RESOLUTION RE: APPROVE AMENDED HIPAA COMPLIANCE PLAN FOR WELD COUNTY AND APPOINTMENT OF PRIVACY OFFICER

WHEREAS, the Board of County Commissioners of Weld County, Colorado, pursuant to Colorado statute and the Weld County Home Rule Charter, is vested with the authority of administering the affairs of Weld County, Colorado, and

WHEREAS, the Health Insurance Portability and Accountability Act (HIPAA) was enacted by the federal government in 1996, and

WHEREAS, Weld County provides various operations and functions in the county that fall under the HIPAA regulations and can be considered a "hybrid entity" under HIPAA regulations, and

WHEREAS, the Weld County Attorney and Director of Finance and Administration recommend that the Board of Weld County Commissioners designate Weld County government a "hybrid entity" for the purposes of HIPAA regulation compliance, and

WHEREAS, it has been determined that the county jail will be having health records in electronic form, and may be covered by HIPAA regulations, and

WHEREAS, incarcerated inmates are not covered by HIPAA regulation, but once the inmate is released the inmate has HIPAA rights as to his or her medical records while he or she was incarcerated, and

WHEREAS, it has been determined that it would be appropriate for the jail to have amended HIPAA policies and procedures to comply with HIPAA regulations only for the medical records of released inmates, and

WHEREAS, it will be necessary to appoint David Malcolm as the HIPAA Privacy Officer for the Weld County Jail.

NOW, THEREFORE, BE IT RESOLVED, by the Board of County Commissioners, that the Weld County HIPAA Compliance Plan adopted on April 7, 2003, is hereby amended to include the Weld County Jail per the attached HIPAA policies and procedures to cover the medical records of released inmates, but not including any HIPAA policies or procedures for incarcerated inmates that are not covered by HIPAA regulations.
BE IT FURTHER RESOLVED by the Board that David Malcom is hereby appointed HIPAA Privacy Officer for the Weld County Jail.

2005-1138 PE0022

RE: HIPAA COMPLIANCE PLAN, PAGE 2

The above and foregoing Resolution was, on motion duly made and seconded, adopted by the following vote on the 6th day of April, A.D., 2005.

BOARD OF COUNTY COMMISSIONERS, WELD COUNTY, COLORADO

[Signature block, largely illegible in the scan: William H. J___, Chair; M. J. ___eile, Pro-Tem; E. Long, EXCUSED; Glenn Vaad; remaining commissioner's name illegible; attested by the Weld County Clerk to the Board and the Deputy Clerk to the Board. Date of signature illegible.]

WELD COUNTY HIPAA COMPLIANCE PLANS

The Health Insurance Portability and Accountability Act ("HIPAA") was enacted in 1996. HIPAA was enacted in recognition of the increased electronic exchange of health information among providers and health plans, and the resulting need for increased privacy protection. Title II of HIPAA includes the "Administrative Simplification" requirements of HIPAA that significantly impact entities that are healthcare providers and/or provide health plans to employees on a self-insured basis. Weld County must comply both as a health plan provider and as a healthcare provider.

HIPAA has three components that require compliance. First, the transaction rules, which set the electronic transaction standards, were effective October 16, 2002, but Weld County requested an extension until October 16, 2003. Second, the privacy rules were effective April 14, 2003. Third, the security rules were effective April 20, 2005.

Weld County, like most counties, will be considered a "hybrid entity" under HIPAA. This means that while Weld County may or may not provide health care as a primary function, healthcare provision may be a primary function of some of its operations, such as the Public Health Department, Paramedic Service, and detention facility.
These operations may conduct covered transactions such as billing for, paying for, providing services, or issuing reports on health care, or may conduct other transactions which qualify for standardization. In addition to the healthcare provider components, Weld County is covered by HIPAA because we offer self-insured health plans in the form of the county's Dental, Vision, and Flexible Spending Plans.

In an analysis of county functions under the "hybrid entity" provision, the following conclusions have been reached:

The Weld County Department of Public Health and Environment and Weld County Paramedic Services both fall under HIPAA regulations as healthcare providers, because they transmit electronic medical billing information for Medicaid billings.

The Human Services' Area on Aging program case management function is covered under HIPAA. Under the definition of "health care" in HIPAA, "assessment" is cited. In addition, in the Federal Register, Volume 65, Number 160, dated Thursday, August 17, 2000, under III. A. 3., Analysis of and Responses to Public Comments on the Proposed Rules, Atypical Services, HHS determined that case management is subject to HIPAA standards. In the same citation, however, HHS excluded non-emergency transportation from HIPAA. Therefore, the Weld County Human Services' Area on Aging case management function is covered by HIPAA, but the Weld County Human Services' transportation function is not covered by HIPAA, even though it bills Medicaid electronically for the non-emergency transportation services.

The Weld County Coroner's Office and Weld County Veteran's Office may have access to certain medical information, but neither is considered a healthcare provider and neither is covered under HIPAA.

The Weld County Personnel Department may have access to medical information for employment purposes only, and is therefore not covered under HIPAA.

The Weld County Jail is a medical provider through a contract with a contract provider.
The jail only provides medical services to incarcerated inmates, who have no right to privacy under HIPAA regulations and are therefore not covered. Once an inmate is released, however, the inmate's records are covered by HIPAA and the handling of those records must be in accordance with HIPAA regulations. Therefore, the HIPAA policies for the jail have been amended to comply with HIPAA regulations only for the medical records of released inmates. HIPAA policies and regulations not applicable due to the determination that incarcerated inmates are not covered by HIPAA, such as privacy notices, are not adopted.

The Weld County Department of Social Services' involvement with general assistance and Medicaid is excluded from the definition of health plans, since these are government-funded programs not specifically cited under HIPAA as covered entities.

Weld County's information technology provider, ACS, has adopted privacy policies and procedures to ensure that ACS and Weld County are in compliance with HIPAA at all county locations that have access to, receive, collect, process, store, transmit, or create individually identifiable health information.

Weld County's fully insured group health insurance plan is provided by Great West Healthcare. In accordance with HIPAA and the insurance contract between Weld County and Great West Healthcare, the health plan provider (Great West Healthcare) is responsible for HIPAA compliance for the health insurance program. No action is required of Weld County.

Weld County provides three benefits that fall under the HIPAA rules. Weld County's Dental, Vision, and Flexible Spending Plans, although not covered by ERISA, are covered by HIPAA as self-insured "health plans". Therefore, a HIPAA plan must be put in place for these Weld County "health plans".

The following is the HIPAA Compliance Plan for Weld County. Amended 4/6/05.
GENERAL HIPAA POLICIES AND PROCEDURES

PHYSICAL AND TECHNICAL SAFEGUARDS: Weld County shall adopt and follow any policies, procedures, or forms dealing with physical and technical safeguards for information technology systems promulgated by ACS, unless Weld County specifically adopts a policy in lieu of the ACS policy for information technology systems. The physical and technical safeguards of ACS used by Weld County are:

Application Development Security
Clean Desk Policy
Electronic Transmission of IIHI
Encryption
Facility Security
Network Security
Password Management
Screen Saver or Logoff Requirements
At Home Workers
E-mail Acceptable Use
Fax Machine Acceptable Use

WELD COUNTY PERSONNEL POLICIES AND HIPAA: Weld County's Personnel Policy on confidential information applies in addition to any HIPAA policies on breach of privacy or confidentiality. Any HIPAA policies on personnel discipline for breach of privacy or confidentiality apply in addition to those cited in the Weld County Personnel Policies. If there is a conflict between any provision of the HIPAA policies concerning personnel discipline and the Weld County Personnel Policies concerning discipline and grievance, the Weld County Personnel Policies shall take precedence.

PROGRAM POLICIES TAKE PRECEDENCE: Any policies, procedures, or forms promulgated by State of Colorado or federal health grant programs which are equal to or more stringent than Weld County's policies will take precedence over Weld County's. The Weld County policies in this HIPAA compliance document are the minimum standard to which Weld County employees are held; however, state or federal grant programs may choose or require additional or alternative policies, procedures, or forms to accomplish the same HIPAA compliance requirement.
In those cases, to ensure that grant requirements are met and to avoid redundant effort, the state or federal grant policies, procedures, and forms may be used as long as they meet the county's minimum standards specified in this HIPAA compliance document. Alternative grant policies, procedures, and forms must be approved by the Health Department's HIPAA Privacy Officer.

HIPAA PROCEDURE AND POLICY PROMULGATION: The Privacy Officer responsible for departmental HIPAA compliance shall amend and promulgate HIPAA policies and procedures as necessary by securing the department head's approval and submitting them to the Director of Finance and Administration for review. The changes shall then be forwarded to the Board of Weld County Commissioners for review, by the Board members signing off on a cover sheet. If approved by the Board of Weld County Commissioners on the sign-off sheet, the changes shall be placed upon the Board's consent agenda for final approval. All HIPAA policies shall be reviewed at least annually by the Privacy Officer of each plan for any necessary updates or amendments.

Policy on Uses and Disclosures of Protected Health Information

Overview of Weld County Sheriff's Office Policy on Privacy

Policy

It is the policy of the Weld County Sheriff's Office to protect the privacy and confidentiality of patients' protected health information by following the requirements of federal and state law and Weld County Sheriff's Office policies and procedures. This policy provides the basics of the Weld County Sheriff's Office privacy compliance framework. More detailed information is contained in the Weld County Sheriff's Office Standard Operating Procedures Manual and the Weld County Sheriff's Office computer system. "Protected health information" (PHI) means individually identifiable information about the present, past, or future health care or payment for health care, maintained in any form or medium.
Responsibility

The Weld County Sheriff's Office Privacy Official is responsible for developing and implementing privacy policies and procedures. The Privacy Official is Commander Dave Malcom. He can be reached at 970-356-4000, extension 3939, or dmalcom@co.weld.co.us. It is the responsibility of each member of the Weld County Sheriff's Office to understand and follow the privacy policies and procedures.

Procedures

A. Permissions needed

The Weld County Sheriff's Office will use and disclose PHI only in accordance with the Weld County Sheriff's Office notice of privacy practices and with the appropriate permission from the patient, or as otherwise permitted or required by law. See Authorization Policy and Notice of Privacy Practices.

B. Permitted disclosures

The Weld County Sheriff's Office may disclose a patient's PHI to the patient himself or herself, the patient's legally authorized personal representative, those involved with the person's care and treatment, to law enforcement personnel in appropriate situations, for public policy decisions as required by law, and for purposes of a patient's treatment, payment for services, or Weld County Sheriff's Office health care operations. Disclosure of PHI may also be made to business associates, or on the basis of and in accordance with a properly executed authorization.

