WELD COUNTY CODE ORDINANCE 2012-10

IN THE MATTER OF REPEALING AND REENACTING, WITH AMENDMENTS, CHAPTER 3 HUMAN RESOURCES, OF THE WELD COUNTY CODE

BE IT ORDAINED BY THE BOARD OF COUNTY COMMISSIONERS OF THE COUNTY OF WELD, STATE OF COLORADO:

WHEREAS, the Board of County Commissioners of the County of Weld, State of Colorado, pursuant to Colorado statute and the Weld County Home Rule Charter, is vested with the authority of administering the affairs of Weld County, Colorado, and

WHEREAS, the Board of County Commissioners, on December 28, 2000, adopted Weld County Code Ordinance 2000-1, enacting a comprehensive Code for the County of Weld, including the codification of all previously adopted ordinances of a general and permanent nature enacted on or before said date of adoption, and

WHEREAS, the Weld County Code is in need of revision and clarification with regard to procedures, terms, and requirements therein.

NOW, THEREFORE, BE IT ORDAINED by the Board of County Commissioners of the County of Weld, State of Colorado, that certain existing Chapters of the Weld County Code be, and hereby are, repealed and re-enacted, with amendments, and the various Chapters are revised to read as follows:

CHAPTER 3 HUMAN RESOURCES

ADD the following:

Article XV HIPAA Policies and Procedures

Sec. 3-15-10 Purpose, authority and applicability.
Sec. 3-15-20 Definitions.
Sec. 3-15-30 Privacy Officer and Privacy Policy.
Sec. 3-15-40 Authorization for disclosure of PHI.
Sec. 3-15-50 Disclosure of PHI without Authorization or Objection of Individual.
Sec. 3-15-60 Disclosure of PHI required by law.
Sec. 3-15-70 Requests for disclosure of PHI.
Sec. 3-15-80 Notice of disclosure of PHI.
Sec. 3-15-90 Personal representatives.
Sec. 3-15-100 Business associates.
Sec. 3-15-110 Confidential communications of PHI.
Sec. 3-15-120 Requests for restricted use of PHI.
Sec. 3-15-130 Requests to access, inspect and/or obtain copy of PHI.
Sec. 3-15-140 Requests to amend PHI.
Sec. 3-15-150 Accountings of disclosures of PHI.
Sec. 3-15-160 Complaints regarding these policies and procedures.
PAGE 1 2012-2812 ORD2012-10
Sec. 3-15-170 Policy prohibiting retaliation.
Sec. 3-15-180 Security of PHI.
Sec. 3-15-190 Breach of Security.
Sec. 3-15-200 Destruction and Disposal of PHI.
Sec. 3-15-210 Transmittal of PHI.

Sec. 3-15-10. Purpose, authority and applicability.

A. On August 14, 2002, the U.S. Department of Health and Human Services ("HHS") published final regulations for Standards for Privacy of Individually Identifiable Health Information ("the Privacy Rule"). The Rule was established to provide national standards for the protection and privacy of Protected Health Information. The purpose of this Article XV is the establishment of the Health Insurance Portability and Accountability Act Policies and Procedures ("HIPAA Policies and Procedures") for the employees of the Covered Department(s) of Weld County (collectively, the "Covered Employees").

B. This Article XV provides a comprehensive outline of Weld County's responsibilities for compliance with Federal HIPAA Privacy Regulations. Any policies, procedures, or forms promulgated by state or Federal health grant programs which are equal to or more stringent than Weld County's policies will take precedence over Weld County's. The Weld County policies in this Article XV are the minimum standard for Covered Employees; however, state or Federal grant programs may choose or require additional or alternative policies, procedures, or forms to accomplish the same HIPAA compliance requirement. In those instances, to ensure that grant requirements are met and to avoid redundant effort, the state or Federal grant policies, procedures, and forms may be used as long as they meet the minimum standards specified in this Article XV. Alternative grant policies, procedures, and forms must be approved by the HIPAA Privacy Officer.

C. Weld County's policy on confidential information applies in addition to any HIPAA policies on breach of privacy or confidentiality. Any HIPAA policies on personnel discipline for breach of privacy or confidentiality as set forth in this Article XV apply in addition to those cited in Weld County's Personnel Policies set forth in Chapter 3 of this Code. If there is conflict in any provision of the HIPAA policies concerning personnel discipline and Weld County's Personnel Policies concerning discipline and grievance, Weld County's Personnel Policies shall take precedence.

D. All members of Covered Departments shall be trained regarding HIPAA privacy policies and procedures with respect to PHI, as necessary and appropriate to carry out their duties and responsibilities.

Sec. 3-15-20. Definitions.

"Covered Departments" means those departments of Weld County, or any programs under the authority of such departments, which constitute a covered health care component under HIPAA. This includes the following departments:
    a. The Weld County Department of Public Health and Environment ("Health").
    b. The Weld County Department of Human Resources ("HR").
    c. The Weld County Department of Accounting ("Accounting").
    d. The Weld County Jail ("Jail").
    e. The Area Agency on Aging ("Area Agency").

"De-identified information" means health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual; such information is not individually identifiable health information.

"HIPAA" means the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d — 1320d8, as amended, and the regulations thereunder, 45 C.F.R. Parts 160 and 164.
"Business associate" means a person or entity (not a member of a covered entity's workforce) that helps a covered entity with a function or activity involving the use or disclosure of Individually Identifiable Health Information, or offers service to the covered entity which involves the disclosure of Individually Identifiable Health Information.

"Health information" means any information, whether oral or recorded in any form or medium, that:
    a. Is created or received by a covered department or other covered entity, and
    b. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

"Individually identifiable health information" means a subset of health information, collected from an individual, that:
    a. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
    b. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
    c. Identifies the individual; or
    d. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Routine health information meeting the above definition will be automatically designated as PHI immediately upon its creation or receipt by the Covered Employees.

"Payment" means the activities undertaken by:
    (i) A health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or
    (ii) A health care provider or health plan to obtain or provide reimbursement for the provision of health care.
"Protected health information (PHI)" means individually identifiable information, including demographic information collected from an individual, about a person's past, present, or future health care or payment for health care, maintained in any form or medium, or transmitted electronically.

"Psychotherapy notes" means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual's medical record. Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

"Treatment" means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.

Sec. 3-15-30. Privacy Officer and Privacy Policy.

A. The HIPAA Privacy Officer ("Privacy Officer") shall be the Director of Human Resources, or his or her designee. The Privacy Officer's primary responsibilities include:
    1. Development of the HIPAA Privacy Policies and Procedures. This shall include an annual review to ensure compliance with Federal and state law.
    2. Oversight of the HIPAA Privacy Policies and Procedures implementation.
    3. Preparation and oversight of distribution of the HIPAA Privacy Notice.
    4. Providing assistance to Covered Departments in determining potential risks and vulnerabilities to the integrity of PHI.
    5. Development, coordination and participation in the education and training for the Covered Employees.
    6. Development of an atmosphere to encourage staff to report possible noncompliance by Weld County, health insurance carriers and/or Third Party Administrators ("TPA").
    7. Acting on matters related to privacy compliance. This includes the design and coordination of internal reviews and any needed corrective action (e.g., revisions to HIPAA Privacy Policies and Procedures, institution of additional training, etc.).
    8. Coordination of disciplinary sanctions associated with violations of the HIPAA Privacy Policies and Procedures.
    9. Coordination of mitigating efforts in the event of a violation to the Privacy Rules.
    10. Review and accommodation, if appropriate, of individual requests for confidential communications of PHI.
    11. Review and accommodation, if appropriate, of individual requests for restrictions on use and disclosure of their own PHI.
    12. Review and accommodation, if appropriate, of individual requests for amendments to their own PHI. This includes notification of approval or denial of the amendment to the individual and/or any relevant Business Associate, as necessary.
    13. Preparation of PHI summaries, upon an individual's request for access to their own PHI records, in accordance with Section 3-15-120.
    14. Periodic revision of the HIPAA Privacy Policies and Procedures as a result of changes of Federal and state law.
    15. Receiving complaints against Covered Departments.

