CITY OF PASCO ADMINISTRATIVE ORDERS
Administrative Order No. 81
Personnel Policies & Procedures
Subject: HIPAA Privacy Policy and Security Plan
Initial Effective Date: 12/0
Revised:
Approved:

I. PURPOSE
The purpose of this plan is to ensure that the City of Pasco is in compliance with the Federal Health Insurance Portability and Accessibility Act of 1996 and ensure employee, customer and retiree confidence in the confidentiality of protected health information (PHI).

II. DEFINITIONS
Ambulance Service: Emergency Medical Service provided by the City of Pasco Fire Department.
Business Associate: A business, agent or corporation that assists the City of Pasco administer, plan, invoice or insure benefits, services and obligations incumbent on the City.
Flexible Spending: A Flexible Spending Account authorized under section 125 of the IRS code.
Health Insurance Plan: A medical/dental service plan provided by the City of Pasco to employees and to help the City meet its obligation to LEOFF I members.
HIPAA: Health Insurance Portability and Accessibility Act of 1996.
LEOFF I: Those Firefighters and Police Officers who are eligible under the LEOFF I retirement plan of the State of Washington.
PHI: Protected Health Information.

III. POLICY
All PHI, whether in electronic, paper or other format, shall be securely maintained, with access limited to specified individuals. Electronic (maintained as computer files) PHI shall be password protected. All other PHI (maintained as paper or other non-electronic format) shall be kept in locked files or locations. This Administrative Order adopts the security plan defined in Appendix A. Appendix B lists City of Pasco employees and business associates who shall be permitted access to PHI and who shall be responsible for maintaining the confidentiality of PHI.
Those authorized to work with PHI shall maintain the security of PHI and the data it contains and shall take reasonable steps to prevent unauthorized observation of or access to PHI. The City will assist employees to maintain the security of PHI by providing lockable files and making reasonable modifications to workstations, equipment, furniture, document storage, and electronic processing equipment. The City Manager, with the advice of the Privacy Officer, shall determine which requests for modifications may be authorized.

IV. PROCEDURE
A. The procedures defined in Appendix A shall be implemented immediately upon this Administrative Order (A.O.) being issued.
B. All City employees shall receive training in the principles and procedures specified within this Administrative Order. Employees identified in Appendix B shall receive special training on appropriate handling and distribution of PHI.
C. Individuals and organizations identified in Appendix B shall be named by the City Manager with the advice of the Privacy Officer. From time to time, it may be necessary for the City Manager to revise or amend this A.O. or appendices.
D. Employees and others authorized to access PHI shall not intentionally disclose, reveal, allow unauthorized access to or transmit PHI (verbally, electronically or in written form) except as necessary to complete duties assigned or authorized under Federal or State Law, City Ordinance, job classification or appointed capacity.
E. Each Business Associate shall adhere to the provisions of its Business Associate Agreement filed with the City Clerk.

V. RESPONSIBILITY
A. The Human Resources Manager is designated the City Privacy Officer.
B. Complaint Process: Individuals who wish to submit:
• complaints about how PHI is handled, or
• complaints about the proper implementation of this policy, or
• proposed changes to this policy
may do so following the process described in Appendix A, Section D, of this Administrative Order.
C. The Privacy Officer will maintain a log of complaints or proposals received.
D. The Privacy Officer will review the log monthly, investigate and address the complaints or proposals and make necessary changes to current policies or practices as necessary.
E. Training: Within 30 days of the implementation of this Administrative Order, or upon beginning employment with the City, all employees will receive a copy of this Administrative Order with appendices and will receive training on the purpose of the HIPAA privacy rule and the right of employees to control their personal health information.

VI. DISCIPLINARY ACTION
City of Pasco employees who fail to comply with the procedures of this administrative order (including appendices) shall be subject to appropriate disciplinary action, up to and including termination. Others, including business associates and members of boards and commissions who fail to comply with procedures for maintaining the privacy of PHI shall be subject to sanction by the City, up to and including termination of their relationship with the City of Pasco.

