The URL can be used to link to this page

Browse Search

Home My WebLink About20122813.tiff NOTICE OF FINAL READING OF ORDINANCE Pursuant to the Weld County Home Rule Charter, Ordinance Number 2012-10 was introduced on first reading on October 3, 2012, and a public hearing and second reading was held on October 22, 2012. A public hearing and final reading was completed on November 14, 2012, with no change being made to the text of said Ordinance, and on motion duly made and seconded, was adopted. Effective date of said Ordinance is listed below. Any backup material, exhibits or information previously submitted to the Board of County Commissioners concerning this matter may be examined in the office of the Clerk to the Board of County Commissioners, located within the Weld County Administration Building, 1150 O Street, Greeley, Colorado, between the hours of 8:00 a.m. and 5:00 p.m., Monday thru Friday, or may be accessed through the Weld County Web Page (www.co.weld.co.us). E-Mail messages sent to an individual Commissioner may not be included in the case file. To ensure inclusion of your E-Mail correspondence into the case file, please send a copy to egesick@co.weld.co.us. ORDINANCE NO. 2012-10 ORDINANCE TITLE: IN THE MATTER OF REPEALING AND REENACTING, WITH AMENDMENTS, CHAPTER 3 HUMAN RESOURCES, OF THE WELD COUNTY CODE EFFECTIVE DATE: November 26, 2012 BOARD OF COUNTY COMMISSIONERS WELD COUNTY, COLORADO DATED: November 16, 2012 PUBLISHED: November 21, 2012, in the Greeley Tribune ,RO/,2 3 Y •- Affidavit of Publication STATE OF COLORADO SS. County of Weld, I Jennifer Usher of said County of Weld, being duly sworn, say that I am an advertising clerk of THE GREELEY TRIBUNE, that the same is a daily newspaper of general circulation and printed and published in the City of Greeley, in said county and state; that the notice or advertisement, of which the annexed is a true copy, has been published in said daily newspaper for consecutive (days): that the notice was published in NOTICE OF the regular and entire issue of every number of said FINAL READING OF ORDINANCE newspaper during the period and time of Pursuant to the Weld County Home Rule Charter,Ordinance publication of said notice, and in the newspaper Number 2012-10 was introduced on first reading on October 3, proper and not in a supplement thereof; that the 2012,and a public hearing and second reading was held on October 22,2012. A public hearing and final reading was com- first publication of said notice was contained in the pleted on November 14,2012,with no change being made to the text of said Ordinance,and on motion duly made and seconded, Twenty-first day of November A.D. was adopted. Effective date of said Ordinance is listed below. Any backup material,exhibits or mtormanon previously submit- 2012 and the last publication thereof: in the issue of ted to the Board of County Commissioners concerning this mat- ter may be examined in the office of the Clerk to the Board of said newspaper bearing the date of the County Commissioners,located within the Weld County Admin- istration Building,1150 O Street,Greeley.Colorado,between the Twenty-first day of November A.D. accessed though the W°d CountyC' Monday gc Friday,or may be 2012 that said The Greeley Tribune has been o.wnl may notbeE-MailInmessages the sent to an individual T continuously and uninterruptedly during Commissioner may). mess in tssent fn. To ensure published p y inclusion of your E-Mail correspondence into the case file,please the period of at least six months next prior to the sendacopytoegesick@co.weld.co.us. ORDINANCE NO. 2012-10 first issue thereof contained said notice or ORDINANCE TITLE IN THE MATTER OF REPEALING AND advertisement above referred to; that said REENACTING.WITH AMENDMENTS,CHAPTER 3 HUMAN newspaper has been admitted to the United States RESOURCES,OF THE WELD COUNTY CODE EFFECTIVE DATE: November 26,2012 mails as second-class matter under the provisions of the Act of March 3,1879, or any amendments WELD COUNTTY,,COL COMMISSIONERS thereof; and that said newspaper is a daily DATED: November 15,2012 newspaper duly qualified for publishing legal The Tribune notices and advertisements within the meaning of November 21,2012 the laws of the State of Colorado. November 21,2012 Total Charges: $7.88 21st day of November,2012 My Commission Expires 6/14/2013 flat Notary Public NOTICE OF SECOND READING OF ORDINANCE Pursuant to the Weld County Home Rule Charter, Ordinance Number 2012-10 was introduced on first reading on October 3, 2012, and a public hearing and second reading was held on October 22, 2012, with changes being made as listed below. A public hearing and third reading is scheduled to be held in the Chambers of the Board, located within the Weld County Administration Building, 1150 O Street, Greeley, Colorado 80631, on November 14, 2012. All persons in any manner interested in the next reading of said Ordinance are requested to attend and may be heard. Please contact the Clerk to the Board's Office at phone (970) 336-7215, Extension 4225, or fax (970) 352-0242, prior to the day of the hearing if, as a result of a disability, you require reasonable accommodations in order to participate in this hearing. Any backup material, exhibits or information previously submitted to the Board of County Commissioners concerning this matter may be examined in the office of the Clerk to the Board of County Commissioners, located within the Weld County Administration Building, 1150 O Street, Greeley, Colorado, between the hours of 8:00 a.m. and 5:00 p.m., Monday thru Friday, or may be accessed through the Weld County Web Page (www.co.weld.co.us). E-Mail messages sent to an individual Commissioner may not be included in the case file. To ensure inclusion of your E-Mail correspondence into the case file, please send a copy to egesick@co.weld.co.us. ORDINANCE NO. 2012-10 ORDINANCE TITLE: IN THE MATTER OF REPEALING AND REENACTING, WITH AMENDMENTS, CHAPTER 3 HUMAN RESOURCES, OF THE WELD COUNTY CODE DATE OF NEXT READING: November 14, 2012, at 9:00 a.m. BOARD OF COUNTY COMMISSIONERS WELD COUNTY, COLORADO DATED: October 26, 2012 PUBLISHED: October 31, 2012, in the Greeley Tribune CHANGES MADE TO CODE ORDINANCE #2012-10 ON SECOND READING Amend Sec. 3-15-30. Privacy Officer and Privacy Policy, to read as follows: A. The HIPAA Privacy Officer ("Privacy Officer") shall be the Director of Finance and Administration, or his or her designee. The Privacy Officer's primary responsibilities include: Remainder of Section - No change ,_,Po 7;2-: 813 Affidavit of Publication STATE OF COLORADO ss. County of Weld, I Jennifer Usher of said County of Weld, being duly sworn, say that I am an advertising clerk of THE GREELEY TRIBUNE, that the same is a daily newspaper of general NOTICE OF circulation and printed and published in the City of SECOND READING OF ORDINANCE Greeley, in said county and state; that the notice or Pursuant to the Weld County Home Rule Chatter,Ordinance advertisement, of which the annexed is a true copy, Number 2012-10 was introduced on first reading on October 3, has beenpublished in said daily newspaper for 2012,and a public hearing and second reading was held oh October 22,2012,with changes being made as listed below- A consecutive (days): that the notice was published in public bearing and third reading is scheduled to be held in the Chambers of the Board,located within the Weld County Admin- the regular and entire issue of every number of said istration Building,1150O Street,Greeley,Colorado 80631,on November 14,2012. All persons in any manner interested in the newspaper during the period and time of next reading of said Ordinance are requested to attend and may be heard. Please contact the Clerk to the Board's Office at publication of said notice, and in the newspaper phone(970)336-7215,Extension 4225,or fax(970)352 0242. prior to the day of the hearing it,as a result of a disability,you proper and not in a supplement thereof; that the require reasonable accommodations in order to participate in this hearing. Any backup material,exhibits or information previously first publication of said notice was contained in the submitted to the Board of County Commissioners concerning this matter may be examined in the office of the Clerk to the Board of Thirty-first day of October A.D. County Commissioners,located within the Weld County Admin- istrationBuilding,1150 O Street,Greeley,Colorado,between the hours of a:oo a.m.and 5:00 p.m..Monday thru Friday,or may be said newspaper bearing the date of the accessed through the Weld County Web Page (www.co.weld.co.us). E-Mail messages sent to an individual Thirty-first day of October A.D. 2012 Commissioner may not be included in the case file. To ensure inclusion of your E-Mail correspondence into the case file,please that said The Greeley Tribune has been published send soppy to egesmk®co.wem.co.us. continuously and uninterruptedly during the period ORDINANCE NO. 2012-10 of at least six months next prior to the first issue ORDINANCE TITLE: IN THE MATTER OF REPEALING AND REENACTING,WITH AMENDMENTS.CHAPTER 3 HUMAN thereof contained said notice or advertisement RESOURCES,OF THE WELD COUNTY CODE above referred to; that said newspaper has been DATE OF NEXT READING. November 14,2012,at 9.00 a.m. admitted to the United States mails as second-class BOARD OF COUNTY COMMISSIONERS matter under the provisions of the Act of March WELD COUNTY,COLORADO 3,1879, or any amendments thereof; and that said DATED: October 26,2012 newspaper is a daily newspaper duly qualified for CHANGES MADE TO CODE ORDINANCE#2012-10 ON SEC- publishing legal notices and advertisements within OND READING the meaning of the laws of the State of Colorado. Amend Sec.3-15-30. Privacy Officer and Privacy Policy,to read as follows: A.The HIPAA(Privacy OBlcer')shall be the Director of Finance October 31, 2012 and Administration,or his or her designee. The Privacy Officer's primary responsibilities include: Remainder of Section-No change The TribuneTotal Charges: $11.84 October 31,2012 gtat. fi k;h1. 31 day of October,2012 My Commission Expires 6/14/2013 44,It Notary Public WELD COUNTY CODE ORDINANCE 2012-10 IN THE MATTER OF REPEALING AND REENACTING, WITH AMENDMENTS, CHAPTER 3 HUMAN RESOURCES, OF THE WELD COUNTY CODE BE IT ORDAINED BY THE BOARD OF COUNTY COMMISSIONERS OF THE COUNTY OF WELD, STATE OF COLORADO: WHEREAS, the Board of County Commissioners of the County of Weld, State of Colorado, pursuant to Colorado statute and the Weld County Home Rule Charter, is vested with the authority of administering the affairs of Weld County, Colorado, and WHEREAS, the Board of County Commissioners, on December 28, 2000, adopted Weld County Code Ordinance 2000-1, enacting a comprehensive Code for the County of Weld, including the codification of all previously adopted ordinances of a general and permanent nature enacted on or before said date of adoption, and WHEREAS, the Weld County Code is in need of revision and clarification with regard to procedures, terms, and requirements therein. NOW, THEREFORE, BE IT ORDAINED by the Board of County Commissioners of the County of Weld, State of Colorado, that certain existing Chapters of the Weld County Code be, and hereby are, repealed and re-enacted, with amendments, and the various Chapters are revised to read as follows: CHAPTER 3 HUMAN RESOURCES ADD the following: Article XV HIPAA Policies and Procedures Sec. 3-15-10 Purpose, authority and applicability. Sec. 3-15-20 Definitions. Sec. 3-15-30 Privacy Officer and Privacy Policy. Sec. 3-15-40 Authorization for disclosure of PHI. Sec. 3-15-50 Disclosure of PHI without Authorization or Objection of Individual. Sec. 3-15-60 Disclosure of PHI required by law. Sec. 3-15-70 Requests for disclosure of PHI. Sec. 3-15-80 Notice of disclosure of PHI. Sec. 3-15-90 Personal representatives. Sec. 3-15-100 Business associates. Sec. 3-15-110 Confidential communications of PHI. Sec. 3-15-120 Requests for restricted use of PHI. Sec. 3-15-130 Requests to access, inspect and/or obtain copy of PHI. Sec. 3-15-140 Requests to amend PHI. Sec. 3-15-150 Accountings of disclosures of PHI. Sec. 3-15-160 Complaints regarding these policies and procedures. Sec. 3-15-170 Policy prohibiting retaliation. Sec. 3-15-180 Security of PHI. Sec. 3-15-190 Breach of Security. 2012-2813 Sec. 3-15-200 Destruction and Disposal of PHI. Sec. 3-15-210 Transmittal of PHI. Sec. 3-15-10. Purpose, authority and applicability. A. On August 14, 2002, the U.S. Department of Health and Human Services ("HHS") published final regulations for Standards for Privacy of Individually Identifiable Health Information ("the Privacy Rule"). The Rule was established to provide national standards for the protection and privacy of Protected Health Information. The purpose of this Article XV is the establishment of the Health Insurance Portability and Accountability Act Policies and Procedures ("HIPAA Policies and Procedures") for the employees of the Covered Department(s) of Weld County (collectively, the "Covered Employees"). B. This Article XV provides a comprehensive outline of Weld County's responsibilities for compliance with Federal HIPAA Privacy Regulations. Any policies, procedures, or forms promulgated by state or Federal health grant programs which are equal to or more stringent than Weld County's policies will take precedence over Weld County's. The Weld County policies in this Article XV are the minimum standard for Covered Employees; however, state or Federal grant programs may choose or require additional or alternative policies, procedures, or forms to accomplish the same HIPAA compliance requirement. In those instances, to insure that grant requirements are met and to avoid redundant effort the state or Federal grant policies, procedures, and forms may be used as long as they meet the minimum standards specified in this Article XV. Alternative grant policies, procedures, and forms must be approved by the HIPAA Privacy Officer. C. Weld County's policy on confidential information applies in addition to any HIPAA policies on breach of privacy or confidentiality. Any HIPAA policies on personnel discipline for breach of privacy or confidentiality as set forth in this Article XV apply in addition those cited in Weld County's Personnel Policies set forth in Chapter 3 of this Code. If there is conflict in any provision of the HIPAA policies concerning personnel discipline and Weld County's Personnel Policies concerning discipline and grievance, Weld County's Personnel Policies shall take precedence. D. All members of Covered Departments shall be trained regarding HIPAA privacy policies and procedures with respect to PHI, as necessary and appropriate to carry out their duties and responsibilities. Sec. 3-15-20. Definitions. "Covered Departments" mean those departments of Weld County, or any programs under the authority of such departments, which constitute a covered health care component under HIPAA. This includes the following departments: a. The Weld County Department of Public Health and Environment ("Health"). b. The Weld County Department of Human Resources ("HR"). c. The Weld County Department of Accounting ("Accounting"). d. The Weld County Jail ("Jail"). e. The Area Agency on Aging ("Area Agency"). "De-identified information" means Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information. "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d — 1320d8, as amended, and the regulations thereunder, 45 C.F.R. Parts 160 and 164. "Business associate" means a person or entity (not a member of a covered entity's workforce) that helps a covered entity with a function or activity involving the use or disclosure of Individually Identifiable Health Information, or offers service to the covered entity which involves the disclosure of Individually Identifiable Health Information. "Health information" means any information, whether oral or recorded in any form or medium, that: a. Is created or received by a covered department or other covered entity, and b. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. "Individually identifiable health information" means a subset of health information, collected from an individual that: a. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and b. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and c. Identifies the individual; or d. With respect to which there is a reasonable basis to believe the information can be used to identify the individual. Routine health information meeting the above definition will be automatically designated as PHI immediately upon its creation or receipt by the Covered Employees. "Payment"means the activities undertaken by: (i) A health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or (ii) A health care provider or health plan to obtain or provide reimbursement for the provision of health care. "Protected health information (PHI)"means individually identifiable information, including demographic information collected from an individual, about a person's past, present, or future health care or payment for health care, maintained in any form or medium, or transmitted electronically. "Psychotherapy notes"means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual's medical record. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: Diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date. "Treatment" means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another. Sec. 3-15-30. Privacy Officer and Privacy Policy. A. The HIPAA Privacy Officer ("Privacy Officer') shall be the Director of Human Resources, or his or her designee. The Privacy Officer's primary responsibilities include: 1. Development of the HIPAA Privacy Policies and Procedures. This shall include an annual review to ensure compliance with Federal and state law. 2. Oversight of the HIPAA Privacy Policies and Procedures implementation. 3. Preparation and oversight of distribution of the HIPAA Privacy Notice. 4. Providing assistance to Covered Departments in determining potential risks and vulnerabilities to the integrity of PHI. 5. Development, coordination and participation in the education and training for the Covered Employees. 6. Development of an atmosphere to encourage staff to report possible noncompliance by Weld County, health insurance carriers and/or Third Party Administrators ("TPA"). 7. Acting on matters related to privacy compliance. This includes the design and coordination of internal reviews and any needed corrective action (e.g., revisions to HIPAA Privacy Policies and Procedures, institution of additional training, etc.). 8. Coordination of disciplinary sanctions associated with violations of the HIPAA Privacy Policies and Procedures. 9. Coordination of mitigating efforts in the event of a violation to the Privacy Rules. 10. Review and accommodation, if appropriate, of individual requests for confidential communications of PHI. 11. Review and accommodation, if appropriate, of individual requests for restrictions on use and disclosure of their own PHI. 12. Review and accommodation, if appropriate, of individual requests for amendments to their own PHI. This includes notification of approval or denial of the amendment to the individual and/or any relevant Business Associate, as necessary. 13. Preparation of PHI summaries, upon an individual's request for access to their own PHI records, in accordance with Section 3-15-120. 14. Periodic revision of the HIPAA Privacy Policies and Procedures as a result of changes of Federal and state law. 15. Receiving complaints against Covered Departments. B. General Privacy Policy. It is the policy of Weld County to protect the privacy and confidentiality of patients' PHI by following the requirements of Federal and State law and Weld County's policies and procedures. The policy provides the basics of Weld County's privacy compliance framework. The policy should be provided to each individual as necessary to make informed decisions about their own PHI, and shall be generally available from the Privacy Officer. 1. Required disclosures. Weld County may make disclosures without consent or authorization as required by law, as required for public health purposes, for certain health oversight activities, for certain judicial and administrative proceedings, for certain law enforcement activities, to coroners or medical examiners. 2. Unique restrictions on disclosures. A patient's request for a particular restriction on the use or disclosure of his or her PHI shall be referred to the Privacy Officer. 