1. Deceased individuals

If an executor, administrator, or other person has authority to act on behalf of a deceased patient or that person's estate, that person should be treated as the patient's personal representative. The Weld County Sheriff's Office may disclose PHI, without specific patient consent or authorization, to a coroner or medical examiner responsible for identification of the person, determination of the cause of death, or other duties authorized under state law. The Weld County Sheriff's Office may also disclose PHI to a funeral director, as permitted by state law.
2. Personal representatives and minors

If a person has legal authority to act on a patient's behalf in making decisions related to health care, this person is a personal representative and can receive PHI. If a minor has authority to act on his or her own behalf with respect to all or certain health care decisions, the relevant PHI may not be shared with the parent without the minor's consent.

3. Persons involved in care or treatment

PHI may be disclosed to persons involved in the patient's care, as directly relevant to that care. If the patient is present when PHI is to be disclosed, and has capacity, PHI can be disclosed to others present if it can reasonably be inferred that the patient would not object. If the patient is not present when PHI is to be disclosed, or the patient is incapacitated, PHI may be disclosed if, in the exercise of reasonable professional judgment, disclosure is in the best interests of the patient and disclosure is limited to PHI directly relevant to the person's involvement with the patient's care.

D. Required disclosures

The Weld County Sheriff's Office may make disclosures without consent or authorization as required by law, as required for public health purposes, for certain health oversight activities, for certain judicial and administrative proceedings, for certain law enforcement activities, and to coroners or medical examiners, once required releases are obtained by the Weld County Sheriff's Office Privacy Officer.

E. Privacy official

The privacy official of the Weld County Sheriff's Office is Commander Dave Malcom. This person is responsible for implementing Weld County Sheriff's Office privacy policies.

F. Complaint personnel

The person responsible for handling complaints related to privacy is Commander Dave Malcom. All complaints related to privacy should be referred to Commander Dave Malcom, Weld County Sheriff's Office.
G. Unique restrictions on disclosures

If a patient requests a particular restriction on the use or disclosure of his or her PHI, refer the request to Commander Dave Malcom. Do not agree to any restriction prior to contacting the Privacy Officer.

H. Potential violations

If you believe that the Weld County Sheriff's Office has violated a policy or provision of law related to privacy issues, contact the Privacy Officer immediately. The Weld County Sheriff's Office will not retaliate against employees who report in good faith. The Weld County Sheriff's Office will take all reasonable steps to mitigate any damages caused by an improper use or disclosure of PHI.

Policy on Minimum Necessary Information

Weld County Sheriff's Office
Date: April 1, 2005
Authority: Commander Dave Malcom, Weld County Sheriff's Office
Responsibility: Privacy Officer, Weld County Sheriff's Office

It is crucial that every staff member understands the minimum necessary policy for use, disclosure, and request of protected health information. Health care providers and staff are entitled to use protected health information (PHI) consistent with their roles in this organization. Each staff member must also understand that with this role come certain responsibilities, such as limiting the viewing, use, disclosure, and requesting of PHI to only that data necessary for patient treatment, reimbursement for treatment, and health care operations. It is considered a breach of policy and of the patient's trust to seek information beyond what is appropriate for the staff role and the patient's needs. In the event of an emergency, the strict limits of access may be breached when appropriate for the benefit of the patient, specifically when the potential benefit to the patient is judged to outweigh the risk to patient privacy.
Purpose

The purpose of this policy is to comply with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and to ensure our patients' rights to the minimum necessary use and disclosure of their protected health information.

General Policy

1. When using or disclosing protected health information, or when requesting protected health information from another covered entity, each staff member of the Weld County Sheriff's Office must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. This requirement does not apply to disclosures to a health care provider for treatment, uses or disclosures made to the individual, uses or disclosures made pursuant to an authorization for release signed by the patient or the patient's representative, disclosures made to the Secretary of Health and Human Services, disclosures that are required by law (as described by Sec. 164.512(a) of the privacy regulations), and uses or disclosures that are required for compliance with the privacy regulations.

2. It is necessary that the different roles in the Weld County Sheriff's Office be defined so that each staff member understands his or her own role and responsibilities with regard to handling PHI.

Direct Health Care Provider: A licensed and/or certified health care professional who provides direct or indirect patient care or consulting services.

Direct Support Staff: Staff who work within the office providing a variety of professional and direct administrative support that involves the delivery of patient care or billing operations.

Data Access Categories

Full Health Information Access: Access to full health information as needed for health, payment, or health operations. Staff in this category may access and read all appropriate information.

Summary Data Access: Access to summary data with treatment or diagnostic codes as needed to function.
Staff in this category should confine the use of protected health information to the absolute minimum required and should not access or read full medical records.

Emergency Information Access: Access to any individually identifiable health information should not be granted except in emergency situations.

Usage Assignments

Data Access Categories are assigned in accordance with the operational requirements for minimum necessary use. Each staff member has a separate access category. Choose whether they have:

a. Full health information access
b. Summary data access
c. Minimum information access
d. Emergency information access

Direct Health Care Providers have full health information access, with the clear understanding that access and reading are limited to the needs of treatment, reimbursement, or operations. Direct Support Staff have full information access, with the clear understanding that access and reading are limited to the needs of treatment, reimbursement, or operations.

The Weld County Sheriff's Office will maintain a current office role directory that lists every defined position within the office. This will ensure that each position is granted the correct access authorization as defined in the Usage Assignments section of this policy. It is incumbent on every staff member to report any observed violation of these usage rules to the Privacy Officer, Weld County Sheriff's Office. Every staff member must be trained in his or her roles and responsibilities with reference to the minimum use and access to patient data policy. It is considered a breach of organization policies and of the patient's trust to seek information beyond what is appropriate for the staff role and the patient's needs. In the event of an emergency, the strict limits of access may be breached when appropriate for the benefit of the patient, specifically when the potential benefit to the patient is judged to outweigh the risk to patient privacy.
Disclosures for Treatment, Payment, or Health Operations

The regulations establish that routine and recurring disclosures of protected health information can be made for treatment, payment, or health operations without specific patient authorization. The minimum necessary requirements still pertain to all of these disclosures. Minimum necessary determinations will be made for all routine and recurring disclosures for all categories (other than those that are excepted); these categories will include, for example, additional medical information for medical necessity determination, sample records for accreditation and audits, records review for protocol adherence, patient information for participation in a clinical trial, paper claims, phone referral certification information, and other categories as determined necessary.

Full health information will be provided to routine and recurring requests from: the list of all external entities to whom the Weld County Sheriff's Office provides routine and recurring disclosures of full health information. See Exhibit A.

Summary data with treatment and/or diagnostic codes will be provided to routine and recurring requests from: the list of all external entities to whom the Weld County Sheriff's Office provides routine and recurring disclosures of summary data health information. See Exhibit B.

Minimum information (patient demographic data with only minimum reference to treatment or diagnostic information) will be provided to routine and recurring requests from: the list of all external entities to whom the Weld County Sheriff's Office provides routine and recurring disclosures of minimum health information. See Exhibit C.

Every effort will be made to comply with these disclosure categories except where the cost of extracting information is not reasonable and the risk of breach of patient privacy is considered low. In all situations, the requestor will be informed of their responsibilities towards this data and appropriate agreements entered into.
All non-routine and/or non-recurring requests will be considered on a case-by-case basis, and determination of the level of response will take into account the minimum necessary requirements.

Requests for Information

The regulation establishes that for routine and recurring requests, the responsibility for determining the minimum necessary data falls on the requestor. In all situations where data are requested, staff members must ensure that a minimum necessary evaluation is made. In situations where the determination has not been made, questions should be directed first to the Privacy Officer and then to the Director of the Weld County Sheriff's Office. Minimum necessary determinations will be made for all routine and recurring requests for all categories. These categories will include, for example:

Reason for visit
Vital medical stats
Medical records for referral
Referral authorization, if non-standard
Test results
Patient messages from an answering service

Policy and Procedure on Patient's Right to Access Health Information

Weld County Sheriff's Office
Date: April 1, 2005
Authority: Commander Dave Malcom, Weld County Sheriff's Office
Responsibility: Privacy Officer, Weld County Sheriff's Office

Purpose

The purpose of this policy is to comply with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and to afford our patients the right to inspect and obtain a copy of health information about them.

General Policy

It is our policy to provide our patients the right of access to inspect and obtain a copy of health information about them, for as long as we maintain the information in our designated record set, with exceptions permitted by law.

Definitions

Access: patients may inspect their medical records and billing records under the supervision of a staff member, for which an inspection fee is charged; or obtain a copy of all or a portion of their medical records and billing records, for which a copying fee is charged.
Designated record set: medical records and billing records that we use to make health care and payment decisions about patients.

Procedure

1. Patients may request access to their medical records and/or billing records by submitting a request in writing on our Authorization for Release of Information Form to our Privacy Officer. This Form specifies that access will be granted within 30 days of its receipt unless the patient is otherwise notified, and identifies the fees that will be charged for supervision of inspection, for copying all or portions of the record, or for summarizing the record. The request must state the type of access requested (inspection, copy, or whether a summary will be accepted if there are reasons why a complete inspection or copy cannot be released; see step 3.b.), specify the dates and specific information requested, and be signed by the patient.

2. When a request for access to the medical record and/or billing record is made by a patient:

a. Obtain the patient's medical record and verify the patient's demographic information and signature on the Authorization for Release of Information Form against the demographic information and signature on the consent for use and disclosure of health information, or other document signed by the patient contained within the medical record. If the authenticity of the patient cannot be verified, send a request to the patient to have a new Authorization for Release of Information Form notarized.

b. Review the medical record and/or billing record according to the request to determine if:

1) The information requested is excepted from the patient's right of access (see step 3, Exceptions to access), in which case access must be denied. Follow the procedure in step 4 for Denial of access.

