The URL can be used to link to this page

Browse Search

Home My WebLink About20030902.tiff RESOLUTION RE: APPROVE HIPAA COMPLIANCE PLAN FOR WELD COUNTY AND ADOPT HIPAA COMPLIANCE PLAN FOR AFFILIATED COMPUTER SERVICES, INC. WHEREAS, the Board of County Commissioners of Weld County, Colorado, pursuant to Colorado statute and the Weld County Home Rule Charter, is vested with the authority of administering the affairs of Weld County, Colorado, and WHEREAS,the Health Insurance Portability and Accountability Act(HIPAA)was enacted by the federal government in 1996, and WHEREAS, Weld County provides various operations and functions in the county that fall underthe HIPAA regulations and can be considered a"hybrid entity"under HIPAA regulations,and WHEREAS, the Weld County Attorney and Director of Finance and Administration recommend that the Board of Weld County Commissioners designate Weld County government a "hybrid entity" for the purposes of HIPAA regulation compliance, and WHEREAS, Weld County offers Dental, Vision, and Flexible Spending Plans that are considered health plans under HIPAA regulations, and WHEREAS, the HIPAA Compliance Plan for the Dental, Vision, and Flexible Spending Plans,a copyof which is attached hereto and incorporated herein by reference,has been prepared by the Director of Finance and Administration, and is hereby presented to the Board of County Commissioners for adoption prior to the compliance date of April 14, 2003, and WHEREAS,the Weld County Departments of Public Health and Environment, Paramedic Services,and Human Services,Area Agency on Aging Division,have prepared HIPAA Compliance Plans as healthcare providers, copies of which are attached hereto and incorporated herein by reference, have been prepared by County staff and are hereby presented to the Board of County Commissioners for adoption prior to the compliance date of April 14, 2003, and WHEREAS,the HIPAA Compliance Plan for Affiliated Computer Services, Inc., a copy of which is attached hereto and incorporated herein by reference, is hereby presented to the Board of County Commissioners for adoption prior to the compliance date of April 14, 2003. NOW, THEREFORE, BE IT RESOLVED, by the Board of County Commissioners, that Weld County government be, and hereby is, declared to be a "hybrid entity" for the purposes of HIPAA regulation compliance. BE IT FURTHER RESOLVED by the Board that the HIPAA Compliance Plan as attached for the Dental, Vision, and Flexible Spending Plans be, and hereby is, approved. n 2003-0902 CO : E . OA./ �E 19L� HQ Aron) PE0022 RE: HIPAA COMPLIANCE PLAN PAGE 2 BE IT FURTHER RESOLVED by the Board that the HIPAA Compliance Plans for healthcare providers as attached for the Weld County Departments of Public Health and Environment, Paramedic Services, and Human Services, Area Agency on Aging Division, be, and hereby are, approved. BE IT FURTHER RESOLVED by the Board that the HIPAA Compliance Plan as attached for Affiliated Computer Services, Inc., be, and hereby is, adopted. The above and foregoing Resolution was, on motion duly made and seconded, adopted by the following vote on the 7th day of April, A.D., 2003. BOA D OF COUNTY COMMISSIONERS WEL OUNT)(, COLO ADC A / ATTEST: a� Da 'd . Lon , Chair Weld County Clerk to th n A, -7' rJ Robert D. sden, Pro-Tern BY: Deputy Clerk to the Boar . J. eie A OV AS TOE EXCUSED William . Jerke )17---- ��unty Attorney Glenn Vaad Date of signature: y05-- 2003-0902 PE0022 HIPAA COMPLIANCE PLAN FOR WELD COUNTY WELD COUNTY HIPAA COMPLIANCE PLANS The Health Insurance Portability and Accountability Act ("HIPAA")was enacted in 1996. HIPAA was enacted in recognition of the increased electronic exchange of health information among providers and health plans, and the resulting need for increased privacy protection. Title II of HIPAA includes the "Administrative Simplification" requirements of HIPAA that significantly impact entities that are healthcare providers and/or provide health plans to employees on a self insured basis. Weld County must comply both as a health plan provider and healthcare provider. HIPAA has three components that require compliance. The transactional rules that have to do with the electronic transaction standards that were effective October 16, 2002, but Weld County requested an extension until October 16, 2003. Second, the privacy rules that go into effect April 14, 2003. Third, the security rules that do not have an effective date yet. Weld County, like most counties, will be considered a"hybrid entity' under HIPAA. This means that while Weld County may or may not provide health care as a primary function, healthcare provision may be a primary function of some of its operations, such as the Public Health Department, Paramedic Service, and detention facility. These operations may conduct covered transactions such as billing for, paying, providing services or issuing reports on health care, or may conduct other transactions which qualify for standardization. In addition to the healthcare provider components Weld County is covered by HIPAA because we offer self insured health plans in the form of the county's Dental, Vision, and Flexible Spending Plans. In an analysis of county functions under the "hybrid entity" provision the following conclusions have been reached: The Weld County Department of Public Health and Environment, and Weld County Paramedic Services both fall under HIPAA regulations as a healthcare provider due to the fact that they transmit electronic medical billing information for Medicaid billings. The Human Services' Area on Aging program case management function is covered under HIPAA. Under the definition of"health care"in HIPAA"assessment" is cited. In addition in the Federal Register Volume 65,Number 160 dated Thursday, August 17, 2000, under III. A. 3. Analysis of and Responses to. Public Comments on the Proposed Rules-Atypical Services, HHS determined that case management is subject to HIPAA standards. In the same citation, however, HHS excluded nonemergency transportation from HIPAA. Therefore, the Weld County Human Services' Area on Aging case management function is cover by HIPAA, but the Weld County Human Services' transportation function is not covered by HIPAA, even though it bills Medicaid electronically for the nonemergency transportation services.. The Weld County Coroner's Office and Weld County Veteran's Office may have access to certain medical information but neither is considered a healthcare providers and neither is covered under HIPAA. The Weld County Personnel-Department may have access to medical information for employment purposes only, and is therefore not covered under HIPAA. The Weld County Jail is a medical provider through a contract with Correctional Healthcare Management, Inc.,but neither transmits or receives any health information whatsoever in electronic form in connection with any transaction. It does transmit and receive health information by fax. However, paper to paper faxes are not considered to be transmission of health information in electronic form. Because neither the Weld County Jail nor its health contractor transmit health information in electronic form in connection with any transaction, it is not a healthcare provider covered by HIPAA Privacy Regulations. A letter dated May 24, 2002, from William Fischer of Shugart, Thomson& Kilroy, general counsel to Correctional Healthcare Management,Inc., confirms our opinion that the Weld County Jail is not covered by HIPAA regulations. The Weld County Department of Social Services' involvement with general assistance and Medicaid are excluded as health plans, since they are government funded programs not specifically cited under HIPAA as covered entities. Weld County's information technology provider, ACS, has adopted privacy policies and procedures to insure that ACS and Weld County are in compliance with HIPAA at all county locations that have access to, receive, collect, process, store, transmit, or create individually identifiable health information.- Weld County's fully insured group health insurance plan is provided by Pacificare. In accordance with HIPAA and the insurance contract between Weld County and Pacificare the health plan provider (Pacificare) is responsible for HIPAA compliance for the health insurance program. No action is required of Weld County. Weld County provide three benefits that fall under the HIPAA rules. Weld County's Dental, Vision, and Flexible Spending Plans, although not covered by ERISA,they are covered by HIPAA as self insured "health plans'. Therefore, a HIPAA plan must be put in place for these Weld County"health plans". The following is the HIPAA Compliance Plan for Weld County. Hippecovakncr GENERAL HIPPAA POLICIES AND PROCEDURES PHYSICAL AND TECHNICAL SAFEGAURDS: Weld County shall adopt and follow any policies, procedures or forms dealing with physical and technical safeguards for information technology systems promulgated by ACS, unless Weld County specially adopts a policy in-lieu of ACS for information technology systems. The physical and technical safeguards of ACS used by Weld County are: Application Development Security Clean Desk Policy Electronic Transmission of IIHI Encryption Facility Security Network Security Password Management Screen aver or Logoff Requirements At Home Workers E-mail Acceptable Use Fax machine Acceptable Use WELD COUNTY PERSONNEL POLICIES AND HIPPA: Weld County's Personnel policy on confidential information applies in addition to any HIPAA policies on breach of privacy or confidentiality. Any HIPAA policies on personnel discipline for breach of privacy or confidentiality apply in addition those cited in the Weld County Personnel Policies. If there is conflict in any provision of the HIPAA policies concerning personnel discipline and Weld County Personnel Policies concerning discipline and grievance, Weld County Personnel Policies shall take precedence. PROGRAM POLICIES TAKE PRECEDENCE: Any policies, procedures, or forms promulgated by State of Colorado or federal health grant programs which are equal to or more stringent than Weld County's policies will take precedence over Weld County's. The Weld County policies in this HIPAA compliance document are the minimum standard which Weld County employees are held, however sate or federal grant programs may choose or require additional or alternative policies, procedures, or forms to accomplish the same HIPAA compliance requirement. In those cases to insure that grant requirements are met and to avoid redundant effort the state or federal grant policies, procedures, and forms may be used as long as they meet the county's minimum standards specified in this HIPAA compliance document. Alternative grant policies,procedures, and forms must be approved by the Health Department's HIPAA Privacy Officer. HIPAA PROCEDURE AND POLICY PROMULGATION: The Privacy Officer responsible for the departmental HIPAA compliance shall amend and promulgate HIPAA policies and procedures as necessary by securing the department head's approval, and submitting them to the Director of Finance and Administration for review. The changes shall then be forwarded to the Board of Weld County Commissioners for review by the Board members signing off on a cover sheet. If approved by the Board of Weld County Commissioners on the sign off sheet the changes shall be placed upon the Board's consent agenda for final approval. All HIPAA policies shall be reviewed at least annually by the Privacy Officer of each plan for any necessary updates or amendments. • HIPAAgeneraipolicies HIPAA COMPLIANCE PLAN FOR DENTAL, VISION, AND FLEXIBLE SPENDING PLANS HIPAA COMPLIANCE PLAN DENTAL, VISION, AND FLEXIBLE SPENDING PLANS TABLE OF CONTENTS Job Description of Privacy Officer HIPAA Notice of Privacy Practices Policy on Use of Authorizations Business Associates Contract Disclosure to Plan Sponsor Participant Privacy Rights Adequate Separation Documentation Sponsor Certificate to Receive PHI Participant's Privacy Rights Policy and Procedure to Request Restrictions on Use and Disclosure of Protected Health Information Policy and Procedure on Request for Confidential Communication Policy and Procedure on Participant's Right to Access Health Information Policy and Procedure on Participant's Right to Request Amendment to Health Information Policy and Procedure on Accounting for Disclosures Policy on Minimum Necessary Uses Information Policy on Minimum Necessary Disclosure