B. General Privacy Policy. It is the policy of Weld County to protect the privacy and confidentiality of patients' PHI by following the requirements of Federal and State law and Weld County's policies and procedures. The policy provides the basics of Weld County's privacy compliance framework. The policy should be provided to each individual as necessary to make informed decisions about their own PHI, and shall be generally available from the Privacy Officer.
    1. Required disclosures. Weld County may make disclosures without consent or authorization as required by law, as required for public health purposes, for certain health oversight activities, for certain judicial and administrative proceedings, for certain law enforcement activities, and to coroners or medical examiners.
    2. Unique restrictions on disclosures. A patient's request for a particular restriction on the use or disclosure of his or her PHI shall be referred to the Privacy Officer.
    3. Potential violations. Any person believing that Weld County has violated a policy or provision of law related to privacy issues must contact the Privacy Officer immediately. Weld County will not retaliate against employees who report in good faith. Weld County will take all reasonable steps to mitigate any damages caused by an improper use or disclosure of PHI.

C. Minimum necessary information. Covered Employees shall follow proper procedures to ensure that only the minimum amount of PHI necessary to accomplish the specific purpose of a use or disclosure is actually used or disclosed.

D. Covered Employees shall request only the minimum amount of PHI necessary to accomplish the specific purpose of the request. This includes routine and/or recurring requests.
    1. This policy does not apply to the following uses or disclosures:
        a. Disclosure to or requests by a provider for treatment.
        b. Uses or disclosures made to the individual who is the subject of the information.
        c. Uses or disclosures pursuant to an Authorization.
        d. Disclosures made to the Covered Departments.
        e. Uses or disclosures required by law, or for compliance with applicable laws and regulations, as determined by the Privacy Officer.
    2. All proposed uses or disclosures of PHI shall be reviewed by persons having an understanding of these privacy policies and practices, and sufficient expertise to understand and weigh the necessary factors.
    3. Covered Department employees shall only use, disclose, or request an entire medical record when the entire medical record is specifically justified as being reasonably necessary to accomplish the purpose of the use, disclosure, or request. Covered Employees shall document the request and justification for disclosure of the entire medical record, except when the entire medical record is disclosed to a provider for purposes of providing care.
    4. Within the Covered Departments, only appropriate personnel shall have access to PHI, as determined by the department director in conjunction with the Privacy Officer. Such individuals shall maintain the appropriate levels of access to PHI on a routine basis to appropriately accomplish their duties and responsibilities.
    5. The following criteria shall be used in limiting the amount of PHI requested (disclosed) by the Covered Employees:
        a. Do the individuals who are requesting or disclosing the PHI have a complete understanding of the purpose for the use or disclosure of the PHI?
        b. Are all of the individuals for whom the requested use or disclosure of the PHI is required identified?
        c. A request for an entire medical record requires the requestor to justify disclosure of the entire medical record as being reasonably necessary.
    6. Requests for disclosures of PHI shall be reviewed on an individual basis in accordance with the criteria listed in this policy.
    7. Covered Department employees may reasonably rely on requests by:
        a. Public health and law enforcement agencies in determining the Minimum Necessary information for certain disclosures;
        b. Other Covered Entities in determining the Minimum Necessary information for certain disclosures; or
        c. A professional who is a member of its workforce or is a Business Associate of a Covered Department for the purpose of providing professional services to the Covered Department, if the professional represents that the information requested is the Minimum Necessary for the stated purpose.
    8. Knowledge of a violation or potential violation of this policy must be reported directly to the Privacy Officer.

E. De-identified information shall not be disclosed if those Covered Department employees creating or disclosing the information, or any other employees of a Covered Department, have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information. De-identification requires the removal of names, addresses, birthdates, age, telephone/fax numbers, social security numbers, account numbers, license numbers, fingerprints, full face photographs, or any other unique identifier. Such de-identified information may be used or disclosed as a limited data set for research, public health, or health care operations, and may be provided to Business Associates pursuant to a written agreement.

F. Covered Departments, with the assistance of the Privacy Officer, shall comply with any other duty required by the Secretary of DHHS.

Sec. 3-15-40. Authorization for disclosure of PHI.

A. For all uses and disclosures of an individual's PHI, Covered Department shall obtain a signed authorization from the individual, unless the use or disclosure is required, or otherwise permitted without an authorization for treatment, payment or health care operations, or as otherwise permitted by 45 C.F.R. Part 164 (the Privacy Rule). Covered Department shall be permitted, but not required, to obtain consent for disclosure related to treatment, payment, or health care operations.

B. Covered Department shall comply with the requirements set forth in 45 C.F.R. § 164.508 to obtain authorization to use or disclose PHI.

C. Covered Department shall not condition treatment, payment, or enrollment in the health plan, or eligibility for benefits on the provision of an authorization, unless the authorization sought is for the health plan's eligibility or enrollment determinations relating to the individual or for its underwriting or risk rating determinations.

D. Covered Department shall obtain a signed authorization from all individuals before using or disclosing their PHI for purposes other than treatment, payment, or health care operations. Additionally, PHI may be disclosed without a signed authorization under certain circumstances, as listed in the Privacy Policy.

E. Authorization is required for the disclosure of psychotherapy notes, except to the originator of the notes for treatment, payment, or health care operations.

F. The authorization shall be written in plain language, and shall allow individuals to request that their PHI be used or disclosed for specific purposes.

G. When Covered Department initiates an authorization to use or disclose PHI for its own purposes, Covered Department shall provide individuals with any facts they need to make an informed decision as to whether to allow release of the information.

H. The authorization shall not be combined with another document to create a compound authorization, unless:
    1. The other document is a similar authorization;
    2. If the authorization is for the disclosure of psychotherapy notes, the other document is also an authorization for the disclosure of psychotherapy notes; or

I. Whenever a Covered Department requests an authorization from an individual, Covered Departments shall use a form which complies with this policy and with HIPAA generally. Nothing in this policy prohibits a Covered Department from jointly using any form with other Covered Departments or other treatment providers with which the Covered Department shares information pursuant to an Organized Health Care Arrangement.
The form must be completed in full, including a description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.

J. In the event that the authorization is signed by a personal representative of the individual, the authorization shall contain a description of the representative's authority to act for the individual.

K. Covered Department shall provide the individual with a copy of the signed authorization.

L. Covered Department shall invalidate the authorization if:
    1. Any material information in the authorization is known by Covered Department to be false or revoked.
    2. The requirements of the authorization have not been filled out completely.
    3. The expiration date has passed or the expiration event is known by Covered Department to have occurred.

