clearly states that life, disability, workers’ compensation, and stop-loss insurance coverage are not considered health plans governed by HIPAA privacy compliance. Interestingly, however, documents and correspondence held by the school district office relative to such plans may include a great deal of health information about individuals; in fact, files for these plans may likely include significantly more individual health information than do the health plan files!
We could write a book on the regulations and responsibilities for HIPAA privacy compliance. But briefly, HIPAA privacy compliance requires health plan sponsors (school districts) to do the following:
• Limit the sharing of health plan information to only those people who are necessary for the payment of claims, treatment (which has to do with the medical providers), and operations (the administration) of the plans. Any use of data other than for payment, treatment, or operations requires the authorization of the data’s owner.
• Restrict file access to those who need to know this information. Be aware of who has access to the health plan files in your district.
• Separate health plan data from non-health-plan data. School districts often include both health plan and non-health-plan information in employees’ files. It’s important to separate the data into two files to avoid all information being subject to HIPAA privacy regulations.
• Disclose the minimum necessary when sharing data for plan purposes. For HIPAA privacy, less is better.
• Provide training and refresher training on the regulations and school practices pertaining to HIPAA Privacy Rules to everyone in the district who sees and uses PHI. If data are shared with those outside the district, a business associate agreement or confidentiality agreement must be in place before providing any PHI.
• Assign a privacy officer to oversee all the privacy practices and to address issues that may arise. In school districts, it is common practice to assign the privacy officer responsibilities to a district-level staff member (e.g., director of business services) to coordinate training and procedures and to ensure that all business associate agreements are obtained.
HIPAA Security
Probably the most important aspect of HIPAA compliance is securing the data. Most commonly, the data are maintained in electronic files on the school district’s computer system, which should be managed in accordance with HIPAA security regulations. The files should be locked such that only those who should have access do, and information technology security measures should be in place, monitored, and updated as necessary to prevent unauthorized parties from obtaining these data.
The HIPAA security regulations require the plan sponsor to assign a security officer to oversee all the security practices and address all vulnerabilities, threats, and breaches. One person may fulfill both positions, but because of the responsibilities involved, the positions will more likely be separate.
asbointl.org
Family Educational Rights and Privacy Act (FERPA)
FERPA has been around longer than HIPAA; we like to think of them as federal siblings. Whereas HIPAA guidelines pertain to individuals’ private health information covered by a health plan—that would be school employees and their families—FERPA pertains to protecting the privacy of student education records.
The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. It gives parents certain protections regarding their children’s education records, such as report cards, transcripts, disciplinary records, contact and family information, and class schedules.
A school may disclose personally identifiable information from a pupil’s record under three circumstances:
• With written consent from a parent or guardian, or if the student is an adult.
• Under a court order.
• By authority of statute.
States may also have student records laws, so familiarize yourself with your state’s requirements. For example, according to Wisconsin state law, personal records, psychological treatment records, and law enforcement unit records are not considered an education (or pupil) record.
McKinney-Vento Act
The McKinney-Vento Homeless Assistance Act is a federal law that ensures immediate enrollment and educational stability for homeless children and youth. McKinney-Vento provides federal funding to states to support school programs that serve homeless students. Each state provides resources and services to ensure that all children living in homeless situations in that state can enroll in, attend, and succeed in school. Find out how your state defines McKinney-Vento components.
Concerning confidentiality of information, the school is responsible for ensuring that no barriers exist to full educational participation for homeless children and that homeless students are not segregated or stigmatized. Consequently, sensitivity and confidentiality are extremely important in this process. Divulging McKinney-Vento status when corresponding with staff
SCHOOL BUSINESS AFFAIRS | APRIL 2022 31