ADMINISTRATIVE ORDER NO. 81
APPENDIX A: PLAN DOCUMENT
THE USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION

A. Use and Disclosure of Protected Health Information (PHI)
Those City of Pasco employees, board members, and Business Associates listed in Appendix B shall use protected health information (PHI) only to the extent and in accordance with the uses and disclosures permitted by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). They shall only be permitted limited use of PHI or to disclose specific PHI for reasons that permit or require such limited, specific use or disclosure, including but not limited to, for purposes related to health care treatment, payment of health care costs, emergency services and health care operations/services.

1. Payment: Includes activities undertaken by the Plan to obtain payments for services or premiums, or determine or fulfill the Plan's responsibility for coverage and provision of employee benefits, City services or mandated obligations relating to those for whom health care is provided. These activities include, but are not limited to, the following:
• determination of eligibility, coverage and cost sharing amounts (for example, costs of benefits, plan maximums and co-payments as determined for an individual's claim);
• coordination of benefits;
• adjudication of health benefit claims (including appeals and other payment disputes);
• subrogation of health benefit claims;
• establishing employee contributions;
• adjusting amounts due based on enrollee health status and demographic characteristics;
• billing, collection activities and related health care data processing;
• claims management and related health care data processing, including auditing payments, investigating and resolving payment disputes and responding to participant inquiries about payments;
• obtaining payments under reinsurance (including stop-loss and excess loss insurance);
• medical necessity or appropriateness reviews, or reviews of justification of charges;
• utilization reviews, including pre-certification, preauthorization, concurrent reviews and retrospective reviews;
• disclosure to consumer reporting agencies for the collection of premiums or reimbursements (the following PHI may be disclosed for payment purposes: name and address, date of birth, Social Security number, payment history, account number and name and address of the provider and/or health plan); and
• reimbursement to the plan.

2. Health Care Operations: Include, but are not limited to, the following activities:
• quality assessment;
• insured population-based activities for improving health or reducing health care costs, protocol development, case management and care coordination, disease management, contacting health care providers and patients with information about treatment alternatives, and related functions;
• rating provider and plan performance, including accreditation, certification, licensing and credentialing activities;
• underwriting, premium rating and other activities related to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing or placing a contract for reinsurance of risk relating to health care claims (including stop-loss insurance and excess loss insurance);
• conducting or arranging for medical reviews, legal services and auditing functions, including fraud and abuse detection and compliance programs;
• business planning and development, such as conducting cost-management and planning analyses related to managing and operating the Plan, including formulary development and administration, development or improvement of payment methods or coverage policies;
• business management and general administrative activities of the Plan, including, but not limited to:
  - management activities relating to the implementation of and compliance with HIPAA's administrative simplification requirements, or
  - customer service, including the provision of data analyses for policyholders, plan sponsors or other customers;
  - resolution of internal grievances; and
  - due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor in interest is a "covered entity" under HIPAA or, following completion of the sale or transfer, will become a covered entity.

B. The Plan Will Use and Disclose PHI as Required by Law and as Permitted by Authorization of the Participant or Beneficiary
With appropriate authorization, the City will disclose PHI to Business Associates for purposes related to administration of these plans. Business Associate privacy agreements may be found in the Official Records of the City of Pasco maintained by the City Clerk.

C. For Purposes of This Section, The City of Pasco Is the Plan Sponsor
The Plan will disclose PHI to the Plan Sponsor only upon receipt of certification from the Plan Sponsor that the plan documents have been amended to incorporate the following provisions:

1. With respect to PHI, the Plan Sponsor agrees to:
• not use or further disclose PHI other than as permitted or required by the plan document or as required by law;
• ensure that any agents, including subcontractors, to whom the Plan Sponsor provides PHI agree to the same restrictions and conditions that apply to the Plan Sponsor with respect to such PHI;
• not use or disclose PHI for employment-related actions and decisions unless authorized by an individual;
• not use or disclose PHI in connection with any other benefit or employee benefit plan of the Plan Sponsor unless authorized by the relevant individual;
• report to the Plan if it becomes aware of any PHI use or disclosure that is inconsistent with the uses or disclosures provided for;
• make PHI available to an individual in accordance with HIPAA's access requirements;
• make PHI available for amendment and incorporate any amendments to PHI in accordance with HIPAA;
• make available information required to provide an accounting of disclosures;
• make internal practices, books and records relating to the use and disclosure of PHI received from Plan available to the HHS Secretary for the purposes of determining the Plan's compliance with HIPAA; and
• when feasible, return or destroy all PHI received from the Plan that the Plan Sponsor maintains in any form, and retain no copies of those PHI when no longer needed for the purpose for which disclosure was made (or if return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction infeasible).

