Page 24 - Privacy_Program

NOTICE OF PRIVACY PRACTICES REGARDING PRPI [DP120B]


        Scope: Enterprise
        Distribution: Executive Leadership Team; Director of Information Technology, Privacy and Data Security; All Services and
        Programs employees and others with access to privacy‐restricted information
        Purpose: To meet obligations with regard to informing participants of their privacy rights.
        External Regulation or Standard: Minnesota Government Data Practices Act


        Who is Responsible     Statement    Policy, Standard, or Procedure Statement
                                Number
        Employees with access   DP120B.1    The organization will give adequate notice to participants regarding the use or
        to Privacy‐Restricted               disclosure of their Privacy‐Restricted Participant Information (PRPI), their rights
        Participant Information             with respect to such use or disclosure, and the organization’s legal duties
                                            pursuant to the MGDPA.

        Director of Information   DP120A.2   The content of the notice regarding the use and disclosure of PHI pursuant to
        Technology, Privacy and             45 C.F.R. §164.520 shall comply with the policies and procedures that are
        Data Security                       described herein.


        Director of Information   DP120A.3   Notice given to a participant regarding the use and disclosure of PHI must be
        Technology, Privacy and             written in plain language and contain the statement prominently displayed: "THIS
        Data Security                       NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED
                                            AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
                                            PLEASE REVIEW IT CAREFULLY."

        Director of Information   DP120A.4   The notice must contain descriptions in sufficient detail to place the individual on
        Technology, Privacy and             notice of the uses and disclosures that are permitted or required by HIPAA and
        Data Security                       other applicable laws, including:
        Director of Information   DP120A.4a   (a)  A description and at least one example of the types of uses and disclosures
        Technology, Privacy and             that the organization is permitted by law to make for each of the following
        Data Security                       purposes: treatment, payment, and health care operations.

        Director of Information   DP120A.4b   (b)  A description of each of the other purposes for which the organization is
        Technology, Privacy and             permitted or required by the privacy regulations to use or disclose PHI without
        Data Security                       the individual’s written authorization including, if applicable:

        Director of Information   DP120A.4b.i   •   uses and disclosures required by law;
        Technology, Privacy and
        Data Security
        Director of Information   DP120A.4b.ii   •   uses and disclosures for public health activities;
        Technology, Privacy and
        Data Security
        Director of Information   DP120A.4b.iii   •   disclosures about victims of abuse, neglect or domestic violence;
        Technology, Privacy and
        Data Security
        Director of Information   DP120A.4b.iv   •   uses and disclosures for health oversight activities;
        Technology, Privacy and
        Data Security



         GES CONFIDENTIAL