M. Covered Department shall document and retain the signed authorization for a period of at least six years from the date of its creation or the date when it last was in effect, whichever is later.

N. Covered Department shall not condition an individual's treatment, payment, enrollment or eligibility for benefits on the provision of an authorization to use or disclose PHI. All authorization forms for the use or disclosure of PHI shall include a statement that the individual's treatment and payment for services shall not be conditioned on provision of the authorization, except as permitted by law.

O. Covered Department shall allow an individual to revoke an authorization to use or disclose their PHI, except in situations where:
    1. Covered Department has taken action in reliance thereon.
    2. The authorization was obtained as a condition of obtaining insurance coverage and state law provides the insurer with the right to contest a claim under the policy or the policy itself.

P. Covered Department shall take all necessary steps to honor and comply with an individual's revocation of an authorization to use or disclose PHI, unless stated otherwise in this policy. Covered Department shall not impose a time restriction on when an individual may revoke authorization to use or disclose their PHI. Covered Department shall require individuals to request the revocation of authorization to use or disclose PHI in writing.

Sec. 3-15-50. Disclosure of PHI without Authorization or Objection of Individual.

A. Covered Department may disclose PHI without a valid authorization in limited circumstances, if the individual is given the opportunity to object to such disclosure.

B. A Covered Department which is a health care provider may, under this section:
    1. Maintain a facility directory including the individual's name, location at the facility, condition (in general terms), and religious affiliation (which is only to be provided to members of clergy).
    2. Disclose the individual's specific health information to family, close friends, or anyone else identified by the individual to be involved in relevant care, payment, or necessary notification.

C. The individual must be informed of the opportunity to object, unless impracticable due to emergency circumstances. If the individual is present, PHI may be disclosed if the individual agrees, does not object, or it can be reasonably inferred that the individual does not object. If the individual is not present, or unable to agree or object, PHI may be disclosed if in the individual's best interests, in the provider's professional judgment.

Sec. 3-15-60. Disclosure of PHI required by law.

A. Disclosure of PHI should first be made pursuant to an Authorization, as described in Section 3-15-40. If no authorization exists, disclosure may be made pursuant to this section.
    1. Permitted disclosures. Weld County may disclose a patient's PHI without the patient's signed authorization to the patient himself or herself, the patient's legally authorized personal representative, those involved with the person's care and treatment, to law enforcement personnel in appropriate situations, for public policy decisions as required by law, and for purposes of a patient's treatment, payment for services, or Weld County's health care operations. Disclosure of PHI may also be made to business associates, or on the basis of and in accordance with a properly executed authorization.
    2. Required disclosures. Weld County may make disclosures without consent or authorization as required by law, as required for public health purposes, for certain health oversight activities, for certain judicial and administrative proceedings, for certain law enforcement activities, and to coroners or medical examiners.
    3. Unique restrictions on disclosures. If a patient requests a particular restriction on the use or disclosure of his or her PHI, refer the request to the Privacy Officer.
    4. Deceased individuals. Covered Departments must protect the PHI of deceased individuals. If an executor, administrator, or other person has authority to act on behalf of a deceased patient or that person's estate, that person should be treated as the patient's personal representative. Weld County may disclose PHI, without specific patient consent or authorization, to a coroner or medical examiner responsible for identification of the person, determination of the cause of death, or other duties authorized under state law. The Coroner may also disclose PHI to a funeral director, as permitted by state law.
    5. Persons involved in care or treatment. PHI may be disclosed, without the patient's signed authorization, to persons involved in the patient's care, as directly relevant to that care.
    If the patient is present when PHI is to be disclosed, and has capacity to make health care decisions, PHI can be disclosed to others present if it can reasonably be inferred that the patient would not object. If the patient is not present when PHI is to be disclosed, or the patient is incapacitated, PHI may be disclosed if, in the exercise of reasonable professional judgment, disclosure is in the best interests of the patient and disclosure is limited to PHI directly relevant to the person's involvement with the patient's care. If federal, state, and/or local law requires a use or disclosure of PHI, Covered Department may use or disclose PHI to the extent that the use or disclosure complies with such law and is limited to the requirements of such law.

B. In the event that two or more laws or regulations governing the same use or disclosure conflict, Covered Department shall comply with the more restrictive laws or regulations.

C. Covered Department may use or disclose PHI to the extent that such use or disclosure is required by law including, but not limited to:
    1. For public health activities required by law.
    2. For disclosures about victims of abuse, neglect, or domestic violence.
    3. In order to comply with judicial release.
    4. To comply with law enforcement.
    5. For a health release.
    6. To avert a serious threat to health or safety.
    7. To comply with special government functions or requests. Such requests shall be referred to the Privacy Officer.
    8. For purposes of workers compensation investigation and claims, as permitted or required by law.
    9. Uses and disclosures for health oversight activities.
    10. Uses and disclosures for cadaveric organ, eye or tissue donation purposes.

Sec. 3-15-70. Requests for disclosure of PHI.

A. Covered Departments shall verify the identity and authority of individuals requesting PHI.

B. Once it is determined that use or disclosure is appropriate, personnel with appropriate clearance shall access the individual's PHI using appropriate procedures.

C. The requested PHI shall be delivered to the individual in a secure and confidential manner, such that the information cannot be accessed by employees or other persons who do not have appropriate access clearance to that information.

D. The proper personnel shall appropriately document the request and delivery of the PHI.

E. In the event that the identity and legal authority of an individual or entity requesting PHI cannot be verified, personnel shall refrain from disclosing the requested information and report the case to the Privacy Officer in a timely manner.

F. Knowledge of a violation or potential violation of this policy must be reported directly to the Privacy Officer.

Sec. 3-15-80. Notice of disclosure of PHI.

A. Covered Department shall give adequate notice to individuals regarding the use or disclosure of their PHI, their rights with respect to such use or disclosure, and Covered Department's legal duties pursuant to 45 C.F.R. § 164.520. Covered Department shall comply with the contents of such notice.

B. The content of the notice regarding the use and disclosure of PHI pursuant to 45 C.F.R. § 164.520 shall comply with the policies and procedures that are described herein. The notice shall reserve the right of Covered Department to amend the notice and any of its privacy policies, procedures and practices.

C. Notice given to an individual regarding the use and disclosure of PHI must be written in plain language and contain the following statement, prominently displayed: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."

D. The Notice must contain descriptions in sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by HIPAA and other applicable laws, including:
    1. A description and at least one example of the types of uses and disclosures that Covered Department is permitted by law to make for each of the following purposes: treatment, payment, and health care operations.
    2. A description of each of the other purposes for which Covered Department is permitted or required by the Privacy regulations to use or disclose PHI without the individual's written authorization, including those purposes listed in Section 3-15-40(E). If a use or disclosure described in Section 3-15-40(E) is prohibited or materially limited by other laws, the description of the disclosure must reflect the more stringent law.