2) The information requested is complete.
If the information is not complete, inform the physician responsible for completion that a request for access has been made by the patient and that the record will need to be completed within 30 days in order to comply with the patient's request, or we will be found in non-compliance with HIPAA and subject to fines. If the record is not completed within 30 days, send a copy of the Authorization for Release of Information Form to the patient indicating that an extension to providing access will be required because the record is in the process of being completed, and indicating the specific date on which access will be granted. This date must not exceed an additional 30 days.

c. If access is not excepted and the information is complete, and the patient requests inspection of the medical record and/or billing record or any portion thereof, schedule an appointment for the patient to visit the office. If the request is only for a portion of a record, remove that portion and place it in a separate folder for purposes of the inspection. Our Privacy Officer must be present with the patient during the time the patient is inspecting the record(s). A charge of $20.00 per hour can be assessed for this inspection to cover the cost of supervision. During this time, the patient may not remove any documents from the record(s) or write any information in the record(s). If the patient wishes to make an amendment to the record(s), follow the Policy and Procedure for Patient's Right to Request Amendment of Health Information. If the patient has any questions concerning the information in the medical record, inform the patient that an appointment must be made with the physician to discuss the information. If the patient has any questions concerning the information in the billing record, refer the patient to the Privacy Officer.
d. If access is not excepted and the information is complete, and the patient requests a copy of any or all of the medical record and/or billing record, make the specified copies and mail the information to the patient via postal mail. If the patient requests this information to be mailed to a different address, mailed to a different individual, or given to someone else who physically presents at our office, this must be authorized through the Authorization for Release of Information Form. If another individual is designated to physically pick up the copy of the information, verify the individual's identity by requesting a photo identification card and matching the name on the card to the name on the Authorization for Release of Information signed by the patient. Have the individual sign the Authorization for Release of Information as having received the information.

3. Exceptions to access are limited to very specific situations. Certain exceptions are not subject to review, and for others we must permit the patient to request a review of our decision not to grant access.

When the information was compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

When the request is from an inmate of a correctional institution, and we have concerns regarding the health, safety, security, custody, or rehabilitation of the inmate or of other inmates, or the safety of any officer, employee, or other person at the correctional institution, or the safety of any person responsible for transporting the inmate.

When the information was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.
When a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the patient or another person.

When the information makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person.

When the request for access is made by the patient's personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the patient or another person.

4. Denial of access is a serious matter under the law. Before the Privacy Officer may make such a denial decision, it is our policy to conduct an internal review of that denial. Any such case should be given to Commander Dave Malcom, who will authorize the denial.

a. If access is denied for one of the reasons that are not subject to review, return a copy of the Authorization for Release of Information to the patient indicating that we are unable to comply with the request for access due to the applicable reason. Retain a copy of the Authorization for Release of Information sent to the patient in the patient's medical record.

b. If access is denied for one of the reasons that are subject to review, determine whether a summary of the record may be made, or whether access may be provided to portions of the record, so as to prevent the risk associated with denial.
1) If a summary or access to portions of the record would prevent risk, return a copy of the Authorization for Release of Information to the patient indicating we are not able to comply with the request for access for the specified reason but would be able to provide a summary of information in the record or access to portions of the record.

2) If such a summary or access to portions of the record is not possible, return a copy of the Authorization for Release of Information to the patient indicating we are not able to comply with the request for access for the specified reason. Indicate on this Form that the patient has the right to have this decision reviewed by another licensed health care professional.

3) If a request for review is received, give a copy of the Authorization for Release of Information Form, the medical record, and, if applicable, the billing record to the Chief Physician, who will make a final determination. Upon its review and a determination, send a response to the patient indicating the result of the review and how the patient may file a complaint with our office or with the Secretary of Health and Human Services (HHS).

4) File a copy of the Authorization for Release of Information Form and other documentation received from the patient in his/her medical record. Place a copy of the Authorization for Release of Information in our Risk Management file.

5) If a request for access to the medical record or billing record is made and the person was not a patient of ours, return a copy of the Authorization for Release of Information Form to the individual indicating we have no records. If we do not have records on this individual but know where the requested information may be maintained (such as at a hospital or other physician's office), return the Authorization for Release of Information Form to the individual and provide the name and address of the location where we believe the records may be maintained.
Keep a copy of the Authorization for Release of Information Form in our Risk Management File.

Weld County Sheriff's Office
Authorization for Release of Information

Patient: Last First MI
Maiden or Other Name:
Date of Birth: MO DAY YR
SS#: - Medical Record Number#:
Address: City: State: Zip Code:
Day Phone: Evening Phone:

I hereby authorize: (Print Name of Provider) to release information from my medical record as indicated below to:
Name: Address: City: State: Zip Code:
Day Phone: Evening Phone: Fax #: E-mail Address:

Page 2 Authorization for Release of Information (cont'd)

INFORMATION TO BE RELEASED
Dates:
I specifically authorize the release of information relating to:
❑ History and physical exam
❑ Progress notes
❑ Substance abuse (including alcohol/drug abuse)
❑ Lab reports
❑ Mental health (including psychotherapy notes)*
❑ X-ray reports
❑ HIV related information (AIDS related testing)
❑ Other:
❑ Marketing (except for face-to-face encounters or promotional gifts of nominal value)

X SIGNATURE OF PATIENT OR LEGAL GUARDIAN DATE

Page 3 Authorization for Release of Information (cont'd)

Purpose of Disclosure:
❑ Changing Physicians
❑ Consultation/second opinion
❑ Continuing Care
❑ Insurance
❑ Legal
❑ Research
❑ School
❑ Worker's Compensation
❑ Other (please specify):

I understand that this authorization will expire _____ days after I have signed the form. I understand that if this authorization is used for the purpose of research, it will expire at the end of the research study, or on an indefinite date if the authorization is used for the creation or maintenance of a research database or repository. I understand that I may revoke this authorization at any time by notifying the providing organization in writing, and it will be effective on the date notified except to the extent action has already been taken in reliance upon it.
I understand that information used or disclosed pursuant to this authorization may be subject to re-disclosure by the recipient and no longer be protected by federal or state privacy regulations.

I understand that I am being requested to release this information by: (Print Name of Provider) for the purpose of:

By authorizing this release of information, my health care and payment for my health care will not be affected if I do not sign this form. I understand I may see and copy the information described on this form if I ask for it (permitted by federal law or state law to the extent the state law provides greater access rights), and that I will get a copy of this form after I sign it.

Page 4 Authorization for Release of Information (cont'd)

I have been informed that (Print Name of Provider): will not receive financial or in-kind compensation in exchange for using or disclosing the health information described above.

I understand that in compliance with: (Print the state whose laws govern the Provider): statute, I will pay a fee of: $14.00. There is no charge for medical records if copies are sent to facilities for ongoing care or follow up treatment.

I understand that I may refuse to sign this authorization.

SIGNATURE OF PATIENT DATE
OR PARENT/LEGAL GUARDIAN/AUTHORIZED PERSON DATE
RECORDS RECEIVED BY DATE RELATIONSHIP TO PATIENT

FOR OFFICE USE ONLY
DATE REQUEST FILED: BY:
TYPE OF IDENTIFICATION PRESENTED AND EXPIRATION:
FEE COLLECTED

Weld County Sheriff's Office
Authorization of Disclosure Log
(Log column headings, partly illegible in the scan: Date, Patient Name, Type of Request, Received By, Location Filed)
Policy and Procedure on Patient's Right to Request Amendment to Health Information
Weld County Sheriff's Office
Date: April 1, 2005
Authority: Commander Dave Malcom, Weld County Sheriff's Office
Responsibility: Privacy Officer, Weld County Sheriff's Office

Purpose
The purpose of this policy is to comply with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and to afford our patients the right to request amendment to their protected health information.

General Policy
It is our policy to provide our patients the right to request amendment to their protected health information that we maintain in our designated record set, with exceptions permitted by law.

Definitions
Amendment: to add information to an existing record, which either provides additional information, clarifies or corrects existing information, or provides an alternative view with respect to information that we have compiled about the patient in the patient's designated record set.
Designated record set: Privacy Officer and billing records that we use to make health care and payment decisions about patients.

Procedure
1. A patient who believes there is an error in information in the medical record or billing record may approach the author of the entry, point out the error, and request the author to correct it. The author may accept any correction believed to be required, and will document the correction. This documentation must retain the original entry, state the correct information, and reflect the author's identity and date of correction. In an electronic information system, the correction should be made in accordance with the vendor's specification for correcting errors such that an audit trail exists to show both the original entry and the new entry.
In paper documents, a correction may be made in one of two ways:
- If an entry is simply erroneous and needs to be deleted, a line may be drawn through the erroneous information, initialed, and dated.
- If an entry is erroneous and requires correction, the entry should be noted as erroneous and the correct information written in a separate note, which must be signed and dated.
The author should inquire of the patient if the correction of the error should be disclosed to anyone who may have received this information in the past. If so, the patient should be directed to complete the Form to Request Amendment.

2. A patient may also request that information be added to the medical record or billing record. This request must be made in writing, on our Form to Request Amendment, to the Privacy Officer. This Form serves as both documentary evidence of the request and our response, as well as a tracking mechanism to ensure response within 60 days of request (with not more than one 30-day extension) and duty to supply others with the information. This form will be processed in the following manner:

a. Request the patient to complete the Form to Request Amendment in triplicate. If this is not received in person, verify the patient's signature on the Form with a sample in the medical record. The patient should keep the last copy of the Form.

b. Place the remaining two copies of the Form in the patient's medical record or billing record, whichever is the subject of the amendment. Route the record to the author of the record.

c. If the author accepts the patient's amendment, the author will sign and date the Form as amendment accepted and make a note at the site in the record to which the amendment applies that an amendment exists. The author may also add a comment to the Form. The second copy of the Form will be returned to the patient indicating that the amendment has been accepted.
The original copy of the Form will be used to furnish copies of the amendment to those individuals or organizations the patient deems necessary. Such disclosures will be noted on the form as having been completed with the signature of the staff member who processed the disclosures. The original Form will be placed in the record.

d. If the author rejects the patient's amendment, the author must indicate one of the following as reasons:
1) The information subject to amendment was not created by us
2) The information subject to amendment is not part of the designated record set
3) The information would not be available for access (see our policy on Patient's Right to Access Health Information)
4) The information contained in the existing record is accurate and complete
The Form must be signed and dated, and the author must make a note at the site in the record to which the amendment applies that an amendment was requested. The second copy of the Form with this information will be returned to the patient. The original copy of the Form will be filed in the record. The patient may request that the request for amendment and the denial be disclosed with any future disclosures of the information that is the subject of the amendment.

e. If this processing cannot occur within 60 days of receipt of the request, notify the patient in writing that a 30-day extension will be necessary to process the request.

f. The patient may choose to submit a written statement disagreeing with the denial. This statement must be contained on not more than one handwritten or typewritten page of at least 10-point font. Any additional information beyond the one page will be discarded. When this statement of disagreement is received, it should be forwarded to the author, who will determine whether a rebuttal will be prepared. The statement of disagreement and any rebuttal must also be filed in the record and accompany any future disclosures of the information that is the subject of the amendment.