3. Potential violations. Any person believing that Weld County has violated a policy or provision of law related to privacy issues must contact the Privacy Officer immediately. Weld County will not retaliate against employees who report in good faith. Weld County will take all reasonable steps to mitigate any damages caused by an improper use or disclosure of PHI. C. Minimum necessary information. Covered Employees shall follow proper procedures to ensure that only the minimum amount of PHI necessary to accomplish the specific purpose of a use or disclosure is actually used or disclosed. D. Covered Employees shall request only the minimum amount of PHI necessary to accomplish the specific purpose of the request. This includes routine and/or recurring requests. 1. This policy does not apply to the following uses or disclosures: a. Disclosure to or requests by a provider for treatment. b. Uses or disclosures made to the individual who is the subject of the information. c. Uses or disclosures pursuant to an Authorization. d. Disclosures made to the Covered Departments. e. Uses or disclosures required by law, or for compliance with applicable laws and regulations, as determined by the Privacy Officer. 2. All proposed uses or disclosures of PHI shall be reviewed by persons having an understanding of these privacy policies and practices, and sufficient expertise to understand and weigh the necessary factors. 3. Covered Department employees shall only use, disclose, or request an entire medical record when the entire medical record is specifically justified as being reasonably necessary to accomplish the purpose of the use, disclosure, or request. Covered Employees shall document the request and justification for disclosure of the entire medical record, except when the entire medical record is disclosed to a provider for purposes of providing care. 4. Within the Covered Departments, only appropriate personnel shall have access to PHI, as determined by the department director in conjunction with the Privacy Officer. Such individuals require shall maintain the appropriate levels of access to PHI on a routine basis to appropriately accomplish their duties and responsibilities: 5. The following criteria shall be used in limiting the amount of PHI requested (disclosed) by the Covered Employees: a. Do the individuals who are requesting or disclosing the PHI have a complete understanding of the purpose for the use or disclosure of the PHI? b. Are all of the individuals identified for whom the requested use or disclosure of the PHI required? c. A request for an entire medical record requires the requestor to justify disclosure of the entire medical record to be reasonably necessary. 6. Requests for disclosures of PHI shall be reviewed on an individual basis in accordance with criteria listed in the policy. 7. Covered Department employees may reasonably rely on requests by: a. Public health and law enforcement agencies in determining the Minimum Necessary information for certain disclosures; b. Other Covered Entities in determining the Minimum Necessary information for certain disclosures; or c. A professional who is a member of its workforce or is a Business Associate of a Covered Department for the purpose of providing professional services to the Covered Department, if the professional represents that the information requested is the Minimum Necessary for the stated purpose. 8. Knowledge of a violation or potential violation of this policy must be reported directly to the Privacy Officer. E. De-identified information shall not be disclosed if those Covered Department employees creating or disclosing the information, or any other employees of Covered Department, have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information. De- identification requires the removal of names, addresses, birthdates, age, telephone/fax numbers, social security numbers, account numbers, license numbers, fingerprints, full face photographs, or any other unique identifier. Such de-identified information may be used or disclosed as a limited data set for research, public health, or health care operations, and may be provided to Business Associates pursuant to a written agreement. F. Covered Departments, with the assistance of the Privacy Officer, shall comply with any other duty required by the Secretary of DHHS. Sec. 3-15-40. Authorization for disclosure of PHI. A. For all uses and disclosures of an individual's PHI, Covered Department shall obtain a signed authorization from the individual, unless the use or disclosure is required, or otherwise permitted without an authorization for treatment, payment or health care operations or as otherwise permitted by 45 C.F.R. Part 164 (the Privacy rule). Covered Department shall be permitted, but not required, to obtain consent for disclosure related to treatment, payment, or healthcare operations. B. Covered Department shall comply with the requirements set forth in 45 C.F.R. § 164.508, to obtain authorization to use or disclose PHI. C. Covered Department shall not condition treatment, payment, or enrollment in the health plan, or eligibility for benefits on the provision of an authorization, unless the authorization sought is for the health plan's eligibility or enrollment determinations relating to the individual or for its underwriting or risk rating determinations D. Covered Department shall obtain a signed authorization from all individuals before using or disclosing their PHI for purposes other than treatment, payment, or health care operations. Additionally, PHI may be disclosed without a signed authorization under certain circumstances, as listed in the Privacy Policy. E. Authorization is required for the disclosure of psychotherapy notes, except to the originator of the notes for treatment, payment, or health care operations. F. The authorization shall be written in plain language, and shall allow individuals to request that their PHI be used or disclosed for specific purposes. G. When Covered Department initiates an authorization to use or disclose PHI for its own purposes, Covered Department shall provide individuals with any facts they need to make an informed decision as to whether to allow release of the information. H. The authorization shall not be combined with another document to create a compound authorization, unless: 1. The other document is a similar authorization; 2. If the authorization is for the disclosure of psychotherapy notes, the other document is also an authorization for the disclosure of psychotherapy notes; or Whenever a Covered Department requests an authorization from an individual, Covered Departments shall use a form which complies with this policy and with HIPAA generally. Nothing in this policy prohibits a Covered Department from jointly using any form with other Covered Departments or other treatment providers in which the Covered Department shares information pursuant to an Organized Health Care Arrangement. The form must be completed in full, including a description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion. J. In the event that the authorization is signed by a personal representative of the individual, the authorization shall contain a description of the representative's authority to act for the individual. K. Covered Department shall provide the individual with a copy of the signed authorization. L. Covered Department shall invalidate the authorization if: 1. Any material information in the authorization is known by Covered Department to be false or revoked. 2. The requirements of the authorization have not been filled out completely. 3. The expiration date has passed or the expiration event is known by Covered Department to have occurred. M. Covered Department shall document and retain the signed authorization for a period of at least six years from the date of its creation or the date when it last was in effect, whichever is later. N. Covered Department shall not condition an individual's treatment, payment, enrollment or eligibility for benefits on the provision of an authorization to use or disclose PHI. All authorization forms for the use or disclosure of PHI shall include a statement that the individual's treatment and payment for services shall not be conditioned on provision of the authorization, except as permitted by law. O. Covered Department shall allow an individual to revoke an authorization to use or disclose their PHI, except in situations where: 1. Covered Department has taken action in reliance thereon. 2. The authorization was obtained as a condition of obtaining insurance coverage and state law provides the insurer with the right to contest a claim under the policy or the policy itself. P. Covered Department shall take all necessary steps to honor and comply with an individual revocation of an authorization to use or disclose PHI, unless stated otherwise in this policy. Covered Department shall not impose a time restriction on when an individual may revoke authorization to use or disclose their PHI. Covered Department shall require individuals to request the revocation of authorization to use or disclose PHI in writing. Sec. 3-15-50. Disclosure of PHI without Authorization or Objection of Individual. A. Covered Department may disclose PHI without a valid authorization in limited circumstances, if the individual is given the opportunity to object to such disclosure. B. A Covered Department which is a health care provider may, under this section: 1. Maintain a facility directory including the individual's name, location at the facility, condition (in general terms), and religious affiliation (which is only to be provided to members of clergy). 2. Disclose the individual's specific health information to family, close friends, or anyone else identified by the individual to be involved in relevant care, payment, or necessary notification. C. The individual must be informed of the opportunity to object, unless impracticable due to emergency circumstances. If the individual is present, PHI may be disclosed if the individual agrees, does not object, or it can be reasonably inferred that the individual does not object. If the individual is not present, or unable agree or object, PHI may be disclosed if in the individual's best interests, in the provider's professional judgment. Sec. 3-15-60. Disclosure of PHI required by law. A. Disclosure of PHI should first be made pursuant to an Authorization, as described in Section 3-15-40. If no authorization exists, disclosure may be made pursuant to this section. 1. Permitted disclosures. Weld County may disclose a patient's PHI without the patient's signed authorization to the patient himself or herself, the patient's legally authorized personal representative, those involved with the person's care and treatment, to law enforcement personnel in appropriate situations, for public policy decisions as required by law, and for purposes of a patient's treatment, payment for services, or Weld County's health care operations. Disclosure of PHI may also be made to business associates, or on the basis of and in accordance with a properly executed authorization. 2. Required disclosures. Weld County may make disclosures without consent or authorization as required by law, as required for public health purposes, for certain health oversight activities, for certain judicial and administrative proceedings, for certain law enforcement activities, to coroners, or medical examiners. 3. Unique restrictions on disclosures. If a patient requests a particular restriction on the use or disclosure of his or her PHI, refer the request to the Privacy Officer. 4. Deceased individuals. Covered Departments must protect the PHI of deceased individuals. If an executor, administrator, or other person has authority to act on behalf of a deceased patient or that person's estate, that person should be treated as patient's personal representative. Weld County may disclose PHI, without specific patient consent or authorization, to a coroner or medical examiner responsible for identification of the person, determination of the cause of death, or other duties authorized under state law. The Coroner may also disclose PHI to a funeral director, as permitted by state law. 5. Persons involved in care or treatment. PHI may be disclosed, without the patient's signed authorization, to persons involved in the patient's care, as directly relevant to that care. If the patient is present when PHI is to be disclosed, and has capacity to make health care decisions, PHI can be disclosed to others present if it can reasonably be inferred that patient would not object. If the patient is not present when PHI is to be disclosed, or the patient is incapacitated, PHI may be disclosed if, in the exercise of reasonable professional judgment, disclosure is in best interests of the patient and disclosure is limited to PHI directly relevant to person's involvement with the patient's care. If federal, state, and/or local law requires a use or disclosure of PHI, Covered Department may use or disclose PHI to the extent that the use or disclosure complies with such law and is limited to the requirements of such law. B. In the event that two or more laws or regulations governing the same use or disclosure conflict, Covered Department shall comply with the more restrictive laws or regulations. C. Covered Department may use or disclose PHI to the extent that such use or disclosure is required by law including, but not limited to: 1. For public health activities required by law. 2. For disclosures about victims of abuse, neglect, or domestic violence. 3. In order to comply with judicial release. 4. To comply with law enforcement. 5. For a health release. 6. To avert a serious threat to health or safety. 7. To comply with special government functions or requests. Such requests shall be referred to the Privacy Officer. 8. For purposes of workers compensation investigation and claims, as permitted or required by law. 9. Uses and disclosures for health oversight activities. 10. Uses and disclosures for cadaveric organ, eye or tissue donation purposes. Sec. 3-15-70. Requests for disclosure of PHI. A. Covered Departments shall verify the identity and authority of individuals requesting PHI. B. Once it is determined that use or disclosure is appropriate, personnel with appropriate clearance shall access the individual's PHI using appropriate procedures. C. The requested PHI shall be delivered to the individual in a secure and confidential manner, such that the information cannot be accessed by employees or other persons who do not have appropriate access clearance to that information. D. The proper personnel shall appropriately document the request and delivery of the PHI. E. In the event that the identity and legal authority of an individual or entity requesting PHI cannot be verified, personnel shall refrain from disclosing the requested information and report the case to the Privacy Officer in a timely manner. F. Knowledge of a violation or potential violation of this policy must be reported directly to the Privacy Officer. Sec. 3-15-80. Notice of disclosure of PHI. A. Covered Department shall give adequate notice to individuals regarding the use or disclosure of their PHI, their rights with respect to such use or disclosure, and Covered Department's legal duties pursuant to 45 C.F.R. §164.520. Covered Department shall comply with the contents of such notice. B. The content of the notice regarding the use and disclosure of PHI pursuant to 45 C.F.R. §164.520 shall comply with the policies and procedures that are described herein. The notice shall reserve the right of Covered Department to amend the notice and any of its privacy policies, procedures and practices. C. Notice given to an individual regarding the use and disclosure of PHI must be written in plain language and contain the statement prominently displayed: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY." D. The Notice must contain descriptions in sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by HIPAA and other applicable laws, including: 1. A description and at least one example of the types of uses and disclosures that Covered Department is permitted by law to make for each of the following purposes: treatment, payment, and health care operations. 2. A description of each of the other purposes for which Covered Department is permitted or required by the Privacy regulations to use or disclose PHI without the individual's written authorization including those purposes listed in Section 3- 15-40(E). If a use or disclosure described in Section 3-15-40(E) is prohibited or materially limited by other laws, the description of the disclosure must reflect the more stringent law. E. The notice must also contain the following statements or information: 1. A statement indicating other uses and disclosures shall be made only with the individual's written authorization and that the individual may revoke such authorization as permitted by the individual's rights under HIPAA. 2. A statement of the individual's rights with respect to PHI and a brief description of how the individual may exercise those rights: a. The right to request restrictions on certain uses and disclosures of PHI. A statement that Covered Department is not required to agree to a requested restriction. b. The individual's right to receive confidential communications of PHI, as applicable. c. A statement and a brief description of how the individual may exercise his/her right to inspect, copy, amend, and receive an accounting of disclosure of PHI. d. A statement and a brief description of how the individual may exercise his/her right to obtain a paper copy of the notice from the Covered Entity, even if the individual has agreed to receive the notice electronically; 3. A statement that the Covered Entity is required by law to maintain the privacy of PHI and to provide individuals with notice of its legal duties and privacy practices with respect to PHI. 4. A statement that the Covered Entity is required to abide by the terms of the notice that is currently in effect. 5. A statement indicating that, for PHI that it created or received prior to issuing a revised notice, Covered Department reserves the right to change the terms of its notice and to make the new notice provisions effective for all PHI that it maintains. 6. A statement that individuals may complain to Covered Department and to the Covered Department of Health and Human Services if they believe their privacy rights have been violated. A brief description of how an individual may file a complaint with Covered Department. A statement that Covered Department shall not retaliate against the individual for filing a complaint. 7. The name, or title, and telephone number of a person or office within Covered Department to contact for further information concerning the notice of privacy practices. 