Page 7 - Privacy_Program
PROGRAM PARTICIPANT PRIVACY POLICY [DP100]
Scope: Enterprise
Distribution: Executive Leadership Team; Director of Information Technology, Privacy and Data Security; Directors, Managers, and
Supervisors; All Services and Programs Employees; and other employees with access to Protected Health Information (PHI) and
other Privacy‐Restricted Participant Information (PRPI)
Purpose: To define privacy leadership responsibilities in the organization.
External Regulation or Standard: GAPP Principle 1: Management, Minnesota Government Data Practices Act, Health Information
Portability and Accountability Act
Statement Number: DP100.1
Who is Responsible: S&P, Finance and Other Staff Access to PHI
Policy, Standard, or Procedure Statement: All employees with access to Protected Health Information for the purpose of performing administrative functions related to billing, document management, Information Technology and other functions must comply with all applicable Health Information Portability and Accountability Act (HIPAA rules) related to Protected Health Information (PHI). See DP‐112 – DATA CLASSIFICATION POLICY for the definition of PHI.

Statement Number: DP100.2
Who is Responsible: All Employees with Access to Privacy Restricted Participant Information (PRPI)
Policy, Standard, or Procedure Statement: All employees with access to Privacy Restricted Participant Information for the purpose of providing services or performing administrative functions related to billing, document management, Information Technology and other functions must comply with all applicable Minnesota Government Data Practices Act (MGDPA) rules related to Privacy Restricted Participant Information. This applies to participants in S&P programs that have contracts with the State of Minnesota or other county or local government agencies (e.g., Minneapolis Employment and Training Program, Hennepin County, Ramsey County, Extended Employment, and other government‐funded services) and staff in those divisions that provide support services (e.g., Finance, Legal, Information Technology) to the extent that they collect, store, disseminate or use “Private Data” or “Confidential Data” to provide contracted services to the State of or other county or local government entities

Statement Number: DP100.3
Who is Responsible: All Employees with Access to PRPI
Policy, Standard, or Procedure Statement: “Private Data” and “Confidential Data” about program participants is considered Privacy Restricted Information as described in DP‐112 – DATA CLASSIFICATION POLICY.

Statement Number: DP100.4
Who is Responsible: S&P Employees
Policy, Standard, or Procedure Statement: Staff members must provide a Tennessen Warning to each participant at the time that the participant’s private or confidential information is requested. A sample warning is included in this policy.

Statement Number: DP100.5
Who is Responsible: S&P Employees
Policy, Standard, or Procedure Statement: Staff members must obtain appropriate, signed privacy authorizations from participants during their intake or orientation and as needed to ensure authorizations are current. Also see DP130A – AUTHORIZATION FOR USE AND DISCLOSURE OF PRPI and DP130B – AUTHORIZATION FOR USE AND DISCLOSURE OF PHI.

Statement Number: DP100.6a
Who is Responsible: All Employees with Access to Privacy‐Restricted Data
Policy, Standard, or Procedure Statement: Any unauthorized release of Privacy Restricted information will be immediately reported to the program manager or director upon discovery of the release, and all necessary steps will be taken to mitigate any harmful effect that disclosure may have on the individual. The unauthorized release will also be
GES CONFIDENTIAL 7