3.
If we are informed by another provider of an amendment to one of our patient's records, the Privacy Officer will review its contents and advise the physician who attended the patient as to any information which appears to require our action. We will place the amendment information in our designated record set.

Policy and Procedure to Request Restrictions on Use and Disclosure of Protected Health Information
Weld County Sheriff's Office
Date: March 10, 2003
Authority: Commander Dave Malcom, Weld County Sheriff's Office

Responsibility:
1. It will be the responsibility of the Weld County Sheriff's Office to receive requests for and agree to any restrictions on use and disclosure of protected health information.
2. It will be the responsibility of the Privacy Officer to monitor any restrictions which the office agrees to follow.

General Policy
1. We will supply any individual who requests restrictions placed on use and disclosure of protected health information a Form to Request Restrictions.
2. We will agree to requested restrictions if, in the judgment of a licensed health care professional, we believe the restriction will not limit our ability to provide quality health care treatment or manage our health care operations, and if our information management procedures and systems will permit us to comply consistently with the requested restrictions. We will also provide confidential communications by alternative means or to an alternative address provided by the patient if we obtain assurance that payment for our health care services will be handled and we receive specification of the alternative address or other method of contact.

Procedure
1. When an individual requests restrictions, supply him or her with our Form to Request Restrictions.
2. The Privacy Officer of Weld County Sheriff's Office will review the Form to Request Restrictions and determine whether we are able to accept the restrictions.
The Privacy Officer of Weld County Sheriff's Office will complete and sign the Form to Request Restrictions, supply the individual a copy, place the original in the individual's permanent health record and file a copy in our Risk Management file. The Privacy Officer of Weld County Sheriff's Office will also make the necessary postings to the individual's health record and/or billing record to enable the restrictions to be carried out.
3. If the individual makes the request for restrictions in our office, we will attempt to complete the Form to Request Restrictions during the time the individual is present in our office, but no later than 30 days after receipt.
4. If at any time we find that we cannot carry out the restrictions requested by an individual, we will prepare a written notice to send to him or her terminating our agreement, which will be applicable only to information created or received after such notice has been sent to the individual.
5. We will accept a written request from the individual to terminate the restrictions at any time or will document any oral request to terminate restrictions from the individual. If an oral request is received, this will be documented on the original Form to Request Restrictions, a copy of which will be supplied to the individual.

Policy and Procedure on Requesting Confidential Handling of Information
Weld County Sheriff's Office
Date: April 1, 2005
Authority: Commander Dave Malcom, Weld County Sheriff's Office
Responsibility: Privacy Officer

Purpose
The purpose of this policy is to comply with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and to inform our patients of their right to request confidential handling of their protected health information when it is sent to them.
General Policy
It is our policy to accommodate reasonable requests regarding the confidential handling of protected health information, and to maintain that the use of Protected Health Information be consistent with the patient's request.

Definitions and Regulatory Requirements
Protected health information: Individually identifiable health information, including information that is maintained in our medical records and billing records.

A covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the covered health care provider by alternative means or at alternative locations.

Conditions on providing confidential communications:
1. A covered entity may require the individual to make a request for a confidential communication in writing.
2. A covered entity may condition the provision of a reasonable accommodation on:
a. When appropriate, information as to how payment, if any, will be handled; and
b. Specification of an alternative address or other method of contact.
3. A covered health care provider may not require an explanation from the individual as to the basis for the request as a condition of providing communications on a confidential basis.

Procedure
1. Patients may request confidential handling of health information by submitting a request in one of the following ways:
a. In person, on our Request for Confidential Handling of Health Information Form
b. By mail, either on our Request for Confidential Handling of Information Form or in a letter containing the necessary information specified below. All requests should be mailed to:
Weld County Sheriff's Office
2110 "O" Street
Greeley, CO 80631

Determine what forms of communication your office will accept to request confidential handling of patient information—in writing or by fax, telephone, and/or e-mail. Include information regarding each method you will accept in your policy.
All requests should be directed to the Privacy Officer, Weld County Sheriff's Office. The request must supply the following details about the protected health information the individual wants confidentially handled:
a. The type of information, specifying if the request is limited to a particular illness or treatment or all health information exchanges
b. The time period for which the request applies
c. The manner in which payment will be received, if confidential handling of billing matters pertaining to the type of information is also requested
d. The manner in which the patient wishes to receive confidential communications, with any alternate information necessary to deliver information in the requested manner

2. When a patient makes a request for confidential handling of their PHI:
a. Validate the request with the individual. If the request is received by mail or e-mail, call the existing contact phone number and ask to speak with the patient to confirm the request. If the request is made in person, request confirmation of identity, if needed.
b. If the request involves billing information, confirm that the commitment for payment will be satisfied and hold confidential mailing until any payment due is received. For future billing, ensure that an agreement to pay at the time of visit is signed. Place a prominent note in the file or have a flag in your scheduling system that payment is required at the time of visit.
c. If the request is for an alternate address, enter the address into the patient's address file as the required confidential address.
d. If the request is to pick up the confidential information in person, highlight the requirement for easy recognition by staff handling correspondence.
e. If the request is time limited, flag the end date for confidential handling of information in the appropriate files and systems.
f. Place a copy of the Request for Confidential Handling of Information Form in the patient's medical record.
Determine if your office wishes to track requests for confidential handling of information for risk management purposes. (Include the following statement in your policy only if the answer is "yes") Place a copy of the Request for Confidential Handling of Health Information Form in our Risk Management file.

g. Determine if your office will send confidential communications to patients via e-mail. If yes: If the request is for e-mail exchange, ensure that the patient has signed the agreement stating they are responsible for access and use of their e-mail and Weld County Sheriff's Office will not be held liable for inappropriate use or breach of that e-mail. Ensure that the patient has initialed his/her understanding of the security requirements for exchanging patient information over the Internet. Highlight the requirement for easy recognition by staff handling correspondence.

Page 1 Request for Confidential Handling of Health Information

I, (print name), request confidential handling of correspondence regarding my health information for the period: From: To:

This request applies to health information involving:
Please be as specific as possible, e.g., treatment regarding a given illness or diagnosis.

Do you wish confidential handling of billing matters pertaining to the information described above? ❑ Yes ❑ No
If yes, please read and sign the following: I agree to pay all charges at the time of my visits. If for any reason the bill remains unpaid for 30 days, then I understand the following organization will bill the original fiscally responsible individual on record.
SIGNATURE OF PATIENT DATE

I have selected to receive confidential communications in the following way:
❑ Patient will pick up communications at the provider's office.
❑ Patient will receive any information at an alternate mailing address.
❑ Patient will receive any information through secure e-mail.
Please use the following mailing address for all health information communications that fit in the description provided above. (Please Print)
Mailing Address: City: State: Zip Code:

Page 2 Request for Confidential Handling of Health Information

If you have any questions concerning this confidential handling, please contact:
Signature (Person responsible for handling information) Title Print Name Phone Number

❑ PLEASE SEND CONFIDENTIAL INFORMATION VIA E-MAIL
E-mail Address:

Determine if your office will send confidential communications to patients via e-mail. If yes: Determine if you will use secure e-mail, and if so, what type of encryption will be required for the patient's browser. (Include the following statement in your policy only if the answer is "yes")

I understand that if I choose to receive confidential communications through e-mail, I am responsible for secure access to my e-mail and computer and will not hold the provider's office responsible for any breach that may occur on the receiving end of this transmission. I also understand that in order to receive this confidential communication securely I must have a browser that supports 128-bit encryption, currently supported by version 5.50 of Microsoft Internet Explorer.
SIGNATURE OF PATIENT DATE

Weld County Sheriff's Office
Special Request by Patient Log
(Log column headings, partly illegible in the scan: Date, Patient Name, Type of Request, Received By, Location Filed)
Policy and Procedure on the Handling of Privacy Complaints
Weld County Sheriff's Office
Date: April 1, 2005
Authority: David W. Bressler, Weld County Sheriff's Office
Responsibility: Privacy Officer, Weld County Sheriff's Office

Purpose
The purpose of this policy is to comply with the privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA) and to afford our patients the right to file a complaint, have the complaint investigated and, if appropriate, receive the disposition of the complaint pursuant to the HIPAA privacy rules and our implementing policies and procedures.

General Policy
It is our policy to keep a record of all complaints and to investigate all valid complaints to determine the circumstances surrounding any concerns our patients raise regarding privacy. If a patient's privacy rights have been infringed upon in any way, or there is evidence that our staff or associates have not adhered to the privacy standards or our policies and procedures, we will take actions consistent with the HIPAA regulations and our Policy and Procedure on Personnel Discipline for Breach of Privacy or Confidentiality and document these actions accordingly. The HIPAA privacy regulations give all individuals the right to file complaints with Weld County Sheriff's Office and the Office of the Secretary in the Federal Department of Health and Human Services. Under no circumstances will the fact that an individual has filed a complaint affect the services provided to that individual. Any staff found to be treating any individual differently in light of a complaint will be sanctioned. Any retaliation is prohibited by law.