8. The date on which the notice is first in effect, which is not to be earlier than the date on which the notice is printed or otherwise published. F. If applicable, the description in the notice of the types of uses and disclosures that the Covered Department is permitted to make for purposes of treatment, payment, and health care operations (see procedure 2(a)) must also include separate statement indicating that: 1. A group health plan, or a health insurance issuer or HMO with respect to a group health plan, may disclose PHI to the sponsor of the plan. 2. Covered Department may contact the individual to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to the individual. G. A statement that Covered Department shall promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the individual's rights, the Covered Entity's legal duties, or other privacy practices stated in the notice, and how it shall provide individuals with the revised notice. Covered Department shall not implement a material change to any term of the notice prior to the effective date of the notice in which such material change is reflected, except when required by law. Upon making a change to a notice and policies and procedures, due to a change in law, Covered Department may use the notice revision date as the new effective date. H. For a Covered Department which is a health care provider, such notice shall be provided to the individual on the date services are provided, or in emergency situations, as soon as reasonably practicable thereafter. In emergency situations, an acknowledgement of receipt of such notice shall be obtained if possible. Such notice shall be provided prominently at the location of service, and at the Covered Department's web address. Covered Department which is also a correctional facility is not required to provide the notice described in this section to inmates. J. Such notice shall also be provided to county employees at the time of enrollment in any county sponsored group health plan, within 60 days of any material revision to the notice, and at least once every three years. K. Knowledge of a violation or potential violation of this policy must be reported directly to the Privacy Officer. Sec. 3-15-90. Personal representatives. A. If under applicable law a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, Covered Department shall treat such person as a personal representative, with respect to PHI relevant to such personal representation. B. With respect to unemancipated minors, deceased individuals, and others, Covered Department shall follow these procedures in determining whether to treat a person as a personal representative of an individual. C. Covered Department shall treat a person as a personal representative of an individual with respect to disclosure of PHI if under applicable law: 1. A parent, guardian, or other person acting in loco parentis (in the place of a parent) has authority to act on behalf of an individual who is an unemancipated minor in making decisions related to health care; or 2. An executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual's estate. D. Covered Department shall treat a person as a personal representative of a deceased individual with respect to the PHI relevant to such representation, if under applicable law the person is an executor, administrator, or other person with authority to act on behalf of the deceased individual or of the individual's estate. E. Covered Department shall not treat a person as a personal representative of an unemancipated minor; when the minor has authority to act with respect to their PHI pertaining to a health care service if: 1. The minor consents to such health care service, no other consent is required by applicable law, and the minor has not requested that another person be treated as the personal representative; 2. Applicable law permits the minor to obtain such health care service without the consent of a parent, guardian, or other person acting in loco parentis; and the minor, a court, or another person authorized by law consents to such health care service; or 3. A parent, guardian, or other person acting in loco parentis assents to an agreement of confidentiality between a covered health care provider and the minor with respect to such health care service. F. Covered Department shall not treat a person as the personal representative of an individual if: 1. Covered Department has a reasonable belief that the individual has been or may be subjected to domestic violence, abuse, or neglect by such person; or treating such person as the personal representative could endanger the individual; and 2. Covered Department, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual's personal representative. G. Covered Department shall follow the requirements and/or permissions of applicable state and other law in determining whether to provide or deny access to a minor's PHI to a parent, guardian, or other person acting in loco parentis. Sec. 3-15-100. Business associates. A. Covered Department shall ensure contracts or other arrangements between Covered Department and its Business Associates comply with the policies and procedures described herein and pursuant to 45 C.F.R. §164.504(e). B. Covered Department shall document satisfactory assurances of compliance with the policies and procedures herein through a written contract or other written agreement or arrangement with the Business Associate; that establishes the permitted and required uses and disclosures of PHI. C. Contracts or agreements between Covered Department and a Business Associate shall prohibit a Business Associate to use or disclose PHI in a manner that would violate HIPAA privacy regulations. D. If Covered Department and the Business Associate are both government entities, and the entities comply with the Business Associate contract provisions by entering into a memorandum of understanding, Covered Department shall ensure that the memorandum of understanding or other applicable law contains terms that accomplish the objectives of the Business Associate contract provisions of the HIPAA privacy requirements. E. When a Business Associate is required by law to perform a function on behalf of Covered Department, and Covered Department discloses PHI to the Business Associate to comply with the legal mandate without meeting the requirements of the HIPAA Privacy rule, Covered Department shall attempt in good faith to obtain satisfactory assurances that the requirements applicable to the Business Associate accomplish the objectives of the Business Associate requirements, and, if such attempt fails, document the attempt and the reasons that such assurances cannot be obtained; and before omitting a termination authorization from its other arrangements, Covered Department shall ensure that the authorization is inconsistent with statutory obligations of Covered Department or its Business Associate. F. Covered Departments which form a contractual relationship with other businesses or entities, and which expect to share protected health information as a result of that contractual relationship, shall execute an appropriate Business Associate Contract (BAC) or Business Associate Agreement (BAA) to ensure compliance with this policy and with HIPAA generally. G. Nothing in this policy prohibits the County or a Covered Department from entering into an Organized Health Care Arrangement (OHCA) for the purpose of sharing protected health information between treatment providers, as permitted under HIPAA. H. Knowledge of a violation or potential violation of this policy must be reported directly to the Privacy Officer. Sec. 3-15-110. Confidential communications of PHI. A. Covered Department, with the assistance of the Privacy Officer, shall take necessary steps to accommodate reasonable requests by individuals to receive confidential communications of PHI. 1. Covered Department shall provide confidential communications by alternative means or at alternative locations pursuant to the HIPAA Privacy rule. 2. Covered Department may require individuals to make a request for a confidential communication in writing. 3. Covered Department shall not require an explanation from the individual as to the basis for the request as a condition of providing communications on a confidential basis. 4. When appropriate, Covered Department may condition the provision of a reasonable accommodation on information as to how payment, if any, shall be handled, and specification of an alternative address or other method of contact. 5. An alternative means or location shall be designated on a case by case basis that is satisfactory to both Covered Department and the individual, before communication of PHI is made. 6. The Privacy Officer, using professional judgment and considering all relevant factors, shall be responsible for deciding the alternative means or location to communicate PHI to an individual, and shall otherwise comply with the disclosure requirements of Section 3-15-60. B. Knowledge of a violation or potential violation of this policy must be reported directly to the Privacy Officer. Sec. 3-15-120. Requests for restricted use of PHI. A. Covered Department shall, with the assistance of the Privacy Officer, allow an individual to request that uses and disclosures of his or her PHI be restricted in accordance with the HIPAA Privacy rule. B. The Privacy Officer, using professional judgment and considering all relevant factors, shall be responsible for approving or denying the requested restriction. The Privacy Officer is not required to agree to a restriction. C. Upon approval of such a restriction, Covered Department shall not violate such restriction, unless as specified within this policy and procedure. D. If a restriction is agreed, Covered Department is not required to honor an individual's request when the individual who requested the restriction is in need of emergency treatment and the restricted PHI is needed to provide the emergency treatment. If restricted PHI is disclosed to a health care provider for emergency treatment, Covered Department shall request that such health care provider not further use or disclose the information. E. If Covered Department agrees to an individual's requested restriction, the restriction does not apply to the following uses and disclosures: 1. To an individual accessing their own PHI. 2. To an individual requesting an accounting of their own PHI. 3. Instances for which an authorization, or opportunity to agree or object is not required. F. Covered Department may terminate its agreement to a restriction in the following situations: 1. The individual agrees to or requests the termination in writing. 2. The individual orally agrees to the termination and the oral agreement is documented. 3. Covered Department informs the individual that it is terminating its agreement to a restriction. Such termination is only effective with respect to PHI created or received after it has so informed the individual. G. Covered Department shall document and retain the restriction for a period of at least six years from the date of its creation or the date when it last was in effect, whichever is later. H. If Covered Department does not agree to a request for restriction, it shall notify the individual who requested the restriction and advise them that Covered Department shall not honor the restriction. Sec. 3-15-130. Requests to access, inspect and/or obtain copy of PHI. A. Covered Department shall take necessary steps to address individual requests to access, inspect, and/or obtain a copy of their PHI that is maintained in a designated record set in a timely and professional manner. B. Individuals may request to access, inspect, and/or obtain a copy of their PHI that is maintained in a designated record set. In instances where the PHI is in more than one record set, or at more than one location, Covered Department shall produce the PHI only once in response to a request for access. Copy and retrieval fees, including postage, based on actual costs, may be applicable. C. If the covered department does not maintain the PHI that is the subject of the individual's request for access, and the covered department knows where the requested information is maintained, the covered department must inform the individual where to direct the request for access. D. Individuals do not have the right to access the following types of information: 1. Psychotherapy notes. 2. Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. 3. PHI that is: a. Subject to the Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C. §263a, to the extent the provision of access to the individual would be prohibited by law; or b. Exempt from the Clinical Laboratory Improvements Amendments of 1988, pursuant to 42 C.F.R. §493.3(a)(2). 4. If Covered Department is acting under the direction of a correctional institution upon an inmate's request for a copy of the PHI and obtaining a copy would jeopardize the health, safety, security, custody, or rehabilitation of the individual or of other inmates, or of any officer, employee, or other person at the correctional institution or responsible for the transporting of the inmate. Any Covered Department receiving such a request from a current inmate must seek the assurance of the Department Head of the Jail that providing the copy of the inmates requested PHI will not jeopardize the operations of the jail. 5. The individual's access to PHI that is contained in records that are subject to the Privacy Act, 5 U.S.C. §552a, may be denied, if the denial of access under the Privacy Act would meet the requirements of that law. 6. The individual's access may be denied if the PHI was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information. E. The Covered Department may require individuals to direct requests for access, inspection, or a copy of PHI to the Privacy Officer, and complete a form request for health information. The individual shall be informed that request for access is required to be in writing. F. An appropriate request from an individual regarding PHI using a request form for health information shall, within a reasonable time period, be reported, along with the form, to records personnel with appropriate access clearance to PHI. G. Upon receipt of a request made, records personnel with appropriate clearance shall act on the request by: (1) informing the individual of the acceptance and providing the access requested, or (2) providing the individual with a written denial. H. Action upon the request must be taken: 1. No later than 30 days after the request is made; or, 2. If the request is for PHI that is not maintained or accessible on-site to Covered Department, no later than 60 days after the request. 3. If Covered Department cannot take action on a request for access to PHI within the relevant time periods, Covered Department may extend the time required by 30 days. 4. In the event that the time period for the action must be extended, then Covered Department shall provide the individual with a written statement of the reasons for the delay and the date by which Covered Department shall complete its action on the request. Only one extension is permitted. Records personnel with appropriate clearance shall access the individual's PHI using appropriate procedures. J. The individual shall be allowed access, inspection, and/or copies of the requested PHI in a secure and confidential manner, such that the information cannot be accessed by employees or other persons who do not have appropriate clearance to that information. K. Covered Department shall provide the individual with access to the PHI contained in a designated record set in the form or format requested by the individual, if it is readily producible in such form or format. L. If the requested format is not readily producible, then Covered Department shall provide the individual with access to the PHI in a readable hard copy form or such other form as agreed to by the individual. M. If requested by the individual, Covered Department shall arrange with the individual for a convenient time and place to inspect or obtain a copy of the PHI, or mailing of PHI. The individual may request, in writing, that the PHI be disclosed by reasonable alternative means, or in a reasonable alternative location, as permitted in Section 3-15-100. Records personnel shall appropriately document the request and delivery of the PHI. N. A summary of the requested PHI shall be provided in lieu of access to the information only when the individual agrees in advance to a summary, and to any related fees imposed. 1. An explanation of the requested PHI to which access has been provided shall accompany the access reply only when the individual agrees in advance to a summary, and to any related fees imposed. 2. If a summary or explanation of the requested PHI is to be prepared, such summary or explanation shall be completed only by records, or other applicable personnel with appropriate access clearance. O. Covered Department shall document and retain designated record sets that are subject to access by individuals for a period of at least six (6) years from the date of its creation or the date when it last was in effect, whichever is later. P. In denying access in whole or in part, to the extent possible, records personnel shall give the individual access to any other PHI requested, after excluding the PHI that was denied. Q. When denying an individual access to PHI, the denial shall: 1. Be written in plain language. 2. Contain the basis for the denial. 3. Contain the following statement: THE INDIVIDUAL HAS THE RIGHT TO HAVE THE DENIAL REVIEWED BY A LICENSED HEALTH CARE PROFESSIONAL, DESIGNATED BY [COVERED DEPARTMENT] TO ACT AS A REVIEWING OFFICIAL AND WHO DID NOT PARTICIPATE IN THE ORIGINAL DENIAL DECISION. 4. Contain a description of how the individual may complain to the Privacy Officer. The description of how the individual may complain shall include the name, or title, and telephone number of the contact person or office designated to receive such complaints. R. All denial reviews shall be conducted by a licensed health care professional who is designated by Covered Department to act as a reviewing official and who did not participate in the original decision to deny. 1. The designated reviewing official shall be determined on a case by case basis by Privacy Officer. 2. Records personnel shall promptly refer a request for review to the designated reviewing official. 3. The designated reviewing official shall determine, within a reasonable period of time, whether or not to deny the access requested based on the applicable standards. 4. Records personnel shall promptly provide written notice to the individual of the determination of the designated reviewing official and take other action as required to carry out the designated reviewing official's determination. S. Knowledge of a violation or potential violation of this policy must be reported directly to the Privacy Officer. Sec. 3-15-140. Requests to amend PHI. A. Covered Department shall allow an individual to request an amendment to his or her PHI or a record in a designated record set for as long as the information is maintained in a designated record set. B. Records personnel, with the assistance of the Privacy Officer, shall be responsible for receiving, processing, and responding to requests for amendments to PHI. C. All individual requests for amendments to PHI shall be in writing, and directed to the Privacy Officer. The Privacy Officer shall inform the individual of the requirement to make requests for amendments in writing. D. Individuals must document the reason(s) to support the requested amendment. E. The Privacy Officer shall inform the individual no later than 60 days after receipt of such a request if the amendment is accepted or denied. The time period for the action by Covered Department shall be extended by no more than 30 days. If the time period for the action is extended, records shall, within 30 days after receipt of the request, provide the individual with a written statement of the reasons for the delay and the date by which Covered Department shall complete the action on the request. The time period for action shall not be extended more than once. F. If the requested amendment is accepted, records shall: 1. Make the appropriate amendment; or 2. Arrange to have the necessary health care professional make the amendment. G. Upon accepting and completing a requested amendment, records shall perform the following tasks: 1. Inform the individual, in a timely manner, and obtain the individual's identification of, and agreement to have Covered Department notify, the relevant persons with which the amendment needs to be shared; 2. Make reasonable efforts to inform and provide the amendment within a reasonable time to persons identified by the individual as needing the amendment; 3. Make reasonable efforts to inform and provide the amendment within a reasonable time to persons, including Business Associates, that are known to have the affected PHI and that may have relied, or could foreseeably rely, on such information to the detriment of the individual. 