MS 269: HIPAA Administration

Table of Contents

Attachments

Table of Contents

4.1      Designation of Health Care Component

4.2      Peace Corps Notice of Privacy Practices

4.3      Protection of Health Information

4.3.1        Peace Corps Staff

4.3.2        Business Associates

4.4      Authorizations for Use of Medical Information

4.5      Access of Individuals to their Medical Information

4.6      Requests to Amend Medical Files

4.7      Complaint Process

4.8      Recordkeeping 

Attachments

Attachment A    Designation of Peace Corp's Health Care Component
Attachment B    Peace Corps Notice of Privacy Practices

1.0      Authority

2.0      Purpose

3.0      Policy

4.0      Administration Requirements

4.1      Designation of Health Care Component

According to the U.S. Department of Health and Human Services, the Peace Corps is a hybrid entity under HIPAA because its activities include both covered functions (e.g., providing and paying the cost of medical care for Peace Corps Trainees and Volunteers) and a large number of other activities that do not involve provision of or payment for medical care or otherwise constitute covered functions.

 

As a hybrid entity, Peace Corps specifically designates which parts of Peace Corps are included in its health care components that are subject to the HIPAA regulations. See Attachment A for Peace Corps' Designation of Peace Corps' Health Care Component for Purposes of the Health Insurance Portability and Accountability Act (HIPAA).

 

4.2      Peace Corps Notice of Privacy Practices

As a covered entity under HIPAA, Peace Corps is required to have a Notice of Privacy Practices (Notice) that meets the requirements in 45 CFR 164.520. Peace Corps' Notice must be made available to applicants and Volunteers, as well as to anyone who requests it. See Attachment B for Peace Corps' Notice. The Notice must be accessible on Peace Corps' Internet site, and a copy shall be made available to applicants in connection with the application for Peace Corps service.

 

4.3      Protection of Health Information

4.3.1        Peace Corps Staff

Peace Corps' policies on protecting the confidentiality of personal health information are set forth in MS 268, Medical Confidentiality. All staff who receive, create, use, disclose or otherwise transmit protected health information are required to comply with such policies. Peace Corps staff includes all employees and personal services and other contractors. Any Peace Corps employee who fails to comply with the provisions of this manual section, MS 268, or other Office of Medical Services operating procedures relating to the protection of medically confidential information, is subject to appropriate disciplinary action. Any contractor who fails to comply with the provisions of this manual section, MS 268, or other Office of Medical Services operating procedures relating to the protection of medically confidential information, is subject to action consistent with the terms of the relevant contract.

4.3.2        Business Associates

Peace Corps shall enter into a business associate agreement with any entity in the United States that creates, receives, maintains or transmits protected health information on its behalf. Such an agreement will provide satisfactory assurances that the business associate will properly safeguard such information.

4.4      Authorizations for Use of Medical Information

 

As set forth in MS 262, Health Services for Trainees, Volunteers and Dependents, all applicants for Peace Corps service are required to sign an authorization that permits Peace Corps staff and contractors, including the Inspector General, to use protected health information for medical screening and placement purposes and as needed to administer the Peace Corps program. See MS 262, Attachment A.

 

4.5      Access of Individuals to their Medical Information

Medical information in the custody of Peace Corps is maintained in a system of records subject to the Privacy Act. An individual has the right to inspect and obtain a copy of his or her medical record in the U.S. consistent with HIPAA regulations ( see 45 CFR 164.524(a )). Consistent with those regulations, an individual's access to his or her medical information may be denied for any reason it could be denied by Peace Corps pursuant to the Privacy Act. Requests under HIPAA by an individual for access to his or her medical records will be handled consistent with requests for access under the Privacy Act. See MS 897. All requests for medical records in the U.S. that are subject to HIPAA should be acted upon within 30 days.

 

4.6      Requests to Amend Medical Files

Individuals whose medical information is in the custody of Peace Corps have the right to request an amendment to their files under the Privacy Act and Peace Corps' Privacy Act regulations at 22 CFR 308.16, and under HIPAA and its regulations at 45 CFR 164.526. Requests to Peace Corps for amendment pursuant to HIPAA shall be handled consistent with requests for amendment under the Privacy Act. See MS 897; 22 CFR 308.16.

4.7      Complaint Process

An individual who wants to make a complaint about Peace Corps' policies and procedures relating to HIPAA, or its compliance with such procedures, may do so by filing a written complaint with the Deputy Director, Office of Medical Services. A written response to such a complaint is required.

 

The individual may also file a complaint with the U.S. Department of Health and Human Services, Office of Civil Rights. Retaliatory action against anyone filing a complaint is prohibited.

4.8  Recordkeeping 

Notwithstanding other Agency recordkeeping requirements, all Peace Corps procedures and policy documents relating to HIPAA administration must be retained for at least 6 years.  See 45 CFR 164.530. 

5.0  Effective Date