Procedure
1. Patients may file privacy complaints by submitting them in one of the following ways:
a. In person, on our Privacy Complaint Form;
b. By mail, either on our Privacy Complaint Form or in a letter containing the necessary information specified below.
All requests should be mailed to:
Weld County Sheriff's Office
2110 "O" Street
Greeley, CO 80631
c. By telephone at 970-356-4000 extension 3939
d. By facsimile machine at 970-304-6460
e. By e-mail to dmalcom@co.weld.co.us

All privacy complaints should be directed to Commander Dave Malcom, Director, 970-356-4000 extension 3939. The complaint must describe the privacy concern in as much detail as possible, including when the infraction of the standards or mishandling of protected health information was believed to have occurred, and who, if known, was believed to have acted inappropriately with respect to protected health information or an individual's privacy rights. The complaint must include the following information:
a. The type of infraction the complaint involves (i.e. inappropriate handling of PHI, appropriateness of privacy policies and processes)
b. A detailed description of the privacy issue
c. The date the incident or problem occurred, if applicable
d. The mailing address

2. When a patient files a privacy complaint:
a. Validate the complaint with the individual. If the complaint is received by mail, phone, fax or e-mail, call the existing contact phone number and ask to speak with the patient to confirm the complaint. If the complaint is made in person, request confirmation of identity, if needed, and validate the facts of the complaint.
b. If the complaint appears to be a misunderstanding of the requirements or your policies and procedures, contact the patient and determine if, based on a more in-depth discussion of the concern, the individual still wants to file a complaint. Be as courteous as possible. UNDER NO CIRCUMSTANCES SHOULD A PATIENT FEEL PRESSURED OR COERCED EVEN IF YOU BELIEVE THEY ARE STILL MISUNDERSTANDING THE RULES OR POLICIES. If the individual does not want to pursue the complaint any further, indicate "no further action required based on clearer understanding", record the date and time, and file under dismissed complaints.
c.
Once validated and if not dismissed, log the complaint by placing a copy of the complaint form in the complaint file and the patient's medical record.
d. Investigate the complaint by reviewing the circumstances with the relevant staff and reviewing any audit and monitoring logs that may have relevance to the complaint. If the complaint involves any issues with an individual's rights that have attendant documentation (e.g., consent or authorization processes or confidential requests), pull all relevant forms. Complete the complaint investigation section of the complaint form with a summary of your findings.
e. If you determine the complaint is invalid, draft a letter stating the reasons the complaint was found invalid. Initially, an impartial, knowledgeable staff person or lawyer should review all letters for tone and rationale. Standard letters will likely emerge over time. File a copy of the letter and form in the investigated complaints file.
f. If you are uncertain about your findings, get a second opinion from your HIPAA privacy committee or your lawyer.
g. If you determine the complaint is valid and linked to a required process or an individual's rights, follow your office sanction policy to the extent that an individual is responsible. If the complaint involves your office's compliance with the standards that do not involve a single individual (e.g., policies and procedures themselves versus adherence to them), then begin the process to revise your current policies and procedures.
h. Once an appropriate sanction or action has been taken with respect to a complaint with merit, or if the response will take more than 30 days, draft a letter explaining the findings and the associated response or intended response. Use the same review process as for the invalid complaint letter in item e in the list above. Document the disposition of the complaint on the complaint form and file the letter and form in the investigated complaints file.
i.
Place a copy of the complaint form in the patient's medical record.
j. Determine if your office will respond to privacy complaints via e-mail. If yes: Determine if you will use secure e-mail and, if so, what type of encryption will be required for the patient's browser. (Include this statement in your policy only if the answer is "yes") Since your office accepts complaints via e-mail, be sure that the patient has signed the agreement stating they are responsible for access and use of their e-mail and that Weld County Sheriff's Office will not be held liable for inappropriate use or breach of that e-mail. Also, check to ensure that the patient has initialed their understanding of the security requirements for exchanging patient information over the Internet.
k. Determine if your office wishes to track privacy complaints for risk management purposes. (Include the following statement only if the answer is "yes") Review complaint files, both invalid and investigated complaints, at least annually to determine if there are any emerging patterns.

Page 1 Weld County Sheriff's Office Privacy Complaint Form

I, (print name), am registering a formal complaint regarding Weld County Sheriff's Office. The complaint involves:
❑ Issue relating to Weld County Sheriff's Office privacy policies and processes
❑ Specific concern regarding the handling of my protected health information
❑ Other

A detailed description of the privacy issue involved in the complaint is provided below:

The incident or problem occurred on (month/day/year), if applicable
I can be reached at (please provide day-time number)
Patient Signature:
Please use the following mailing address for a formal response to this complaint.
MAILING ADDRESS (Please Print): City: State: Zip Code:
If you would like to follow up on the status of your complaint, please contact: X Privacy Officer, Weld County Sheriff's Office: 970-356-4000 extension 3939

Page 2 Weld County Sheriff's Office Privacy Complaint Form (cont'd)

FOR OFFICE USE ONLY
Dismissed ❑ Investigated ❑ Invalid ❑ Has Merit ❑
Summary of Investigation
Response to Complaints with Merit:
Staff Involved in Review:
Name: Date:
Name: Date:
Name: Date:
Name: Date:

Weld County Sheriff's Office
Patient Complaint Log
(Log column headings, partly illegible in the scan: Date, Patient Name, Type of Request, Received By, Location Filed)

Policy and Procedure for Informing Individuals Concerning Opportunity to Accept/Reject Certain Uses and Disclosures
Weld County Sheriff's Office
Date: April 1, 2005
Authority: Commander Dave Malcom

Responsibility:
It will be the responsibility of the Privacy Officer to exercise professional judgment to use or disclose information where consent or authorization is not required. The individual, however, must be given an opportunity to agree or object to the use or disclosure.

General Policy
Our Notice of Privacy Practices will identify the circumstances in which we may use or disclose protected health information for which consent or authorization is not required, but the individual must be given an opportunity to agree or object. These circumstances include:
1. Uses and disclosures of protected health information that we believe in our professional judgment to be in the individual's best interest for purposes of care or for notification of the individual's general condition, location, or death. Such disclosures may include making health information directly relevant to the individual's care or payment related to care available to a family member, other relative, close personal friend, or any other person identified by the individual as involved in care or payment of care.
We may disclose health information to notify a family member, personal representative, or another person responsible for the individual's care concerning the individual's general condition, location, or death. We may also disclose health information about the individual to an entity assisting in a disaster relief effort so that the individual's family can be notified about the individual's general condition, location, or death.
2. Using and disclosing protected health information to contact the individual as a reminder that the individual has an appointment. We must give the individual the right to request that such confidential communication be sent to an alternative location or by an alternative means.
3. Using and disclosing protected health information to tell the individual about non-health-related products or services. Such marketing communications must indicate whether we are being paid for the marketing.
4. Using protected health information about the individual to contact the individual in an effort to raise money for our not-for-profit operations. We may disclose health information to a foundation related to our practice so that the foundation may contact the individual in raising money for our practice. We only will release contact information, such as the individual's name, address, and phone number and the dates the individual received treatment or services from us. The fundraising communication must include a description of how the individual may opt out of receiving any further fundraising communications.

Procedure
1. When an individual is present or otherwise available prior to a use or disclosure for which a consent or authorization is not required but the individual must be given an opportunity to agree or object, we may obtain the individual's oral agreement, inform him/her of our intent and provide the individual the opportunity to object, or reasonably infer from the circumstances that the individual does not object to the disclosure.
For example, if we request an individual to complete an appointment reminder post card, we may infer from the individual's completion of the card that there is no objection to this disclosure. If we plan on calling the individual, however, we will inform him/her that a call will be made and ask if there is any objection or alternative telephone number for us to call. 2. If the individual is not present or the opportunity to agree or object cannot practicably be provided because of the individual's incapacity or an emergency circumstance, we may exercise professional judgment to determine whether the disclosure is in the best interest of the individual. If so, we will disclose only the protected health information that is directly relevant to the person's involvement with the individual's health care. For example, we will infer there is no objection if a person is acting on behalf of the individual to pick up filled prescriptions, medical supplies, x-rays, or other similar forms of protected health information. However, if a known family member, other relative, close personal friend, or other person involved in the individual's care is present in our office and does not volunteer to act on behalf of the individual, we will not infer that there is no objection to disclosing protected health information and we will not disclose such information. 3. If the individual is sent any marketing or fundraising communications for which we do not have specific restrictions on file, we will ensure they meet the requirements set forth in HIPAA's privacy rule and will include a description of how the individual may-opt out of receiving any further such communications. 4. If the individual has filed a Form to Request Restrictions that cover any of the above disclosures of protected health information, we will accept such restrictions and take every measure practicable to not disclose such information. 
Policy and Procedure on Accounting for Disclosures
Weld County Sheriff's Office
Date: April 1, 2005
Authority: Commander Dave Malcom, Weld County Sheriff's Office
Responsibility: Privacy Officer, 970-356-4000 extension 3939

Purpose
The purpose of this policy is to comply with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and to afford our patients the right to request and receive an accounting of disclosures we make concerning their health information.

General Policy
It is our policy to keep an accurate accounting of all applicable disclosures that we make of our patients' protected health information, and to provide an accounting of those disclosures to patients who may request an accounting, as permitted by law.

Definitions
Disclosure—the release, transfer, provision of access to, or divulging in any other manner of information outside of this office.

Applicable disclosure—refers only to those disclosures of patients' protected health information made for reasons other than:
• to carry out treatment, receive reimbursement, or carry out our operations
• to the patients themselves
• to persons involved in a patient's care
• for national security or intelligence purposes (as specified in our policy on Authorization for Release of Information)
• to correctional institutions or law enforcement officials under certain circumstances (as specified in our policy on Authorization for Release of Information)
• those that occurred prior to April 1, 2005

Protected health information—individually identifiable health information, including that information maintained in our medical records and billing records.

Procedure
1. Patients may request an accounting of disclosures by submitting a request in writing on our Request for Accounting for Disclosures Form to our Privacy Officer. The request must state the time period for which the accounting is to be supplied, which may not be longer than six years and may not include dates before April 1, 2005.

2. When a request for an accounting of disclosures is made by a patient:
a. Obtain the patient's medical record.
b. Review the medical record to determine if it contains a written statement from a health oversight agency or law enforcement official that such an accounting to the patient must be suspended because such an accounting would impede the agency's activities. If such a statement exists, review the time period of the suspension. If the suspension is for less than 60 days from the date of receiving the request, hold the request until the suspension period has ended and then process the request. If the suspension is for more than 60 days from the date of receiving the request, send the Accounting for Disclosures Form indicating that we are temporarily unable to process the accounting due to a suspension required by law, but will comply with the request when the suspension has been lifted, and specify the date on which the suspension will be lifted. If the time period for suspension has passed, proceed to process the request.
c. Review the section of the medical record that contains authorizations and requests for disclosures to determine which disclosures are applicable to the accounting (see Definitions above) and within the time period being requested.
d. Complete the Accounting for Disclosures Form to supply the date(s) of disclosure(s), name(s) and address(es) of organizations or persons to whom the disclosure(s) were made, a brief description of the protected health information disclosed, the purpose of the disclosure(s), and the name of our Privacy Officer and date the form was mailed.
e. Send the Accounting for Disclosures Form to the patient within 60 days of receiving the request. If we are unable to complete this process within 60 days, send the Accounting for Disclosures Form to the patient indicating we will need a 30-day extension to complete the process, indicate the date on which we will supply the accounting, and check off the reason for the delay.
f. Place a copy of the Accounting for Disclosures Form in the patient's medical record. Determine if your office wishes to track accountings for disclosures for risk management purposes (include the following statement only if the answer is "yes"): Place a copy of the Accounting for Disclosures Form in our Risk Management file.