4. Identify the affected information in the designated record set and append or otherwise provide a link to the location of the amendment. H. In the event that another covered entity notifies Covered Department of an amendment to an individual's PHI, records shall amend the respective information by, at minimum, identifying the affected information in the designated record set and appending or otherwise providing a link to the location of the amendment. Covered Department may deny an individual's request for amendment if it determines that the requested PHI or record: 1. Was not created by Covered Department, unless the individual provides a reasonable basis to believe that the originator of PHI is no longer available to act on the requested amendment; 2. Is not part of a designated record set; 3. Would not be available for inspection under the requirements for individual rights to access PHI; or 4. Is accurate and complete. J. Records personnel, with the assistance of the Privacy Officer, shall be responsible for receiving, processing, and responding to requests for amendments to PHI. K. Upon denying an amendment, in whole or in part, Covered Department shall provide the individual with a written denial. The denial shall be written in plain language and shall contain the following: 1. The basis for the denial; 2. The individual's right to submit a written statement disagreeing with the denial; 3. A description of how the individual may file such a statement; 4. A description of how the individual may file a complaint to Covered Department pursuant to its complaint procedures including the name, or title, and telephone number of the contact person or office designated to receive such complaints; 5. A description of how the individual may file a complaint with the Covered Department of Health and Human Services; 6. The following statement - IF INDIVIDUAL DOES NOT SUBMIT A STATEMENT OF DISAGREEMENT, THEN INDIVIDUAL MAY REQUEST COVERED DEPARTMENT TO PROVIDE THE INDIVIDUAL'S REQUEST FOR AMENDMENT AND THE DENIAL WITH ANY FUTURE DISCLOSURES OF THE PHI THAT IS THE SUBJECT OF THE AMENDMENT. L. If the individual provides a statement of disagreement, Covered Department may prepare a written rebuttal to the individual's statement of disagreement. Covered Department shall provide the individual with a copy of the above rebuttal. M. Covered Department shall append or otherwise link the following to the designated record set or PHI that is the subject of the disputed amendment: 1. The individual's request for an amendment; 2. The denial of the request; 3. The individual's statement of disagreement, if any; and 4. Covered Department's rebuttal, if any. N. Any subsequent disclosures of the PHI to which an individual's written disagreement relates shall include the following: 1. The material appended as described above; or 2. An accurate summary of any such information. O. If the individual has not submitted a written statement of disagreement, Covered Department shall include the individual's request for amendment and Covered Department's denial, or an accurate summary of such information, with any subsequent disclosure of the PHI only if the individual has requested such action. Sec. 3-15-150. Accountings of disclosures of PHI. A. Covered Department shall document and maintain an accounting of when patients' PHI has been disclosed for purposes other than treatment, payment or health care operations. Covered Department shall allow individuals to receive an accounting of all instances where PHI about them is used or disclosed. This requirement does not apply to instances where PHI was disclosed: 1. To carry out treatment, payment and health care operations; 2. Under the authority of a written authorization given by the subject of the PHI; 3. To the individuals about their own PHI; 4. For the facility's directory; 5. To persons involved in the individual's care or other notification purposes; 6. For national security or intelligence purposes; 7. To correctional institutions or law enforcement custodial situation; 8. As de-identified information in a data set. B. Covered Department is not required to include in an accounting of disclosures that were made incidental to another use or disclosure that is permissible under 45 C.F.R. Part 164; however, to minimize incidental disclosures, Covered Department shall: 1. Take precautions to reasonably safeguard PHI as required by 45 C.F.R. § 164.530(c)(1); and 2. Disclose only the minimum amount of PHI necessary to accomplish the intended purpose of the disclosure. C. Covered Department shall allow an individual to obtain an accounting of instances when their PHI has been disclosed by Covered Department anytime up to and including the six years prior to the date on which the accounting is requested. D. The accounting shall be in writing and shall include disclosures made to or by Business Associates of Covered Department. E. Each accounting of a disclosure shall include the following: 1. The date of disclosure; 2. The name of the entity or person who received the PHI and, if known, the address of such entity or person; 3. A brief description of the PHI disclosed; 4. A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure; or in lieu of such statement: a. A copy of the individual's written authorization to use or disclose the PHI, or b. A copy of a written request for a disclosure required by the DHHS Secretary to investigate or determine the Covered Entity's compliance with applicable laws and regulations. 5. The frequency, periodicity, or number of disclosures made during the requested period, if applicable, including the date of the last such disclosure. F. Covered Department shall act on the individual's request for an accounting not later than 60 days after receipt of the request by: 1. Providing the individual with the accounting requested, or 2. Extending the time to provide the accounting by no more than 30 days. This one- time extension requires a written explanation. G. Any accounting shall be provided to an individual once in any 12 month period without charge. Subsequent accountings in the same period may be subject to charges as determined by the Privacy Officer. H. Covered Department shall document and retain the following for a period of at least 6 years, or from the date of its creation or the date when it last was in effect, whichever is later: 1. The information required to be included in an accounting; 2. The written accounting that is provided to the individual; 3. The title of the persons or officer responsible for receiving and processing requests for an accounting by individual. Covered Department shall temporarily suspend an individual's right to receive an accounting under this section if a health oversight agency or law enforcement official requests such suspension due to the reasonable likelihood that it will impede an investigation. Such request made orally shall be documented and enforced for no more than 30 days. Such request made in writing shall be enforced for the duration listed in the request. J. Business Associates of Covered Departments shall comply with the requirements of the section. K. The Privacy Officer is responsible for responding to a request from an individual for an audit trail of instances when their PHI has been disclosed for purposes other than treatment, payment, or health care operations. Sec. 3-15-160. Complaints regarding these policies and procedures. A. As specified in 45 C.F.R. §164.530(d), Covered Department shall provide a process for individuals to make complaints concerning Covered Department's policies and procedures regarding the use or disclosure of PHI, or its compliance with such policies and procedures. B. The Privacy Officer shall be Covered Department's designated contact for individuals to file complaints pursuant to this policy. The Privacy Officer should be contacted in order to file complaint concerning Covered Department's policies and procedures required by the HIPAA privacy rule, or its compliance with such policies and procedures. The Privacy Officer shall document all complaints. C. Covered Department shall not require individuals to waive their rights to file a complaint with the Department of Health and Human Services as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits. D. Covered Department shall refer all complaints regarding potential HIPAA privacy violations to the Privacy Officer. The Privacy Officer shall document all complaints received, and their disposition, if any, for a period of at least six years from the date of its creation or the date when it last was in effect, whichever is later. E. It is the responsibility of all Covered Department employees to report perceived misconduct, including actual or potential violations of the Privacy rules or these policies, procedures. F. Covered Department shall maintain an "open-door policy" at all levels of management to encourage employees to report problems and concerns. Sec. 3-15-170. Policy prohibiting retaliation. A. Covered Department shall follow all necessary procedures to protect against any retaliation toward any employee, individual, or other for exercising their rights or participating in any process pursuant to internal policies, applicable law, and/or regulation. B. Any Covered Employee who commits or condones any form of retaliation shall be subject to discipline up to, and including, termination. C. Covered Department shall not retaliate against employees, individuals, or others for: 1. Filing a complaint with Covered Department; 2. Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing; or 3. Opposing in good faith any act or practice made unlawful by the HIPAA Privacy rule, provided that the manner of the opposition is reasonable and does not itself violate law. Sec. 3-15-180. Security of PHI. A. Covered Department shall: 1. Protect individually identifiable health information transmitted or maintained by Covered Department, regardless of form (e.g., patient name, patient number, address, telephone number, social security number, etc). 2. Ensure that non-covered departments are restricted from accessing, using, or disclosing PHI, as if the non-covered departments were separate legal entities. 3. Protect against reasonably anticipated threats, hazards, or impermissible disclosures of PHI. B. The Director of the Covered Department, with the assistance of the Privacy Officer, shall: 1. Have the continuing responsibility to ensure that individual members of the Covered Department's workforce have appropriate access to the minimum amount of PHI necessary to their work duties; 2. Ensure that workforce members receive necessary training in order to comply with these requirements; 3. Ensure that each individual with access to electronic PHI can be individually tracked with unique user identification; 4. Use hardware, software, or procedural mechanisms to document electronic activity related to PHI and protect it from improper transmission, alteration or destruction; Sec. 3-15-190. Breach of Security. A. Breach means the improper acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of the protected health information, which poses a significant risk of financial, reputational, or other harm to the individual. Breach does not include: de-identified information; good faith unintentional or inadvertent use or disclosure of PHI that does not result in further improper use or disclosure. B. Covered Department, with the assistance of the Privacy Officer, shall: 1. Take all necessary steps to mitigate any harmful effect that is known to Covered Department of a use or disclosure of PHI in violation of Covered Department policies and procedures. 2. Establish procedures for responding to an emergency that damages PHI, including a data backup and recovery plan, and continuing to provide critical services. 3. Re-evaluate these procedures periodically to ensure compliance with HIPAA. C. Notice In the event of a breach, Covered Department, with the assistance of the Privacy Officer, shall: 1. Mail written notice to all individuals whose PHI has or may have been breached without unreasonable delay, and in no case more than 60 days. Such notice shall be written in plain language and include a brief description of what happened, the date, the type of PHI involved, any steps the individual should take to protect themselves from further harm, what the Covered Department is doing to investigate, mitigate, and protect from further harm, and contact procedures for further information. Such notice shall be provided to local media if the breach affects 500 or more individuals. 2. Notify the DHHS Secretary without unreasonable delay of any breach involving 500 or more individuals. All other breaches must be documented and submitted to the Secretary annually. 3. If the Covered Department received notice from a law enforcement official that sending the notice as required by this subsection would impede a criminal investigation or cause damage to national security. Sending such notice shall be delayed by thirty (30) days if the request is made orally, and for as long as may be requested in writing by such law enforcement official. D. Covered Department shall utilize the following process to mitigate the effect of an unauthorized release of PHI by an employee: 1. Any unauthorized release of PHI shall be immediately reported to Privacy Officer upon discovery of the release. 2. Covered Department shall apply appropriate sanctions against members of its workforce who fail to comply with the Covered Department policies and procedures. 3. The type of sanction applied shall vary depending on the severity of the violation, whether the violation was intentional or unintentional, whether the violation indicates a pattern or practice of improper access, use or disclosure of health information, and similar factors. E. Employees, agents, and other contractors should be aware that violations of a severe nature may result in notification to law enforcement officials as well as regulatory, accreditation, and/or licensure organizations. F. The sanction policy and procedures contained herein do not apply specifically when member(s) of Covered Department's workforce: 1. Oppose any act made unlawful by the HIPAA Privacy rule, provided the individual or person has a good faith belief that the act opposed is unlawful, and the manner of the opposition is reasonable and does not involve a disclosure of PHI in violation of the HIPAA Privacy rule; 2. Disclose PHI as a whistleblower and the disclosure is to a health oversight agency, public health authority, or an attorney retained by the individual for purposes of determining the individual's legal options with regard to the whistleblower activity; or 3. Is an employee who is a victim of a crime and discloses PHI to a law enforcement official, provided that the PHI is about a suspected perpetrator of the criminal act. G. Failure by any Covered Employee to comply with these policies or procedures shall subject such Covered Employee to disciplinary action, up to and including termination. Sec. 3-15-200. Destruction and Disposal of PHI. Covered Department shall make reasonable efforts to dispose of PHI in a manner that protects the confidentiality of the information. A. Destruction of PHI 1. Destruction of Paper Copies and Original Documents (Day-to-Day Disposal). a. Printed material (e.g., faxes, printed emails, etc.) containing PHI must not be discarded in trash bins, unsecured recycle bags or other publicly accessible locations. Instead this information must be shredded, placed in a secured recycling bag, or destroyed by cutting, tearing or burning. b. The user may elect to use either shredding, secure recycle bags, or other options for the destruction of these documents, as long as the destruction is in accordance with this policy. It is the individual's responsibility to ensure that the document has been secured or destroyed. And it is the supervisor's responsibility to ensure that their employees are adhering to the policy. c. Microfilm or microfiche must be cut into pieces or chemically destroyed. d. After documents have reached their retention period, all PHI must be securely destroyed using the Covered Department record retention process governing destruction of records. 2. Destruction of Electronic Media a. Secure methods shall be used to dispose of electronic data and output. The [Information Services (IS) Covered Department] is responsible for the destruction of electronic copies containing PHI, including any media that may be reused. However, employees may dispose of the electronic data themselves using the following methods: b. Deleting on-line data using the appropriate utilities; c. "Degaussing" computer tapes to prevent recovery of data; d. Removing PHI from mainframe disk drives being sold or replaced, using the appropriate initialization utilities; e. Erasing diskettes to be re-used using a special utility to prevent recovery of data; or destroying discarded diskettes. 3. Hardcopy (Bulk Disposal). a. Secure methods shall be used to dispose of hardcopy data and output. b. PHI printed material shall be shredded and recycled by a firm specializing in the disposal of confidential records or be shredded by an employee of Covered Department authorized to handle and personally shred the PHI. c. If hardcopy PHI (paper, microfilm, microfiche, etc.) cannot be shredded, it must be incinerated. B. Documentation of PHI Disposal. 1. To ensure that it is in fact performed, employees or a bonded destruction service must carry out the destruction of PHI. 2. If Covered Department personnel undertake the destruction of the records, the employee must use the records destruction form provided by designated personnel, if the record is found on the record retention schedule for the Covered Department destroying the record. 3. If a bonded destruction company undertakes the destruction, the bonded destruction company must provide Covered Department with the document of destruction that contains the following information: a. Date of destruction; b. Method of destruction; c. Description of the disposed records; d. Inclusive dates covered; e. A statement that the records have been destroyed in the normal course of business; and f. The signatures of the individuals supervising and witnessing the destruction C. Enforcement. All supervisors are responsible for enforcing this policy. Individuals who violate this policy shall be subject to the disciplinary process as outlined in the disciplinary and sanctions policy. D. Covered Department shall protect individually identifiable health information transmitted or maintained. Covered Department is committed to safeguarding PHI in order to operate in a manner that is consistent with applicable federal and State laws and regulations. E. If there is need to destroy any information it must be done either by shredder or placed in a confidential/secured trash bin. PHI must never be discarded in non- secured trashcans. F. Knowledge of a violation or potential violation of this policy must be reported directly to the Privacy Officer. Sec. 3-15-210. Transmittal of PHI. A. Transmittal of PHI by FAX. 1. PHI should be hand delivered or mailed whenever possible. Faxing of protected health information internally to authorized employees is allowable at anytime to facilitate treatment, payment and health care operations, provided the guidelines outlined in this policy are adhered to. 2. Faxing of protected health information outside of the facility is allowable in situations when health information is needed immediately for patient care purposes, continuing care placement, payment or when mail or courier delivery will not meet a necessary timeframe. 3. Faxing of sensitive health information such as that dealing with mental health, chemical dependency, sexually transmitted diseases, HIV or other highly personal information is prohibited unless requirements above are met. 4. Each Covered Department must designate a FAX machine in their area that will be utilized to send and/or receive protected health information. This FAX machine must not be accessible to the public and should only be accessible to staff directly involved in patient care of those authorized to handle faxed information. 5. The faxed information must be accompanied by special FAX cover sheet specifically designated for faxing of protected health information. Each page of intended FAX should be stamped or marked "confidential". In the event of a misdirected FAX, recipient should be directed to immediately destroy the fax. 6. Covered Employees authorized to FAX protected health information must take reasonable steps to confirm the accuracy of the FAX numbers and security of recipient machines. 7. When possible, a FAX confirmation slip should be printed from the FAX machine or e-FAX for each outgoing transmission and machine operators must also verify that the intended destination matches the number on the confirmation. The confirmation should be attached to the document that was transmitted and kept as part of the individual's record. If the confirmation slip cannot be obtained from the FAX machine, sender must attempt to verify recipient. 8. Knowledge of a violation or potential violation of this policy must be reported directly to the Privacy Officer. B. Receiving PHI by FAX. 1. When expecting the arrival of a FAX containing protected health information, schedule with the sender whenever possible to ensure that the faxed documents can be promptly removed from the FAX machine. 2. Each Covered Department must designate employees who are authorized to handle PHI who will be responsible to check FAX trays at scheduled intervals and disseminate their contents to the appropriate responsible parties. 3. Staff responsible for routing protected health information must be sure that they leave it in a secure/confidential location. 4. If there is need to destroy any information it must be done either by shredder or placed in a confidential/secured trash bin. Protected health information must never be discarded in non-secured trashcans. 