E. The notice must also contain the following statements or information:
    1. A statement indicating other uses and disclosures shall be made only with the individual's written authorization and that the individual may revoke such authorization as permitted by the individual's rights under HIPAA.
    2. A statement of the individual's rights with respect to PHI and a brief description of how the individual may exercise those rights:
        a. The right to request restrictions on certain uses and disclosures of PHI. A statement that Covered Department is not required to agree to a requested restriction.
        b. The individual's right to receive confidential communications of PHI, as applicable.
        c. A statement and a brief description of how the individual may exercise his/her right to inspect, copy, amend, and receive an accounting of disclosure of PHI.
        d. A statement and a brief description of how the individual may exercise his/her right to obtain a paper copy of the notice from the Covered Entity, even if the individual has agreed to receive the notice electronically;
    3. A statement that the Covered Entity is required by law to maintain the privacy of PHI and to provide individuals with notice of its legal duties and privacy practices with respect to PHI.
    4. A statement that the Covered Entity is required to abide by the terms of the notice that is currently in effect.
    5. A statement indicating that, for PHI that it created or received prior to issuing a revised notice, Covered Department reserves the right to change the terms of its notice and to make the new notice provisions effective for all PHI that it maintains.
    6. A statement that individuals may complain to Covered Department and to the U.S. Department of Health and Human Services if they believe their privacy rights have been violated. A brief description of how an individual may file a complaint with Covered Department. A statement that Covered Department shall not retaliate against the individual for filing a complaint.
    7. The name, or title, and telephone number of a person or office within Covered Department to contact for further information concerning the notice of privacy practices.
    8. The date on which the notice is first in effect, which is not to be earlier than the date on which the notice is printed or otherwise published.

F. If applicable, the description in the notice of the types of uses and disclosures that the Covered Department is permitted to make for purposes of treatment, payment, and health care operations (see procedure 2(a)) must also include a separate statement indicating that:
    1. A group health plan, or a health insurance issuer or HMO with respect to a group health plan, may disclose PHI to the sponsor of the plan.
    2. Covered Department may contact the individual to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to the individual.

G. A statement that Covered Department shall promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the individual's rights, the Covered Entity's legal duties, or other privacy practices stated in the notice, and how it shall provide individuals with the revised notice. Covered Department shall not implement a material change to any term of the notice prior to the effective date of the notice in which such material change is reflected, except when required by law. Upon making a change to a notice and policies and procedures due to a change in law, Covered Department may use the notice revision date as the new effective date.

H. For a Covered Department which is a health care provider, such notice shall be provided to the individual on the date services are provided, or in emergency situations, as soon as reasonably practicable thereafter. In emergency situations, an acknowledgement of receipt of such notice shall be obtained if possible. Such notice shall be provided prominently at the location of service, and at the Covered Department's web address. A Covered Department which is also a correctional facility is not required to provide the notice described in this section to inmates.

J. Such notice shall also be provided to county employees at the time of enrollment in any county sponsored group health plan, within 60 days of any material revision to the notice, and at least once every three years.

K. Knowledge of a violation or potential violation of this policy must be reported directly to the Privacy Officer.

Sec. 3-15-90. Personal representatives.

A. If under applicable law a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, Covered Department shall treat such person as a personal representative, with respect to PHI relevant to such personal representation.

B. With respect to unemancipated minors, deceased individuals, and others, Covered Department shall follow these procedures in determining whether to treat a person as a personal representative of an individual.

C. Covered Department shall treat a person as a personal representative of an individual with respect to disclosure of PHI if under applicable law:
    1. A parent, guardian, or other person acting in loco parentis (in the place of a parent) has authority to act on behalf of an individual who is an unemancipated minor in making decisions related to health care; or
    2. An executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual's estate.

D. Covered Department shall treat a person as a personal representative of a deceased individual with respect to the PHI relevant to such representation, if under applicable law the person is an executor, administrator, or other person with authority to act on behalf of the deceased individual or of the individual's estate.

E. Covered Department shall not treat a person as a personal representative of an unemancipated minor, when the minor has authority to act with respect to their PHI pertaining to a health care service, if:
    1. The minor consents to such health care service, no other consent is required by applicable law, and the minor has not requested that another person be treated as the personal representative;
    2. Applicable law permits the minor to obtain such health care service without the consent of a parent, guardian, or other person acting in loco parentis; and the minor, a court, or another person authorized by law consents to such health care service; or
    3. A parent, guardian, or other person acting in loco parentis assents to an agreement of confidentiality between a covered health care provider and the minor with respect to such health care service.