3. We will provide the first accounting to a patient in any 12-month period without charge. For any subsequent request within the 12-month period, we will charge $14.00, as specified on the Request for Accounting for Disclosures Form. (A patient who does not wish to pay for subsequent accountings may withdraw the request and no accounting will be made.)

Page 1 Request for Accounting for Disclosures of Health Information

I, (print name), request an accounting for disclosures of my health information for the period:
From: To:

I understand that this accounting for disclosures will include disclosures made only to those organizations or persons other than:
• to those for whom use and disclosure of my health information was made to carry out my treatment, process payment for my health care, or carry out your operations
• to myself or persons involved in my care
• for national security or intelligence purposes (as specified in your Notice of Privacy Practices)
• to correctional institutions or law enforcement officials under certain circumstances (as specified in your Notice of Privacy Practices)
• those that occurred prior to April 1, 2005

❑ I understand that I may receive the first accounting for disclosures within a 12-month period at no charge.
❑ I understand that I am requesting a second or subsequent accounting in a 12-month period and will pay the charge of $30.00 for this accounting.
Send this accounting to: (Please Print)
Mailing Address:
City: State: Zip:

SIGNATURE OF PATIENT DATE

Page 2 Accounting for Disclosures

❑ There were no applicable disclosures made of your health information for the period you specified.
❑ Disclosures of your health information were made by this office to:

Date of Disclosure | Name and Address to Whom Disclosed | Description of Information Disclosed | Purpose of Disclosure

We are temporarily unable to process the accounting for disclosures you have requested due to:
❑ a suspension required by law
❑ other:
but will comply with your request by the date of:

If you have any questions concerning this accounting for disclosures, please contact:
X Signature of person responsible for handling requests for access to health information Date
Phone Number
Print Name of person responsible for handling requests for access to health information

FOR OFFICE USE ONLY LAST PAID

Weld County Sheriff's Office Log of Disclosed PHI

NOTE - It is NOT Necessary to Log Disclosures Made:
For Treatment, Payment or Operations
To the Individuals Themselves
When the Individual has Made an Authorization
For a Facility Directory or to Care Providers
As Part of a Limited Data Set Defined in 164.514(e)
As Required and Allowed by Law (Seek Counsel for Requests Made Under These Circumstances)

Business Associates Contract

THIS CONTRACT is entered into on this [EFFECTIVE DATE OF POLICY], between Weld County Sheriff's Office and [BUSINESS ASSOCIATE].

WHEREAS, Weld County Sheriff's Office will make available and/or transfer to [BUSINESS ASSOCIATE] Protected Health Information, in conjunction with goods or services that are being provided by [BUSINESS ASSOCIATE] to Weld County Sheriff's Office, that is confidential and must be afforded special treatment and protection.
WHEREAS, [BUSINESS ASSOCIATE] will have access to and/or receive from Weld County Sheriff's Office Protected Health Information that can be used or disclosed only in accordance with this Contract and the HHS Privacy Regulations.

NOW, THEREFORE, Weld County Sheriff's Office and [BUSINESS ASSOCIATE] agree as follows:

1. Definitions. The following terms shall have the meaning ascribed to them in this Section. Other capitalized terms shall have the meaning ascribed to them in the context in which they first appear.
a. Contract shall refer to this document.
b. BUSINESS ASSOCIATE shall mean [BUSINESS ASSOCIATE].
c. COVERED ENTITY shall mean Weld County Sheriff's Office.
d. HHS Privacy Regulations shall mean the Code of Federal Regulations ("C.F.R.") at Title 45, Sections 160 and 164.
e. Individual shall mean the person who is the subject of the Protected Health Information, as defined by 45 C.F.R. 164.501.
f. Protected Health Information shall mean any individually identifiable health information provided and/or made available by Weld County Sheriff's Office to [BUSINESS ASSOCIATE], and has the same meaning as the term "protected health information" as defined by 45 C.F.R. 164.501.
g. Parties shall mean [BUSINESS ASSOCIATE] and Weld County Sheriff's Office.
h. Secretary shall mean the Secretary of the Department of Health and Human Services (HHS) and any other officer or employee of HHS to whom the authority involved has been delegated.

2. Term. The term of this Contract shall commence as of (the 14th of April 2003 of the HHS Privacy Regulations), and shall expire when all of the Protected Health Information provided by Weld County Sheriff's Office to [BUSINESS ASSOCIATE] is destroyed or returned to Weld County Sheriff's Office pursuant to Clause 26 of this contract.

3. Limits On Use And Disclosure Established By Terms Of Contract. [BUSINESS ASSOCIATE] hereby agrees that it shall be prohibited from using or disclosing the Protected Health Information provided or made available by Weld County Sheriff's Office for any purpose other than as expressly permitted or required by this Contract. (ref. 164.504(e)(2)(i)).

4. Stated Purposes For Which BUSINESS ASSOCIATE May Use Or Disclose Protected Health Information. The Parties hereby agree that [BUSINESS ASSOCIATE] shall be permitted to use and/or disclose Protected Health Information provided or made available from Weld County Sheriff's Office for the following stated purposes: [STATE PURPOSE OF DISCLOSURE]

5. Use Of Protected Health Information For Management, Administration And Legal Responsibilities. [BUSINESS ASSOCIATE] is permitted to use Protected Health Information if necessary for the proper management and administration of [BUSINESS ASSOCIATE] or to carry out legal responsibilities of [BUSINESS ASSOCIATE]. (ref. 164.504(e)(4)(i)(A-B)).

6. Disclosure Of Protected Health Information For Management, Administration and Legal Responsibilities. [BUSINESS ASSOCIATE] is permitted to disclose Protected Health Information received from Weld County Sheriff's Office for the proper management and administration of [BUSINESS ASSOCIATE] or to carry out legal responsibilities of [BUSINESS ASSOCIATE], provided:
a. The disclosure is required by law; or
b. The [BUSINESS ASSOCIATE] obtains reasonable assurances from the person to whom the Protected Health Information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, the person will use appropriate safeguards to prevent use or disclosure of the Protected Health Information, and the person immediately notifies the [BUSINESS ASSOCIATE] of any instance of which it is aware in which the confidentiality of the Protected Health Information has been breached. (ref. 164.504(e)(4)(ii)).

7. Data Aggregation Services. [BUSINESS ASSOCIATE] is also permitted to use or disclose Protected Health Information to provide data aggregation services, as that term is defined by 45 C.F.R. 164.501, relating to the health care operations of Weld County Sheriff's Office. (ref. 164.504(e)(2)(i)(B)).

8. Limits On Use And Further Disclosure Established By Contract And Law. [BUSINESS ASSOCIATE] hereby agrees that the Protected Health Information provided or made available by Weld County Sheriff's Office shall not be further used or disclosed other than as permitted or required by the Contract or as required by law. (ref. 45 C.F.R. 164.504(e)(2)(ii)(A)).

9. Appropriate Safeguards. [BUSINESS ASSOCIATE] will establish and maintain appropriate safeguards to prevent any use or disclosure of the Protected Health Information. (ref. 164.504(e)(2)(ii)(B)).

10. Reports Of Improper Use Or Disclosure. [BUSINESS ASSOCIATE] hereby agrees that it shall report to Weld County Sheriff's Office within two (2) days of discovery of any use or disclosure of Protected Health Information not provided for or allowed by this Contract. (ref. 164.504(e)(2)(ii)(C)).

11. Subcontractors And Agents. [BUSINESS ASSOCIATE] hereby agrees that any time Protected Health Information is provided or made available to any subcontractors or agents, [BUSINESS ASSOCIATE] must enter into a subcontract with the subcontractor or agent that contains the same terms, conditions and restrictions on the use and disclosure of Protected Health Information as contained in this Contract. (ref. 164.504(e)(2)(ii)(D)).

12. Right Of Access To Protected Health Information. [BUSINESS ASSOCIATE] hereby agrees to make available and provide a right of access to Protected Health Information by an Individual. This right of access shall conform with and meet all of the requirements of 45 C.F.R. 164.524, including substitution of the words "Covered Entity" with [BUSINESS ASSOCIATE] where appropriate. (ref. 164.504(e)(2)(ii)(E)).

13. Amendment And Incorporation Of Amendments. [BUSINESS ASSOCIATE] agrees to make Protected Health Information available for amendment and to incorporate any amendments to Protected Health Information in accordance with 45 C.F.R. 164.526, including substitution of the words "Covered Entity" with [BUSINESS ASSOCIATE] where appropriate. (ref. 164.504(e)(2)(ii)(F)).

14. Provide Accounting. [BUSINESS ASSOCIATE] agrees to make Protected Health Information available as required to provide an accounting of disclosures in accordance with 45 C.F.R. 164.528, including substitution of the words "Covered Entity" with [BUSINESS ASSOCIATE] where appropriate. (ref. 164.504(e)(2)(ii)(G)).

15. Access To Books And Records. [BUSINESS ASSOCIATE] hereby agrees to make its internal practices, books, and records relating to the use or disclosure of Protected Health Information received from, or created or received by [BUSINESS ASSOCIATE] on behalf of the Weld County Sheriff's Office, available to the Secretary or the Secretary's designee for purposes of determining compliance with the HHS Privacy Regulations. (ref. 164.504(e)(2)(ii)(H)).

16. Return Or Destruction Of Protected Health Information. At termination of this Contract, [BUSINESS ASSOCIATE] hereby agrees to return or destroy all Protected Health Information received from, or created or received by [BUSINESS ASSOCIATE] on behalf of Weld County Sheriff's Office. [BUSINESS ASSOCIATE] agrees not to retain any copies of the Protected Health Information after termination of this Contract. If return or destruction of the Protected Health Information is not feasible, [BUSINESS ASSOCIATE] agrees to extend the protections of this Contract for as long as necessary to protect the Protected Health Information and to limit any further use or disclosure. If [BUSINESS ASSOCIATE] elects to destroy the Protected Health Information, it shall certify to Weld County Sheriff's Office that the Protected Health Information has been destroyed. (ref. 164.504(e)(2)(ii)(I)).