of Information Policy on Minimum Necessary Requests of Information Participant Privacy and Marketing Privacy of the PHI of Deceased Participants Workforce Privacy Training HI PAAtableofcontents PRIVACY OFFICIAL JOB DESCRIPTION Job Title: Privacy Official/Director of Finance and Administration Reports to: Board of Weld County Commissioners Purpose: To provide oversight of compliance with Dental, Vision, and Flexible Spending Plans (Plans) policies and procedures related to the protection of Protected Health Information("PHI") and federal and state regulations related to participant privacy. Essential Duties and Functions: Assist in the interpretation of applicable state law and federal law and regulations, including the HIPAA Privacy Rule, to develop, implement and maintain comprehensive privacy policies and procedures. Serve as the designated contact person in Plans' Notice of Privacy Practices ("Notice") and receive questions and complaints related to the protection of PHI, participant privacy, and violations of Plans' privacy practices. Monitor systems and processes for appropriate access to, use and disclosure of, and requests for PHI. Provide leadership in complying with regulations related to participant privacy and PHI. Ensure that the Notice and authorization forms, Business Associate contracts,plan documents and privacy policies and procedures conform to the requirements of the Privacy Rule. Ensure that Plans' operations and actual practice conform to Privacy Rule requirements. Develop and conduct training on privacy regulations and ensure that all workforce members who perform functions related to the Health Plan and Business Associates receive adequate and appropriate training. Ensure that all documentation required by the Privacy Rule is maintained and retained for six (6) years from the date it was created or was last in effect, whichever is later. Develop systems and processes to monitor Business Associate contracts. Develop systems and processes to ensure that participants' rights to restrict, amend, have access to and receive an accounting of their health information are honored. Serve as an internal and external liaison and resource between the Health Plan and outside entities (including vendors, oversight agencies and other parties) to ensure that Plans' privacy practices are implemented, consistent and coordinated. PRIVACY OFFICIAL JOB DESCRIPTION Cooperate with the Office of Civil Rights or other oversight agencies in any investigations of privacy violations. Audit and monitor compliance with Plans' privacy practices and ensure that appropriate sanctions are applied for any violations. Assist in fostering awareness of the importance of protecting participant privacy and developing an organizational culture committed to the protection of PRI. POLICY & PROCEDURE: Notice of Privacy Practices Section: Effective Date: April 14, 2003 Reviewed by: Don Warden Privacy Review Date:2/1/03 POLICY The privacy practices of Weld County Dental, Vision and Flexible Spending Plans (Plans) designed to protect the privacy, use and disclosure of Protected Health Information ("PHI"), are clearly delineated in the Plans' Notice of Privacy Practices ("Notice") which was developed and is used in accordance with the Privacy Rule. PROCEDURE • The privacy practices of Plans are described in its Notice. _ • The Notice is distributed to all new participants at enrollment. All current participants received the Notice as of the compliance date. All participants receive a revised Notice within 60 days of any material revision to the Notice. The Notice is provided to the named participant or employee for the benefit of all dependents. • The Notice is available to anyone who requests it. Participants have the right to receive a paper copy of the Notice, even if they previously agreed to receive the Notice electronically. • All current participants are notified at least once every three years of the availability of the Notice and provided with instructions on how to obtain it. • The Notice is given to all Business Associates. • The Notice is reviewed with all current workforce members who perform Health Plan functions during their initial training and annually thereafter. • The Notice is revised as needed to reflect any changes in Plans' privacy practices. Revisions to the policies and procedures are not implemented prior to the effective date of the revised Notice. • When revisions to the Notice are necessary, all current participants, workforce members who perform Plan functions and Business Associates receive a revised copy of the Notice. POLICY & PROCEDURE: Notice of Privacy Practices • The Privacy Official retains copies of the original Notice and any subsequent revisions for a period of six (6) years from the date of its creation or when it was last in effect, whichever is later. • All workforce members who perform Health Plan functions and Business Associates are required to adhere to the privacy practices as detailed in the Notice, privacy policies and procedures and Business Associate contracts. • Violations of[Health Plan's] privacy practices will result in disciplinary action up to and including termination of employment or contracts. • The Notice is prominently displayed and available electronically on [Health Plan's] Web site at http://www.co.weld.co.us 1.. • NOTICE OF HEALTH PLAN'S PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. USE AND DISCLOSURE OF HEALTH INFORMATION , Weld County Dental, Vision and Flexible Spending Plans ("Health Plan") may use your health information,that is, information that constitutes protected health information as defined in the Privacy Rule of the Administrative Simplification provision of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), for purposes of making or obtaining payment for your care and conducting health care operations. Health Plan has established a policy to guard against unnecessary disclosure of your health information. THE FOLLOWING IS A SUMMARY OF THE CIRCUMSTANCES UNDER WHICH AND PURPOSES FOR WHICH YOUR HEALTH INFORMATION MAY BE USED AND DISCLOSED: To Make or Obtain Payment. Health Plan may use or disclose your health information to make payment to or collect payment from third parties, such as other health plans or providers, for the care you receive. For example,.Health Plan may provide information regarding your coverage or health care treatment to other health plans to coordinate payment of benefits. To Conduct Health Care Operations. Health Plan may use or disclose health information for its own operations to facilitate the administration of Health Plan and as necessary to provide coverage and services to all of Health Plan's participants. Health care operations includes such activities as: - Quality assessment and improvement activities. - Activities designed to improve health or reduce health care costs. - Clinical guideline and protocol development, case management and care coordination. - Contacting health care providers and participants with information about treatment alternatives and other related functions.. NOTICE OF HEALTH PLAN'S PRIVACY PRACTICES - Health care professional competence or qualifications review and performance evaluation. - Accreditation, certification, licensing or credentialing activities. - Underwriting, premium rating or related functions to create, renew or replace health insurance or health benefits. - Review and auditing, including compliance reviews, medical reviews, legal services and compliance programs. - Business planning and development including cost management and planning related analyses and formulary development. - Business management and general administrative activities of Health Plan, including customer service and resolution of internal grievances. For example, Health Plan may use your health information to conduct case management, quality improvement and utilization review, and provider credentialing activities or to engage in customer service and grievance resolution activities. For Treatment Alternatives. Health Plan may use and disclose your health information to tell you about or recommend possible treatment options or alternatives that may be of interest to you. For Distribution of Health-Related Benefits and Services. Health Plan may use or disclose your health information to provide to you information on health-related benefits and services that may be of interest to you. For Disclosure to the Plan Sponsor. Health Plan may disclose your health information to the plan sponsor for plan administration functions performed by the plan sponsor on behalf of Health Plan. In addition, Health Plan may provide summary health information to the plan sponsor so that the plan sponsor may solicit premium bids from health insurers or modify, amend or terminate the plan. Health Plan also may disclose to the plan sponsor information on whether you are participating in the health plan. When Legally Required. Health Plan will disclose your health information when it is required to do so by any federal, state or local law. NOTICE OF HEALTH PLAN'S PRIVACY PRACTICES To Conduct Health Oversight Activities. Health Plan may disclose your health information to a health oversight agency for authorized activities including audits, civil administrative or criminal investigations, inspections, licensure or disciplinary action. Health Plan, however, may not disclose your health information if you are the subject of an investigation and the investigation does not arise out of or is not directly related to your receipt of health care or public benefits. In Connection With Judicial and Administrative Proceedings. As permitted or required by state law, Health Plan may disclose your health information in the course of any judicial or administrative proceeding in response to an order of a court or administrative tribunal as expressly authorized by such order or in response to a subpoena, discovery request or other lawful process, but only when Health Plan makes reasonable efforts to either notify you about the request or to obtain an order protecting your health information. _ For Law Enforcement Purposes. As permitted or required by state law, Health Plan may disclose your health information to a law enforcement official for certain law enforcement purposes, including, but not limited to, if Health Plan has a suspicion that your death was the result of criminal conduct or in an emergency to report a crime. In the Event of a Serious Threat to Health or Safety. Health Plan may, consistent with applicable law and ethical standards of conduct, disclose your health information if Health Plan, in good faith, believes that such disclosure is necessary to prevent or lessen a serious and imminent threat to your health or safety or to the health and safety of the public. For Specified Government Functions. In certain circumstances, federal regulations require Health Plan to use or disclose your health information to facilitate specified government functions related to the military and veterans, national security and intelligence activities, protective services for the president and others, and correctional institutions and inmates. For Worker's Compensation. Health Plan may release your health information to the extent necessary to comply with laws related to worker's compensation or similar programs. AUTHORIZATION TO USE OR DISCLOSE HEALTH INFORMATION Other than as stated above, Health Plan will not disclose your health information other than with your written authorization. If you authorize Health Plan to use or disclose your health information, you may revoke that authorization in writing at any time. • NOTICE OF HEALTH PLAN'S PRIVACY PRACTICES YOUR RIGHTS WITH RESPECT TO YOUR HEALTH INFORMATION You have the following rights regarding your health information that Health Plan maintains: Right to Request Restrictions. You may request restrictions on certain uses and disclosures of your health information. You have the right to request a limit on Health Plan's disclosure of your health information to someone involved in the payment of your care. However, Health Plan is not required to agree to your request. If you wish to make a request for restrictions, please contact Don Warden, Director of Finance and Administration at 970-356-4000 Extension 4218. Right to Receive Confidential Communications. You have the right to request that Health Plan communicate with you in a certain way if you feel the disclosure