5. Knowledge of a violation or potential violation of this policy must be reported directly to the Privacy Officer. BE IT FURTHER ORDAINED by the Board that the Clerk to the Board be, and hereby is, directed to arrange for Colorado Code Publishing to supplement the Weld County Code with the amendments contained herein, to coincide with chapters, articles, divisions, sections, and subsections as they currently exist within said Code; and to resolve any inconsistencies regarding capitalization, grammar, and numbering or placement of chapters, articles, divisions, sections, and subsections in said Code. BE IT FURTHER ORDAINED by the Board if any section, subsection, paragraph, sentence, clause, or phrase of this Ordinance is for any reason held or decided to be unconstitutional, such decision shall not affect the validity of the remaining portions hereof. The Board of County Commissioners hereby declares that it would have enacted this Ordinance in each and every section, subsection, paragraph, sentence, clause, and phrase thereof irrespective of the fact that any one or more sections, subsections, paragraphs, sentences, clauses, or phrases might be declared to be unconstitutional or invalid. NOTICE PURSUANT to the Weld County Home Rule Charter, Ordinance Number 2012-10 published above, was introduced and, on motion duly made and seconded, approved upon first reading on October 3, 2012. A public hearing and second reading is scheduled to be held in the Chambers of the Board, located within the Weld County Administration Building, 1150 O Street, Greeley, Colorado 80631, on October 22, 2012. All persons in any manner interested in the reading of said Ordinance are requested to attend and may be heard. Please contact the Clerk to the Board's office at phone (970) 336-7215, Extension 4225, or fax (970) 352-0242, prior to the day of the hearing if, as the result of a disability, you require reasonable accommodations in order to participate in this hearing. Any backup material, exhibits or information previously submitted to the Board of County Commissioners concerning this matter may be examined in the office of the Clerk to the Board of County Commissioners, located within the Weld County Administration Building, 1150 O Street, Greeley, Colorado, between the hours of 8:00 a.m. and 5:00 p.m., Monday thru Friday, or may be accessed through the Weld County Web Page (www.co.weld.co.us). E-Mail messages sent to an individual Commissioner may not be included in the case file. To ensure inclusion of your E-Mail correspondence into the case file, please send a copy to egesick@co.weld.co.us. SECOND READING: October 22, 2012, at 9:00 a.m. THIRD READING: November 14, 2012, at 9:00 a.m. BOARD OF COUNTY COMMISSIONERS WELD COUNTY, COLORADO DATED: October 5, 2012 PUBLISHED: October 10, 2012, in the Fort Lupton Press PROOF OF PUBLICATION FORT LUPTON PRESS STATE OF COLORADO COUNTY OF WELD SS. I, Christopher L. Harrop, do solemnly swear that I am the Managing Editor of the Fort Lupton Press that the same is a weekly newspaper printed and published in the County of Weld, State of Colorado, and has a general circulation therein; that said newspaper has been published continuously and uninterruptedly in said county of Weld for a period of more than fifty-two consecutive weeks prior to the first publication of the annexed legal notice or advertisement; that said newspaper has been admitted to the United States mails as second-class matter under the provisions of the act of March 3, 1879, or any amendments thereof, and that said newspaper is a weekly newspaper duly qualified for publishing legal notices and advertisements within the meaning of the laws of the State of Colorado. That the annexed legal notice or advertisement was published in the regular and entire issue of every number of said weekly newspaper for the period of ONE consecutive insertion(s); and that the first publication of said notice was in the issue of newspaper, dated 10th day of OCTOBER 2012, and the last on the 10th day of OCTOBER 2012 1/ Managing Editor, Subscribed a worn before me, this 10th day of OCTOBER 2012 ' My Commission Expires : 02/02/2014 2 FORT LUPTON PRESS WEDNESDAY,OCTOBER 10,2012 wNA4.HLUPTONPRESS.COM LEGAL NOTICES EGA 1 Sec.3-15-170 P o I icy person or entity (not a member of 3. Preparation and 1. This policy does not set for research, public health, or ,EGA LS J prohibiting retaliation. Policy covered entity's workforce) that oversight of distribution of the HIPAA apply to the following uses or health care operations, and may ( Sec.3-15-180 Security of helps a covered entity with a function Privacy Notice. disclosures: be provided to Business Associates PHI. or activity involving the use or pursuant to a written agreement. OM page 9 Sec.3-15-190 Breach of disclosure of Individually Identifiable 4. Providing assistance to a Disclosure to or requests Security. Health Information,or offers service Covered Departments in determining i by a provider for treatment F. Covered Departments, Sec.3-15-200 Destruction to the covered entity which involves potential risks and vulnerabilities to i with the assistance of the Privacy described in Exhibit A pursuant and Disposal of PHI. the disclosure of Individually the integrity of PHI. ' b Uses or disclosures Officer, shall comply with any other i the City of Fort Lupton Notice Sec.3-15-210 Transmittal Identifiable Health Information. made to the individual who is the duty required by the Secretary of equirements. of PHI. 5. Development , subject of the information. DHHS. he same shall be heard before "Health information" means any coordination and participation in ie City Council at a public hearing Sec. 3-15-10- Purpose, authority information,whether oral or recorded the education and training for the c. Uses or disclosures Sec. 3-15-40. Authorization for n November 5, 2012 at 7:00 P.M. and applicability. in any form or medium,that: .. Covered Employees. pursuant to an Authorization. disclosure of PHI. r soon as possible thereafter.The udlic hearing will be held at Fort A. On August 14, 2002, a. Is created or received 6. Development of an d. Disclosures made to the A. For all uses and upton City Hall located at 130 the U.S. Department of Health and by a covered department or other atmosphere to encourage staff to Covered Departments. disclosures of an individual's outh McKinley Avenue. Human Services ("HHS") published covered entity,and report possible noncompliance PHI, Covered Department shall urther information is available final regulations for Standards for . by Weld County, health insurance e. Uses or disclosures obtain a signed authorization from trough the City Planning and Privacy of Individually Identifiable b. Relates to the past, carriers and/or Third Party required by law, or for compliance the individual, unless the use or uilding Department at (303) 857- Health Information (-the Privacy present,or future physical or mental Administrators("TPA"). with applicable laws and regulations, disclosure is required, or otherwise 694. Rule"). The Rule was established health or condition of an individual, as determined by the Privacy permitted without an authorization to provide national standards forthe the provision of health care to an 7 Acting on matters related Officer. for treatment,payment or health care .LL INTERESTED PERSONS MAY protection and privacy of Protected individual: or the past. present, or i to privacy compliance.This includes operations or as otherwise permitted TTEND Health Information. The purpose of future payment for the provision of the design and coordination of 2. All proposed uses or by 45 C.F.R. Part 164 (the Privacy this Article XV is the establishment health care to an individual. internal reviews and any needed i disclosures of PHI shall be reviewed rule). Covered Department shall be EXHIBIT A of the Health Insurance Portability corrective action (e.g., revisions , by persons having an understanding permitted,but not required,to obtain (Legal Description) and Accountability Act Policies and "Individually identifiable health ' to HIPAA Privacy Policies and of these privacy policies and consent for disclosure related to Procedures ('HIPAA Policies and information" means a subset of Procedures, institution of additional practices,and sufficient expertise to treatment payment, or healthcare A tract of land,being a part of Procedures") for the employees of health information,collected from an training etc.). understand and weigh the necessary operations. Government Lots One(1)and the Covered Department(s)of Weld l individual that: factors. Two(2)of the Northeast Quarter County (collectively, the 'Covered 8. Coordination of B. Covered Department (NE1/4)of Employees'). a. Is created or received disciplinary sanctions associated 3. Covered Department shall comply with the requirements Section Four(4),Township One by a health care provider, health with violations of the HIPAA Privacy employees shall only use, disclose. set forth in 45 C.F.R. § 164.508, Forth(T1 N.),Range Sixty-six West B. This Article XV provides plan, employer, or health care ' Policies and Procedures. '.I or request an entire medical record to obtain authorization to use or (R.66W(of the Sixth Principal a comprehensive outline of Weld clearinghouse:and i when the entire medical record disclose PHI. Meridian County s responsibilities for 9. Coordination of I is specifically justified as being (6th P M),City of Fort Lupton, compliance with Federal HIPAA b. Relates to the past, mitigating efforts in the event of a reasonably necessary to accomplish I C. Covered Department County of Weld,State of Colorado Privacy Regulations. Any policies, present,or future physical or mental violation to the Privacy Rules. the purpose of the use, disclosure, shall not condition treatment, procedures, or forms promulgated health or condition of an individual, I : or request. Covered Employees payment,or enrollment in the health - by state or Federal healthgrantprovision 10. Review andplan, or eligibility for benefits on the Ictober 1 in the Fort Lupton Press the the health s care to an shall the sureest and g y )ctober 10,2012 sronremswhichare Count s or more individual;al', or past,provision snt, or ''i accvmual requests if appropriate, of justificationntir medicalfor disclosure of the the evauth ri an authorization,uis unless willn take r e Weld health a payment for the l: n of individual soffor confidential entire record, except health plan's elig sought is for the Co take The Weldprecedence over Weld care to an individual:and communications of PHI. when the entire o uro is ter plan's eligibility or enrollment WELD COUNTY County s. the Weld are the ety policies disclosed providing a provider for purposes determinations ns relating to the CODE ORDINANCE 2012-10 in standard this f Co ployeem c. Identifies the individual' 11 accommodation, if and of care. individual or for its underwriting or l Covered r Employees: or individual requests restrictions of risk rating determinations however,m may ate or Federal quire eandreduclos for f their own Departments,Within the ropeate V DHE M EENA TI GEPE WITH I arc rams lteoose or require t Wlrh tenable b is o Pn use disclosure of their own pan only e appropriate HI shallD Covered Department ;NDIME REENACTING, WITH ror or forms to accomplish pies. there is a reasonable basis to PHI. personnel shall have access rt PHI m individuals a signed beforear using or IIUMAN RESO, CHAPTER 3 eced same or farms to n to idea information individual. Routine used as determined by the department enf from all disclosing teir using s VELD DN RESOURCES. OF THE the n HIPAA complian o to identify lthi the 12. Review and Pireacy in conjunction with s other than their PHI for purposes COUNTY CODE eethant. In those instances,to aboe information meeting iom the accommodation. If appropriate. iofs Privacy Officer maintain Such individuals te eal treatment payment, l or insure and to avoid o requirements redundant effort ig definition fedas immediately Il meitean upon n individual own nu PHI.ests for amendments levels reque shallsto PHI on routine health care operations. without itho a IF IT ORDAINED C M THE BOARD met ored lgrant effort designated os PHI t byaeey notification tt PHL This includes of aappro tri PHI on c routine PHI may he zationsud n IF THENCY NTMMISSIONER , the edue . for s mat Itsc or receipt by:rte Covered theamendment f to the individual or du aid; basis dutieso and responsibilities oly accomplish sig ned tances authorization under certain IF THE COUNTY OF WELD, procedures.s and meet oms may policies,e used Employees, Or any B the ss and; their and : Privacy Popes. as listed in the ITATE OF COLORADO: as long as they the minimum as any relevant Business Associate, Pnvacy Policy. standards in this icies, undertake' means the activities as necessary. 5 The it h criteria VHEREA5, the Board of i XV. Alternative s, grant m policies, undertaken by: shall PHI r used in o limiting the amount E. Authorization psychotherapy is therapy Veld, Stateerf o the County of '' aove and t forms must be su. Preparation i PHI o Employ (disclosed)by the farts. disclosure originator of Veld State ofstatute tute ano theapprovedplanCoveredto the Weld Officer- fodetermineerful its responsibility request for accost with Section PHI the notes for preations. payment,or nth thyHome Rule Charter, sasind for coverage and provision of 3'15-12. in accordance with Section a. Do or individualsc who health care operations. le a authority of administeringotao, C. Weld County's policy in benefits under the health plan:or 3-15-120. are requesting understanding the PHI �e affairs of Weld County.Colorado. confidential yorHIPAA s in nave a complete or userr sclog of F The nua shall and reech to any HIPAA policies on healthdi) A plan care orprovider or 14. Periodic revision of ofthe for the use or disclosure be shall lo in plain d language, and A of privacy or o personnel mb s m t obtain ro provide the HIPAA Privacy Policies and of the PHI? shall i individuals used to request VHEREAS, the Beare oferCounty8, Any HIPAA policies on pivacynor reimbursement care. for the provision of Procedures at result of changes that their ecif PHI be used or disclosed om. adopted on ountyer discipline for as of privacy or health care- of Federal and state law- b Are all of the individuals for specific purposes- ' dinancepled Weld County Code confidentialityaly net forth in this identified for whom the requested :ompre e ve . enacting he a I Article XV dply in addition those "Protected e health Fden(PHI)" 1g. Receiving rede complaints use or disclosure of the PHI D. When Covered oWeld n Code for theCounty Policies in set Weld County's pier Personnel means individually. includingifincluding thef demographicrm use disclose PHI for its own it ral adopted rmordinancese y Code. If there is conflict in dia, collected from an IBt General Weldpurposesprovide andanyprovision ofpast, protect County to entire termedical record tifyregosur the shas eyi tdimakela wifo aed nacted on or before said date of WecerCou personnelsnneipline des paymen or future al are. care or l ientprivacy and confidentiality t requester to justify disclosure ef facts theysneed to h informed oallow idophon,and concerning County's Personnel and nie payment for d oo,maismitted of patients PHI by n the the entire medical s record to be decision h to whether i to allow conoe County's discipline Personnel and grievance,Policies In any form or medium,or transmitted requirementslaw of Federal and State reasonably necessary. release of the information. Y VHERed of the Weld County Code Weld electronically. I and The hentp policies and - shall take precedence. procedures. policy provides 6 f Requests reviewed o an H The authorization shall ;in need of revision and clarification q rich regard e procedures, terms, "Psychotherapyoe recorded notes' means the n of Weld rk.County's privacy p PHI shall be reviewed on an not be combined with another und .rid requirements therein. D. All members of Covered in notes re althed (in any medium) compliance de framework. The policy individual basis in accordance with document n create a compound Departments shall be siand is a mental care eal provider rf who should provided t d to each individual u,I criteria listed in the policy. authorization,unless'. IOW, THEREFORE,theCBE IT procediurHIPAA spec policiestoI,and documenting a mental or a przingsio I ds necessarybo tt irokew PHI nd Commis io by theBoard of nfy of necess rya ndh respect pprrito PHI, as or analyzing the decisions l t their own PHI. and 7. may Covered Department on 1. The other document is a lommisaite of of the County in necessary and appropriate respon tobi ties iat of coning ss session durina Priv be generally icer. available from the employees may reasonably rely on similar authorization; Veld,gCh pt rs ofthe,teat county out their tluties antl responsibilities. g private emir ore flog co or a I Privacy Officer- requests by )(Ding be herebyeWeldCeantyled group. jaid or family a flingpm 2.for if the authorization psychotherapy is :ode -e. and hereby are. repealed Sec.3-15-20. Definitions. the es and that are separated from 1. Required may disclosures. a.enforcement agec health ind ere law forts, thecothure of ument also rid re varous with amendments red rest of tse i otherapys medical Welo County may make holosuro Miimu :Necessary information notes. the other r the di document is also )dad various Chapters fire revised "Coverer/ is of Weld County, those record. medication notes as et consent or authorization rei the Minimum:Necessary information pschauthorizationthrotes: disclosure of r read as follows: departments d r County,or any excludes meth cation prescriptionines ' required by law-purposes.reor ce far for certain disclosures; psychotherapy notes;or programs anent the authority tofo sad mndi[ t iesn thhng sessies ealth health fight for certain :HAPTER UMAN 3 such edrth departments, which component ' and and stop er lies the read ant ai oversight activities for in Other Covered Entities I. Whenever a Covered IUMAN RESOURCES a covered rHIhealth care comesn the and d results of tines. certain judicial and certain Lao in determiningar the certain Dehortment requests an under gIdepa 'This includes the furnished, r of clinicalhe testa proceedings, for oac law Necessary information for certain • authorization from an individual, e ,DD the P Policies an: Article XV following departments'. andany summary nf the following enforcement r medical activities,mrs, to coroners disclosures,or Ca Departments shall use (IPAA Policies and Procedures items: Diagnosis, fan status, or medical examiners- a form which complies with this a. The Weld County the treatment dplan.ge symptoms, c. A professional who is policy and with licyA generally. uth 3-15-10 Purpose Department Public Health and prognosis,and progress to date. 2 i Unique restrictions on a of its to a or is a Nothing in this t prohibits y cc y and applicability. Environment("Health"). disclosures. A patent'so therequest for m Associate of a Covered Covered Department hnt from v red ec.3-15-20 Definitions "Treatment' means the provision. a sure restriction oron on the use or Department for the purpose of pg any form with other treatment ei 3-15-30 Privacy b The Weld County �II coordination. management of disclosure of his iv her PHI shall be the professional xedservices providers Departments or hth t Covered cc 3 l5- Privacy Policy. Department of Human Resources health care and related services by referred to the Privacy Officer- to the Covered Department, if Department in shares h re the Covered eih 3-15-00 ("HR") including n d more health or pronetlero, the nformatio al request e i that Depaant tt nh Orq and Health c 3-15-150 for disclosure l PHL me the coordination t or 3. Poteev rig hl violations. Any th information ary for h is the pursuant tn man t. The Health cc PHI 0 Disclosure or c The Weld County management of health care a ha dveag that or County io i Minimum Necessary for the stated Care ee in ns The formd must f PHI without Authorization or Department of Accounting I health care provider with a third has violated a policy a y ses purpose. be completedof tfull, including a ice 3-156f Indevedual. ('Accounting"). care consultation en between a health of law ac privacy issues ' description of the information identifies to HI equireO Disclosure of care frral relating halt must contact the Privacy Officer I 8. Knowledge f aviolation I b used d in nea that and cc required by law. d. The Weld County Jail or the nl of a patient for health ider aliteimmediately. Weld County will not must potential bets violation re this policy ' the information a specific and ec.3-15-70 Requests for ("Jail"). care from one health care provider retaliate against employees who I iva be reportedi directly to the meaningful fashion. icclosure of PHI. to another. will in good faith. Weld psCounty : Privacy Officer. cc.3-15-80of Notice of A. The Area Agency on takeat all reasonable c by to J. n the event that the isclosure of PHI. Aging("Area Agency"). v 3-15-30.y oliPrivacy Officer and improper any s damages causedH, be close if hse representative epr sent ion is signed eye personal upr 3-15-90 Personal Privacy Policy. improper use or disclosure of PHI. shall not e rtmented if those they authorize of the contain ec. 31i00s. information information" means Covered Department employees the authorization h shall contain s ssociates.3-15-100 Business Health tif informaua that does not i A The HIPAA Privacy in Minimum e necessary creating other ployees iof v description f the representative's cc, identify individualthand ea respect Officer ("Privacy tor R r s, shall y. proper procedures rEmployeesc oDepartment,any other aveemployees actual of Covered authority to act for the individual. 