2. Adequate Separation Between the Plan and the Plan Sponsor Must Be Maintained: In accordance with HIPAA, only the employees or classes of employees listed in Appendix B will have access to PHI related to:
• Medical/Dental plan enrollees;
• ambulance/first aid services recipients;
• LEOFF I medical services reimbursement or authorization and payment.

3. Limitations of PHI Access and Disclosure: Those listed in Appendix B may only be allowed access to, use, and disclose PHI for plan administrative functions that the Plan Sponsor performs, or as emergency service and administrative functions related to service to the public in accordance with Administrative Order 81.

D. Complaint Procedure
Complaints regarding the handling of PHI or compliance with the HIPAA Privacy Rule may be submitted to the Privacy Officer if the following conditions are met:
• the complaint must be in writing; and
• the complaint must be submitted within 90 days of the date the alleged violation occurred.
The Privacy Officer may conduct an investigation regarding the specific complaint or may request another agency to perform a compliance review to ascertain whether this plan and City operations are in compliance with the Privacy Rule. If a violation is found, the City will seek an informal resolution of the complaint whenever possible, which includes allowing the City a reasonable amount of time to come into compliance.
If the complainant is not satisfied with the proposed resolution of the alleged complaint, a written complaint may be submitted to the Office of Civil Rights, United States Department of Health and Human Services.

E. Noncompliance Issues
If the persons or organizations listed in Appendix B fail to comply with the provisions of this document, the Plan Sponsor may implement disciplinary procedures defined in the body of Administrative Order 81.

F. Training and Documents
During the life of this plan:
1. All employees will be trained on their privacy rights and the basic protections this Plan Document offers regarding PHI.
2. Employees not listed in Appendix B will:
• receive the training defined in F.1, above; and
• sign a form similar to Appendix C confirming that they have been informed of their right to protect PHI and the City's policy to ensure that protection.
3. Employees listed in Appendix B will receive:
• training in the definition of PHI;
• training on their responsibility to protect the confidentiality of all PHI, including electronic, physical, and verbal.
4. Consumers of City services for whom employees handle PHI will receive a Privacy Statement as specified in Appendix E.
5. Business Associates will receive a copy of Policy Appendices A and B and will sign a PHI privacy agreement, Appendix D, with the Plan Sponsor. These agreements will be maintained with other Official Documents by the City Clerk.
ADMINISTRATIVE ORDER NO. 81: APPENDIX B
HIPAA ACCESS TO PROTECTED HEALTH INFORMATION BY THOSE INDICATED FOR THE FOLLOWING PURPOSES

First column: CITY JOB CLASSIFICATION/ASSOCIATE PERMITTED ACCESS TO PHI
PURPOSE OF ACCESS columns: EMPLOYEE HEALTH INSURANCE; FIRE DEPT AMBULANCE SERVICE; LEOFF DISABILITY BOARD; SENIOR HEALTH CARE; FLEXIBLE SPENDING ACCOUNT

City Manager VO
Information Svcs Mgr Y 40
Information Svcs Spec 40
Finance Manager VO
Accounting Supervisor
Senior Accountant VO
Adm Com Svcs Director
Human Resources Asst YO
Payroll Clerk
Executive Secretary '/
Information Svcs Tech
Human Resources Mgr W V 40
Fire Chief
Accounts Receivable Clk
Accounts Receivable Clk VO
Accounts Payable Clk
Accounting Clerk 40
Cncl Memb-LEOFF Bd
Cncl Memb-LEOFF Bd
LEOFF Ind Board Memb
LEOFF Fire Bd Member
LEOFF Police Bd Memb
Firefighter/Paramedic
Firefighter
Fire Lieutenant
Fire Captain
Recreational Svcs Mgr
Health Screen RN
Health Screen Vol RN
Foot Care Nurse
Sr Center Rec Specialist
Front Desk Volunteer
Ins & Fin Consultants V 40
Insurance Prov/Admin
Pointshare/Siemens
Yakima Cnty Long Term Care/Pasco Sr Cntr Staff

The check (✓) denotes Protected Health Information may be accessed for the indicated purpose.