of your health information could endanger you. For example, you may ask that Health Plan only communicate with you at a certain telephone number or by email. If you wish to receive confidential communications, please make your request in writing to Don Warden, 915 10th Street, Greeley, CO 80631. Health Plan will attempt to honor your reasonable requests for confidential communications. Right to Inspect and Copy Your Health Information. You have the right to inspect and copy your health information. A request to inspect and copy records containing your health information must be made in writing to Don Warden, Director of Finance and Administration, 915 10th Street, Greeley, CO 80631]. If you request a copy of your health information, Health Plan may charge a reasonable fee for copying, assembling costs and postage, if applicable, associated with your request. Right to Amend Your Health Information. If you believe that your health information records are inaccurate or incomplete, you may request that Health Plan amend the records. That request may be made as long as the information is maintained by Health Plan. A request for an amendment of records must be made in writing to Don Warden, Director of Finance and Administration, 91510` Street, Greeley, CO 80631 Health Plan may deny the request if it does not include a reason to support the amendment. The request also may be denied if your health information records were not created by Health Plan, if the health information you are requesting to amend is not part of Health Plan's records, if the health information you wish to amend falls within an exception to the health information you are permitted to inspect and copy, or if Health Plan determines the records containing your health information are accurate and complete. NOTICE OF HEALTH PLAN'S PRIVACY PRACTICES Right to an Accounting. You have the right to request a list of certain disclosures of your health information that Health Plan is required to keep a record of under the Privacy Rule, such as disclosures for public purposes authorized by law or disclosures that are not in accordance with the Plan's privacy policies and applicable law. The request must be made in writing to Don Warden, Director Finance and Administration, 91510h Street, Greeley, CO 80631 The request should specify the time period for which you are requesting the information, but may not start earlier than April 14, 2003 . Accounting requests may not be made for periods of time going back more than six (6) years. Health Plan will provide the first accounting you request during any 12-month period without charge. Subsequent accounting requests may be subject to a reasonable cost-based fee. Health Plan will inform you in advance of the fee, if applicable. Right to a Paper Copy of this Notice. You have a right to request and receive a paper copy of this Notice at any time, even if you have received this Notice previously or agreed to receive the Notice electronically. To obtain a paper copy, please contact Don Warden, Director Finance and Administration, 915101kStreet, Greeley, CO 80631. You also may obtain a copy of the current version of Health Plan's Notice at its Web site, www.co.weld.co.us. DUTIES OF HEALTH PLAN Health Plan is required by law to maintain the privacy of your health information as set forth in this Notice and to provide to you this Notice of its duties and privacy practices. Health Plan is required to abide by the terms of this Notice, which may be amended from time to time. Health Plan reserves the right to change the terms of this Notice and to make the new Notice provisions effective for all health information that it maintains. If Health Plan changes its policies and procedures, Health Plan will revise the Notice and will provide a copy of the revised Notice to you within 60 days of the change. You have the right to express complaints to Health Plan and to the Secretary of the Department of Health and Human Services if you believe that your privacy rights have been violated. Any complaints to Health Plan should be made in writing to Don Warden, Director of Finance and administration, 915 10" Street, Greeley, CO 80631]. Health Plan encourages you to express any concerns you may have regarding the privacy of your information. You will not be retaliated against in any way for filing a complaint. NOTICE OF HEALTH PLAN'S PRIVACY PRACTICES CONTACT PERSON Health Plan has designated the Don Warden, Director of Finance and Administration as its contact person for all issues regarding patient privacy and your privacy rights. You may contact this person at 91510` Street, Greeley, CO 80631 or phone him at 970-356-4000 Extension 4218]. EFFECTIVE DATE This Notice is effective April 14, 2003. IF YOU HAVE ANY QUESTIONS REGARDING THIS NOTICE, PLEASE CONTACT Don Warden Director of Finance and Administration, 91510`h Street, Greeley, CO or phone him at 970-356-4000 Extension 4218. POLICY & PROCEDURE: Use of Authorizations Section: Effective Date: April 14, 2003 Reviewed by: Don Warden Privacy Reviewed Date: 2/1/03 POLICY Authorizations are required for the use and disclosure of Protected Health Information . ("PHI")for purposes other than the permitted uses and disclosures specified in the Privacy Rule. PROCEDURE • Weld County dental, Vision, and Flexible Spending Plans (Plans) do not obtain an authorization from the participant to: • Use or disclose PHI for [Health Plan's] payment or Health Care Operations; • Disclose PHI to a Health Care Provider for the participant's treatment; • Disclose PHI to another Covered Entity or a Health Care Provider for that entity's payment activities; and • Disclose PHI to another Covered Entity for that entity's Health Care Operations if both entities have or had a relationship with the participant whose PHI is being requested, the PHI pertains to the current or former relationship, and the purpose of the disclosure is for: • A Health Care Operations activity for which the Privacy Rule states an authorization is not required; or • Detection of health care fraud and abuse or compliance with health care fraud and abuse laws. • Use or disclose PHI as specifically permitted by the Privacy Rule pursuant to an exception. • When authorization is needed, the participant is provided with a copy of the authorization form and asked to sign it. • Signing the authorization form is voluntary and the participant may refuse to sign it. • A copy of the signed authorization is provided to the participant. POLICY & PROCEDURE: Use of Authorizations • The participant may revoke the authorization, in writing, at any time. • The permissions granted in the authorization are not acted upon if the authorization has been revoked or if it has expired. • The authorization is documented and retained for a period of six (6) years after it was created or expired, whichever date is later. PARTICIPANT AUTHORIZATION FORM [A separate authorization must be used if the authorization is for psychotherapy notes.] Participant Name: Birth Date: MM / DD / YR Address: Home Telephone Number: E-mail:, Work Telephone Number: Participant Identification Number and/or Social Security Number: By signing this authorization form I authorize the person(s) and/or organization(s) described below to use and/or disclose my health information (information that constitutes protected health information as defined in the Privacy Rule of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996) in the manner described below. I understand that I am under no obligation to sign this form. The person(s) and/or organization(s) described below who I am authorizing to use and/or disclose my information may not condition treatment, payment, enrollment in a health plan or eligibility for health care benefits on my decision to sign this authorization, except as follows: • A health plan may condition enrollment in the health plan or eligibility for benefits on this authorization if I am not yet enrolled in the health plan, the purpose of this authorization is to allow the health plan to obtain the information it needs to make an eligibility, enrollment, underwriting or risk rating determination and psychotherapy notes are not requested. If I refuse to sign this authorization I may be denied enrollment in the health plan or eligibility for health care benefits. I have signed this form voluntarily to document my wishes regarding the use and/or disclosure of the health information described below in Section 1 of this form. PARTICIPANT AUTHORIZATION FORM 1. Description of Health Information I Authorize to be Used or Disclosed. The following is a specific description of the health information I authorize be used and/or disclosed: (Specify and provide a meaningful description.) 2. Persons/Organizations Authorized to Use and/or Disclose My Health Information. I authorize the following person(s) and/or organization(s) (or classes of persons and/or organizations), including Weld County Dental, Vision, and Flexible Spending Plans (Plans) to use and/or disclose the health information described above in Section 1 of this form. 3. Persons/Organizations Authorized to Receive and/or Use My Health Information. I authorize the following person(s) and/or organization(s) (or classes of persons and/or organizations) to receive my health information from the person(s) and/or organization(s) described in Section 2 above and to use or disclose such information for the purposes listed below in Section 4 of this form. I understand that if the person(s) and/or organization(s) listed below are not health care providers, health plans or health care clearinghouses subject to federal privacy standards, the health information disclosed pursuant to this authorization may no longer be protected by the federal privacy standards and such person(s) and/or organization(s) may redisclose my health information without obtaining my authorization. PARTICIPANT AUTHORIZATION FORM 4. Description of Each Purpose for the Requested Use and/or Disclosure. I authorize my health information to be used and/or disclosed for the following specific purposes: 5. Your Rights with Respect to This Authorization. 5.1 Right to Revoke. I understand that I have the right to revoke this authorization at any time. I also understand that my revocation of this authorization must be in writing. To obtain a copy of an authorization revocation form I may contact Weld County Director of Finance and Administration, 915loth Street, Greeley, Co 80631 or phone him at 970-356-4000 Extension 4218. I am aware that my revocation will not be effective as to uses and/or disclosures of my health information that the person(s) and/or organization(s) identified in Sections 2 and 3 of this form have already made in reliance upon this authorization. 