3-15-110 Confidential t which there is no nan the or her of Human Resources, shall follow proper pr minium that t h information have actual knowledge ommunications'15- 2 of PHI basis to believe that the information his her a The Privacy to t that only the minimum ot the tin ombin could be h used K Covered theDep with a t pc.cted use Requests for can used to identify e an eindividual alth Officer'se primary responsibilities amount of PHI s to alone ti in ooideinayon d other shall y provide the individual with a Pc.3-1 use of PHI. is not individuallyfi identifiable health include'. accomplish r the specific ally se of information a on to identify of than individual rm copy of the signed authorization. Pc. s, sp Requests in to information. is or disclosure is actually used or who is subject o of the information. cress, inspect and/or obtain copy ' 1. Development Pt of disclosed. removal ads the L. Covered Department if: f PHI,, "HIPAA"means the Health t InsuranceAct the HIPAA isPrivacy Policies and removal of names, addresses, shall invalidate the authorization if: sec.3-15-140 Requests to 1Portability96, and .§132tab 1 20t of , annual review This include m an D.shall Covered tonl Employees numbers, age, telephone/fax nu mend PHI. as9a, e U.S.C.§1 the —132ions with annual decal td l compliance mo request only the minimum numbers, mbiel security numbers, 1. Any material information 'edi 3-15-150 Accountings amended, and the regulations with Federal and state law. amount of PHI necessary toof account numbers,license numbers, oleo, osures of PHI. thereunder,45 C.F.R.Parts 160 and accomplish the specific purpose of '. fingerprints, full face photographs, LEGALS Pc.3-15-160 Complaints 164. 2. Oversight of the HIPAA the request. This includes routine or any other unique identifier. Such ■ see egarding these policies and Privacy Policies and Procedures and/or recurring requests. de-identified information may be rocedures. ' "Business associate" means a implementation. used or disclosed as a limited data page 1 3 WWW.ETLUPTONPRESS.COM WEDNESDAY,OCTOBER 10,20(2 FORT LUPTON PRESS 13 LEGAL NOTICES LEGALS for public policy decisions as using appropriate procedures. required by law, and for purposes a paper copy of the notice from the A. under applicable law a C. Contracts or agreements Covered Entity,even if the individual person has authority to act on behalf between Covered Department and of a patient's treatment,payment for i C. The requested PHI shall I has agreed to receive the notice of an individual who is an adult or a Business Associate shall prohibit from page 2 services, or Weld County's health be delivered to the individual in a electronically; an emancipated minor in making a Business Associate to use or care operations. Disclosure of PHI secure and confidential manner, • decisions related to health care, disclose PHI in a manner that would may also be made to business such that the information cannot 3. A statement that the Covered Department shall treat such violate HIPAA privacy regulations. associates,or on the basis of and in ' be accessed by employees or Covered Entity is required by law person as a personal representative, accordance with a properly executed other persons who do not have to maintain the privacy of PHI and with respect to PHI relevant to such D. If Covered Department in the authorization is known by authorization. appropriate access clearance to that to provide individuals with notice of personal representation. and the Business Associate are Covered Department to be false or information. its legal duties and privacy practices both government entities, and the revoked. 2. Required disclosures. with respect to PHI. B. With respect to entities comply with the Business Weld County may make disclosures D. The proper personnel unemancipated minors, deceased Associate contract provisions by 2 The requirements of the without consent or authorization shall appropriately document the 4. A statement that the individuals, and others, Covered entering into a memorandum of authorization have not been filled as required by law, as required for request and delivery of the PHI. Covered Entity is required to abide Department shall follow these understanding,Covered Department out completely. public health purposes, for certain by the terms of the notice that is procedures in determining whether shall ensure that the memorandum health oversight activities, for E. In the event that the currently in effect. to treat a person as a personal of understanding or other applicable 3. The expiration date has certain judicial and administrative identity and legal authority of an representative of an individual. law contains terms that accomplish passed or the expiration event is ' proceedings, for certain law individual or entity requesting PHI 5. A statement indicating the objectives of the Business known by Covered Department to enforcement activities, to coroners, cannot be verified, personnel shall that, for PHI that it created or C. Covered Department Associate contract provisions of the have occurred or medical examiners. refrain from disclosing the requested received prior to issuing a revised shall treat a person as a personal HIPAA privacy requirements. information and report the case notice, Covered Department representative of an individual with M Covered Department 3. Unique restrictions on to the Privacy Officer in a timely reserves the right to change the respect to disclosure of PHI if under E. When a Business shall document and retain the signed disclosures. If a patent requests a manner. terms of its notice and to mace the applicable law: Associate is required by law to authorization for a period of at least particular restriction on the use or new notice provisions effective for all perform a function on behalf of six years from the date of its creation ' disclosure of his or her PHI,refer the F. Knowledge of a violation PHI that it maintains. 1. A parent, guardian, Covered Department, and Covered or the date when it last was in effect, request to the Privacy Officer. or potential violation of this policy or other person acting in loco Department discloses PHI to the whichever is later must be reported directly to the 6. A statement that parentis (in the place of a parent) Business Associate to comply with 4. Deceased individuals. Privacy Officer. individuals may complain to has authority to act on behalf of an the legal mandate without meeting N. Covered Department ' Covered Departments must protect . Covered Department and to the individual who is an unemancipated the requirements of the HIPAA shall not condition an individual's the PHI of deceased individuals. Sec.3-15-80. Notice of disclosure Covered Department of Health and minor in making decisions related to Privacy rule, Covered Department treatment, payment, enrollment or If an executor, administrator, or of PHI. Human Services if they believe their health care;or shall attempt in good faith to obtain eligibility for benefits on the provision other person has authority to act on privacy rights have been violated. satisfactory assurances that the of an authorization to use or disclose behalf of a deceased patient or that A. Covered Department A brief description of how an 2. An executor, requirements applicable to the PHI.All authorization forms for the person's estate, that person should shall give adequate notice to individual may file a complaint with administrator, or other person Business Associate accomplish the use or disclosure of PHI shall include I be treated as patient's personal individuals regarding the use I Covered Department. A statement has authority to act on behalf of objectives of the Business Associate a statement that the individual's representative. Weld County may or disclosure of their PHI, their i that Covered Department shall not a deceased individual or of the requirements, and, if such attempt treatment and payment for services disclose PHI, without specific rights with respect to such use 'iI retaliate against the individual for individual's estate. fails, document the attempt and shall not be conditioned on provision patient consent or authorization, or disclosure, and Covered filing a complaint. the reasons that such assurances of the authorization, except as to a coroner or medical examiner Department's legal duties pursuant ' D. Covered Department cannot be obtained; and before permitted by law. responsible for identification of the to 45 C.F.R. §164.520. Covered I 7. The name, or title, and shall treat a person as a personal omitting a termination authorization person, determination of the cause Department shall comply with the telephone number of a person or representative of a deceased from its other arrangements, O. Covered Department of death,or other duties authorized contents of such notice. office within Covered Department individual with respect to the PHI Covered Department shall ensure shall allow an individual to revoke an under state law. The Coroner to contact for further information relevant to such representation, if that the authorization is inconsistent authorization to use or disclose their may also disclose PHI to a funeral B. The content of the notice concerning the notice of privacy under applicable law the person is with statutory obligations of PHI,except in situations where: director,as permitted by state law. regarding the use and disclosure of practices. an executor, administrator, or other Covered Department or its Business PHI pursuant to 45 C.F.R.§164.520 i person with authority to act on behalf Associate. 1. Covered Department has 5. Persons involved in shall comply with the policies and ' 8. The date on which the of the deceased individual or of the taken action in reliance thereon. care or treatment. PHI may be procedures that are described notice is first in effect, which is not individual's estate. F. Covered Departments disclosed, without the patient's herein. The notice shall reserve I to be earlier than the date on which which form a contractual relationship 2. The authorization was signed authorization, to persons the right of Covered Department the notice is printed or otherwise E. Covered Department with other businesses or entities, obtained as a condition of obtaining involved in the patient's care, as to amend the notice and any of its published. shall not treat a person as a personal and which expect to share protected insurance coverage and state law directly relevant to that care. If the privacy policies, procedures and representative of an unemancipated health information as a result of provides the insurer with the right to patient is present when PHI is to be practices. F. If applicable, the minor;when the minor has authority that contractual relationship, shall contest a claim under the policy or disclosed,and has capacity to make description in the notice of the to act with respect to their PHI execute an appropriate Business the policy itself. health care decisions, PHI can be C. Notice given to an types of uses and disclosures pertaining to a health care service Associate Contract (BAC) or disclosed to others present if it can individual regarding the use and that the Covered Department is if; Business Associate Agreement P. Covered Department reasonably be inferred that patient disclosure of PHI must-be written permitted to make for purposes of ' (BAA)to ensure compliance with this shall take all necessary steps to would not object. If the patient is not in plain language and contain the treatment, payment, and health 1. The minor consents to policy and with HIPAA generally. honor and comply with an individual present when PHI is to be disclosed, statement prominently displayed: care operations (see procedure such health care service, no other revocation of an authorization to or the patient is incapacitated, PHI "THIS NOTICE DESCRIBES 2(a)) must also include separate consent is required by applicable G. Nothing in this policy use or disclose PHI, unless stated may be disclosed if, in the exercise HOW MEDICAL INFORMATION statement indicating that: law,and the minor has not requested prohibits the County or a Covered otherwise in this policy Covered of reasonable professional judgment, ABOUT YOU MAY BE USED AND that another person be treated as Department from entering into an Department shall not impose a time disclosure is in best interests of the DISCLOSED AND HOW YOU 1. A group health plan, or the personal representative; Organized Health Care Arrangement restriction on when an individual patient and disclosure is limited to CAN GET ACCESS TO THIS a health insurance issuer or HMO (OHCA)for the purpose of sharing may revoke authorization to use PHI directly relevant to person's INFORMATION. PLEASE REVIEW with respect to a group health plan, 2. Applicable law permits protected health information or disclose their PHI. Covered involvement with the patient s care. IT CAREFULLY" may disclose PHI to the sponsor of the minor to obtain such health between treatment providers, as Department shall require individuals If federal, state, and/or local law the plan. care service without the consent of permitted under HIPAA. to request the revocation of requires a use or disclosure of PHI, D. The Notice must contain a parent,guardian, or other person authorization to use or disclose PHI Covered Department may use or descriptions in sufficient detail to 2. Covered Department acting in loco parentis; and the H. Knowledge of a violation in writing. disclose PHI to the extent that the place the individual on notice of may contact the individual to minor, a court, or another person or potential violation of this policy use or disclosure complies with such the uses and disclosures that are provide appointment reminders authorized by law consents to such must be reported directly to the Sec. 3-15-50. Disclosure of PHI law and is limited to the requirements permitted or required by HIPAA and or information about treatment health care service;or Privacy Officer. without Authorization or Objection of such law. other applicable laws,including: alternatives or other health-related of Individual. benefits and services that may be of 3 A parent, guardian, Sec. 3-15-110. Confidential B. In the event that two or 1. A description and at interest to the individual. or other person acting in loco communications of PHI. A. Covered Department more laws or regulations governing least one example of the types of parentis assents to an agreement may disclose PHI without a the same use or disclosure conflict, uses and disclosures that Covered G. Astatement that Covered of confidentiality between a covered A. Covered Department, valid authorization in limited Covered Department shall comply Department is permitted by law Department shall promptly revise health care provider and the minor with the assistance of the Privacy circumstances, if the individual is with the more restrictive laws or to make for each of the following and distribute its notice whenever with respect to such health care Officer,shall take necessary steps to given the opportunity to object to j regulations. purposes: treatment, payment, and there is a material change to the service. accommodate reasonable requests such disclosure. health care operations. uses or disclosures,the individual's by individuals to receive confidential C. Covered Department rights, the Covered Entity's legal F Covered Department communications of PHI. B. A Covered Department may use or disclose PHI to the i 2. A description of each duties, or other privacy practices shall not treat a person as the which is a health care provider may, extent that such use or disclosure of the other purposes for which stated in the notice,and how it shall personal representative of an 1. Covered Department under this section: is required by law including,but not Covered Department is permitted or provide individuals with the revised individual if: shall provide confidential limited to: required by the Privacy regulations notice. Covered Department shall communications by alternative 1. Maintain a facility to use or disclose PHI without the not implement a material change to 1. Covered Department means or at alternative locations directory including the individual's 1. For public health individual's written authorization any term of the notice prior to the has a reasonable belief that the pursuant to the HIPAA Privacy rule. name, location at the facility, activities required by law. including those purposes fisted effective date of the notice in which individual has been or may be condition On general terms), and in Section 3-15-40(E). If a use or such material change is reflected, subjected to domestic violence, 2. Covered Department religious affiliation (which is only to 2. For disclosures about '., disclosure described in Section except when required by law. Upon abuse,or neglect by such person;or may require individuals to make be provided to members of clergy). victims of abuse, neglect, or 3-15-40(E)is prohibited or materially making a change to a notice and treating such person as the personal a request for a confidential domestic violence. ' limited by other laws,the description policies and procedures, due to a representative could endanger the communication in writing. 2. Disclose the individual's of the disclosure must reflect the change in law,Covered Department individual;and specific health information to family, 3. In order to comply with more stringent law. may use the notice revision date as 3. Covered Department close friends, or anyone else I judicial release. the new effective date. 2. Covered Department, shall not require an explanation from identified by the individual to be E. The notice must also in the exercise of professional the individual as to the basis for the involved in relevant care, payment, 4. To comply with law contain the following statements or H. For a Covered judgment, decides that it is not in request as a condition of providing or necessary notification. , enforcement. information: Department which is a health the best interest of the individual to communications on a confidential care provider, such notice shall treat the person as the individual's basis. C. The individual must 5. For a health release. 1. A statement indicating be provided to the individual on personal representative. be informed of the opportunity to ! other uses and disclosures shall be the date services are provided, 4. When appropriate, object, unless impracticable due to F 6. To avert a serious threat made only with theindividual'swritten or in emergency situations, as G. Covered Department Covered Department may condition emergency circumstances. If the . to health or safety. authorization and that the individual soon as reasonably practicable shall follow the requirements and/or the provision of a reasonable individual is present, PHI may be may revoke such authorization as thereafter. In emergency situations, permissions of applicable state and accommodation on information as disclosed if the individual agrees, 7. To comply with special permitted by the individual's rights an acknowledgement of receipt other law in determining whether to to how payment, if any, shall be does not object, or it can be ' government functions or requests. under HIPAA. i of such notice shall be obtained provide or deny access to a minor's handled, and specification of an reasonably inferred that the individual Such requests shall be referred to if possible. Such notice shall be PHI to a parent, guardian, or other alternative address or other method does not object. If the individual j the Privacy Officer. 