ADMINISTRATIVE ORDER NO. 81: APPENDIX C
NOTICE OF PRIVACY PRACTICES FOR PROTECTED HEALTH INFORMATION

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN ACCESS THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

In compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the City of Pasco is required to take reasonable steps to ensure the privacy of your personally identifiable health information and to inform you about:
• Plan uses and disclosures of Protected Health Information. The term "Protected Health Information" (PHI) includes all individually identifiable health information transmitted or maintained by the Plan, regardless of form (oral, written, electronic, and others);
• your privacy rights with respect to your PHI;
• Plan duties with respect to PHI;
• your right to file a complaint with the Plan and to the U.S. Secretary of Health and Human Services; and
• the person or organization to contact for further information about Plan privacy practices.

SECTION 1: NOTICE OF PHI USES AND DISCLOSURES

A. Required PHI Uses and Disclosures
1. Upon your request, the Plan is required to give you access to certain PHI to inspect or copy.
2. Use and disclosure of your PHI may be required by the Secretary of Health and Human Services to investigate or determine Plan compliance with privacy regulations.

B. Uses and Disclosures To Carry Out Treatment, Payment and Health Care Operations
The Plan and its business associates will use PHI without your consent, authorization or opportunity to agree or object to carry out treatment, payment and healthcare procedures. The Plan will disclose PHI to the Plan Sponsor (City of Pasco) for purposes related to treatment, payment and health care procedures. As required by federal law, the Plan Sponsor has amended its plan documents to protect your PHI.
1. Treatment is the provision, coordination or management of health care and related services. It includes, but is not limited to, consultations and referrals between one or more of your providers. For example, the Plan may disclose the name of your family physician to a medical specialist from whom you are receiving treatment so the specialist may request your case history from your physician.
2. Payment includes, but is not limited to, actions to make coverage determinations and payments (including billing, claims management, subrogation, plan reimbursement, reviews for medical necessity and appropriateness of care and utilization review and preauthorizations). For example, the Plan may tell a doctor whether you are eligible for coverage, or what percentage of the bill will be paid by the Plan.
3. Health care operations include, but are not limited to, quality assessments and improvements, reviewing competence or qualifications of health care professionals, underwriting, premium rating and other insurance activities relating to creating or renewing insurance contracts. They include disease management, case management, conducting or arranging for medical review, legal services and auditing functions, including fraud and abuse compliance programs, business planning and development, business management and general administrative activities. For example, the Plan may use information about your claims to refer you to a disease or health management program, project future benefit costs, or audit the accuracy of its claims processing functions.

SECTION 2: RIGHTS OF INDIVIDUALS

A. Right to Request Restrictions on PHI Uses and Disclosures
You may request that the Plan restrict uses and disclosures of your PHI to carry out treatment, payment or health care operations, or to restrict uses and disclosures to family members, relatives, friends or other persons identified by you who are involved in your care or payment for your care. However, the Plan is not required to agree to such requests.
1. The Plan will accommodate reasonable requests to receive communications of PHI by alternative means or at alternative locations.
2. You, or your personal representative, will be required to complete a form to request restrictions on uses and disclosures of your PHI.
3. Such requests should be made to the City of Pasco Privacy Officer.

B. Right to Inspect and Copy PHI
1. You have a right to inspect and obtain a copy of your PHI contained in a "designated record set" for as long as the Plan maintains the PHI.
a. Protected Health Information (PHI) includes all individually identifiable health information transmitted or maintained by the Plan, regardless of form.
b. Designated Record Set includes the medical records and billing records about individuals maintained by or for a covered health care provider; enrollment, payment, billing, claims adjudication, and case or medical management record systems maintained by or for a health plan; or other information used in whole or in part by or for the covered entity to make decisions about individuals. Information used for quality control or peer review analyses and not used to make decisions about individuals is not included in the designated record set.
2. The requested information will be provided within 30 days if the information is maintained on site, or within 60 days if the information is maintained off-site. A single 30-day extension is allowed if the Plan is unable to comply with the first deadline.
3. You or your personal representative will be required to complete a form to request access to the PHI in your designated record set. Requests for access to PHI should be made to the Privacy Officer.
4. If access is denied, you or your personal representative will be provided with a written statement setting forth the basis for the denial, a description of how you may exercise review rights and a description of how you may complain to the Secretary of Health and Human Services.