F.
Covered Department shall not treat a person as the personal representative of an individual if: 1. Covered Department has a reasonable belief that the individual has been or may be subjected to domestic violence, abuse, or neglect by such person; or treating such person as the personal representative could endanger the individual; and 2. Covered Department, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual's personal representative. G. Covered Department shall follow the requirements and/or permissions of applicable state and other law in determining whether to provide or deny access to a minor's PHI to a parent, guardian, or other person acting in loco parentis. Sec. 3-15-100. Business associates. A. Covered Department shall ensure contracts or other arrangements between Covered Department and its Business Associates comply with the policies and procedures described herein and pursuant to 45 C.F.R. §164.504(e). B. Covered Department shall document satisfactory assurances of compliance with the policies and procedures herein through a written contract or other written agreement or arrangement with the Business Associate; that establishes the permitted and required uses and disclosures of PHI. C. Contracts or agreements between Covered Department and a Business Associate shall prohibit a Business Associate to use or disclose PHI in a manner that would violate HIPAA privacy regulations. D. If Covered Department and the Business Associate are both government entities, and the entities comply with the Business Associate contract provisions by entering into a memorandum of understanding, Covered Department shall ensure that the memorandum of understanding or other applicable law contains terms that accomplish the objectives of the Business Associate contract provisions of the HIPAA privacy requirements. E. 
When a Business Associate is required by law to perform a function on behalf of Covered Department, and Covered Department discloses PHI to the Business Associate to comply with the legal mandate without meeting the requirements of the HIPAA Privacy rule, Covered Department shall attempt in good faith to obtain satisfactory assurances that the requirements applicable to the Business Associate accomplish the objectives of PAGE 15 2012-2812 ORD2012-10 the Business Associate requirements, and, if such attempt fails, document the attempt and the reasons that such assurances cannot be obtained; and before omitting a termination authorization from its other arrangements, Covered Department shall ensure that the authorization is inconsistent with statutory obligations of Covered Department or its Business Associate. F. Covered Departments which form a contractual relationship with other businesses or entities, and which expect to share protected health information as a result of that contractual relationship, shall execute an appropriate Business Associate Contract (BAC) or Business Associate Agreement (BAA) to ensure compliance with this policy and with HIPAA generally. G. Nothing in this policy prohibits the County or a Covered Department from entering into an Organized Health Care Arrangement (OHCA) for the purpose of sharing protected health information between treatment providers, as permitted under HIPAA. H. Knowledge of a violation or potential violation of this policy must be reported directly to the Privacy Officer. Sec. 3-15-110. Confidential communications of PHI. A. Covered Department, with the assistance of the Privacy Officer, shall take necessary steps to accommodate reasonable requests by individuals to receive confidential communications of PHI. 1. Covered Department shall provide confidential communications by alternative means or at alternative locations pursuant to the HIPAA Privacy rule. 2. 
Covered Department may require individuals to make a request for a confidential communication in writing. 3. Covered Department shall not require an explanation from the individual as to the basis for the request as a condition of providing communications on a confidential basis. 4. When appropriate, Covered Department may condition the provision of a reasonable accommodation on information as to how payment, if any, shall be handled, and specification of an alternative address or other method of contact. 5. An alternative means or location shall be designated on a case by case basis that is satisfactory to both Covered Department and the individual, before communication of PHI is made. 6. The Privacy Officer, using professional judgment and considering all relevant factors, shall be responsible for deciding the alternative means or location to communicate PHI to an individual, and shall otherwise comply with the disclosure requirements of Section 3-15-60. PAGE 16 2012-2812 ORD2012-10 B. Knowledge of a violation or potential violation of this policy must be reported directly to the Privacy Officer. Sec. 3-15-120. Requests for restricted use of PHI. A. Covered Department shall, with the assistance of the Privacy Officer, allow an individual to request that uses and disclosures of his or her PHI be restricted in accordance with the HIPAA Privacy rule. B. The Privacy Officer, using professional judgment and considering all relevant factors, shall be responsible for approving or denying the requested restriction. The Privacy Officer is not required to agree to a restriction. C. Upon approval of such a restriction, Covered Department shall not violate such restriction, unless as specified within this policy and procedure. D. If a restriction is agreed, Covered Department is not required to honor an individual's request when the individual who requested the restriction is in need of emergency treatment and the restricted PHI is needed to provide the emergency treatment. 
If restricted PHI is disclosed to a health care provider for emergency treatment, Covered Department shall request that such health care provider not further use or disclose the information. E. If Covered Department agrees to an individual's requested restriction, the restriction does not apply to the following uses and disclosures: 1. To an individual accessing their own PHI. 2. To an individual requesting an accounting of their own PHI. 3. Instances for which an authorization, or opportunity to agree or object is not required. F. Covered Department may terminate its agreement to a restriction in the following situations: 1. The individual agrees to or requests the termination in writing. 2. The individual orally agrees to the termination and the oral agreement is documented. 3. Covered Department informs the individual that it is terminating its agreement to a restriction. Such termination is only effective with respect to PHI created or received after it has so informed the individual. G. Covered Department shall document and retain the restriction for a period of at least six years from the date of its creation or the date when it last was in effect, whichever is later. PAGE 17 2012-2812 ORD2012-10 H. If Covered Department does not agree to a request for restriction, it shall notify the individual who requested the restriction and advise them that Covered Department shall not honor the restriction. Sec. 3-15-130. Requests to access, inspect and/or obtain copy of PHI. A. Covered Department shall take necessary steps to address individual requests to access, inspect, and/or obtain a copy of their PHI that is maintained in a designated record set in a timely and professional manner. B. Individuals may request to access, inspect, and/or obtain a copy of their PHI that is maintained in a designated record set. 
In instances where the PHI is in more than one record set, or at more than one location, Covered Department shall produce the PHI only once in response to a request for access. Copy and retrieval fees, including postage, based on actual costs, may be applicable. C. If the covered department does not maintain the PHI that is the subject of the individual's request for access, and the covered department knows where the requested information is maintained, the covered department must inform the individual where to direct the request for access. D. Individuals do not have the right to access the following types of information: 1. Psychotherapy notes. 2. Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. 3. PHI that is: a. Subject to the Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C. §263a, to the extent the provision of access to the individual would be prohibited by law; or b. Exempt from the Clinical Laboratory Improvements Amendments of 1988, pursuant to 42 C.F.R. §493.3(a)(2). 4. If Covered Department is acting under the direction of a correctional institution upon an inmate's request for a copy of the PHI and obtaining a copy would jeopardize the health, safety, security, custody, or rehabilitation of the individual or of other inmates, or of any officer, employee, or other person at the correctional institution or responsible for the transporting of the inmate. Any Covered Department receiving such a request from a current inmate must seek the assurance of the Department Head of the Jail that providing the copy of the inmates requested PHI will not jeopardize the operations of the jail. 5. The individual's access to PHI that is contained in records that are subject to the Privacy Act, 5 U.S.C. §552a, may be denied, if the denial of access under the Privacy Act would meet the requirements of that law. PAGE 18 2012-2812 ORD2012-10 6. 
The individual's access may be denied if the PHI was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information. E. The Covered Department may require individuals to direct requests for access, inspection, or a copy of PHI to the Privacy Officer, and complete a form request for health information. The individual shall be informed that request for access is required to be in writing. F. An appropriate request from an individual regarding PHI using a request form for health information shall, within a reasonable time period, be reported, along with the form, to records personnel with appropriate access clearance to PHI. G. Upon receipt of a request made, records personnel with appropriate clearance shall act on the request by: (1) informing the individual of the acceptance and providing the access requested, or (2) providing the individual with a written denial. H. Action upon the request must be taken: 1. No later than 30 days after the request is made; or, 2. If the request is for PHI that is not maintained or accessible on-site to Covered Department, no later than 60 days after the request. 3. If Covered Department cannot take action on a request for access to PHI within the relevant time periods, Covered Department may extend the time required by 30 days. 4. In the event that the time period for the action must be extended, then Covered Department shall provide the individual with a written statement of the reasons for the delay and the date by which Covered Department shall complete its action on the request. Only one extension is permitted. Records personnel with appropriate clearance shall access the individual's PHI using appropriate procedures. J. 
The individual shall be allowed access, inspection, and/or copies of the requested PHI in a secure and confidential manner, such that the information cannot be accessed by employees or other persons who do not have appropriate clearance to that information. K. Covered Department shall provide the individual with access to the PHI contained in a designated record set in the form or format requested by the individual, if it is readily producible in such form or format. L. If the requested format is not readily producible, then Covered Department shall provide the individual with access to the PHI in a readable hard copy form or such other form as agreed to by the individual. PAGE 19 2012-2812 ORD2012-10 M. If requested by the individual, Covered Department shall arrange with the individual for a convenient time and place to inspect or obtain a copy of the PHI, or mailing of PHI. The individual may request, in writing, that the PHI be disclosed by reasonable alternative means, or in a reasonable alternative location, as permitted in Section 3-15-100. Records personnel shall appropriately document the request and delivery of the PHI. N. A summary of the requested PHI shall be provided in lieu of access to the information only when the individual agrees in advance to a summary, and to any related fees imposed. 1. An explanation of the requested PHI to which access has been provided shall accompany the access reply only when the individual agrees in advance to a summary, and to any related fees imposed. 2. If a summary or explanation of the requested PHI is to be prepared, such summary or explanation shall be completed only by records, or other applicable personnel with appropriate access clearance. O. Covered Department shall document and retain designated record sets that are subject to access by individuals for a period of at least six (6) years from the date of its creation or the date when it last was in effect, whichever is later. P. 