17. Mitigation Procedures. [BUSINESS ASSOCIATE] agrees to have procedures in place for mitigating, to the maximum extent practicable, any deleterious effect from the use or disclosure of Protected Health Information in a manner contrary to this Contract or the HHS Privacy Regulations. (ref. 164.530(f)).

18. Sanction Procedures. [BUSINESS ASSOCIATE] agrees and understands that it must develop and implement a system of sanctions for any employee, subcontractor or agent who violates this Agreement or the HHS Privacy Regulations. (see 164.530(e)(1)).

19. Property Rights. The Protected Health Information shall be and remain the property of Weld County Sheriff's Office. [BUSINESS ASSOCIATE] agrees that it acquires no title or rights to the Protected Health Information, including any de-identified Protected Health Information, as a result of this Contract.

20. Termination of Contract. [BUSINESS ASSOCIATE] agrees that Weld County Sheriff's Office has the right to immediately terminate this Contract and seek relief if Weld County Sheriff's Office determines that [BUSINESS ASSOCIATE] has violated a material term of this Contract. (ref. 164.506(e)(2)(iii)).

21. Grounds For Breach. Any non-compliance by [BUSINESS ASSOCIATE] of this Contract or the HHS Privacy Regulations will automatically be considered to be a Grounds For Breach, if [BUSINESS ASSOCIATE] knew or reasonably should have known of such non-compliance and failed to immediately take reasonable steps to notify Weld County Sheriff's Office and cure the noncompliance.

22. Governing Law. This Contract shall be governed by the laws of Colorado.

23. Injunctive Relief. Notwithstanding any rights or remedies provided for in this Contract, Weld County Sheriff's Office retains all rights to seek injunctive relief to prevent or stop the unauthorized use or disclosure of Protected Health Information by [BUSINESS ASSOCIATE] or any agent, contractor or third party that received Protected Health Information from [BUSINESS ASSOCIATE].

24. Binding Nature and Assignment. This Contract shall be binding on the Parties hereto and their successors and assigns, but neither Party may assign this Agreement without the prior written consent of the other, which consent shall not be unreasonably withheld.

25. Notices. Whenever under this Contract one party is required to give notice to the other, such notice shall be deemed given if mailed by First Class United States mail, postage prepaid, and addressed as follows:

COVERED ENTITY:
Weld County Sheriff's Office
2110 "O" Street
Greeley, Colorado 80631

BUSINESS ASSOCIATE:
[PUT IN ADDRESS]

Either Party may at any time change its address for notification purposes by mailing a notice stating the change and setting forth the new address.

26. Article Headings. The article headings used are for reference and convenience only, and shall not enter into the interpretation of this Contract.

27. Force Majeure. [BUSINESS ASSOCIATE] shall be excused from performance under this Contract for any period [BUSINESS ASSOCIATE] is prevented from performing any services pursuant hereto, in whole or in part, as a result of an Act of God, war, civil disturbance, court order, labor dispute or other cause beyond its reasonable control, and such nonperformance shall not be grounds for termination.

28. Entire Agreement. This Contract consists of this document, and constitutes the entire agreement between the Parties.
There are no understandings or agreements relating to this Agreement which are not fully expressed in this Contract and no change, waiver or discharge of obligations arising under this Contract shall be valid unless in writing and executed by the Party against whom such change, waiver or discharge is sought to be enforced.

IN WITNESS WHEREOF, [BUSINESS ASSOCIATE] and Weld County Sheriff's Office have caused this Contract to be signed and delivered by their duly authorized representatives, as of the date set forth above.

BUSINESS ASSOCIATE:
X
[Print Name]
[Title]

COVERED ENTITY: Weld County Sheriff's Office
X
[Print Name]
[Title]

Weld County Sheriff's Office Business Associates Contract Log

Overview of Policies and Procedures on Privacy and Security
Weld County Sheriff's Office
Date: April 1, 2005
Authority: Commander Dave Malcom, Weld County Sheriff's Office

Purpose
A copy of this document should be given to each staff member. While there are many policies directed at singular aspects of privacy and confidentiality, this overview is directed at developing a simple overall guideline for the understanding of the relationship between the staff and the clients of Weld County Sheriff's Office.

The electronic and paper record resources of Weld County Sheriff's Office are provided for the singular purpose of facilitating patient care and business processes. Any person who uses Weld County Sheriff's Office paper records and/or computing resources for non-business or unauthorized purposes may be subject to disciplinary action, up to and including termination, and civil or criminal legal action. Management at all levels is responsible for monitoring the actions of its staff and enforcing the intent of this overview. All questions, concerns or infractions should be directed to the Director of Weld County Sheriff's Office.

Prohibited Activities
The following are examples of prohibited activities:
1. Using Weld County Sheriff's Office computing systems or data for personal business or gain;
2. Specific violations of Weld County Sheriff's Office electronic mail, Internet and facsimile machine policy;
3. Unauthorized browsing of patient, personnel, financial, or other records for the purpose of personal curiosity or with the intent of improperly disclosing the information contained in those records;
4. Interfering with the operation of any of Weld County Sheriff's Office computing systems or using a Weld County Sheriff's Office computer to disrupt any external computing system;
5. Altering or deleting any of Weld County Sheriff's Office data or software, except when performing authorized business functions; and
6. Installing unauthorized or illegally-copied software on any of Weld County Sheriff's Office computer terminals.

Responsibilities
1. Every staff member is accountable for all computing activities he/she performs.
2. Users shall comply with all Weld County policies to safeguard systems and data.
3. User identification codes are not to be shared, except under special circumstances approved by the Director of Weld County Sheriff's Office.
4. Passwords shall not be divulged, orally or in writing.
5. Workstations and terminals to be left unattended shall be logged off or locked up.
6. All suspected or known breaches of confidentiality or computer security shall be reported to Commander Dave Malcom, Weld County Sheriff's Office, or another member of management immediately.

Organizational Policies and Training
The management of Weld County Sheriff's Office will instruct users in Information Confidentiality, Privacy, and Security policies, standards and procedures, as well as in the principles of information confidentiality and computer security.
Management of Weld County Sheriff's Office shall make written policies on the management of private patient information and other protected data readily available to staff.

Behavior in Interacting with Patients
Staff or volunteers of Weld County Sheriff's Office are obligated to make sure that patient information is not disclosed inappropriately, accidentally or negligently. In order to do this we must take appropriate precautions to safeguard medical information, as described below.
1. Do not allow medical information on terminals to be visible to patients.
2. Keep patient charts and encounter forms face down. Never leave them out where others can see them.
3. Use confidential trash bins when disposing of patient information. Any document with a patient's name, insurance number or a partial patient record is considered protected health information.
4. Place patient record charts and other patient information outside exam rooms or clinical offices so that they face the door or wall.
5. Speak softly over the phone and try to avoid excessive use of the patient's name.
6. Do not discuss patient information with anyone in a social conversation.
7. Make a habit of speaking to patients in private offices and exam rooms only.
8. Do not discuss the reason for a patient's visit in the waiting area or in front of others.
9. Anticipate patient privacy needs when giving out test results, setting up appointments and obtaining or explaining referrals.

Policy and Procedure on Personnel Discipline for Breach of Privacy or Confidentiality
Weld County Sheriff's Office
Date: April 1, 2005
Authority: Commander Dave Malcom, Weld County Sheriff's Office
Responsibility: Commander Dave Malcom

Purpose
This plan provides guidance for the appropriate response to breaches in patient privacy and confidentiality at Weld County Sheriff's Office. This guidance is intended to ensure that staff and management understand the appropriate seriousness of any breach and the stated penalties and actions. Weld County Sheriff's Office has a very strong commitment to protecting the confidentiality of its patients' records and clinical information. To ensure compliance with the policy by all staff and to ensure consistency in the discipline and actions taken upon evidence of breach in patient confidentiality by staff, Weld County Sheriff's Office has adopted the disciplinary process set forth below.

General Policy
Weld County Sheriff's Office and its staff are entrusted with information regarding our patients and we recognize that the patient record is highly confidential and must be treated with great respect and care by all staff. Any breach in patient confidentiality by a staff person is subject to formal disciplinary action as delineated in this policy.

A breach in patient confidentiality occurs when a member of the Weld County Sheriff's Office staff:
a. Views or accesses private patient health information for any reason not related to the provision of care and treatment or another authorized purpose;
b. Discusses with or reveals to any individual(s) private patient health information for purposes not related to patient care and treatment or another authorized purpose; or
c. Violates the provisions of Weld County Sheriff's Office policy on the confidentiality of private patient health information as stated in the general overview policy as provided to the staff.

For any breach in patient confidentiality, the staff member shall be subject to disciplinary actions as set forth in the "Procedures" section below. Every staff member should receive and read a copy of this document and "Overview of Policies and Practices in Privacy and Security."

Procedures
1. Review. The Director of Weld County Sheriff's Office is responsible for the content and administration of this policy.
The policy shall be reviewed and evaluated one year from its effective date with specific focus on the Disciplinary Process section, and then every two years thereafter.

2. Level of Breach. Breaches in patient confidentiality have been divided into the following three levels, with the corresponding disciplinary actions for each level of breach.

A. Level 1 — Carelessness
This level of breach occurs when a member of the Weld County Sheriff's Office staff unintentionally or carelessly accesses, reviews or reveals patient information to him/herself or others without a legitimate need to know the patient information.
Disciplinary Sanctions:
1. Depending upon the facts, counseling, oral warning, written warning, final written warning or suspension, documented in writing and maintained in the employee's personnel record, or termination.
2. Except in the case of termination, the employee shall be required to repeat the confidentiality training module.
3. Level 1 disciplinary sanctions shall be administered in a progressive manner.
4. Disciplinary sanctions shall be reported to the applicable professional licensing board as appropriate.

B. Level 2 — Curiosity or Concern (no personal gain)
This level of breach occurs when an employee intentionally accesses or discusses patient information for purposes other than the care of the patient or other authorized purposes, but for reasons unrelated to personal gain.
Disciplinary Sanctions:
1. First offense: Depending upon the facts, oral or written warning documented and maintained in the employee's personnel record.
2. Second offense: Depending upon the facts, a final written warning and suspension for 3-30 days without pay, documented and maintained in the employee's personnel record, or termination.
3. Third offense: Termination.
4. Except in the case of termination, the employee shall be required to repeat the confidentiality training module.
5. Disciplinary sanctions shall be reported to the applicable professional licensing board as appropriate.

C. Level 3 — Personal Gain or Malice
This level of breach occurs when an employee accesses, reviews or discusses patient information for personal gain or with malicious intent.
Disciplinary Sanctions:
1. First offense: Termination.
2. Report to applicable professional licensing board.