C. Right to Amend PHI
1. You have the right to request the Plan to amend your PHI or a record about you in a designated record set for as long as the PHI is maintained in the designated record set.
2. The Plan has 60 days after the request is made to act on the request.
A single 30-day extension is allowed if the Plan is unable to comply with the deadline. If the request is denied in whole or part, the Plan must provide you with a written declaration explaining the basis for the denial. You or your personal representative may then submit a written statement disagreeing with the denial and have that statement included with any future disclosures of your PHI.
3. Requests for amendment of PHI in a designated record set should be made to the Privacy Officer.
4. You or your personal representative will be required to complete a form to request amendment of the PHI in your designated record set.

D. The Right to Receive an Accounting of PHI Disclosures
1. At your request, the Plan will also provide you with an accounting of disclosures by the Plan of your PHI during the six years prior to the date of your request. However, such accounting need not include PHI disclosures made: (1) to carry out treatment, payment or health care operations; (2) to individuals about their own PHI; (3) prior to the compliance date; or (4) based on your written authorization.
2. If the accounting cannot be provided within 60 days, an additional 30 days is allowed if the individual is given a written statement of the reasons for the delay and the date by which the accounting will be provided.
3. If you request more than one accounting within a 12-month period, the Plan will charge a reasonable, cost-based fee for each subsequent accounting.

E. The Right to Receive a Paper Copy of This Notice Upon Request:
To obtain a paper copy of this Notice contact the Privacy Officer.

F. Personal Representatives
1. You may exercise your rights through a personal representative. Your personal representative will be required to produce evidence of authority to act on your behalf before granted access to your PHI or allowed to take any action for you. Proof of such authority may take one of the following forms:
a. a power of attorney for health care purposes, notarized by a notary public;
b. a court order of appointment of the person as the conservator or guardian of the individual; or
c. an individual who is the parent of a minor child.
2. The Plan retains discretion to deny access to your PHI to a personal representative to provide protection to those vulnerable people who depend on others to exercise their rights under these rules and who may be subject to abuse or neglect. This also applies to personal representatives of minors.

SECTION 3: PLAN DUTIES

A. The Plan is required by law to maintain the privacy of PHI and to provide individuals (participants and beneficiaries) with notice of its legal duties and privacy practices.
1. This notice is effective beginning April 14, 2003 and the Plan is required to comply with the terms of this notice. However, the Plan reserves the right to change its privacy practices and to apply the changes to any PHI received or maintained by the Plan prior to that date. If a privacy practice is changed, a revised version of this notice will be provided upon request following Public Notice.
2. Any revised version of this notice will be made available within 60 days of the effective date of any material change to the uses or disclosures, the individual's rights, the duties of the Plan or other privacy practices stated in this notice.

B. Minimum Necessary Standard
1. When using or disclosing PHI or when requesting PHI from another covered entity, the Plan will make reasonable efforts not to use, disclose or request more than the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure or request, taking into consideration practical and technological limitations.
2. However, the minimum necessary standard will not apply in the following situations:
a. disclosures to or requests by a health care provider for treatment;
b. uses or disclosures made to the individual;
c. disclosures made to the Secretary of Health and Human Services; and
d. uses or disclosures that are required by law or for Plan compliance with legal regulations.
3. This notice does not apply to information that has been de-identified. De-identified information is information that does not identify an individual and for which there is no reasonable basis to believe that the information can be used to link an individual to identifiable health information.
4. In addition, the Plan may use or disclose "summary health information" to the plan sponsor for obtaining premium bids or modifying, amending or terminating the group health plan. Summary health information summarizes claim history, claim expenses or types of claims experienced by individuals for whom a plan sponsor has provided health benefits under a group health plan, and from which identifying information has been deleted in accordance with HIPAA.

SECTION 4: YOUR RIGHT TO FILE A COMPLAINT WITH THE PLAN OR THE SECRETARY OF HEALTH AND HUMAN SERVICES
A. If you believe that your privacy rights have been violated, you may complain to the Plan in care of the City of Pasco Privacy Officer.
B. You may file a complaint with the U.S. Secretary of Health and Human Services, Hubert H. Humphrey Building, 200 Independence Avenue S.W., Washington, D.C. 20201.
C. The Plan will not retaliate against you for filing a complaint.