2. A statement of the provided prominently at the location person acting in loco parentis. of contact. is not present, or unable agree or individual's rights with respect to of service, and at the Covered object, PHI may be disclosed if in 8. For purposes of workers PHI and a bnef description of how Department's web address. Sec. 3-15-100. Business 5. An alternative means or the individual's best interests,in the compensation investigation and the individual may exercise those associates. location shall be designated on a provider's professional judgment. claims, as permitted or required by rights. I. Covered Department case by case basis that is satisfactory law. which is also a correctional facility A. Covered Department to both Covered Department and the Sec. 3-15-60. Disclosure of PHI a. The right to request is not required to provide the notice shall ensure contracts or other individual, before communication of required by law. 9. Uses and disclosures for restrictions on certain uses and • described in this section to inmates. arrangements between Covered PHI is made. health oversight activities. disclosures of PHI. A statement that i Department and its Business A. Disclosure of PHI I Covered Department is not required I J. Such notice shall also Associates comply with the 6. The Privacy Officer, should first be made pursuant to li 10. Uses and disclosures to agree to a requested restriction. be provided to county employees at policies and procedures described using professional judgment and an Authorization, as described in for cadaveric organ, eye or tissue the time of enrollment in any county herein and pursuant to 45 C.F.R. considering all relevant factors, Section 3-15-40. If no authorization donation purposes. b. The individual's right to ' sponsored group health plan,within §164.504(e). shall be responsible for deciding exists, disclosure may be made ! receive confidential communications 60 days of any material revision to the alternative means or location to pursuant to this section. I Sec. 3-15-70. Requests for of PHI,as applicable. the notice, and at least once every B. Covered Department communicate PHI to an individual, disclosure of PHI. three years. shall document satisfactory and shall otherwise comply with the 1. Permitted disclosures. c. A statement and a brief assurances of compliance with the disclosure requirements of Section Weld County may disclose a patient's A. Covered Departments description of how the individual K. Knowledge of a violation policies and procedures herein 3-15-60. PHI without the patient's signed shall verify the identity and authority may exercise his/her right to or potential violation of this policy through a written contract or other authorization to the patient himself of individuals requesting PHI. inspect, copy, amend, and receive must be reported directly to the written agreement or arrangement or herself, the patients legally an accounting of disclosure of PHI. Privacy Officer. with the Business Associate; that authorized personal representative, B. Once it is determined establishes the permitted and ■ see LEGALS those involved with the person's care that use or disclosure is appropriate, d. A statement and a brief Sec. 3-15-90. Personal required uses and disclosures of and treatment, to law enforcement personnel with appropriate clearance description of how the individual representatives. PHI. personnel in appropriate situations, shall access the individual's PHI may exercise his/her right to obtain I page 14 14 FORT LUPTON PRESS WEDNESDAY,OCTOBER ]0,2012 WWWALUPTONPRESS.C LEGAL NOTICES LEGALS the covered department knows persons who do not have appropriate must be reported directly to the processin and responding to institutions or law enforce where the requested information is clearance to that information. Privacy Officer requests for amendments to PHI. custodial situation; maintained,the covered department must inform the individual where to K. Covered Department Sec. 3-15-140. Requests to K. Upon denying an 8. As de-identi' from page 13 direct the request for access. shall provide the individual with amend PHI. amendment, in whole or in part, information in a data set. access to the PHI contained in a Covered Department shall provide D. Individuals do not have designated record set in the form or A. Covered Department the individual with a written denial. B. Covered Departm B. Knowledge of a violation the right to access the following format requested by the individual,if shall allow an individual to request The denial shall be written in plain is not required to include in 9 types of information: it is readily producible in such form an amendment to his or her PHI language and shall contain the accounting of disclosures that w or potential violation of this policy or format. or a record in a designated record following: made incidental to another use must be reported directly to the 1. Psychotherapy notes. set for as long as the informationis disclosure that is permissible un Privacy Officer L. If the requested format maintained in a designated record 1. The basis for the denial; 45 C.F.R. Part 164; however, 2. Information compiled in is not readily producible, then set. minimize incidental discloses Sec. 3-15-120. Requests for reasonable anticipation of,or for use Covered Department shall provide 2. The individual's right Covered Department shall: restricted use of PHL in,a civil,criminal,or administrative the individual with access to the B. Records personnel,with to submit a written statement A. Covered Department action or proceeding. PHI in a readable hard copy form or the assistance of the Privacy Officer, disagreeing with the denial; 1. Take precautions P such other form as agreed to by the shall be responsible for receiving, reasonably safeguard PHI shall, with the assistance of the 3. PHI that is: individual. processing, and responding to 3. A description of how required by 45 C.F.R. § 164.531 Privacy Officer, allow an individual requests for amendments to PHI. the individual may file such a (1);and to request that uses and disclosures a. Subject to the Clinical M. If requested by the statement; of his or her PHI be restricted in Laboratory Improvements individual, Covered Department C. All individual requests 2. Disclose only accordance with the HIPAA Privacy Amendments of 1988, 42 U.S.C. shall arrange with the individual for amendments to PHI shall be 4. A description of how the minimum amount of PHI necess rule. §263a, to the extent the provision for a convenient time and place to in writing and directed to the individual may file a complaint to to accomplish the intended purp, of access to the individual would be inspect or obtain a copy of the PHI, Privacy Officer. The Privacy Officer Covered Department pursuant to of the disclosure. B. The Privacy Officer, prohibited by law;or or mailing of PHI.The individual may shall inform the individual of the I its complaint procedures including using professional judgment and request, in writing, that the PHI be requirement to make requests for the name, or title, and telephone C. Covered Departm considering all relevant factors, b. Exempt from the disclosed by reasonable alternative amendments in writing. number of the contact person or shall allow an individual to obi shall be responsible for approving Clinical Laboratory Improvements means,or in a reasonable alternative office designated to receive such an accounting of instances wl or denying the requested restriction. Amendments of 1988, pursuant to location, as permitted in Section D. Individuals must complaints; their PHI has been disclosed The Pnvacy Officer is not required to 42 C.F.R.§493.3(a)(2). 3-15-100. Records personnel shall document the reason(s) to support Covered Department anytime u( agree to a restriction. appropriately document the request the requested amendment. 5. A description of how the and including the six years prix 4. If Covered Department and delivery of the PHI. individual may file a complaint with the date on which the accountini C. Upon approval of such is acting under the direction of a E. The Privacy Officer shall the Covered Department of Health requested. a restriction, Covered Department correctional institution upon an N. A summary of the inform the individual no later than 60 and Human Services; shall not violate such restriction, inmate's request for a copy of the requested PHI shall be provided days after receipt of such a request D. The accounting s unless as specified within this policy PHI and obtaining a copy would in lieu of access to the information if the amendment is accepted or 6. The following statement be in writing and shall inch and procedure. jeopardize the health, safety, only when the individual agrees in denied. The time period for the - if individual does not submit a disclosures made to or by Busin security, custody, or rehabilitation advance to a summary, and to any action by Covered Department ' statement of disagreement, then Associates of Covered Departme D. If a restriction is agreed, of the individual or of other inmates, related fees imposed. shall be extended by no more than individual may request Covered Covered Department is not required or of any officer,employee,or other 30 days. If the time period for the Department to provide the E. Each accounting to honor an individual's request when person at the correctional institution 1. An explanation of the action is extended, records shall, individual's request for amendment a disclosure shall include the individual who requested the or responsible for the transporting requested PHI to which access has within 30 days after receipt of the and the denial with any future following: restriction is in need of emergency of the inmate. Any Covered been provided shall accompany the request, provide the individual with disclosures of the PHI that is the treatment and the restricted PHI is Department receiving such a request access reply only when the individual a written statement of the reasons subject of the amendment. 1. The date of disclosur, needed to provide the emergency from a current inmate must seek the agrees in advance to a summary, for the delay and the date by which treatment. If restricted PHI is i assurance of the Department Head and to any related fees imposed. Covered Department shall complete L. 'If the individual provides 2. The name of the entit disclosed to a health care provider ' of the Jail that providing the copy of the action on the request. The 1 a statement of disagreement, person who received the PHI ani for emergency treatment, Covered the inmates requested PHI will not 2. If a summary or time period for action shall not be Covered Department may prepare known,the address of such entit Department shall request that such jeopardize the operations of the jail. explanation of the requested PHI extended more than once. a written rebuttal to the individual's person; health care provider not further use is to be prepared, such summary statement of disagreement. or disclose the information. 5. The individual's access I or explanation shall be completed F. If the requested Covered Department shall provide 3. A brief description of E. If Covered Department to PHI that is contained in records only by records, or other applicable amendment is accepted, records the individual with a copy of the PHI disclosed; P that are subject to the Privacy Act,5 personnel with appropriate access shall: above rebuttal. agrees to an individual's requested U.S.C.§552a,may be denied,if the clearance. 4 A brief statement restriction, the restriction does not denial of access under the Privacy 1. Make the appropriate M. Covered Department the purpose of the disclosure t apply to the following uses and Act would meet the requirements of O. Covered Department amendment;or shall append or otherwise link the reasonably informs the individua disclosures: that law. shall document and retain following to the designated record the basis for the disclosure;or in 1. To an individual designated record sets that are 2. Arrange to have the set or PHI that is the subject of the of such statement:6. The individual's access subject to access by individuals for necessary health care professional disputed amendment: accessing their own PHI. may be denied if the PHI was a period of at least six(6)years from ll make the amendment. a. A copy of the individu obtained from someone other than a the date of its creation or the date 1. The individual's request written authorization to use 2. To an individual health care provider under a promise when it last was in effect,whichever G. Upon accepting and for an amendment; disclose the PHI,or requesting an accounting of their of confidentiality and the access is later. completing a requested amendment, own PHI. requested would be reasonably records shall perform the following 2. The denial of the b. A copy of a writ 3. Instances for which likely to reveal the source of the P. In denying access tasks: request; request for a disclosure required information. in whole or in part, to the extent ', the DHHS Secretary to invests an authorization, or opportunity to possible, records personnel shall 1. Inform the individual, 3. The individual's or determine theCovered Enti ti agree or object is not required. E. TheCovered Department give the individual access to any in a timely manner, and obtain statement of disagreement, if any; compliance with applicable laws may require individuals to direct other PHI requested,after excluding the individual's identification of, and regulations. F. Covered Department requests for access, inspection, or the PHI that was denied. and agreement to have Covered may terminate its agreement to a a copy of PHI to the Privacy Officer, Department notify, the relevant 4. Covered Department's 5. The frequer restriction in the following situations: and complete a form request for Q. When denying an persons with which the amendment rebuttal,if any. periodicity,or number of disclosu health information. The individual individual access to PHI,the denial needs to be shared; made during the requested perioi 1. The individual agrees shall be informed that request for shall: N. Any subsequent applicable, including the date of to or requests the termination in access is required to he in writing. 2. Make reasonable efforts disclosures of the PHI to which an last such disclosure. writing. 1. Be written in plain ' to inform and provide the amendment individual's written disagreement F. An appropriate request language. within a reasonable time to persons relates shall include the following: F. Covered Departm 2. The individual orally from an individual regarding PHI identified by the individual as shall act on the individual's requ agrees to the termination and the using a request form for health 2. Contain the basis for the needing the amendment; 1. The material appended for an accounting not later than oral agreement is documented. information shall,within a reasonable ' denial. as described above;or days after receipt of the request 1 time period, be reported,along with 3. Make reasonable 3. Covered Department ' the form, to records personnel with 3. Contain the following efforts to inform and provide the 2. An accurate summary of 1. Providing the individ informs the individual that it is appppropriate access clearance to statement: the individual has the amendment within a reasonable any such information. with the accounting requested,of terminating its agreement. to a pHI. right to have the denial reviewed by time to persons, including Business restriction. Such termination is only a licensed health care professional, Associates,that are known to have O. If the individual has not 2. Extending the ti effective with respect to PHI created G. Upon receipt of a designated by[Covered Department] the affected PHI and that may have . submitted a written statement of to provide the accounting by or received after it has so informed request made, records personnel to act as a reviewing official and who relied, or could foreseeably rely, on disagreement,Covered Department more than 30 days. This o the individual. with appropriate clearance shall act did not participate in the original ; such information to the detriment of shall include the individual's request time extension requires a writ G Covered Department on the request by:(1)informing the denial decision. '' the individual. for amendment and Covered ' explanation. shall document and individual of the acceptance and Department's denial,or an accurate ' restriction foreperiod of retain nst the e providing the access requested, or 4. Contain a description of ' 4. Identify the affected summary of such information, G. Any accounting shall (2) providing the individual with a how the individual may complain to information in the designated with any subsequent disclosure of provided to an individual once years from the date of its creation or li written denial. the Privacy Officer. The description record set and append or otherwise the PHI only if the individual has any 12 month period without char the date when it last was in effect, - of how the individual may complain provide a link to the location of the requested such action. Subsequent accountings in thesa whichever is later. ' H. Action upon the request shall include the name, or title, and amendment. period may be subject to charges H. If Covered Department must be taken: telephone number of the contact Sec. 3-15-150. Accountings of determined by the Privacy Offices P person or office designated to H. In the event that another disclosures of PHI. does not agree to a request 1. No later than 30 days receive such complaints. covered entity notifies Covered H. Covered Departm for restriction, it shall notify the after the request is made;or, Department of an amendment to A. Covered Department shall document and retain individual who requested the R. All denial reviews shall an individual's PHI, records shall I shall document and maintain an following for a period of at leas restriction and advise them that 2. If the request is for PHI be conducted by a licensed health amend the respective information by, accounting of when patients' PHI years,or from the date of its crest Covered Department shall not honor that is not maintained or accessible care professional who is designated at minimum, identifying the affected has been disclosed for purposes or the date when it last was in effi the restriction. on-site to Covered Department, no by Covered Department to act as a information in the designated record I other than treatment, payment or whichever is later: later than 60 days after the request. reviewing official and who did not set and appending or otherwise ' health care operations. Covered Sec. 3-15-130. Requests to participate in the original decision providing a link to the location of the Department shall allow individuals 1. The information requi access, inspect and/or obtain 3. If Covered Department to deny. amendment. to receive an accounting of all I to be included in an accountin copy of PHI. cannot take action on a request for instances where PHI about them is 9; A. Covered Department access to PHI within the relevant 1. The designated I. Covered Department used or disclosed. This requirement 2. The written account p time periods, Covered Department reviewing official shall be determined may deny an individual's request for I does not apply to instances where that is provided to the individual; shall take necessary steps to may extend the time required by 30 on a case by case basis by Privacy amendment if it determines that the I PHI was disclosed: address individual requests to I days. Officer. requested PHI or record: 3.1 The title of the er access, inspect, and/or obtain a 1. To carry out treatment, or officer responsible for receiv copy of their PHI that is maintained 4. In the event that the 2. Records personnel shall 1. Was not created by payment -and health care and processing requests for in a designated record set in a timely time period for the action must be promptly refer a request for review Covered Department, unless the operations; accounting by idividual. and professional manner. extended,then Covered Department to the designated reviewing official. individual provides a reasonable shall provide the individual with a basis to believe that the originator of 2. Under the authority of I. Covered Departm B. Individuals may request written statement of the reasons 1. 