by Health Plan);
    • the right to confidential communications about Protected Health Information;
    • the right to file a complaint if you believe your rights have been violated.

    Security

    The University will limit the use and disclosure of protected individually identifiable health information to anyone other than a covered entity or business associate, if applicable. Such disclosure will be for the purpose of payment of benefits, claim resolution, enrollment/disenrollment, and FSA healthcare operations and pursuant to legal process.

    Information deemed to be Protected Health Information will be secured in authorized offices only (i.e., Human Resources, Provost’s Office, Controller’s Office, and Payroll Department) and will be accessible to only those individuals who need access to or may come in contact with Protected Health Information, who have been trained in HIPAA compliance, and who have signed confidentiality agreements with Monmouth University.

    All Protected Health Information will be kept in secured file cabinets in offices that are locked overnight. If any employee who is not authorized has access to the office(s) during non-working hours, then the Protected Health Information must be kept in locked file cabinets and/or safe, with access limited to authorized personnel only.

    Protected Health Information pertaining to the University’s health care FSA will pertain to employee enrollment, employee disenrollment, and employee contribution amounts for offices other than Human Resources. Human Resources may receive claim information from an employee, with the appropriate signed authorization form from the employee, in cases of resolving claim issues. The information will remain confidential and be kept in a secured file cabinet housed in the Office of Human Resources.

    The University has appointed a privacy official (Director of Human Resources) to ensure compliance with HIPAA laws and regulations. Additionally, the University has appointed a complaint official (Manager of Employee Benefits) to ensure compliance with the HIPAA complaint procedure process.

    Training

    The privacy official will schedule HIPAA compliance training for all current employees and any new employees who may assume such responsibilities and are authorized to have access to, or may come in contact with, Protected Health Information.

    Additional training will be provided for authorized employees when and if any changes are made to the privacy rules within a reasonable period of time after the material change becomes effective.

    All authorized employees who may have access to, or may come in contact with, Protected Health Information, will be required to sign a University HIPAA Confidentiality Agreement.

    Complaints

    If an employee believes his/her rights have been violated, he/she may file a complaint utilizing the University’s HIPAA complaint procedure.

    An employee may complain in writing to the complaint officer in Human Resources. (For more information, contact the Office of Human Resources.)

    Complaints may also be made in writing to the Secretary of the U.S. Department of Health and Human Services. (For more information, contact the Office of Human Resources.)

    Complaints must be made within 180 days after the employee knows or should have known about the act or omission that is the subject of his/her complaint.

    The FSA Healthcare Plan and the employer may not intimidate, threaten, coerce, discriminate against, or take any retaliation against any employee who exercises any right under the Privacy Rule; files a complaint with the secretary of HHS; testifies, assists, or participates in an investigation or other proceeding under the Privacy Rule; or opposes any unlawful practice under the Privacy Rule in good faith.

    Sanctions

    Any employee who fails to comply with HIPAA laws and regulations as detailed in the University HIPAA policy and procedure will be subject to disciplinary action up to and including termination.

    Record Retention

    The University will maintain the policies and procedures, all communication, documentation of any action, activity, or designation that are required by the Privacy Rule to be in writing, in written or electronic form, for six years from the date of its creation or the date when it last was in effect, whichever was later.