5.2 Right to Receive Copy of This Authorization. I understand that if I agree to sign this authorization, which I am not required to do, I must be provided with a signed copy of it. 6. Disclosure of Direct or Indirect Remuneration Received By Any Person or Organization Authorized to Use or Disclose My Health Information. I understand that the following person(s) and/or organization(s) will be receiving direct or indirect remuneration in connection with the use or disclosure of my health information: NONE 7. Expiration of Authorization. This authorization will expire (choose and complete one): ❑ On / / MM / DD / YR PARTICIPANT AUTHORIZATION FORM ❑ Upon the occurrence of the following event(s) related to my health care or to the purpose(s) for which I have authorized the use and/or disclosure of my health information described in Section 4 of this form: I (please print name),have had an opportunity to review and understand the contents of this form. By signing this form, I am confirming that it accurately reflects my wishes. / / Participant Signature Date If signed by a personal representative, complete the following: Name of personal representative: Relationship to participant or nature of authority (e.g., health care power of attorney, guardian, other statutory authorization): Address: Home Telephone Number: E-mail: Work Telephone Number: / / Signature of Personal Representative Date POLICY & PROCEDURE: Business Associates Section: Effective Date: April 14, 2003. Reviewed by: Don Warden Privacy Reviewed Date:2/1/03 POLICY Weld County Dental, Vision, and flexible Spending Plans' (Plans) Business Associates are required to provide satisfactory assurances that they will maintain the confidentiality of the Protected Health Information ("PHI") of Plan's participants and only use and disclose PHI for the purposes for which it was provided. PROCEDURE • Existing and new relationships with the Plans' service providers are reviewed to determine if the relationship requires the use and/or disclosure of PHI and thus, _ whether the entity is a Business Associate. • • Business associates are required to sign a written contract that provides satisfactory assurances that they will adhere to Plans' privacy practices. • Plans require their Business Associates to determine the minimum necessary type and amount of PHI required to perform the services under the Agreement and to represent to Plans that it has requested the minimum necessary PHI for the stated purpose. Plans rely on the professional judgement of Business Associates to determine the type and amount of PHI necessary for their purposes. • The Privacy Official monitors the return or destruction of PHI used, created or obtained by the Business Associate upon termination of the contract (or the extension of protection if not returned or destroyed). • The Privacy Official ensures that any complaints regarding privacy violations by Business Associates are reviewed. If the Privacy Official is aware of a pattern or practice that is a material violation of the Business Associate's duties with regard to privacy, the Privacy Official takes reasonable steps to end the violation. If such steps are unsuccessful, the Privacy Official determines, in consultation with the Board of Weld County Commissioners whether termination of the agreement is feasible. If not, the Privacy Official reports-the violation to DHHS. *Small Health Plans must comply by April 14,2004. Large Health Plans must comply by April 14,2003, except for contacts that are entitled to the following extension. Health Plans,other than Small Health Plans,are not required to amend a Business Associate agreement to meet the requirements of the Privacy Rule by April 14,2003 if the agreement is in writing and is not renewed or modified between October 15, 2002 and April 14,2003. Such agreements must be brought into compliance on the date they are renewed or modified following April 14,2003,but no later than April 14,2004. Agreements that renew automatically without any change in terms or other action by the parties are eligible for the extension. Business Associate Addendum to Existing Contracts This Addendum is effective on April 14, 2003, and amends and is made part of the Agreement by and between Weld County, acting as a Health Plan in relationship to Weld County's Dental, Vision, and Flexible Spending Plans ("Health Plans")and [Business Associate] ("Business Associate") dated , "Agreement." Health Plan and Business Associate agree to modify the Agreement, to comply with the Administrative Simplification requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as set forth in Title 45, Parts 160 and 164 of the Code of Federal Regulations (the "CFR"). In the event of conflicting terms or conditions, this Addendum shall supersede the Agreement. 1. Definitions. Capitalized terms not otherwise defined in the Agreement shall have the meanings given to them in Title 45, Parts 160 and 164 of the CFR and are incorporated herein by reference. 2. Use and Disclosure of Protected Health Information. Business Associate shall use and/or disclose Protected Health Information ("PHI") only to the extent necessary to satisfy Business Associate's obligations under the Agreement. 3. Prohibition on Unauthorized Use or Disclosure of PHI. Business Associate shall not use or disclose any PHI received from or on behalf of Health Plan, except as permitted or required by the Agreement, as required by law or as otherwise authorized in writing by Health Plan. Business Associate shall comply with: (a) Title 45, Part 164 of the CFR; (b) State laws, rules and regulations applicable to PHI not preempted pursuant to Title 45, Part 160, Subpart B of the CFR or the Employee Retirement Income Security Act of 1974 ("ERISA") as amended; and (c) Health Plan's health information privacy and security policies and procedures. 4. Business Associate's Operations. Business Associate may use PHI it creates or receives for or from Health Plan only to the extent necessary for Business Associate's proper management and administration or to carry out Business Associate's legal responsibilities. Business Associate may disclose such PHI as necessary for Business Associate's proper management and administration or to carry out Business Associate's legal responsibilities only if: (a) The disclosure is required by law; or Business Associate Addendum to Existing Contracts (b) Business Associate obtains reasonable assurance, evidenced by written contract, from any person or organization to which Business Associate shall disclose such PHI that such person or organization shall: (i) Hold such PHI in confidence and use or further disclose it only for the purpose for which Business Associate disclosed it to the person or organization or as required by law; and (H) Notify Business Associate (who shall in turn promptly notify Health Plan) of any instance of which the person or organization becomes aware in which the confidentiality of such PHI was breached. 5. Data Aggregation Services. Business Associate may use PHI to provide Data Aggregation Services related to Health Plan's Health Care Operations. 6. PHI Safeguards. Business Associate shall develop, implement, maintain and use appropriate administrative, technical and physical safeguards to prevent the improper use or disclosure of any PHI received from or on behalf of Health Plan. 7. Electronic Health Information Security and Integrity. Business Associate shall develop, implement, maintain and use appropriate administrative, technical and physical security measures in compliance with Section 1173(d) of the Social Security Act, Title 42, Section 1320d-2(d) of the United States Code and Title 45, Part 142 of the CFR to preserve the integrity and confidentiality of all electronically maintained or transmitted Health Information received from oron behalf of Health Plan pertaining to an individual. Business Associate shall document and keep these security measures current. 8. Protection of Exchanged Information in Electronic Transactions. If Business Associate conducts any Standard Transaction for or on behalf of Health Plan, Business Associate shall comply, and shall require any subcontractor or agent conducting such Standard Transaction to comply, with each applicable requirement of Title 45, Part 162 of the CFR. Business Associate shall not enter into or permit its subcontractors or agents to enter into any Trading Partner Agreement in connection with the conduct of Standard Transactions for or on behalf of Health Plan that: (a) changes the definition, Health Information condition or use of a Health Information element or segment in a Standard; (b) adds any Health Information elements or segments to the maximum defined Health Information set; (c) uses any code or Health Information elements that are either marked "not used" in the Standard's Implementation Specification or are not in the Standard's Implementation Specification(s); or (d) changes the meaning or intent of the Standard's Implementation Specification(s). Business Associate Addendum to Existing Contracts 9. Subcontractors and-Agents. Business Associate shall require each of its subcontractors or agents to whom Business Associate may provide PHI received from, or created or received by Business Associate on behalf of Health Plan to agree to written contractual provisions that impose at least the same obligations to protect such PHI as are imposed on Business Associate by the Agreement. 10. Access to PHI. Business Associate shall provide access, at the request of Health Plan, to PHI in a Designated Record Set, to Health Plan or, as directed by Health Plan, to an individual to meet the requirements under Title 45, Part 164, Subpart E, Section 164.524 of the CFR and applicable state law. Business Associate shall provide access in the time and manner set forth in Health Plan's health information privacy and security policies and procedures. 11. Amending PHI. Business Associate shall make any amendment(s) to PHI in a Designated Record Set that Health Plan directs or agrees to pursuant to Title 45, Part 164, Subpart E, Section 164.526 of the CFR at the request of Health Plan or an Individual, and in the time and manner set forth in Health Plan's health information privacy and security policies and procedures. 12. Accounting of Disclosures of PHI. (a) Business Associate shall document such disclosures of PHI and information related to such disclosures as would be required for Health Plan to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with Title 45, Part 164, Subpart E, Section 164.528 of the CFR. (b) Business Associate agrees to provide Health Plan or an individual, in the time and manner set forth in Health Plan's health information privacy and security policies and procedures, information collected in accordance with Section 11(a) above, to permit Health Plan to respond to a request by an individual for an accounting of disclosures of PHI in accordance with Title 45, Part 164, Subpart E, Section 164.528 of the CFR. 13. Access to Books and Records. Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI received from or on behalf of Health Plan available to Health Plan and to DHHS or its designee for the purpose of determining Health Plan's compliance with the Privacy Rule. 14. Reporting. Business Associate shall report to Health Plan any use or disclosure of PHI not authorized by the Agreement,by law, or in writing by Health Plan. Business Associate shall make-the report to Health Plan's Privacy Official not less than Business Associate Addendum to Existing Contracts 24 hours after Business Associate learns of such unauthorized use or disclosure. Business Associate's report shall at least: (a) identify the nature of the unauthorized use or disclosure; (b) identify the PHI used or disclosed; (c) identify who made the unauthorized use or received the unauthorized disclosure; (d) identify what Business Associate has done or shall do to mitigate any deleterious effect of the unauthorized use or disclosure; (e) identify what corrective action Business Associate has taken or shall take to prevent future similar unauthorized use or disclosure; and(f) provide such other information, including a written report, as reasonably requested by Health Plan's Privacy Official. 15. Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of the Agreement. 16. Termination for Cause. Upon Health Plan's knowledge of a material breach by Business Associate, Health Plan shall: (a) Provide an opportunity for Business Associate to cure the breach or end the violation and terminate if Business Associate does not cure the breach or end the violation within the time specified by Health Plan. (b) Immediately terminate the Agreement if Business Associate has breached a material term of the Agreement and cure is not possible. (c) If neither termination nor cure is feasible, Health Plan shall report the violation to DHHS. 17. Return or Destruction of Health Information. (a) Except as provided in Section 17(b) below, upon termination, cancellation, expiration or other conclusion of the Agreement, Business Associate shall return to Health Plan or destroy all PHI received from Health Plan, or created or received by Business Associate on behalf of Health Plan. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI. Business Associate Addendum to Existing Contracts (b) In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Health Plan notification of the conditions that make return or destruction infeasible. Upon verification by Health Plan that the return or destruction of PHI is infeasible, Business Associate shall extend the protections of the Agreement to such PHI and limit further uses and disclosure of PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI. 18. Automatic Amendment. Upon the effective date of any amendment to the regulations promulgated by HHS with respect to PHI, the Agreement shall automatically amend such that the obligations imposed on Business Associate as a Business Associate remain in compliance with such regulations. IN WITNESS WHEREOF, each of the undersigned has caused this Addendum to be duly executed in its name and on its behalf effective as of April 14, 2003. WELD COUNTY BUSINESS ASSOCIATE By: By: Print Name: Print Name: Title: Chair, Bd. Weld Co. Commissioners Print Title: Date: • Date: POLICY & PROCEDURE: Disclosure to the Plan Sponsor Section: Effective Date: April 14, 2003 Reviewed by: Don Warden Privacy Reviewed Date: 2/1/03 POLICY Weld County Dental, Vision, and Flexible Spending Plans do not disclose PHI to the Plan Sponsor, except in the manner and for the purposes specifically permitted under the Privacy Rule. The Plan Sponsor is required to certify that plan documents have been amended before disclosure may occur. PROCEDURE • Plans only disclose PHI to the Plan Sponsor if one of the following applies: • Plans receive written authorization from the participant to disclose PHI to the Plan Sponsor; • Plans disclose information to the Plan Sponsor on whether an individual is participating in the health plan; • Plans provides the Plan Sponsor with PHI in the form of Summary Health Information for the purpose of obtaining premium bids from health insurance issuers; • Plans provide the Plan Sponsor with PHI in the form of Summary Health Information for the purpose of assessing modifying, amending, or terminating the Plans; or • Plans receive certification from the Plan Sponsor that the plan documents have been modified as required by the Privacy Rule, and the uses and disclosures of PHI by the Plan Sponsor will be restricted to plan administration functions performed by the Plan Sponsor on behalf of the Plans in accordance with the plan document. • Plans require certification from the Plan Sponsor that the Plan Sponsor will not use the PHI for any employment-related decisions and that plan documents have been amended as required before disclosing PHI to the Plan Sponsor. • Plans include a separate statement in its Notice of Privacy Practices informing participants that PHI may be disclosed to the Plan Sponsor. • Plans only disclose the minimum necessary amount and type of PHI to the Plan Sponsor. Plan Sponsor Addendum to Existing Plan Documents This Addendum is effective on April 14, 2003 and amends and is made part of the Health Plan's plan documents. The Health Plan ("Plan") modifies the plan documents as required under the Administrative Simplification requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), to allow the disclosure of Protected Health Information ("PHI") as defined under HIPAA, to Weld County, ("Plan Sponsor") for the purposes specified below. If the terms or conditions of the plan documents conflict with this Addendum, this Addendum shall control. 1 . Disclosure of PHI to Plan Sponsor. Plan shall disclose PHI to Plan Sponsor only to the extent necessary for Plan Sponsor to perform the following Plan administrative functions: Accounting department shall process claims. 2. Use and Disclosure of PHI by Plan Sponsor. Plan Sponsor shall use and/or disclose PHI only to the extent necessary to perform the following Plan Administration functions, which it performs on behalf of the Plan: Accounting department to process claims and Finance and administration shall have oversight of the plans and perform budget functions to determine funding levels of plans and file necessary reports. 3. Plan Sponsor Certification. The Plan agrees that it will only disclose PHI to the Plan Sponsor upon receipt of a certification that this addendum has been adopted and the Plan Sponsor agrees to abide by such conditions. Plan Sponsor is subject to the following: Prohibition on Unauthorized Use or Disclosure of PHI. The Plan Sponsor will not use or disclose any PHI received from the Plan, except as permitted in these documents or required by law. ii. Subcontractors and Agents. The Plan Sponsor will require each of its subcontractors or agents to whom the Plan Sponsor may provide PHI to agree to written contractual provisions that impose at least the same obligations to protect PHI as are imposed on the Plan Sponsor. iii. Permitted Purposes. The Plan Sponsor will not use or disclose PHI for employment-related actions and decisions or in connection with any other of Plan Sponsor's benefits or employee benefit plans. Plan Sponsor Addendum to Existing Plan Documents iv. Reporting. The Plan Sponsor will report to the Plan any impermissible or improper use or disclosure of PHI not authorized by the plan documents. v. Access to PHI by Participants. The Plan Sponsor will make PHI available to the Plan to permit participants to inspect and copy their PHI contained in the designated record set. vi. Correction of PHI. The Plan Sponsor will make a participant's PHI available to the Plan to permit participants to amend or correct PHI contained in the designated record set that is inaccurate or incomplete and Plan Sponsor will incorporate amendments provided by the Plan. vii. Accounting of PHI. The Plan Sponsor will make a participant's PHI available to permit the Plan to provide an accounting of disclosures. • viii. Disclosure to Government Agencies. The Plan Sponsor will make its internal practices, books and records relating to the use and disclosure of PHI available to the Plan and to DHHS or its designee for the purpose of determining the Plan's compliance with HIPAA. ix. Return or Destruction of Health Information. When the PHI is no longer needed for the purpose for which disclosure was made, the Plan Sponsor must, if feasible, return to the Plan or destroy all PHI that the Plan Sponsor received from or on behalf of the Plan. This includes all copies in any form, including any compilations derived from the PHI. If return or destruction is not feasible, the Plan Sponsor agrees to restrict and limit further uses and disclosures to the purposes that make the return or destruction infeasible. x. Minimum Necessary Requests. The Plan Sponsor will use best efforts to request only the minimum necessary type and amount of PHI to carry out the functions for which the information is requested. Plan Sponsor Addendum to Existing Plan Documents 4. Adequate Separation. The Plan Sponsor represents that adequate separation exists between the Plan and Plan Sponsor so that PHI will be used only for plan administration. The following employees or persons under the control of the Plan Sponsor have access to participants' PHI for the purposes set forth under number 1 above: Accounting and Finance and Administration staff with claims processing duties and oversight responsibility for claims administration. 5. Adequate Separation Certification. The Plan requires the Plan Sponsor to certify that the employees identified above are the only employees that will access and use participants' PHI. The Plan Sponsor must further certify that the such employees will only access and use PHI for the purposes set forth under number 1 above. 6. Reports of Non-Compliance. Anyone who suspects an improper use or disclosure of PHI may report the occurrence to the Plan's Privacy Official at 970-356-4000 Extension 4218. Adequate Separation Documentation Employee Recipient (by Categories/Amount of Purpose/Plan title, department or Protected Health Administration function) Information Function Claims and financial data Administrative oversight Director of Finance and and financial data Administration analysis. Privacy officer functions. Finance and Administration Claims and financial data Administrative oversight Controller and Assistant and financial data Controller analysis. Accounting Department Payroll Technician and Claims Payments of claims and Accountant III payroll administration Accounting Department Office Technicians Claims Payment of claims Accounting Department Personnel Technician Plan enrollment information Plan enrollment Personnel Department Banner Programmer All data elements Maintain claims payment system Information Services (ACS) (Banner) Sponsor Certification to Receive PHI I hereby certify on behalf of Weld County_("Plan Sponsor"), that the a' ed amendment tote Dental Plan ("Plan") has been adopted. Ff / i0-3 Plan Sponsor Signature Date David E. Long Chair, Board of Weld County Commissioners Sponsor Certification to Receive PHI I hereby certify on behalf of Weld County_("Plan Sponsor"), that the attached amendment to the Vision Plan ("Plan") has been adopted. Plan Sponsor Signature Date David E. Long Chair, Board of Weld County Commissioners Sponsor Certification to Receive PHI I hereby certify on behalf of Weld County_("Plan Sponsor"), that the attached amendment to the Flexible Spending Plan ("Plan") has been adopted. Plan Sponsor Signature Date David E. Long Chair, Board of Weld County Commissioners ..1 POLICY & PROCEDURE: Participant Privacy Rights Section: Effective Date: April 14, 2003 Reviewed by: Don Warden Privacy Reviewed Date: 2/1/03 POLICY • Weld County Dental, Vision, and Flexible Spending Plans (Plans) have implemented policies and procedures to ensure participant privacy rights as required by and specified in the Privacy Rule of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996. PROCEDURE • Participants in the Plans have the right to: • Receive a paper copy of the Plans' Notice of Privacy Practices ("Notice"), even if participant has agreed previously to receive the Notice electronically; • Request restrictions on the uses and disclosures of Protected Health Information ("PHI"); • Request to receive confidential communication by an alternative means or at an alternative location if appropriate cause is shown; • Access documents in the designated record set for inspection and/or copying; • Request to amend documents in the designated record set that are inaccurate or incomplete; and • Obtain an accounting of disclosures of their PHI. • Plans adhere to policies and procedures developed and implemented to ensure participant privacy rights. • Plans provides workforce members who perform plan administration functions with annual training regarding participant rights with respect to their PHI. POLICY & PROCEDURE: Participant Requests for Restrictions on the Use and/or Disclosure of Protected Health Information Section: Effective Date: April 14, 2003 Reviewed by: Don Warden Privacy Reviewed Date: 2/1/03 POLICY Participants have the right to request restrictions on how their Protected Health Information ("PHI") is used and/or disclosed for treatment, payment and health care operations. PROCEDURE • Participants are informed of their right to request restrictions on the use and disclosure of their PHI in Weld County Dental, Vision, and Flexible Spending Plans (Plans) Notice of Privacy Practices ("Notice"). • All requests by participants for restrictions on the use and disclosure of their PHI must be forwarded to the Privacy Official or designee for approval. • Workforce members or Business Associates who perform plan functions may not grant or deny a participant's request for restrictions without prior authorization from the Privacy Official or designee. When a request for restriction(s) is accepted: • The participant will be informed of any potential consequences of the restriction; • A notation will be made in the participant's record(s); • Plans will not use or disclose PHI inconsistent with the agreed restriction, nor will its Business Associates; • The participant will be informed that Plans are not required to comply with the agreed upon restriction(s) in emergency treatment situations when the restricted PHI is needed for treatment; • If the agreed upon restriction hampers treatment, Plans will ask the participant to modify or revoke the restriction and get written agreement to the modification or revocation or document an oral agreement; POLICY & PROCEDURE: Participant Requests for Restrictions on the Use and/or Disclosure of Protected Health Information • The use and/or disclosure of PHI will be consistent with the status of the restriction in effect on the date it is used or disclosed; and • Written documentation of the agreed to restriction will be maintained for six (6) years from the date of its creation or the date when it was last in effect, whichever is later. When a request for restriction(s) is denied by Plans: • The participant will be given the opportunity to discuss his or her privacy concerns, if desired; and • Efforts will be made to assist the participant in modifying the request for restrictions to accommodate his or her concerns and obtain acceptance by Plans. Request For Restrictions On Use and/or Disclosure Of Protected Health Information Participant Name: Birth Date: /_ / Address: Home Telephone Number: E-mail: Participant Identification Number and/or Social Security Number: , am requesting a restriction on Weld County Dental. Vision, and Flexible Spending Plans' (Plans) use and/or disclosure of my health information (information that constitutes protected health information as defined in the Privacy Rule of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996) in the manner described below. I understand that Plans may deny this request for any reason. I also understand that if agreed to, Plans may not be able to honor this request if I require emergency treatment and that the Plans may remove this restriction in the future, if I am notified in advance. Description of Restriction of the Health Information to be Used or Disclosed. The following is a description of the specific health information I wish to restrict: Persons/Organizations Restricted from Use and/or Disclosure of Health Information. I request that the following person(s) and/or organization(s) not be allowed to use, receive and/or disclose the health information described above. By signing this form, I am confirming that it accurately reflects my wishes. / / Signature Date If signed by personal representative: Name of personal representative: Relationship to participant or nature of authority: / / Signature of Personal Representative Date POLICY & PROCEDURE: Participant Requests for Confidential Communications Section: Effective Date: April 14, 2003 Reviewed by: Don Warden Privacy Reviewed Date: 2/1/03 POLICY Participants have the right to request restrictions on how and where their Protected Health Information ("PHI") is communicated. PROCEDURE • Weld County Dental, Vision, and Flexible Spending Plans require participants who desire their PHI to be communicated in an alternative manner or location than the Plan would otherwise use, to specify the alternative location or other method of communication. • Plans require that the participant clearly state that the restriction is necessary to prevent a disclosure that could endanger the participant. • Plans do not refuse to accommodate such requests unless the request imposes an unreasonable administrative burden. • The participant may request confidential communication at any time. • The request must be made in writing to the Director of Finance and 'Administration, 915 10th Street, Greeley, CO 80631 or phone 970-356-4000 Extension 4218. • Written documentation of the participant's request, if granted, will be placed in the participant's record(s). Participant Request For Confidential Communications Participant Name: Birth Date: _ / MM / DD / YR Address: Home Telephone Number: E-mail: Participant Identification Number and/or Social Security Number: l , am requesting that (Please check one or more): _Weld County Dental Plan —Weld County Vision Plan Weld County flexible Spending Plan communicate with me in the alternative manner and/or location described below - regarding my health information (information that constitutes protected health information as defined in the Privacy Rule of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996). Such restriction is necessary to prevent a disclosure that could endanger me. I understand that Plans may deny this request if it imposes an unreasonable administrative burden. Description of the Health Information that Must be Communicated Confidentially. The following is a description of the specific health information to which this request applies: Alternative Manner and/or Location. I request that Plan(s) only communicate with me in the following manner and/or at the location described below: By signing this form, I am confirming that it accurately reflects my wishes. Signature Date Participant Request For Confidential Communications If signed by personal representative: Name of personal representative: Relationship to participant or nature of authority: Signature of Personal Representative Date Submit Form to Don Warden, Director of Finance and administration, 915 10th Street, Greeley, CO 80631 • POLICY & PROCEDURE: Participant Requests for Access to Protected Health Information for Inspection and/or Copying Section: Effective Date: April 14, 2003 Reviewed by: Don Warden Privacy Reviewed Date: 2/1/03 POLICY Participants have the right to request to inspect or obtain a copy of their Protected Health Information ("PHI") in the designated record set. PROCEDURE • Weld County Dental. Vision, and Flexible Spending Plans (Plans) require and inform participants that requests for access to PHI must be made in writing.' • When a request for access to PHI is received;it will be acted upon according to the following time frames: • Within thirty (30) days if the requested information is maintained and accessible on site; or • Within sixty (60) days if the requested information is maintained off site. • If the request is granted, Plans inform the participant and provides the access requested, within the time frames above. • The time frames stated above may be extended one time for no more than thirty (30) days. If the extension is necessary, Plans will provide the participant, within the time frames above, a written statement that specifies the reason(s) for the delay and the date by which the participant may expect to receive a decision on the request to access the PHI for inspection and/or copying. • Plans document the records that comprise the designated record set that is subject to access requests and maintains such records for a period of six (6) years from the date they were created or were last in effect, whichever is later. • Plans maintain the titles of the persons/offices responsible for receiving and processing access requests for a period of six (6) years. Please note that this is permitted,but is not required by the Privacy Rule. Asserting this requirement in the policy and procedure may help facilitate documenting and responding to requests for access to PHI. POLICY & PROCEDURE: Participant Requests for Access to Protected Health Information for Inspection and/or Copying When the Plans deny a request for access (in whole or in part): • The participant is given a statement written in plain language that includes: • the reasons for,the denial decision; • if applicable, the participant's right to a review of the decision with an explanation of how to exercise this right; and • a description of how the participant may file a complaint with the Plans and DHHS, including the title and telephone number of a Health Plan contact person. • To the extent possible, Plans will grant access to other PHI for which there are no grounds to deny access. • If the denial is reviewable and the participant requests such a review, Plans will designate a licensed health care professional, not involved in the original denial decision, to serve as a reviewing official. Upon receipt of a review request, Plans will promptly refer the denial to the reviewing official for reevaluation. Plans will provide written notice to the participant of the reviewing official's determination. • If the Plans deny access because it does not maintain the PHI requested but knows where the.requested PHI is maintained, Plans will inform the participant of where to direct the request. When a request for access is accepted(in whole or in part): • The participant is notified of the decision and may choose to inspect the PHI, copy it, or both, in the form or format requested. • In lieu of providing access, Plans may provide a summary of the requested PHI for an additional charge if the participant agrees to the summary and to the additional fee. • Plans and the participant will arrange a mutually convenient time and place for the . participant to inspect and/or obtain a copy of the requested PHI. • Plans will mail a copy of the requested PHI if the participant prefers this method of obtaining-a copy. POLICY & PROCEDURE: Participant Requests for Access to Protected Health Information for Inspection and/or Copying Fees charged by[Health Plan] for access to PHI: • Plans charges a reasonable, cost-based fee for copying, including labor and supplies (for instance, paper, computer disks). • Plans charge the cost of postage when the participant requests that the information be mailed. • No fee is charged for retrieving or handling the PHI or for processing the participant's access request. Health Plans may charge a nominal fee for preparing an explanation or summary of the requested PHI if the participant is informed of and agrees to receive a summary of the PHI and is willing to pay the fee. Sample Form Letter: Denial (in whole or in part) of Request for Access to Protected Health Information ("PHI") Date Participants Name Address City, State, Zip Dear Thank you for your request to access your health information (information that constitutes protected health information as defined in the Privacy Rule of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996), received by [Health Plan] on . After careful review, we are not able to grant your request for the following reason(s): [Make reference to the specific permissible ground(s) for denial; if the requested PHI is not maintained by the Health Plan but its whereabouts is known,.redirect the participant to where he/she might redirect the request] [Include if able to grant request in part While we are not able to grant your request to access your entire record for the reason(s) stated above, you may have access to: Please contact (Health Plan) at (telephone number) to discuss the details of your request] [Include if request is appealable (See Right of Access to PHI: Exceptions and Grounds for Denial) If you disagree with our decision regarding access to your health information, you have the right to request that we reconsider. We will appoint a licensed health care professional who was not involved in the original decision to reevaluate your request. You will receive a written response of the review official's determination. Please contact (Insert title of contact person and telephone number for appeal) if you want our determination reviewed.] If you are dissatisfied with our decision and wish to lodge a formal complaint, you may contact: [Insert title of contact person, address and telephone number of person designated to receive privacy complaints]or, alternatively, you may make a complaint to the Secretary of the Department of Health and Human Services. Please contact me if you have any questions or concerns. Sincerely; Sample Form Letter: Acceptance of Request for Access to Protected Health Information Date Participant's Name Address City, State, Zip Dear Thank you for your request to access your health information, received by [Health Plan] on . Your request has been granted. If you would prefer to receive a written summary of the requested information instead of a complete copy, we would be glad to prepare it for you for the fee of$ . Please contact me at(Insert telephone number] if you prefer this option. The health information you requested is available to you for inspection, copying or both. If you prefer to receive a copy of the information by mail, we will prepare a paper copy [if applicable, or a computer disk] that contains the requested information. Please send a check payable to [Health Plan] in the amount of$ to cover the costs of postage and labor and supplies for the copying. If you would prefer to inspect and/or copy the requested information in person, please contact me so we can arrange a mutually convenient time for you to come to [Health Plan]. You will be charged a fee of$ per page if you wish to copy the requested information. Please do not hesitate to contact me if you have any questions or require additional information. Sincerely, Request for Access to Protected Health Information (name) hereby request a copy of my health information from (please check one or more): Weld County Dental Plan Weld County Vision Plan _Weld County Flexible Spending Plan for the following dates: . I request the health information contained in the following records (please check one or more): ❑ enrollment ❑ premium/contribution payment 5 claims, billing and EOB information relating to the following service or claim: (specify date of service and/or medical condition) - ❑ all of the above 5 other (please specify) I understand that I may access my health information through any of the following methods (please check the desired method): ❑ I prefer to inspect and/or copy the requested information in