3. The designated PHI is no longer available to act on a written authorization given by the shall temporarily suspend to access, inspect, and/or obtain a for the delay and the date by which reviewing official shall determine, the requested amendment; subject of the PHI; individual's right to receive copy of their PHI that is maintained Covered Department shall complete - within a reasonable period of time, accounting under this section in a designated record set. In its action on the request. Only one whether or not to deny the access 2. Is not part of a designated 3. To the individuals about a health oversight agency or I instances where the PHI is in more extension is permitted. requested based on the applicable record set; their own PHI; enforcement official re uests sr.than one record set,or at more than standards. suspension due to the reasona one location, Covered Department I. Records personnel 3. Would not be available '. 4. For the facility's likelihood that it will impede shall produce the PHI only once in with appropriate clearance shall 4. Records personnel shall forinspection under the requirements directory; investigation. Such request ME response to a request for access_ access the individual's PHI using promptly provide written notice to for individual rights to access PHI; orally shall be documented E Copy and retrieval fees, including appropriate procedures. the individual of the determination or 5. To persons involved enforced for no more than 30 da postage,based on actual costs,may of the designated reviewing official in the individual's care or other ' Such request made in writing sl be applicable. J. The individual shall be and take other action as required to 4. Is accurate and notification purposes; be enforced for the duration lister C. If the covered allowed access, inspection, and/ carry out the designated reviewing complete.' or copies of the requested PHI in official's determination. 6. For national security or LEGAI department does not maintain a secure and confidential manner, J. Records personnel,with intelligence purposes; • see the PHI that is the subject of the such that the information cannot be S. Knowledge of a violation the assistance of the Privacy Officer, individual's request for access, and accessed by employees or other or potential violation of this policy shall be responsible for receiving, 7. To correctional page 1 WWW.FTLUPTONPRESS.COM WEDNESDAY,OCTOBER 10,2012 FORT LUPTON PRESS 15 LEGAL NOTICES LEGALS 2. Ensure-that non-covered discovery of the release. d. Removing PHI from machine in their area that will be on October 22,2012. All persons in departments are restricted from mainframe disk drives being sold utilized to send and/or receive any manner interested in the reading accessing, using,or disclosing PHI, 2. Covered Department or replaced, using the appropriate protected health information. This of said Ordinance are requested to from page as if the non-covered departments shall apply appropriate sanctions initialization utilities; FAX machine must not be accessible attend and may be heard. Please 4 were separate legal entities. against members of its workforce to the public and should only be contact the Clerk to the Board's who fail to comply with the e. Erasing diskettes to accessible to staff directly involved office at phone (970) 336-7215, 3. Protect against Covered Department policies and be re-used using a special utility in patient care of those authorized to Extension 4225, or fax (970) 352- reasonably anticipated threats, procedures. to prevent recovery of data; or handle faxed information. 0242,prior to the day of the hearing the request. hazards, or impermissible destroying discarded diskettes. if, as the result of a disability, you disclosures of PHI. 3. The type of sanction 5. The faxed information require reasonable accommodations J Business Associates applied shall vary depending on the 3. Hardcopy (Bulk must be accompanied by special in order to participate in this hearing. of Covered Departments shall B. The Director of the severity of the violation, whether Disposal). FAX cover sheet specifically Any backup material, exhibits or comply with the requirements of the Covered Department, with the the violation was intentional or designated for faxing of protected information previously submitted to section. assistance of the Privacy Officer, unintentional, whether the violation a. Secure methods shall health information. Each page of the Board of County Commissioners shall: indicates a pattern or practice of be used to dispose of hardcopy data intended FAX should be stamped or concerning this matter may be K. The Privacy Officer is improper access, use or disclosure and output. marked"confidential" In the event examined in the office of the Clerk to responsible for responding to a 1. Have the continuing of health information, and similar of a misdirected FAX, recipient the Board of County Commissioners, request from an individual for an responsibility to ensure that factors. b. PHI printed material should be directed to immediately located within the Weld County audit trail of instances when their individual members of the Covered shall be shredded and recycled by destroy the fax. Administration Building, 1150 O PHI has been disclosed for purposes Department's workforce have E. Employees, agents, a firm specializing in the disposal of Street, Greeley, Colorado, between other than treatment, payment, or appropriate access to the minimum and other contractors should be confidential records or be shredded 6. Covered Employees the hours of 8:00 a.m. and 5:00 health care operations. amount of PHI necessary to their aware that violations of a severe by an employee of Covered authorized to FAX protected health ' p.m., Monday thru Friday, or may work duties; nature may result in notification to Department authorized to handle information must take reasonable be accessed through the Weld Sec. 3-15-160. Complaints law enforcement officials as well and personally shred the PHI. steps to confirm the accuracy of County Web Page (www.co.weld. regarding these policies and 2. Ensure that workforce as regulatory, accreditation, and/or the FAX numbers and security of co.us). E-Mail messages sent to procedures. members receive necessary training licensure organizations. c. If hardcopy PHI (paper, recipient machines. an individual Commissioner may in order to comply with these microfilm, microfiche, etc.) cannot not be included in the case file. To A. As specified in 45 requirements; F. The sanction policy and be shredded,it must be incinerated. 7. When possible, a FAX ensure inclusion of your E-Mail C.F.R. §164.530(d), Covered procedures contained herein do not confirmation slip should be printed correspondence into the case tile, Department shall provide a process 3. Ensure that each apply specifically when member(s) B. Documentation of PHI from the FAX machine or e-FAX please send a copy to egesick@ for individuals to make complaints individual with access to electronic of Covered Department's workforce: Disposal. for each outgoing transmission co.weld.co.us. concerning Covered Department's PHI can be individually tracked with and machine operators must also policies and procedures regarding unique user identification; 1. Oppose any act made 1. To ensure that it is in fact verify that the intended destination SECOND READING: October 22, the use or disclosure of PHI, or its unlawful by the HIPAA Privacy rule, performed,employees or a bonded matches the number on the 2012,at 9:00 a.m. compliance with such policies and 4. Use hardware,software, provided the individual or person destruction service must carry out confirmation. The confirmation THIRD READING: November 14, procedures. or procedural mechanisms to has a good faith belief that the act I the destruction of PHI. : should be attached to the document 2012,at 9:00 a.m. document electronic activity opposed is unlawful,and the manner that was transmitted and kept as B. The Privacy Officer related to PHI and protect it from of the opposition is reasonable and 2. If Covered Department part of the individual's record. If the BOARD OF COUNTY shall be Covered Department's improper transmission, alteration or does not involve a disclosure of PHI personnel undertake the destruction confirmation slip cannot be obtained COMMISSIONERS designated contact for individuals destruction; in violation of the HIPAA Privacy of the records, the employee must from the FAX machine,sender must WELD COUNTY,COLORADO to file complaints pursuant to this rule; use the records destruction form attempt to verify recipient. policy.The Privacy Officer should be Sec. 3-15-190. Breach of provided by designated personnel, DATED: October 5,2012 contacted in order to file complaint Security. 2. Disclose PHI as a if the record is found orr the record i 8. Knowledge of a violation PUBLISHED: October 10, 2012, in concerning Covered Department's I whistleblower and the disclosure retention schedule for the Covered or potential violation of this policy the Fort Lupton Press policies and procedures required A. Breach means the is to a health oversight agency, Department destroying the record. must be reported directly to the .. by the HIPAA privacy rule, or its improper acquisition, access, use, I public health authority, or an I Privacy Officer. compliance with such policies and or disclosure of protected health attorney retained by the individual 3. If a bonded destruction procedures. The Privacy Officer information which compromises -, for purposes of determining the company undertakes the destruction, B. Receiving PHI by FAX. - shall document all complaints. the security or privacy of the i individual's legal options with regard the bonded destruction company i protected health information, which i to the whistleblower activity;or must provide Covered Department 1. When expecting the C. Covered Department poses a significant risk of financial, with the document of destruction that arrival of a FAX containing protected shall not require individuals to reputational, or other harm to the 3. Is an employee who is a contains the following information: health information, schedule with waive their rights to file a complaint individual. Breach does not include: victim of a crime and discloses PHI to the sender whenever possible to with the Department of Health and de-identified information; good faith a law enforcement official, provided a. Date of destruction; ensure that the faxed documents Human Services as a condition of unintentional or inadvertent use that the PHI is about a suspected can be promptly removed from the the provision of treatment,payment, or disclosure of PHI that does not perpetrator of the criminal act. b. Method of destruction; i FAX machine. enrollment in a health plan, or result in further improper use or eligibility for benefits. disclosure. G. Failure by any Covered c. Description of the 2. Each Covered I Employee to comply with these disposed records; Department must designate D. Covered Department B. Covered Department, I policies or procedures shall employees who are authorized to shall refer all complaints regarding with the assistance of the Privacy i subject such Covered Employee d. Inclusive dates covered; I handle PHI who will be responsible potential HIPAA privacy violations Officer,shall: ' to disciplinary action, up to and to check FAX trays at scheduled to the Privacy Officer. The Privacy ' including termination. e. A statement that the intervals and disseminate their Officer shall document all complaints 1. Take all necessary steps records have been destroyed in the contents tc the appropriate received,and their disposition,if any, to mitigate any harmful effect that is Sec. 3-15-200. Destruction and normal course of business;and responsible parties. for a period of at least six years from known to Covered Department of a Disposal of PHI. the date of its creation or the date ' use or disclosure of PHI in violation I f. The signatures of 3. Staff responsible for when it last was in effect,whichever of Covered Department policies and Covered Department the individuals supervising and routing protected health information is later. procedures. I shall make reasonable efforts to witnessing the destruction I must be sure that they leave it in a ' dispose of PHI in a manner that secure/confidential location. E. It is-the responsibility of 2. Establish procedures ' protects the confidentiality of the I C. Enforcement. All all Covered Department employees for responding to an emergency I information_ supervisors are responsible for 4. If there is need to to report perceived misconduct, that damages PHI, including a enforcing this policy.Individuals who destroy any information it must be including actual or potential violations data backup and recovery plan, I A. Destruction of PHI violate this policy shall be subject to done either by shredder or placed of the Privacy rules or these policies, and continuing to provide critical the disciplinary process as outlined in a confidentialisecured trash bin procedures. services. I 1. Destruction of Paper in the disciplinary and sanctions Protected health information must Copies and Original Documents policy. never be discarded in non-secured F. Covered Department I 3. Re-evaluate these I (Day-to-Day Disposal). trashcans. shall maintain an "open-door procedures periodically to ensure D. Covered Department policy"at all levels of management III compliance with HIPAA. I a. Printed material (e,g., shall protect individually identifiable 5. Knowledge of a violation to encourage employees to report I I faxes,printed emails,etc containing health information transmitted or or potential violation of this policy problems and concerns. ' C. Notice In the event of a PHI must not be discarded in trash maintained. Covered Department must be reported directly to the breach, Covered Department, with bins, unsecured recycle bags or is committed to safeguarding PHI Privacy Officer. Sec.3-15-170. Policy prohibiting the assistance of the Privacy Officer, other publicly accessible locations. in order to operate in a manner that retaliation. shall: Instead this information must be is consistent with applicable federal BE IT FURTHER ORDAINED by the ''. shredded, placed in a secured and State laws and regulations. Board that the Clerk to the Board be, A. Covered Department 1. Mail written notice to recycling bag, or destroyed by and hereby is, directed to arrange shall follow all necessary procedures all individuals whose PHI has or ' cutting,tearing or buming. E. If there is need to for Colorado Code Publishing to to protect against any retaliation may have been breached without destroy any information it must be supplement the Weld County Code toward any employee, individual, unreasonable delay,and in no case b. The user may elect done either by shredder or placed I with the amendments contained or other for exercising their rights or more than 60 days.Such notice shall to use either shredding, secure in a confidential/secured trash bin. herein, to coincide with chapters, participating in any process pursuant be written in plain language and recycle bags, or other options for PHI must never be discarded in non- articles, divisions, sections, and to internal policies, applicable law, ' include a brief description of what the destruction of these documents, secured trashcans. subsections as they currently exist and/or regulation happened,the date,the type of PHI as long as the destruction is in within said Code; and to resolve involved, any steps the individual accordance with this policy. It is F. Knowledge of a violation any inconsistencies regarding B. Any Covered Employee should take to protect themselves the individual's responsibility to or potential violation of this policy capitalization, grammar, and who commits or condones any from further harm,what the Covered ensure that the document has been I must be reported directly to the numbering or placement of chapters, form of retaliation shall be subject Department is doing to investigate, secured or destroyed.And it is the Privacy Officer. articles, divisions, sections, and to discipline up to, and including, mitigate, and protect from further supervisor's responsibility to ensure subsections in said Code. termination. harm, and contact procedures for that their employees are adhering to Sec.3-15-210. Transmittal of PHI. further information. Such notice the policy. • BE IT FURTHER ORDAINED by C. Covered Department i shall be provided to local media A. Transmittal of PHI by the Board if any section,subsection, shall not retaliate against employees, ! if the breach affects 500 or more c, Microfilm or microfiche FAX. I paragraph, sentence, clause, or individuals.or others for: individuals. i must be cut into pieces or chemically ' phrase of this Ordinance is for destroyed. 1. PHI should be hand any reason held or decided to be 1. Filing a complaint with . 2. Notify the DHHS delivered or mailed whenever unconstitutional.such decision shall Covered Department; i Secretary without unreasonable d. After documents have possible.Faxing of protected health not affect the validity of the remaining delay of any breach involving 500 or reached their retention period, all information internally to authorized portions hereof, The Board of 2. Testifying, assisting, more individuals. All other breaches PHI must be securely destroyed employees is allowable at anytime County Commissioners hereby or participating in an investigation, must be documented and submitted using the Covered Department to facilitate treatment, payment and declares that it would have enacted compliance review, proceeding, or to the Secretary annually. record retention process governing health care operations,provided the this Ordinance in each and every hearing;or destruction of records. guidelines outlined in this policy are section, subsection, paragraph, 3. If the Covered adhered to. sentence,clause,and phrase thereof 3. Opposing in good faith Department received notice from a 2. Destruction of Electronic irrespective of the fact that any one any act or practice made unlawful law enforcement official that sending Media 2. Faxingofprotectedhealth or more sections, subsections, by the HIPAA Privacy rule,provided the notice as required by this information outside of the facility is paragraphs, sentences, clauses, that the manner of the opposition subsection would impede a criminal a. Secure methods shall allowable in situations when health or phrases might be declared to be is reasonable and does not itself investigation or cause damage to be used to dispose of electronic information is needed immediately unconstitutional or invalid. violate law. national security. Sending such data and output. The (Information for patient care purposes,continuing notice shalt be delayed by thirty(30) Services (IS) Covered Department) care placement, payment or when NOTICE Sec.3-15-180. Security of PHI. days if the request is made orally, is responsible for the destruction mail or courier delivery will not meet and for as long as may be requested of electronic copies containing a necessary timeframe. PURSUANT to the Weld County A. Covered Department in writing by such law enforcement PHI, including any media that may Home Rule Charter, Ordinance shall: official. be reused. However, employees 3. Faxing of sensitive Number 2012-10 published above, may dispose of the electronic data health information such as that was introduced and,on motion duly 1. Protect individually D. Covered Department themselves using the following dealing with mental health,chemical made and seconded, approved identifiable health information shall utilize the following process to methods: dependency, sexually transmitted upon first reading on October 3, transmitted or maintained by mitigate the effect of an unauthorized diseases, HIV or other highly 2012. A public hearing and second Covered Department, regardless release of PHI by an employee: b. Deleting on-line data personal information is prohibited reading is scheduled to be held of form (e.g., patient name, patient using the appropriate utilities; unless requirements above are met. in the Chambers of the Board, number,address.telephone number, 1. Any unauthorized located within the Weld County social security number,etc). release of PHI shall be immediately c. "Degaussing" computer 4. Each Covered Administration Building, 1150 0 y reported to Privacy Officer upon tapes to prevent recovery of data; Department must designate a FAX Street, Greeley, Colorado 80631, Hello