3. Disciplinary Process. The following process must be followed when an employee breaches, or is suspected of breaching, patient confidentiality.

A. Initial Reporting
1) An individual who observes or is aware of a breach reports it to his/her immediate supervisor, who in turn should report this incident to the Privacy Officer.
2) The Privacy Officer reports this to his/her reporting authority, who consults management as appropriate.
3) Failure to report a breach of which one has knowledge will result in appropriate disciplinary action.
4) Reporting of a breach in bad faith or for malicious reasons will result in appropriate disciplinary action.

B. Activity Upon Clear Evidence of Breach of Confidentiality
1) The incident shall be reported to the Privacy Officer, who shall investigate the incident and report the matter to appropriate management.

C. Reporting and Filing Requirements
1) All incidents should be reported to your immediate supervisor and the Privacy Officer.

D. Imposition of Appropriate Discipline
1) Based upon the severity of the breach, management shall take the appropriate disciplinary actions provided under the employer's personnel policies.

For all levels of breach, after final resolution, the initial report and all written documentation relating to the breach shall be filed in a confidential file in the Privacy Officer's office and a referring note placed in the Security Log. The disciplinary action and appropriate documentation shall also be placed in the employee's personnel file.

4. Upon investigation of a Level 2 breach, or higher, the following actions should be taken.
a. The Privacy Officer should ensure that the access of the accused employee to any paper or electronic medical records is immediately suspended. b. The Privacy Officer should retrieve keys and/or badges from the accused employee that allow access to secure areas where patient records are kept. c. The Privacy Officer should inform all appropriate supervisors about the suspension or removal of the access privileges of the accused employee. d. The Privacy Officer should include a written report of all actions in a confidential file in the Privacy Officer's office and a referring note placed in the Security Log. The disciplinary action and appropriate documentation shall also be placed in the employee's personnel file. After reading this policy, sign and date the lower portion of this page and return it to your immediate supervisor. Detach the acknowledgement and retain the policy for your records. Policy and Procedure on Physical Security Weld County Sheriffs Office Date: April 1, 2005 Authority: Commander Dave Malcom Weld County Sheriffs Office Responsibility: Privacy Officer Purpose A Physical Security policy document should exist detailing the measures taken to protect buildings in regard to disasters (flooding, fire, earthquakes, explosions, power outage), theft, physical access, computer rooms and wiring cabinets. General Policy All Weld County Sheriffs Office staff should understand and support the control of access to the public, clients, general staff and staff with specific access privileges. Upon observations or detection of any breach of physical access, staff members should implement provisions of the procedure below according to their best judgment, but in all instances a follow-up report should be made to the Privacy Officer for actions and record. Procedures 1. 
Definition of Areas Zone 1: Areas open to the public Zone 2: Areas not open to the public, open to company clients and staff Zone 3: Areas not open to the public, not open to company clients, open to staff only Zone 4: Protected areas, only accessible with identification, access strictly controlled. 2. Warning Signs Signs clearly identifying the right of access to an area should be placed at every juncture between zones. All staff should be clearly aware of requirements and should not hesitate to challenge inappropriate persons. Specific badges and or actual tokens may be issued to validate authorized entry into different areas. 3. Emergency Telephone Numbers Emergency telephone numbers for private security, police,plumber, etc., should be placed at all telephone handsets. If possible, incidents or disasters should be managed by the Privacy Officer but in emergency situations, any available staff member should make the call. In all instances, follow-up reports should be made to the Privacy Officer for recording in a confidential file. 4. Response to Physical Intrusion or any Disaster a. When staff, clients and/or patients are present: 1) Staff should take the immediate, appropriate actions to safeguard the clients and/or patient, confidential patient information and the physical and electronic infrastructure. 2) The Privacy Office or the most available staff member should call the appropriate authorities to respond to the situation. 3) In all instances, follow-up reports should be made to the Privacy Officer for recording in a confidential. b. Detected outside of hours of operation: 1) If immediate action is necessary, arrangement should be made for the office's security service to contact the Privacy Officer or other available management staff, which should contact the appropriate authorities and take any necessary steps to secure the premises until a complete evaluation of the damage can be made. 
2) In all instance, follow-up reports should be made to the Privacy Officer for recording in a confidential file. 3) If no immediate action is necessary to mitigate the loss, reports should be made to the Privacy for action and for recording in a confidential file. 5. Routine Destruction of Paper Records Paper records with protected health information printed on them should not be discarded as regular trash. All paper that has protected health information printed on it should b e segregated from regular trash and destroyed only by methods that ensure the privacy and confidentiality of the information. 6. Routine Destruction of Defective Confidential Disks and Tapes Disks, tapes or any other storage medium with protected health information contained on it should not be discarded as regular trash. All storage mediums that have private health information contained on them should be segregated from regular trash and destroyed only by methods that ensure the privacy and confidentiality of the information. 7. Repair and/or Access to Computer Equipment Access to protected patient information by any service technician should be minimized either by direct supervision or by securing the information source. If possible, business associate contracts should be in place for each type of service technician. 8. Prevention a. Clear instructions on the right of access to an area should be posted at all juncture between zones. b. All staff should be proactive about monitoring access to restricted zones. c. Access to restricted zones for repair or delivery should be minimized and those entrants should understand Weld County Sheriff's Office confidentiality. d. Any support contracts that involve on-site, non-staff personnel should include standard Business Contracts language on privacy, confidentiality and security. e. Staff identification and/or badges should be implemented, if not already in use. f. 
Procedure on locking doors and windows should be clearly understood by all staff members. While all staff members should enforce the procedure, it is the responsibility of the Privacy Office to monitor these physical security actions. In the event o f the absence of the Privacy Officer his designees will assume responsibility for monitoring these physical security procedures. g. Upon termination of a staff member for any cause, all office key/badges should be retrieved from the departing staff member. h. Key registers and logs should be maintained by the Privacy Officer. i. Keys that are marked "Do Not Duplicate" should be issued to staff members to avoid their making unauthorized copies of office keys. 9. Work Station Use a. Workstations should be placed, as much as possible, so that the screens are not seen by unauthorized persons. b. Systems should be configured so that monitors time out after ten minutes of non- use and require a password to re-enter. c. If there is not automatic screen shut down within the system configuration, users should logout of the computer system if the user leaves the terminal unattended. d. If the configurations of the workstations vary across the system, signage should be used to indicate the preferred mode of behavior at each station. 10. Record Handling a. Records should not be left on desks or cabinets unattended. b. Records pulled from cabinets for future treatment session should be left in a secured area until needed by staff members. c. All staff should pro-actively gather up unattended records and return them to a secured area. Policy on Use of Electronic Mail, Internet and Facsimile Machines Weld County Sheriff's Office Date: April 1, 2005 Authority: Commander Dave Malcom Weld County Sheriff's Office Responsibility: Privacy Officer Purpose This plan provides guidance for the appropriate use of electronic mail, Internet and facsimile machines at Weld County Sheriff's Office. 
This guidance is intended to ensure the privacy and confidentiality of patient data at Weld County Sheriff's Office. General Policy Never forward patient-identifiable data to a third without the patient's express permission. Material that is sexually explicit, obscene, embarrassing, fraudulent, hostile, harassing, or otherwise inappropriate or unlawful shall not be forwarded or sent by electronic communication or displayed on or stored on Weld County Sheriffs Office computer resources. Users receiving or viewing this kind of information shall immediately report the incident to the Privacy Officer. Unless expressly authorized by the Privacy Officer downloading, sending, transmitting, or otherwise disseminating proprietary information, trade secrets or other sensitive privacy act information strictly prohibited. 1. Electronic Mail Weld County Sheriff's Office owns the electronic mail service, and considers electronic mail private, direct communication between sender and recipient(s) or recipient(s)' designee(s); however, employees cannot expect absolute confidentiality. The contents will not be monitored, observed, viewed, displayed or reproduced in any form by anyone other than the sender and the recipient(s) or recipient(s)' designee(s) representative or the Privacy Officer. Electronic mail is considered official correspondence of Weld County Sheriff's Office, and users must avoid the inclusion of inappropriate or derogatory language in their messages. Electronic mail is maintained in computer systems and on backup media for varying lengths of time and may be recovered subsequent to deletion. The messages may be disclosed in the same manner as paper records. Reasons for recovery of electronic mail messages may include legal discovery, external investigations by law enforcement personnel and internal security investigations. 
Work-related mail is forwarded to the most appropriate employee in the case of employment termination or when an employee is absent for an extended period of time. A recipient may designate another employee to receive and read work-related mail for business reasons. Personal messages are forwarded to the intended recipient. If that is not possible, they are destroyed. Messages are not examined further than is necessary to determine the category into which they fall. In anticipation of the finalization of the security regulation of HIPAA, no protected health information should be sent by public or private electronic networks without adequate safeguards against interception and/or misuse. 2. Internet Standard use of the Internet, via the office network, must be primarily for Weld County Sheriff's Office business or professional development. Limited personal use is acceptable but discretion is necessary to ensure that individuals do not degrade Weld County Sheriff's Office public image through their activities or adversely affect the availability of network resources. 3. Facsimile Machines All staff shall take precautions when using facsimile (fax) machines to transmit documents. Facsimile machines shall not be located in areas accessible to the general public, unless the facsimile machine is intended for public use. In this case the publicly available facsimile machine should not be used by staff members to send or receive faxes containing patient information of any kind. Staff shall not use Weld County Sheriffs Office facsimile machines for transmitting personal documents. Facsimile machine cover pages shall include the following information: a. The sender's name, business address, business phone number, and business facsimile machine number b. The recipient's name,business address, business phone number, and business facsimile machine number c. Transmissions time and date (if not stamped by facsimile machine or computer) d. 
Classification of the document (CONFIDENTIAL documents) Staff shall verify the facsimile machine number of the recipient before transmitting. A recipient of a document containing CONFIDENTIAL information(e.g., for the recipient's eyes only or containing protected health information) must be notified by phone before the document is transmitted. If at all possible, this type of document should not be faxed. All pages, including the cover page of CONFIDENTIAL documents to be faxed, must be marked "Confidential"before they are transmitted. Time, date, sender, recipient and sender or recipient and sender or recipient phone number for all materials sent and received by facsimile machine should be documented in a facsimile machine log to be kept with the facsimile machine. It is crucial that not protected health information be explicitly revealed in this log.