person and will arrange for a mutually convenient time to come to the Weld County Accounting Department by calling 970-356-4000 Extension 4445. I understand I will be charged a per page copying fee of $1.25. • - ❑ I prefer to have the requested information copied and mailed to me at the following address: I understand I will be charged a copying and postage fee of$2.00. ❑ I prefer to receive a written summary of the requested information, instead of the complete records, for the fee of$15.00 per hour to prepare. Signature of Requestor Date If signed by-personal representative: Name of personal representative: Relationship to participant or nature of authority: / / Signature of Personal Representative Date POLICY & PROCEDURE: Participant Requests to Amend Protected Health Information Section: Effective Date: April 14, 2003 Reviewed by: Don Warden Privacy Reviewed Date: 2/1/03 POLICY Participants have the right to request amendment of incorrect or incomplete Protected, Health Information ("PHI") contained in the designated record set. PROCEDURE • Weld County Dental, Vision, and Flexible Spending Plans (plans) require and inform participants that requests for amendment of their PHI must be made in writing and must include a reason to support acceptance of the amendment. • If the request for amendment is not received in writing, or if the written request does not include a reason in support of the request, Plans will not act on the request. • When a request for amendment of PHI is received, it will be acted on within sixty (60) days. If necessary, this time frame may be extended for thirty (30) days. The individual requesting the amendment will be informed in writing of the reason(s) for the delay and the date by which action will be taken on the request. The extension notice will be provided within sixty (60) days of receipt of the original request. • • Plans document the titles of the persons/offices responsible for receiving and processing requests for amendment and retains such documentation for a period of, six (6) years. When a request for amendment is denied: • The participant is given a notice written in plain language that: • Includes a permissible basis for denial'; • Informs the participant of the right to submit a statement of disagreement, and how to file the statement; The information requested was not created by the Health Plan,is accurate and complete,is not part of the record,or may not legally be changed(e.g., information compiled in anticipation of a civil,criminal or administrative proceeding). • POLICY & PROCEDURE: Participant Requests to Amend Protected Health Information • States that if the participant does not file a statement of disagreement the participant may request that the Plans provide the request for amendment and the denial in any future release of the-disputed PHI; and • Includes a description of the procedure to file a complaint with Plans or DHHS. • If the individual chooses to write a statement of disagreement with the denial decision: • Plans may write a rebuttal statement and will provide a copy to the participant; and • Plans will include the request for amendment, denial letter, statement of disagreement, and rebuttal (if any), with any future disclosures of the disputed PHI. • If the participant does not choose to write a statement of disagreement with the denial decision, Plans are not required to include the request for amendment and denial decision letter with future disclosures of the disputed PHI unless requested by the participant. When a request for amendment is accepted (in whole or in part): • Plans will identify the record(s) that are the subject of the amendment request and will append the amendment to the record(s). • Plans will inform the participant that his or her request for amendment has been accepted and,request the identification of and permission to contact other individuals or health care entities that need to be informed of the amendment(s). • Plans will make reasonable efforts to provide the amendment within a reasonable time to the persons/entities identified by the participant as well as persons and Business Associates who the Health Plan knows have the disputed PHI and may rely on it to the participant's detriment. Receipt of notification of amendment from other Covered Entities: • When Plans receive notification from another Covered Entity that a participant's PHI has been amended: • Plans will ensure that the amendment is appended to all applicable records of the participant, and POLICY & PROCEDURE: Participant Requests to Amend Protected Health Information • Plans will inform its Business Associates that may use or rely on the participant's PHI of the amendment and re•uire them to make the necessa corrections. Request to Amend Protected Health Information (name) hereby request to amend my health information from (please check one or more): Weld County Dental Plan Weld County Vision Plan Weld County Flexible Spending Plan for the following dates: . I request the health information contained in the following records be changed as follows: I understand that Weld County is not required to amend any health records, especially if Weld County did not create the record or may not legally change it Signature of Requestor Date If signed by personal representative: Name of personal representative: Relationship to participant or nature of authority: Signature of Personal Representative Date Sample Form Letter: Denial of Request to Amend Protected Health Information Date Participant's Name Address City, State, Zip Dear Thank you for your request to amend your health information, received by [Health Plan] on . After careful review, we are not able to grant your request for the following reason(s): The information you requested to amend was not created by [Health Plan]. Contact the originator of the health information to act upon your request; The information you requested to amend is accurate and complete; The information you requested to amend is not a part of the record you requested be amended; and/or • The information you requested to amend includes information you are not permitted to change: (state type of information - e.q, psychotherapy notes, information compiled in anticipation of civil, criminal or administrative proceedings]. You have the right to submit a written statement of disagreement with this decision. Please send it to my attention at the address below. You should include in your statement the reason(s) for your disagreement with our decision. [Health Plan] reserves the right to prepare a rebuttal to your statement of disagreement. If we choose to do so, you will receive a copy of it. Your statement of disagreement and our rebuttal, if any, will be included in any future disclosures of the disputed PHI. Please be advised that if you choose not to submit a statement of disagreement, we will not provide a copy of your request for amendment and this letter denying your request with any future disclosures of the disputed health information, unless you request that we do so. If you are dissatisfied with our decision and wish to lodge a formal complaint, you may contact: (Insert name or title and telephone number of person designated to receive privacy complaints] or, alternatively, you may file a complaint with the Secretary of the Department of Health and Human Services. Please let me know if you have any questions or concerns. Sincerely, Sample Form Letter: Acceptance of Request to Amend Protected Health Information Date Participants Name Address , City, State, Zip Dear Thank you for your request to amend your health information, received by [Health Plan] on . Your request has been granted. Your health information has been amended as follows [at minimum, specify records affected and information appended or linked thereto]: • Because the accuracy of your health information is so important, we need to know what other individuals or health care entities have received your health information and need to be informed of the above amendment(s). Your identification of individuals/entities who need to be informed of the amendment(s) to your health information will indicate that you give [Health Plan] permission to disclose the amended information to them. Please provide their name(s) and addresses to us. [Health Plan] will also provide the amended information to other persons and Business Associates who [Health Plan] knows have the disputed health information and need the amended information for your benefit. Please do not hesitate to contact me if you have any questions or require additional information. Sincerely, POLICY & PROCEDURE: Requests for an Accounting of Disclosures of Protected Health Information Section: Effective Date: April 14, 2003 Reviewed by: Don Warden Privacy = Reviewed Date: 2/1/03 POLICY Participants have the right to request an accounting of the disclosures of their Protected Health Information ("PHI") for purposes other than treatment, payment or health care operations and other exceptions specified in the Privacy Rule. PROCEDURE • Effective April 14, 2003 Weld County Dental, Vision, and Flexible Spending Plans (Plans) will provide an accounting of disclosures of a participant's PHI for up to six (6) years prior to the date of the participant's request. • The Plans do not provide an accounting of disclosures made for the following purposes: • pursuant to an authorization the individual has signed; • that are incidental to another permissible use or disclosure; • that are part of a limited data set; • made for the purposes of payment or health care operations, including those made to business associates; - • made to the individual who is the subject of the information; • made'for national security or intelligence purposes; • made to correctional institutions or law enforcement officials; and • made prior to April 14, 2003 (the compliance date of the Privacy Rule) • When a request for an accounting of disclosures of PHI is received, it will be provided within sixty (60) days. If necessary, this time frame may be extended for thirty (30) days. The participant requesting the accounting will be informed in writing, within sixty (60) days of the original request, of the reason(s) for the delay and the date by which action will be taken upon the request. • A participant may receive an accounting of disclosures once during any twelve (12) month period for no charge. • If a participant requests more than one accounting within the same-twelve (12) month period, a reasonable, cost-based fee may be charged by the Plans. The participant will be informed of the fee in advance and will be provided the opportunity POLICY & PROCEDURE: Requests for an Accounting of Disclosures of Protected Health Information to modify or withdraw the request. • The accounting for each disclosure includes: • The date of the disclosure; • The name of the entity or person to whom the disclosure was made and their address (if known); • A brief description of the PHI disclosed; • One of the following: • A brief statement of the purpose of the disclosure; or • A copy of the written request for the disclosure from DHHS or from the appropriate - entity. • If the accounting includes multiple disclosures to the same person/entity for a single purpose, the accounting will include only the frequency or number of disclosures and the date of the last disclosure made during the accounting period for all disclosures after the first disclosure. • Plans maintain the information that is required to be included in an accounting of PHI. for six (6) years from the date of its creation or the date when it was last in effect, whichever is later. • Written accountings provided to individuals in response to a request are maintained for six (6) years from the date of the creation or the date when it was last in effect, whichever is later. • Plans maintain the titles of the persons/offices responsible for receiving and processing requests for an accounting for a period of six (6) years. POLICY & PROCEDURE: Minimum Necessary Uses Of Protected Health Information Section: Effective Date: April 14, 2003 Reviewed by: Don Warden Privacy = Reviewed Date: 2/1/03 POLICY Individuals who perform Weld County Dental, Vision, and Flexible Spending Plans (Plans) functions use the minimum amount of Protected Health Information ("PHI") necessary to perform their duties. PROCEDURE • Plans identify the individuals who need access to PHI according to the categories of