In denying access in whole or in part, to the extent possible, records personnel shall give the individual access to any other PHI requested, after excluding the PHI that was denied. Q. When denying an individual access to PHI, the denial shall: 1. Be written in plain language. 2. Contain the basis for the denial. 3. Contain the following statement: THE INDIVIDUAL HAS THE RIGHT TO HAVE THE DENIAL REVIEWED BY A LICENSED HEALTH CARE PROFESSIONAL, DESIGNATED BY [COVERED DEPARTMENT] TO ACT AS A REVIEWING OFFICIAL AND WHO DID NOT PARTICIPATE IN THE ORIGINAL DENIAL DECISION. 4. Contain a description of how the individual may complain to the Privacy Officer. The description of how the individual may complain shall include the name, or title, and telephone number of the contact person or office designated to receive such complaints. R. All denial reviews shall be conducted by a licensed health care professional who is designated by Covered Department to act as a reviewing official and who did not participate in the original decision to deny. PAGE 20 2012-2812 ORD2012-10 1. The designated reviewing official shall be determined on a case by case basis by Privacy Officer. 2. Records personnel shall promptly refer a request for review to the designated reviewing official. 3. The designated reviewing official shall determine, within a reasonable period of time, whether or not to deny the access requested based on the applicable standards. 4. Records personnel shall promptly provide written notice to the individual of the determination of the designated reviewing official and take other action as required to carry out the designated reviewing official's determination. S. Knowledge of a violation or potential violation of this policy must be reported directly to the Privacy Officer. Sec. 3-15-140. Requests to amend PHI. A. 
Covered Department shall allow an individual to request an amendment to his or her PHI or a record in a designated record set for as long as the information is maintained in a designated record set. B. Records personnel, with the assistance of the Privacy Officer, shall be responsible for receiving, processing, and responding to requests for amendments to PHI. C. All individual requests for amendments to PHI shall be in writing, and directed to the Privacy Officer. The Privacy Officer shall inform the individual of the requirement to make requests for amendments in writing. D. Individuals must document the reason(s) to support the requested amendment. E. The Privacy Officer shall inform the individual no later than 60 days after receipt of such a request if the amendment is accepted or denied. The time period for the action by Covered Department shall be extended by no more than 30 days. If the time period for the action is extended, records shall, within 30 days after receipt of the request, provide the individual with a written statement of the reasons for the delay and the date by which Covered Department shall complete the action on the request. The time period for action shall not be extended more than once. F. If the requested amendment is accepted, records shall: 1. Make the appropriate amendment; or 2. Arrange to have the necessary health care professional make the amendment. G. Upon accepting and completing a requested amendment, records shall perform the following tasks: PAGE 21 2012-2812 ORD2012-10 1. Inform the individual, in a timely manner, and obtain the individual's identification of, and agreement to have Covered Department notify, the relevant persons with which the amendment needs to be shared; 2. Make reasonable efforts to inform and provide the amendment within a reasonable time to persons identified by the individual as needing the amendment; 3. 
Make reasonable efforts to inform and provide the amendment within a reasonable time to persons, including Business Associates, that are known to have the affected PHI and that may have relied, or could foreseeably rely, on such information to the detriment of the individual. 4. Identify the affected information in the designated record set and append or otherwise provide a link to the location of the amendment. H. In the event that another covered entity notifies Covered Department of an amendment to an individual's PHI, records shall amend the respective information by, at minimum, identifying the affected information in the designated record set and appending or otherwise providing a link to the location of the amendment. Covered Department may deny an individual's request for amendment if it determines that the requested PHI or record: 1. Was not created by Covered Department, unless the individual provides a reasonable basis to believe that the originator of PHI is no longer available to act on the requested amendment; 2. Is not part of a designated record set; 3. Would not be available for inspection under the requirements for individual rights to access PHI; or 4. Is accurate and complete. J. Records personnel, with the assistance of the Privacy Officer, shall be responsible for receiving, processing, and responding to requests for amendments to PHI. K. Upon denying an amendment, in whole or in part, Covered Department shall provide the individual with a written denial. The denial shall be written in plain language and shall contain the following: 1. The basis for the denial; 2. The individual's right to submit a written statement disagreeing with the denial; 3. A description of how the individual may file such a statement; PAGE 22 2012-2812 ORD2012-10 4. 
A description of how the individual may file a complaint to Covered Department pursuant to its complaint procedures including the name, or title, and telephone number of the contact person or office designated to receive such complaints; 5. A description of how the individual may file a complaint with the Covered Department of Health and Human Services; 6. The following statement - IF INDIVIDUAL DOES NOT SUBMIT A STATEMENT OF DISAGREEMENT, THEN INDIVIDUAL MAY REQUEST COVERED DEPARTMENT TO PROVIDE THE INDIVIDUAL'S REQUEST FOR AMENDMENT AND THE DENIAL WITH ANY FUTURE DISCLOSURES OF THE PHI THAT IS THE SUBJECT OF THE AMENDMENT. L. If the individual provides a statement of disagreement, Covered Department may prepare a written rebuttal to the individual's statement of disagreement. Covered Department shall provide the individual with a copy of the above rebuttal. M. Covered Department shall append or otherwise link the following to the designated record set or PHI that is the subject of the disputed amendment: 1. The individual's request for an amendment; 2. The denial of the request; 3. The individual's statement of disagreement, if any; and 4. Covered Department's rebuttal, if any. N. Any subsequent disclosures of the PHI to which an individual's written disagreement relates shall include the following: 1. The material appended as described above; or 2. An accurate summary of any such information. O. If the individual has not submitted a written statement of disagreement, Covered Department shall include the individual's request for amendment and Covered Department's denial, or an accurate summary of such information, with any subsequent disclosure of the PHI only if the individual has requested such action. Sec. 3-15-150. Accountings of disclosures of PHI. A. Covered Department shall document and maintain an accounting of when patients' PHI has been disclosed for purposes other than treatment, payment or health care operations. 
Covered Department shall allow individuals to receive an accounting of all instances where PHI about them is used or disclosed. This requirement does not apply to instances where PHI was disclosed: 1. To carry out treatment, payment and health care operations; PAGE 23 2012-2812 ORD2012-10 2. Under the authority of a written authorization given by the subject of the PHI; 3. To the individuals about their own PHI; 4. For the facility's directory; 5. To persons involved in the individual's care or other notification purposes; 6. For national security or intelligence purposes; 7. To correctional institutions or law enforcement custodial situation; 8. As de-identified information in a data set. B. Covered Department is not required to include in an accounting of disclosures that were made incidental to another use or disclosure that is permissible under 45 C.F.R. Part 164; however, to minimize incidental disclosures, Covered Department shall: 1. Take precautions to reasonably safeguard PHI as required by 45 C.F.R. § 164.530(c)(1); and 2. Disclose only the minimum amount of PHI necessary to accomplish the intended purpose of the disclosure. C. Covered Department shall allow an individual to obtain an accounting of instances when their PHI has been disclosed by Covered Department anytime up to and including the six years prior to the date on which the accounting is requested. D. The accounting shall be in writing and shall include disclosures made to or by Business Associates of Covered Department. E. Each accounting of a disclosure shall include the following: 1. The date of disclosure; 2. The name of the entity or person who received the PHI and, if known, the address of such entity or person; 3. A brief description of the PHI disclosed; 4. A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure; or in lieu of such statement: a. 
A copy of the individual's written authorization to use or disclose the PHI, or PAGE 24 2012-2812 ORD2012-10 b. A copy of a written request for a disclosure required by the DHHS Secretary to investigate or determine the Covered Entity's compliance with applicable laws and regulations. 5. The frequency, periodicity, or number of disclosures made during the requested period, if applicable, including the date of the last such disclosure. F. Covered Department shall act on the individual's request for an accounting not later than 60 days after receipt of the request by: 1. Providing the individual with the accounting requested, or 2. Extending the time to provide the accounting by no more than 30 days. This one- time extension requires a written explanation. G. Any accounting shall be provided to an individual once in any 12 month period without charge. Subsequent accountings in the same period may be subject to charges as determined by the Privacy Officer. H. Covered Department shall document and retain the following for a period of at least 6 years, or from the date of its creation or the date when it last was in effect, whichever is later: 1. The information required to be included in an accounting; 2. The written accounting that is provided to the individual; 3. The title of the persons or officer responsible for receiving and processing requests for an accounting by individual. Covered Department shall temporarily suspend an individual's right to receive an accounting under this section if a health oversight agency or law enforcement official requests such suspension due to the reasonable likelihood that it will impede an investigation. Such request made orally shall be documented and enforced for no more than 30 days. Such request made in writing shall be enforced for the duration listed in the request. J. Business Associates of Covered Departments shall comply with the requirements of the section. K. 
The Privacy Officer is responsible for responding to a request from an individual for an audit trail of instances when their PHI has been disclosed for purposes other than treatment, payment, or health care operations.