SECTION 5: WHOM TO CONTACT AT THE PLAN FOR MORE INFORMATION
If you have any questions regarding this notice or the subjects addressed in it, you may contact the Human Resources Manager.

CONCLUSION
PHI use and disclosure by the Plan is regulated by a federal law known as HIPAA (the Health Insurance Portability and Accountability Act). You may find these rules at 45 Code of Federal Regulations Parts 160 and 164. This notice attempts to summarize those regulations.
In the event of a discrepancy between the information in this notice and Federal Regulations, the regulations shall control.

CITY OF PASCO
SUMMARY OF NOTIFICATION PRACTICES FOR PROTECTED HEALTH INFORMATION

Uses and disclosures that require your written authorization:
Your written authorization generally will be obtained before the Plan will use or disclose psychotherapy notes about you. Psychotherapy notes are separately filed notes about your conversations with your mental health professional during a counseling session. They do not include summary information about your mental health treatment. The Plan may use and disclose such notes when needed by the Plan to defend against litigation filed by you.

Uses and disclosures that require that you be given an opportunity to agree or disagree prior to the use or release:
Disclosure of your PHI to family members, other relatives and your close personal friends is allowed if
1. the information is directly relevant to the family or friend's involvement with your care or payment for that care; and
2. you have either agreed to the disclosure or have been given an opportunity to object and have not objected.

Uses and disclosures for which consent, authorization or opportunity to object is not required:
Use and disclosure of your PHI is allowed without your consent, authorization or request under the following circumstances:
1. When required by law.
A. When permitted for purposes of public health activities, including when necessary to report product defects, to permit product recalls and to conduct post-marketing surveillance. PHI may also be used or disclosed if you have been exposed to a communicable disease or are at risk of spreading a disease or condition, if authorized by law.
B. When authorized by law to report information about abuse, neglect or domestic violence to public authorities if there exists a reasonable belief that you may be a victim of abuse, neglect or domestic violence. In such case, the Plan will promptly inform you that such a disclosure has been or will be made unless that notice would cause a risk of serious harm. For the purpose of reporting child abuse or neglect, it is not necessary to inform the minor that such a disclosure has been or will be made. Disclosure may generally be made to the minor's parents or other representatives although there may be circumstances under federal or state law when the parents or other representatives may not be given access to the minor's PHI.
C. The Plan may disclose your PHI to a public health oversight agency for oversight activities authorized by law. This includes uses or disclosures in civil, administrative or criminal investigations; inspections; licensure or disciplinary actions (for example, to investigate complaints against providers); and
D. other activities necessary for appropriate oversight of government benefit programs (for example, to investigate Medicare or Medicaid fraud).
2. The Plan may disclose your PHI when required for judicial or administrative proceedings. For example, your PHI may be disclosed in response to a subpoena or discovery request provided certain conditions are met. One of those conditions is that satisfactory assurances must be given to the Plan that the requesting party has made a good faith attempt to provide written notice to you, and the notice provided sufficient information about the proceeding to permit you to raise an objection and no objections were raised or were resolved in favor of disclosure by the court or tribunal.
3. When required for law enforcement purposes (for example, to report certain types of wounds).
A. For law enforcement purposes, including for the purpose of identifying or locating a suspect, fugitive, material witness or missing person. Also, when disclosing information about an individual who is or is suspected to be a victim of a crime but only if the individual agrees to the disclosure or the covered entity is unable to obtain the individual's agreement because of emergency circumstances. Furthermore, the law enforcement official must represent that the information is not intended to be used against the individual, the immediate law enforcement activity would be materially and adversely affected by waiting to obtain the individual's agreement and disclosure is in the best interest of the individual as determined by the exercise of the Plan's best judgment.
B. When required to be given to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death or other duties as authorized by law. Also, disclosure is permitted to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent.
4. The Plan may use or disclose PHI for research, subject to conditions. When consistent with applicable law and standards of ethical conduct if the Plan, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public and the disclosure is to a person reasonably able to prevent or lessen the threat, including the target of the threat.
5. When authorized by and to the extent necessary to comply with worker compensation or other similar programs established by law.

Except as otherwise indicated in this document, uses and disclosures shall be made only with your written authorization subject to your right to revoke such authorization.