uses for payment or health care operations. • Plans identify the type and minimum amount of PHI needed to administer the plan. • Plans determines the circumstances under which individuals who perform plan functions may use PHI. • All individuals are required to use PHI in accordance with the determination made by Plans of the minimum amount necessary to effectively administer the plan. • When an individual performs more than one function of the Plans, the types of PHI and conditions for access are dependent on the function that the member is performing. • Newly hired individuals who will perform plan administration functions are provided with information regarding their access to PHI during their initial training. Role-Based Minimum Necessary Uses of Protected Health Information for Health Care Operations Related to Treatment Role-Based Duties Record Set (category of Conditions on Access PHI Medical/Case Management N/A N/A Pre-Authorization Review N/A N/A (Medical Necessity, Referral Authorization Nurseline, Triage Service N/A N/A Role-Based Minimum Necessary Uses of Protected Health Information for Payment Role-Based Duties Record Set (category of Conditions on Access PHI Customer Service Claims Customer complaint Claims Processing/Review Claims Pa ment and review Complaint and Grievance Claims Review to address issue Review Medical Review N/A N/A Role-Based Minimum Necessary Uses of Protected Health Information for Health Care Operations Role-Based Duties Record Set (category of Conditions on Access PHI) Credentialing N/A N/A Provider Relations N/A N/A Quality Improvement Claims Review Enrollment Enrollment data Enrollment into plan Privacy Official All Review and oversight Rate Setting/Premium Aggregate summary data Program and financial Determination analysis Legal Case by case Resolve legal issue Plan or Benefit Design Aggregate summary data Administrative oversight Information Services All data elements Maintain claims payment system (Banner). -Human Resources Enrollment data Enrollment into plan Marketing Aggregate data Develop marketing plan POLICY & PROCEDURE: Minimum Necessary Disclosures of Protected Health Information Section: Effective Date: April 14, 2003 Reviewed by: Don Warden Privacy Reviewed Date: 2/1/03 -- POLICY Weld County Dental, Vision, and flexible Spending Plans (Plans) and its Business Associates disclose the minimum amount of Protected Health Information ("PHI") necessary to achieve the purpose of the disclosure. PROCEDURE Routine and recurring disclosures of PHI • Plans have identified disclosures of PHI it makes on a routine and recurring basis. • Plans have determined the minimum amount of PHI that is needed to achieve the purpose of these requests. Non-routine disclosures of PHI • Plans review non-routine requests for disclosures of PHI that are subject to the minimum necessary standard on a case-by-case basis. • The request for disclosure is forwarded to the Privacy Official (or designee) to determine if the amount of PHI requested is the minimum necessary to achieve the purpose of the disclosure according to established criteria. • [Plans rely on representations that the PHI requested is the minimum amount necessary if the request is from a public official for a permitted disclosure; a Health Care Provider, a Health Plan, or a Health Care Clearinghouse; or a professional providing services to Plans who is a Business Associate and who represents that the PHI requested is the minimum necessary. • When necessary or appropriate, the Privacy Official will speak with a representative from the entity making the request to get clarification and/or modifications. Disclosures of entire medical record • Plans do not disclose a participant's entire medical record in fulfillment of any request subject to the minimum necessary standard for any reason unless a specific justification for such a disclosure is documented. Routine and Recurring Disclosures of Protected Health Information Recipient Categories/Amount of Purpose Protected Health Information No third party outside Weld None. None County should require any of If any PHI is requested it will the'Plans' data be dealt with on a case by case basis by Privacy Officer Enrollment data Enroll employees into Personnel Department plan Claims and enrollment data Payment of claims and Accounting Department payroll function. Claims, and aggregate data Administrative Finance and Administration oversight and Privacy • Department Officer functions Claims and aggregate data Provide legal advice County Attorney's Office on specific issues Claims and aggregate data Conduct audit function Auditors Claims and aggregate data Grievance of claims Benefit consultant and assist in the administration of plans All data elements Maintain claims Information Services (ACS) payment system (Banner) Non-Treatment Related Disclosures of Entire Medical Record Recipient Purpose Justification Plans will not have entire None None medical record, so will not be disclosed. Related issues will be dealt with by Privacy Officer on case by case basis. POLICY & PROCEDURE: Minimum Necessary Requests for Protected Health Information Section: Effective Date: April 14, 2003 Reviewed by: Don Warden Privacy Reviewed Date: 2/1/03 POLICY Weld County Dental, Vision, and Flexible Benefit Plans (Plans) request the minimum amount of Protected Health Information ("PHI") necessary to achieve its purpose from other Covered Entities. PROCEDURE Routine and recurring requests for PHI • Plans have identified requests for PHI it makes on a routine and recurring basis. • Plans have determined the minimum amount of PHI that is needed to achieve the purpose of these requests. • When Plans request PHI, the Covered Entity to whom the request is made may rely on Plans' determination that the amount of PHI requested is the minimum necessary to achieve the purpose of the request. Non-routine requests for PHI • Plans review-the non-routine requests it makes for disclosures of PHI on a case-by- _ case basis. • The Privacy Official (or designee) reviews non-routine requests made by Plans for PHI from another Covered Entity to ensure that the amount of PHI requested is the minimum necessary to achieve the purpose of the request according to established criteria. Requests for entire medical record Plans do not request a participant's entire medical record for any purpose unless a justification for such a disclosure is documented. Routine and Recurring Requests for Protected Health Information Source Categories/Amount of PHI Purpose Not anticipated that third None None parties will be requesting Dental, Vision, and Flexible Spending Plan data other than Weld County Departments. If requested Privacy Officer will deal with them on a case by case basis. Enrollment data Enrollment of Personnel Department employees into plan. Claims and enrollment data Payment of claims and Accounting Department payroll function. Claims and aggregate data Administrative Finance and Administrative oversight and Privacy Department Officer functions Claims and aggregate data Provide legal advice County Attorney's Office on specific issues Claims and aggregate data Conduct audit function Auditors Claims and aggregate data Grievance of claims Benefits consultant and assist in administration of plans All data elements Maintain claims Information Services (ACS) payment system (Banner) Requests for Entire Medical Record Source: Purpose Justification Plans will not have entire None None medical record, so will not be disclosed. Related issues will be dealt with by Privacy Officer in a case by case basis. f POLICY & PROCEDURE: Participant Privacy and Marketing Section: Effective Date: April 14, 2003 Reviewed by: Don Warden Privacy Reviewed Date: 2/1/03 POLICY Weld County Dental, Vision, and Flexible Spending Plans (Plans) marketing activities protect the privacy of Protected Health Information ("PHI") and include provisions for participants to authorize marketing communications. PROCEDURE • Plans obtain participants' authorization before disclosing PHI to a third party pursuant to an arrangement whereby Plans receive remuneration, direct or indirect, in exchange for the disclosure of PHI to a third party so that the third party may make a communication about its products or services to the participant to encourage the participant to purchase or use that product or service. • Marketing includes communications that encourage participants to purchase or use a product or service. • Marketing does not include: • Plans' description of a health-related product or service (or payment for such product or service) that the Plans provide or include in its plan of benefits, including communications about the Plans' participating providers or network. • Plans' description of replacement of or enhancements to a Plan. • Plans' description of health-related products or services that are only available to Health Plan participants and that are not part of the plan of benefits, but add value to it. • Communications for treatment of the participant. • Communications for the participant's case management or care coordination, or to direct or recommend treatment alternatives, therapies, Health Care Providers or settings of care. • Plans obtain participants' authorization before using or disclosing their PHI for marketing purposes unless: • the marketing communication takes place during a face-to-face encounter; or • the marketing communication is a promotional gift of nominal value. POLICY & PROCEDURE: Participant Privacy and Marketing • All authorizations for marketing disclose whether Plans receive remuneration from a third party, either direct or indirect. • Plans do not allow its Business Associates or others to use PHI for their own marketing purposes without obtaining authorizations from the participants who are the subject of the PHI. POLICY & PROCEDURE: Privacy of the PHI of Deceased Participants Section: Effective Date: April 14, 2003 Reviewed by: Don Warden Privacy Reviewed Date: 2/1/03 POLICY Weld County Dental, Vision, and Flexible Spending Plans (Plans) protect the Protected Health Information ("PHI") of deceased Plan participants in the same manner and to the same extent as it did prior to the participant's death. PROCEDURE • Protection of the privacy of a deceased participant's PHI is provided for as long as Plans maintain this information. • A personal representative of the deceased participant (someone with legal authority to act on behalf of the deceased participant or his or her estate) may exercise the deceased participant's rights with respect to PHI. • POLICY & PROCEDURE: Workforce Privacy Training Section: Effective Date: April 14, 2003 Reviewed by: Don Warden Privacy Reviewed Date: 2/1/03 POLICY Weld County Dental, Vision, and Flexible Spending Plans (Plans) provides privacy training for all current and new workforce members under its direct control who perform the Plans' functions and have contact with participants' Protected Health Information ("PHI"). PROCEDURE • All current members of Plans Sponsor's workforce who perform Health Plan functions received training regarding the requirements of the HIPAA Privacy Rule no later than April 14, 2003. • All new workforce members of Plans Sponsor who perform Plan functions receive privacy training as part of their initial training. • All workforce members of Plans Sponsor who perform Plans functions and who change positions will receive new privacy training (as appropriate) at the time of the change. • All affected members of Plans Sponsor's workforce receive retraining within a reasonable time if the Plans materially change any privacy policy or procedure. •, Documentation of privacy training is maintained by the Privacy Official according to the requirements of the Privacy Rule. HIPAA COMPLIANCE TRAINING I hereby certify that I was given HIPAA compliannce training concerning the Weld County Dental,Vision, and Flexible Spending Plans, plus general HIPAA training for all county operations on the date indicated. As part of the training it was explained to me that I am expected to comply with the HIPAA privacy rules procedures and policies, and appropriate sanction may be taken by Weld County, if I violate the HIPAA privacy rules procedures and policies,whether intentional or unintentional. Sanction may include verbal warnings, written warnings, probation periods, suspension, or termination depending on the nature of the violation. PRINT NAME SIGNATURE DATE • Hello