Sec. 3-15-160. Complaints regarding these policies and procedures.

A. As specified in 45 C.F.R. §164.530(d), Covered Department shall provide a process for individuals to make complaints concerning Covered Department's policies and procedures regarding the use or disclosure of PHI, or its compliance with such policies and procedures.

PAGE 25 2012-2812 ORD2012-10

B. The Privacy Officer shall be Covered Department's designated contact for individuals to file complaints pursuant to this policy. The Privacy Officer should be contacted in order to file a complaint concerning Covered Department's policies and procedures required by the HIPAA privacy rule, or its compliance with such policies and procedures. The Privacy Officer shall document all complaints.

C. Covered Department shall not require individuals to waive their rights to file a complaint with the Department of Health and Human Services as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.

D. Covered Department shall refer all complaints regarding potential HIPAA privacy violations to the Privacy Officer. The Privacy Officer shall document all complaints received and their disposition, if any, and shall retain such documentation for a period of at least six years from the date of its creation or the date when it last was in effect, whichever is later.

E. It is the responsibility of all Covered Department employees to report perceived misconduct, including actual or potential violations of the Privacy rules or these policies and procedures.

F. Covered Department shall maintain an "open-door policy" at all levels of management to encourage employees to report problems and concerns.

Sec. 3-15-170. Policy prohibiting retaliation.

A. Covered Department shall follow all necessary procedures to protect against any retaliation toward any employee, individual, or other person for exercising their rights or participating in any process pursuant to internal policies, applicable law, and/or regulation.

B. Any Covered Employee who commits or condones any form of retaliation shall be subject to discipline up to, and including, termination.

C. Covered Department shall not retaliate against employees, individuals, or others for:
   1. Filing a complaint with Covered Department;
   2. Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing; or
   3. Opposing in good faith any act or practice made unlawful by the HIPAA Privacy rule, provided that the manner of the opposition is reasonable and does not itself violate law.

Sec. 3-15-180. Security of PHI.

A. Covered Department shall:
   1. Protect individually identifiable health information transmitted or maintained by Covered Department, regardless of form (e.g., patient name, patient number, address, telephone number, social security number, etc.).
   2. Ensure that non-covered departments are restricted from accessing, using, or disclosing PHI, as if the non-covered departments were separate legal entities.
   3. Protect against reasonably anticipated threats, hazards, or impermissible disclosures of PHI.

B. The Director of the Covered Department, with the assistance of the Privacy Officer, shall:
   1. Have the continuing responsibility to ensure that individual members of the Covered Department's workforce have appropriate access to the minimum amount of PHI necessary to perform their work duties;
   2. Ensure that workforce members receive the necessary training in order to comply with these requirements;
   3. Ensure that each individual with access to electronic PHI can be individually tracked with a unique user identification;
   4. Use hardware, software, or procedural mechanisms to document electronic activity related to PHI and protect it from improper transmission, alteration or destruction.

Sec. 3-15-190. Breach of Security.

A. Breach means the improper acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of the protected health information and which poses a significant risk of financial, reputational, or other harm to the individual. Breach does not include: de-identified information; or good faith unintentional or inadvertent use or disclosure of PHI that does not result in further improper use or disclosure.

B. Covered Department, with the assistance of the Privacy Officer, shall:
   1. Take all necessary steps to mitigate any harmful effect that is known to Covered Department of a use or disclosure of PHI in violation of Covered Department policies and procedures.
   2. Establish procedures for responding to an emergency that damages PHI, including a data backup and recovery plan, and for continuing to provide critical services.
   3. Re-evaluate these procedures periodically to ensure compliance with HIPAA.

C. Notice. In the event of a breach, Covered Department, with the assistance of the Privacy Officer, shall:
   1. Mail written notice to all individuals whose PHI has or may have been breached without unreasonable delay, and in no case more than 60 days. Such notice shall be written in plain language and include a brief description of what happened, the date, the type of PHI involved, any steps the individual should take to protect themselves from further harm, what the Covered Department is doing to investigate, mitigate, and protect from further harm, and contact procedures for further information. Such notice shall also be provided to local media if the breach affects 500 or more individuals.
   2. Notify the DHHS Secretary without unreasonable delay of any breach involving 500 or more individuals.
      All other breaches must be documented and submitted to the Secretary annually.
   3. If the Covered Department receives notice from a law enforcement official that sending the notice required by this subsection would impede a criminal investigation or cause damage to national security, sending such notice shall be delayed by thirty (30) days if the request is made orally, and for as long as may be requested in writing by such law enforcement official.

D. Covered Department shall utilize the following process to mitigate the effect of an unauthorized release of PHI by an employee:
   1. Any unauthorized release of PHI shall be immediately reported to the Privacy Officer upon discovery of the release.
   2. Covered Department shall apply appropriate sanctions against members of its workforce who fail to comply with the Covered Department policies and procedures.
   3. The type of sanction applied shall vary depending on the severity of the violation, whether the violation was intentional or unintentional, whether the violation indicates a pattern or practice of improper access, use or disclosure of health information, and similar factors.

E. Employees, agents, and other contractors should be aware that violations of a severe nature may result in notification to law enforcement officials as well as regulatory, accreditation, and/or licensure organizations.

F. The sanction policy and procedures contained herein do not apply when member(s) of Covered Department's workforce:
   1. Oppose any act made unlawful by the HIPAA Privacy rule, provided the individual or person has a good faith belief that the act opposed is unlawful, and the manner of the opposition is reasonable and does not involve a disclosure of PHI in violation of the HIPAA Privacy rule;
   2. Disclose PHI as a whistleblower and the disclosure is to a health oversight agency, public health authority, or an attorney retained by the individual for purposes of determining the individual's legal options with regard to the whistleblower activity; or
   3. Are victims of a crime and disclose PHI to a law enforcement official, provided that the PHI is about a suspected perpetrator of the criminal act.

G. Failure by any Covered Employee to comply with these policies or procedures shall subject such Covered Employee to disciplinary action, up to and including termination.

Sec. 3-15-200. Destruction and Disposal of PHI.

Covered Department shall make reasonable efforts to dispose of PHI in a manner that protects the confidentiality of the information.

A. Destruction of PHI.
   1. Destruction of Paper Copies and Original Documents (Day-to-Day Disposal).
      a. Printed material (e.g., faxes, printed emails, etc.) containing PHI must not be discarded in trash bins, unsecured recycle bags, or other publicly accessible locations. Instead, this information must be shredded, placed in a secured recycling bag, or destroyed by cutting, tearing or burning.
      b. The user may elect to use shredding, secure recycle bags, or other options for the destruction of these documents, as long as the destruction is in accordance with this policy. It is the individual's responsibility to ensure that the document has been secured or destroyed, and it is the supervisor's responsibility to ensure that their employees are adhering to the policy.
      c. Microfilm or microfiche must be cut into pieces or chemically destroyed.
      d. After documents have reached their retention period, all PHI must be securely destroyed using the Covered Department record retention process governing destruction of records.
   2. Destruction of Electronic Media.
      a. Secure methods shall be used to dispose of electronic data and output.
         The [Information Services (IS) Covered Department] is responsible for the destruction of electronic copies containing PHI, including any media that may be reused. However, employees may dispose of the electronic data themselves using the following methods:
      b. Deleting on-line data using the appropriate utilities;
      c. "Degaussing" computer tapes to prevent recovery of data;
      d. Removing PHI from mainframe disk drives being sold or replaced, using the appropriate initialization utilities;
      e. Erasing diskettes to be re-used using a special utility to prevent recovery of data, or destroying discarded diskettes.
   3. Hardcopy (Bulk Disposal).
      a. Secure methods shall be used to dispose of hardcopy data and output.
      b. PHI printed material shall be shredded and recycled by a firm specializing in the disposal of confidential records, or be shredded by an employee of Covered Department authorized to handle and personally shred the PHI.
      c. If hardcopy PHI (paper, microfilm, microfiche, etc.) cannot be shredded, it must be incinerated.

B. Documentation of PHI Disposal.
   1. To ensure that it is in fact performed, employees or a bonded destruction service must carry out the destruction of PHI.
   2. If Covered Department personnel undertake the destruction of the records, the employee must use the records destruction form provided by designated personnel, if the record is found on the record retention schedule for the Covered Department destroying the record.
   3. If a bonded destruction company undertakes the destruction, the bonded destruction company must provide Covered Department with a document of destruction that contains the following information:
      a. Date of destruction;
      b. Method of destruction;
      c. Description of the disposed records;
      d. Inclusive dates covered;
      e. A statement that the records have been destroyed in the normal course of business; and
      f. The signatures of the individuals supervising and witnessing the destruction.

C. Enforcement. All supervisors are responsible for enforcing this policy. Individuals who violate this policy shall be subject to the disciplinary process as outlined in the disciplinary and sanctions policy.

D. Covered Department shall protect individually identifiable health information transmitted or maintained. Covered Department is committed to safeguarding PHI in order to operate in a manner that is consistent with applicable federal and State laws and regulations.

E. If there is a need to destroy any information, it must be done either by shredder or by placement in a confidential/secured trash bin. PHI must never be discarded in non-secured trashcans.

F. Knowledge of a violation or potential violation of this policy must be reported directly to the Privacy Officer.

Sec. 3-15-210. Transmittal of PHI.

A. Transmittal of PHI by FAX.
   1. PHI should be hand delivered or mailed whenever possible. Faxing of protected health information internally to authorized employees is allowable at any time to facilitate treatment, payment and health care operations, provided the guidelines outlined in this policy are adhered to.
   2. Faxing of protected health information outside of the facility is allowable in situations when health information is needed immediately for patient care purposes, continuing care placement, or payment, or when mail or courier delivery will not meet a necessary timeframe.
   3. Faxing of sensitive health information, such as that dealing with mental health, chemical dependency, sexually transmitted diseases, HIV or other highly personal information, is prohibited unless the requirements above are met.
   4. Each Covered Department must designate a FAX machine in their area that will be utilized to send and/or receive protected health information. This FAX machine must not be accessible to the public and should only be accessible to staff directly involved in patient care or those authorized to handle faxed information.
   5. The faxed information must be accompanied by a special FAX cover sheet specifically designated for faxing of protected health information. Each page of the intended FAX should be stamped or marked "confidential". In the event of a misdirected FAX, the recipient should be directed to immediately destroy the fax.
   6. Covered Employees authorized to FAX protected health information must take reasonable steps to confirm the accuracy of the FAX numbers and the security of recipient machines.
   7. When possible, a FAX confirmation slip should be printed from the FAX machine or e-FAX for each outgoing transmission, and machine operators must also verify that the intended destination matches the number on the confirmation. The confirmation should be attached to the document that was transmitted and kept as part of the individual's record. If the confirmation slip cannot be obtained from the FAX machine, the sender must attempt to verify the recipient.
   8. Knowledge of a violation or potential violation of this policy must be reported directly to the Privacy Officer.

B. Receiving PHI by FAX.
   1. When expecting the arrival of a FAX containing protected health information, schedule with the sender whenever possible to ensure that the faxed documents can be promptly removed from the FAX machine.
   2. Each Covered Department must designate employees who are authorized to handle PHI and who will be responsible for checking FAX trays at scheduled intervals and disseminating their contents to the appropriate responsible parties.
   3. Staff responsible for routing protected health information must be sure that they leave it in a secure/confidential location.
   4. If there is a need to destroy any information, it must be done either by shredder or by placement in a confidential/secured trash bin. Protected health information must never be discarded in non-secured trashcans.
   5. Knowledge of a violation or potential violation of this policy must be reported directly to the Privacy Officer.

BE IT FURTHER ORDAINED by the Board that the Clerk to the Board be, and hereby is, directed to arrange for Colorado Code Publishing to supplement the Weld County Code with the amendments contained herein, to coincide with chapters, articles, divisions, sections, and subsections as they currently exist within said Code; and to resolve any inconsistencies regarding capitalization, grammar, and numbering or placement of chapters, articles, divisions, sections, and subsections in said Code.

BE IT FURTHER ORDAINED by the Board that if any section, subsection, paragraph, sentence, clause, or phrase of this Ordinance is for any reason held or decided to be unconstitutional, such decision shall not affect the validity of the remaining portions hereof. The Board of County Commissioners hereby declares that it would have enacted this Ordinance in each and every section, subsection, paragraph, sentence, clause, and phrase thereof irrespective of the fact that any one or more sections, subsections, paragraphs, sentences, clauses, or phrases might be declared to be unconstitutional or invalid.

The above and foregoing Ordinance Number 2012-10 was, on motion duly made and seconded, adopted by the following vote on the 14th day of November, A.D., 2012.

BOARD OF COUNTY COMMISSIONERS
WELD COUNTY, COLORADO

Sean P. Conway, Chair
William F. Garcia, Pro-Tem
Barbara Kirkmeyer
EXCUSED: Douglas Rademacher

ATTEST:
Weld County Clerk to the Board
BY: Deputy Clerk to the Board

APPROVED AS TO FORM:
David E. Long, County Attorney

First Reading: October 3, 2012
Publication: October 10, 2012, in the Fort Lupton Press
Second Reading: October 22, 2012
Publication: October 31, 2012, in the Greeley Tribune
Final Reading: November 14, 2012
Publication: November 21, 2012, in the Greeley Tribune
Effective: November 26, 2012