HIPAA COMPLIANCE PLAN FOR WELD COUNTY PARAMEDIC SERVICES
2003-1125
Table of Contents
GENERAL POLICIES / NOTICE OF PRIVACY PRACTICES / OFFICE ROLE DIRECTORY
2 USE OF PERSONAL HEALTH INFORMATION
3 MINIMUM NECESSARY INFORMATION / PATIENTS' RIGHT TO ACCESS PHI
4 AUTHORIZATION FOR RELEASE OF INFORMATION & DISCLOSURE LOG
5 PATIENTS' RIGHT TO REQUEST AMENDMENT & RESTRICTION
6 REQUESTING CONFIDENTIAL HANDLING OF INFORMATION / FORM & SPECIAL REQUEST LOG
7 HANDLING OF PRIVACY COMPLAINTS / FORM / LOG
8 INFORMING INDIVIDUALS CONCERNING OPPORTUNITY TO ACCEPT/REJECT CERTAIN USES AND DISCLOSURES
9 ACCOUNTING FOR DISCLOSURES / REQUEST FORM / LOG OF DISCLOSED PHI / BUSINESS CONTRACTS & LOG
10 OVERVIEW OF PRIVACY & SECURITY / PERSONNEL DISCIPLINE FOR BREACH OF PRIVACY OR CONFIDENTIALITY
11 PHYSICAL SECURITY / USE OF ELECTRONIC MAIL, INTERNET & FACSIMILE MACHINES
12 ACS @ WELD COUNTY PRIVACY POLICIES AND PROCEDURES
GENERAL HIPAA POLICIES AND PROCEDURES
PHYSICAL AND TECHNICAL SAFEGUARDS:
Weld County shall adopt and follow any policies, procedures or forms dealing with
physical and technical safeguards for information technology systems promulgated by
ACS, unless Weld County specifically adopts its own policy in lieu of the ACS policy for
information technology systems. The physical and technical safeguards of ACS used by
Weld County are:
Application Development Security
Clean Desk Policy
Electronic Transmission of IIHI
Encryption
Facility Security
Network Security
Password Management
Screen Saver or Logoff Requirements
At Home Workers
E-mail Acceptable Use
Fax machine Acceptable Use
WELD COUNTY PERSONNEL POLICIES AND HIPAA:
Weld County's Personnel Policy on confidential information applies in addition to any
HIPAA policies on breach of privacy or confidentiality. Any HIPAA policies on
personnel discipline for breach of privacy or confidentiality apply in addition to those cited
in the Weld County Personnel Policies. If there is a conflict between any provision of the
HIPAA policies concerning personnel discipline and the Weld County Personnel Policies
concerning discipline and grievance, the Weld County Personnel Policies shall take precedence.
PROGRAM POLICIES TAKE PRECEDENCE:
Any policies, procedures, or forms promulgated by State of Colorado or federal health
grant programs which are equal to or more stringent than Weld County's policies will
take precedence over Weld County's. The Weld County policies in this HIPAA
compliance document are the minimum standard to which Weld County employees are
held; however, state or federal grant programs may choose or require additional or
alternative policies, procedures, or forms to accomplish the same HIPAA compliance
requirement. In those cases, to ensure that grant requirements are met and to avoid
redundant effort, the state or federal grant policies, procedures, and forms may be used as
long as they meet the county's minimum standards specified in this HIPAA compliance
document. Alternative grant policies, procedures, and forms must be approved by the
Health Department's HIPAA Privacy Officer.
HIPAA PROCEDURE AND POLICY PROMULGATION:
The Privacy Officer responsible for the departmental HIPAA compliance shall amend
and promulgate HIPAA policies and procedures as necessary by securing the department
head's approval, and submitting them to the Director of Finance and Administration for
review. The changes shall then be forwarded to the Board of Weld County
Commissioners for review by the Board members signing off on a cover sheet. If
approved by the Board of Weld County Commissioners on the sign off sheet the changes
shall be placed upon the Board's consent agenda for final approval. All HIPAA policies
shall be reviewed at least annually by the Privacy Officer of each plan for any necessary
updates or amendments.
HIPAA Notice of Privacy Practices
Weld County Paramedic Services
Effective Date: April 14, 2003
This notice describes how health information about you may be used and disclosed
and how you can get access to this information.
Please review it carefully.
If you have any questions about this notice, please contact David W. Bressler, Privacy
Officer at 1-970-353-5700 extension 13211.
OUR PLEDGE REGARDING HEALTH INFORMATION
We understand that health information about you and your health care is personal. We
are committed to protecting health information about you. We create a record of the care
and services you receive from us. We need this record to provide you with quality care
and to comply with certain legal requirements. This notice applies to all of the records of
your care generated by this health care practice, whether made by your personal doctor or
others working in this office. This notice will tell you about the ways in which we may
use and disclose health information about you. We also describe your rights to the health
information we keep about you, and describe certain obligations we have regarding the
use and disclosure of your health information.
We are required by law to:
• Make sure that health information that identifies you is kept private.
• Give you this notice of our legal duties and privacy practices with respect to health
information about you.
• Follow the terms of the notice that is currently in effect.
HOW WE MAY USE AND DISCLOSE HEALTH INFORMATION ABOUT YOU
The following categories describe different ways that we use and disclose health
information.
For each category of uses or disclosures we will explain what we mean and try to give
some examples. Not every use or disclosure in a category will be listed. However, all of
the ways we are permitted to use and disclose information will fall within one of the
categories.
For Treatment: We may use health information about you to provide you with health
care treatment or services. We may disclose health information about you to doctors,
nurses, technicians, health students, or other personnel who are involved in taking care of
you. They may work at our offices, at the hospital if you are hospitalized under our
supervision, or at another doctor's office, lab, pharmacy, or other health care provider to
whom we may refer you for consultation, to take x-rays, to perform lab tests, to have
prescriptions filled, or for other treatment purposes. For example, a doctor treating you
for a broken leg may need to know if you have diabetes because diabetes may slow the
healing process. In addition, the doctor may need to tell the dietitian at the hospital if you
have diabetes so that we can arrange for appropriate meals. We may also disclose health
information about you to an entity assisting in a disaster relief effort so that your family
can be notified about your condition, status and location.
For Payment: We may use and disclose health information about you so that the
treatment and services you receive from us may be billed to and payment collected from
you, an insurance company, or a third party. For example, we may need to give your
health plan information about your office visit so your health plan will pay us or
reimburse you for the visit. We may also tell your health plan about a treatment you are
going to receive to obtain prior approval or to determine whether your plan will cover the
treatment.
For Health Care Operations: We may use and disclose health information about you
for operations of our health care practice. These uses and disclosures are necessary to run
our practice and make sure that all of our patients receive quality care. For example, we
may use health information to review our treatment and services and to evaluate the
performance of our staff in caring for you. We may also combine health information
about many patients to decide what additional services we should offer, what services are
not needed, whether certain new treatments are effective, or to compare how we are
doing with others and to see where we can make improvements. We may remove
information that identifies you from this set of health information so others may use it to
study health care delivery without knowing the identity of our specific patients.
Research: Under certain circumstances, we may use and disclose health information
about you for research purposes. For example, a research project may involve comparing
the health and recovery of all patients who received one medication to those who
received another, for the same condition. All research projects, however, are subject to a
special approval process. This process evaluates a proposed research project and its use
of health information, trying to balance the research needs with patients' need for privacy
of their health information. Before we use or disclose health information for research, the
project will have been approved through this research approval process; but we may
disclose health information about you to people preparing to conduct a research project.
For example, we may help potential researchers look for patients with specific health
needs, so long as the health information they review does not leave our facility. We will
almost always ask for your specific permission if the researcher will have access to your
name, address, or other information that reveals who you are, or will be involved in your
care.
Organ and Tissue Donation: If you are an organ donor, we may release health
information to organizations that handle organ procurement or organ, eye or tissue
transplantation or to an organ donation bank, as necessary to facilitate organ or tissue
donation and transplantation.
As Required By Law: We will disclose health information about you when required to
do so by federal, state, or local law.
To Avert a Serious Threat to Health or Safety: We may use and disclose health
information about you when necessary to prevent a serious threat to your health and
safety or the health and safety of the public or another person. Any disclosure, however,
would only be to someone able to help prevent the threat.
Military and Veterans: If you are a member of the armed forces or separated/
discharged from military services, we may release health information about you as
required by military command authorities or the Department of Veterans Affairs as may
be applicable. We may also release health information about foreign military personnel
to the appropriate foreign military authorities.
Workers' Compensation: We may release health information about you for workers'
compensation or similar programs. These programs provide benefits for work-related
injuries or illness.
Public Health Risks: We may disclose health information about you for public health
activities.
These activities generally include the following:
• To prevent or control disease, injury or disability.
• To report births and deaths.
• To report child abuse or neglect.
• To report reactions to medications or problems with products.
• To notify people of recalls of products they may be using.
• To notify a person who may have been exposed to a disease or may be at risk for
contracting or spreading a disease or condition.
• To notify the appropriate government authority if we believe a patient has been the
victim of abuse, neglect, or domestic violence. We will only make this disclosure if
you agree or when required or authorized by law.
Health Oversight Activities: We may disclose health information to a health oversight
agency for activities authorized by law. These oversight activities include, for example,
audits, investigations, inspections, and licensure. These activities are necessary for the
government to monitor the health care system, government programs, and compliance
with civil rights laws.
Lawsuits and Disputes: If you are involved in a lawsuit or a dispute, we may disclose
health information about you in response to a court or administrative order. We may also
disclose health information about you in response to a subpoena, discovery request, or
other lawful process by someone else involved in the dispute, but only if efforts have
been made to tell you about the request or to obtain an order protecting the information
requested.
Law Enforcement: We may release health information if asked to do so by a law
enforcement official:
• In response to a court order, subpoena, warrant, summons or similar process
• To identify or locate a suspect, fugitive, material witness, or missing person
• About the victim of a crime if, under certain limited circumstances, we are unable to
obtain the person's agreement
• About a death we believe may be the result of criminal conduct
• About criminal conduct at our facility
• In emergency circumstances to report a crime; the location of the crime or victims; or
the identity, description, or location of the person who committed the crime
Coroners, Health Examiners and Funeral Directors: We may release health
information to a coroner or health examiner. This may be necessary, for example, to
identify a deceased person or determine the cause of death. We may also release health
information about patients to funeral directors as necessary to carry out their duties.
National Security and Intelligence Activities: We may release health information
about you to authorized federal officials for intelligence, counterintelligence, and other
national security activities authorized by law.
Protective Services for the President and Others: We may disclose health information
about you to authorized federal officials so they may provide protection to the President,
other authorized persons or foreign heads of state or conduct special investigations.
Inmates: If you are an inmate of a correctional institution or under the custody of a law
enforcement official, we may release health information about you to the correctional
institution or law enforcement official. This release would be necessary (1) for the
institution to provide you with health care; (2) to protect your health and safety or the
health and safety of others; or (3) for the safety and security of the correctional
institution.
YOUR RIGHTS REGARDING HEALTH INFORMATION ABOUT YOU
You have the following rights regarding health information we maintain about you:
Right to Inspect and Copy: You have the right to inspect and copy health information
that may be used to make decisions about your care. Usually, this includes health and
billing records.
To inspect and copy health information that may be used to make decisions about you,
you must submit your request in writing to David W. Bressler, Privacy Officer. If you
request a copy of the information, we may charge a fee for the costs of copying, mailing
or other supplies and services associated with your request.
We may deny your request to inspect and copy in certain very limited circumstances. If
you are denied access to health information, you may request that the denial be reviewed.
Another licensed health care professional chosen by our practice will review your request
and the denial.
The person conducting the review will not be the person who denied your request. We
will comply with the outcome of the review.
Right to Amend: If you feel that health information we have about you is incorrect or
incomplete, you may ask us to amend the information. You have the right to request an
amendment for as long as we keep the information. To request an amendment, your
request must be made in writing, submitted to David W. Bressler, Privacy Officer, and
must be contained on one page of paper legibly handwritten or typed in at least 10-point
font size. In addition, you must provide a reason that supports your request for an
amendment.
We may deny your request for an amendment if it is not in writing or does not include a
reason to support the request. In addition, we may deny your request if you ask us to
amend information that:
• Was not created by us, unless the person or entity that created the information is no
longer available to make the amendment
• Is not part of the health information kept by or for our practice
• Is not part of the information which you would be permitted to inspect and copy
• Is accurate and complete
Any amendment we make to your health information will be disclosed to those with
whom we disclose information as previously specified.
Right to an Accounting of Disclosures: You have the right to request a list accounting
for any disclosures of your health information we have made, except for uses and
disclosures for treatment, payment, and health care operations, as previously described.
To request this list of disclosures, you must submit your request in writing to David W.
Bressler, Privacy Officer. Your request must state a time period, which may not be
longer than six years and may not include dates before April 14, 2003. The first list you
request within a 12-month period will be free. For additional lists, we may charge you
for the costs of providing the list. We will notify you of the cost involved and you may
choose to withdraw or modify your request at that time before any costs are incurred. We
will mail you a list of disclosures in paper form within 30 days of your request, or notify
you if we are unable to supply the list within that time period and by what date we can
supply the list; but this date will not exceed a total of 60 days from the date you made the
request.
Right to Request Restrictions: You have the right to request a restriction or limitation
on the health information we use or disclose about you for treatment, payment, or health
care operations. You also have the right to request a limit on the health information we
disclose about you to someone who is involved in your care or the payment for your care,
such as a family member or friend. For example, you could ask that we restrict a
specified nurse from use of your information, or that we not disclose information to your
spouse about a surgery you had.
We are not required to agree to your request for restrictions if it is not feasible for
us to ensure our compliance or if we believe it will negatively impact the care we may
provide you. If we do agree, we will comply with your request unless the information is
needed to provide you emergency treatment. To request a restriction, you must make
your request in writing to David W. Bressler, Privacy Officer. In your request, you must
tell us what information you want to limit and to whom you want the limits to apply; for
example, use of any information by a specified nurse, or disclosure of specified surgery
to your spouse.
Right to Request Confidential Communications: You have the right to request that we
communicate with you about health matters in a certain way or at a certain location. For
example, you can ask that we only contact you at work or by mail to a post office box.
To request confidential communications, you must make your request in writing to David
W. Bressler, Privacy Officer. We will not ask you the reason for your request. We will
accommodate all reasonable requests. Your request must specify how or where you wish
to be contacted.
Right to a Paper Copy of This Notice: You have the right to obtain a paper copy of this
notice at any time. To obtain a copy, please request it from David W. Bressler, Privacy
Officer.
You may also ask that a copy of this notice be sent through electronic mail. If we know
that the electronic message has failed to be delivered, a paper copy of the notice will be
provided.
You may also obtain a copy of this notice at our Web site,
http://www.co.weld.co.us/departments/paramedic_services/ambulance.html.
Even if you have received a notice electronically, you still retain the right to receive a
paper copy upon request.
If the first service delivery is provided electronically, other than by telephone, we
provide the notice electronically in the same medium, automatically and at the same
time, in response to your first request for service.
CHANGES TO THIS NOTICE
We reserve the right to change this notice. We reserve the right to make the revised or
changed notice effective for health information we already have about you as well as any
information we receive in the future. We will post a copy of the current notice in our
facility. The notice will contain on the first page, in the top right-hand corner, the
effective date. In addition, each time you register for treatment or health care services,
we will offer you a copy of the current notice in effect.
COMPLAINTS
If you believe your privacy rights have been violated, you may file a complaint with us or
with the Secretary of the Department of Health and Human Services. To file a complaint
with us, contact David W. Bressler, Privacy Officer. All complaints must be submitted in
writing. You will not be penalized for filing a complaint.
OTHER USES OF HEALTH INFORMATION
Other uses and disclosures of health information not covered by this notice or the laws
that apply to us will be made only with your written permission. If you provide us
permission to use or disclose health information about you, you may revoke that
permission, in writing, at any time. If you revoke your permission, we will no longer use
or disclose health information about you for the reasons covered by your written
authorization. You understand that we are unable to take back any disclosures we have
already made with your permission, and that we are required to retain our records of the
care that we provided to you.
ACKNOWLEDGEMENT OF RECEIPT OF THIS NOTICE
We will request that you sign a separate form or notice acknowledging you have received
a copy of this notice. If you choose not to sign, or are not able to sign, a staff member will
sign their name and the date. This acknowledgement will be filed with your account record.
Office Role Directory
Weld County Paramedic Services
The following is a current list of all Weld County Paramedic Services staff positions.
They are listed according to the office role category (as defined in the Policy on
Minimum Necessary Information) to which they belong. The office role category
determines the type of information access each position requires to perform its functions.
Direct Health Care Providers
Director
Medical Operations Manager
Medical Operations Supervisor
Emergency Medical Technician Paramedic
Emergency Medical Technician Intermediate
Emergency Medical Technician Basic
Direct Support Staff
Director
Office Manager
Office Technician
Policy on Uses and Disclosures of Protected Health Information
Overview of Weld County Paramedic Service's Policy on Privacy
Policy
It is the policy of Weld County Paramedic Services to protect the privacy and
confidentiality of patients' protected health information by following the requirements of
federal and state law and Weld County Paramedic Services policies and procedures. This
policy provides the basics of Weld County Paramedic Services privacy compliance
framework. More detailed information is contained in the Weld County Paramedic
Services Standard Operating Procedures Manual and Weld County Paramedic Services
computer system.
"Protected health information," (PHI) means individually identifiable information about
the present, past, or future health care or payment for health care, maintained in any form
or medium.
Responsibility
The Weld County Paramedic Services Privacy Official is responsible for developing and
implementing privacy policies and procedures. The Privacy Official is David W.
Bressler. He can be reached at 1-970-353-5700 extension 13211 or
dbressler@co.weld.co.us.
It is the responsibility of each member of Weld County Paramedic Services to understand
and follow the privacy policies and procedures.
Procedures
A. Permissions needed
Weld County Paramedic Services will use and disclose PHI only in accordance with
Weld County Paramedic Services notice of privacy practices and with the appropriate
permission from the patient, or as otherwise permitted or required by law. See
Authorization Policy and Notice of Privacy Practices.
B. Permitted disclosures
Weld County Paramedic Services may disclose a patient's PHI to the patient himself or
herself, the patient's legally authorized personal representative, those involved with the
person's care and treatment, to law enforcement personnel in appropriate situations, for
public policy decisions as required by law, and for purposes of a patient's treatment,
payment for services, or Weld County Paramedic Services health care operations.
Disclosure of PHI may also be made to business associates, or on the basis of and in
accordance with a properly executed authorization.
1. Deceased individuals
If an executor, administrator, or other person has authority to act on behalf of a
deceased patient or that patient's estate, that person should be treated as the patient's
personal representative.
Weld County Paramedic Services may disclose PHI, without specific patient
consent or authorization, to a coroner or medical examiner responsible for
identification of the person, determination of the cause of death, or other duties
authorized under state law.
Weld County Paramedic Services may also disclose PHI to a funeral director, as
permitted by state law.
2. Personal representatives and minors
If a person has legal authority to act on a patient's behalf in making decisions
related to health care, that person is a personal representative and can receive PHI.
If a minor has authority to act on his or her own behalf with respect to all or
certain health care decisions, the PHI relevant to those decisions may not be shared
with the parent without the minor's consent.
3. Persons involved in care or treatment
PHI may be disclosed to persons involved in the patient's care, as directly
relevant to that care. If the patient is present when PHI is to be disclosed, and has
capacity, PHI can be disclosed to others present if it can reasonably be inferred
that the patient would not object. If the patient is not present when PHI is to be
disclosed, or the patient is incapacitated, PHI may be disclosed if, in the exercise of
reasonable professional judgment, disclosure is in the best interests of the patient and
disclosure is limited to PHI directly relevant to the person's involvement with the
patient's care.
D. Required disclosures
Weld County Paramedic Services may make disclosures without consent or authorization
as required by law, as required for public health purposes, for certain health oversight
activities, for certain judicial and administrative proceedings, for certain law enforcement
activities, and to coroners or medical examiners, once any required releases are obtained
by the Weld County Paramedic Services Office Manager.
E. Privacy official
The privacy official of Weld County Paramedic Services is David W. Bressler, Director.
This person is responsible for implementing Weld County Paramedic Services privacy
policies.
F. Complaint personnel
The person(s) responsible for handling complaints related to privacy are Kathy Baxley,
Office Manager and/or David W. Bressler, Director. All complaints related to privacy
should be referred to David W. Bressler, Director Weld County Paramedic Services.
G. Unique restrictions on disclosures
If a patient requests a particular restriction on the use or disclosure of his or her PHI, refer
the request to David W. Bressler. Do not agree to any restriction prior to contacting the
Privacy Officer.
H. Potential violations
If you believe that Weld County Paramedic Services has violated a policy or provision of
law related to privacy issues, contact the Privacy Officer immediately. Weld County
Paramedic Services will not retaliate against employees who report in good faith. Weld
County Paramedic Services will take all reasonable steps to mitigate any damages caused
by an improper use or disclosure of PHI.
Policy on Minimum Necessary Information
Weld County Paramedic Services
Date: April 14, 2003
Authority: David W. Bressler, Director Weld County Paramedic Services
Responsibility: Office Manager, Weld County Paramedic Services
It is crucial that every staff member understands the minimum necessary policy for use,
disclosure and request of protected health information.
Health care providers and staff are entitled to use protected health information (PHI)
consistent with their roles in this organization. Each staff member must also understand
that with this role come certain responsibilities such as limiting the viewing, use,
disclosure and requesting of PHI to only that data necessary for patient treatment,
reimbursement for treatment and health care operations. It is considered a breach of
policy and the patient's trust to seek information beyond what is appropriate for the staff
role and the patient needs.
In the event of an emergency, the strict limits of access may be breached when
appropriate for the benefit of the patient, specifically when the potential benefit to the
patient is judged to outweigh the risk to patient privacy.
Purpose
The purpose of this policy is to comply with the requirements of the Health Insurance
Portability and Accountability Act (HIPAA) and to ensure our patients' rights to the
minimum necessary use and disclosure of their protected health information.
General Policy
1. When using or disclosing protected health information or when requesting
protected health information from another covered entity, each staff member of Weld
County Paramedic Services must make reasonable efforts to limit protected health
information to the minimum necessary to accomplish the intended purpose of the use,
disclosure, or request.
This requirement does not apply to disclosures to a health care provider for treatment,
uses or disclosures made to the individual, uses or disclosures made pursuant to an
authorization for release signed by the patient or the patient's representative,
disclosures made to the Secretary of Health and Human Services, disclosures that are
required by law (as described by Sec. 164.512(a) of the privacy regulations) and uses
or disclosures that are required for compliance with the privacy regulations.
2. It is necessary that the different roles in Weld County Paramedic Services be
defined so that each staff member understands their own roles and responsibilities
with regard to handling PHI.
Direct Health Care Provider: A licensed and/or certified health care professional
who provides direct or indirect patient care or consulting services.
Direct Support Staff: Staff who work within the office providing a variety of
professional and direct administrative support that involves the delivery of patient
care or billing operations.
Data Access Categories
Full Health Information Access: Access to full health information as needed for
health, payment or health operations. Staff in this category may access and read all
appropriate information.
Summary Data Access: Access to summary data with treatment or diagnostic codes
as needed to function. Staff in this category should confine the use of protected
health information to the absolute minimum required and should not access or read
full medical records.
Emergency Information Access: Access to any individually identifiable health
information should not be granted except in emergency situations.
Usage Assignments
Data Access Categories are assigned in accordance with the operational requirements
for minimum necessary use.
Each staff member has a separate access category. Choose whether they have:
a. Full health information access
b. Summary data access
c. Minimum information access
d. Emergency information access
Direct Health Care Providers have Full Health Information Access, with the clear
understanding that access and reading is limited to the need for treatment, reimbursement,
or operations.
Direct Support Staff have Full Health Information Access, with the clear understanding
that access and reading is limited to the need for treatment, reimbursement, or operations.
Weld County Paramedic Services will maintain a current office role directory that lists
every defined position within the office. This will ensure that each position will be
granted the correct access authorization as defined in the Usage Assignments section of
this policy.
It is incumbent on every staff member to report any observed violation of these usage
rules to the Office Manager, Medical Operations Supervisor/Manager or Director of
Weld County Paramedic Services. Every staff member must be trained in their roles and
responsibilities with reference to the minimum use and access to patient data policy.
It is considered a breach of organization policies and the patient's trust to seek
information beyond what is appropriate for the staff role and the patient needs.
In an emergency, the strict limits on access may be exceeded when appropriate for the
benefit of the patient, specifically when the potential benefit to the patient is
judged to outweigh the risk to patient privacy.
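As an added example (not code from the Weld County plan or from any of its vendors), the Usage Assignments and the emergency override above expressed as a policy check in Python. The role and category names are the policy's own; the Request fields, the in-memory audit log, the rule that the override is available only for treatment, and the hypothetical "volunteer" role (present only to exercise the emergency-only path) are assumptions made for illustration.

```python
"""Least-privilege check for the PHI data access categories.

Added example; not part of the Weld County plan or its systems. Role and
category names come from the policy text. The Request fields, the in-memory
audit log, the treatment-only override rule and the "volunteer" role are
assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import IntEnum


class AccessLevel(IntEnum):
    """Ordered so that a higher category includes everything below it."""
    EMERGENCY = 0   # no standing access; emergency override only
    MINIMUM = 1     # demographics with minimal treatment/diagnostic reference
    SUMMARY = 2     # summary data with treatment or diagnostic codes
    FULL = 3        # full record, for treatment, payment or operations


# Usage Assignments from the policy: both defined roles hold Full access.
# "volunteer" is hypothetical and exists only to show the emergency path.
ROLE_ASSIGNMENTS = {
    "direct_health_care_provider": AccessLevel.FULL,
    "direct_support_staff": AccessLevel.FULL,
    "volunteer": AccessLevel.EMERGENCY,
}

# Purposes for which the policy permits access without patient authorization.
PERMITTED_PURPOSES = {"treatment", "payment", "operations"}


@dataclass
class Request:
    user: str
    role: str
    purpose: str
    level: AccessLevel        # data category the user wants to read
    emergency: bool = False   # invoke the emergency override
    justification: str = ""   # why the benefit to the patient outweighs the risk


@dataclass
class Decision:
    allowed: bool
    reason: str
    break_glass: bool = False   # True when access came from the emergency override


AUDIT_LOG: list[dict] = []   # every decision, allowed or denied, lands here


def check_access(req: Request) -> Decision:
    """Apply the Usage Assignments; log the decision so overrides can be reviewed."""
    assigned = ROLE_ASSIGNMENTS.get(req.role)
    if assigned is None:
        decision = Decision(False, f"unknown role {req.role!r}")
    elif req.level == AccessLevel.EMERGENCY:
        decision = Decision(False, "request must name a data category")
    elif req.purpose not in PERMITTED_PURPOSES:
        decision = Decision(False, "purpose must be treatment, payment or operations")
    elif req.level <= assigned:
        decision = Decision(True, f"{req.role} holds {assigned.name} access")
    elif req.emergency and req.purpose == "treatment":
        # Override (assumption): treatment only, and only with a recorded reason.
        if not req.justification.strip():
            decision = Decision(False, "emergency override requires a justification")
        else:
            decision = Decision(True, "emergency override", break_glass=True)
    else:
        decision = Decision(False, f"{req.level.name} exceeds assigned {assigned.name}")
    AUDIT_LOG.append({
        "at": datetime.now(timezone.utc).isoformat(),
        "user": req.user, "role": req.role, "purpose": req.purpose,
        "level": req.level.name, "allowed": decision.allowed,
        "break_glass": decision.break_glass, "justification": req.justification,
        "reason": decision.reason,
    })
    return decision


def break_glass_events() -> list[dict]:
    """Overrides the Office Manager should review after the fact."""
    return [e for e in AUDIT_LOG if e["break_glass"]]


if __name__ == "__main__":
    print(check_access(Request("kb", "direct_support_staff", "payment", AccessLevel.SUMMARY)))
    print(check_access(Request("vol", "volunteer", "treatment", AccessLevel.FULL,
                               emergency=True, justification="cardiac arrest, no medic on scene")))
    print(len(break_glass_events()), "override(s) to review")
```

The ordering of AccessLevel is what enforces the Summary Data rule: a holder of Summary access can never satisfy a request for the full record. Every decision, including denials and overrides, is appended to AUDIT_LOG, so break_glass_events() gives the Office Manager the list of emergency accesses to review against the duty to report violations described above.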
Disclosures for Treatment, Payment or Health Operations
The regulations establish that routine and recurring disclosures of protected health
information can be made for treatment, payment or health operations without specific
patient authorization.
The minimum necessary requirements still pertain to all of these disclosures.
Minimum necessary determinations will be made for all routine and recurring disclosures
in every category (other than those that are excepted). These categories include, for
example, additional medical information for medical necessity determinations, sample
records for accreditation and audits, record reviews for protocol adherence, patient
information for participation in a clinical trial, paper claims, phone referral
certification information, and other categories as determined necessary.
Full health information will be provided in response to routine and recurring requests
from the external entities listed in Exhibit A.
Summary data with treatment and/or diagnostic codes will be provided in response to
routine and recurring requests from the external entities listed in Exhibit B.
Minimum information (patient demographic data with only minimal reference to
treatment or diagnostic information) will be provided in response to routine and
recurring requests from the external entities listed in Exhibit C.
Every effort will be made to comply with these disclosure categories except where the
cost of extracting information is not reasonable and the risk of breach of patient privacy
is considered low.
In all situations, the requestor will be informed of their responsibilities towards this data
and appropriate agreements entered into.
All non-routine and/or non-recurring requests will be considered on a case-by-case basis
and determination of the level of response will take into account the minimum necessary
requirements.
Requests for Information
The regulation establishes that for routine and recurring requests, the responsibility for
determining the minimum necessary data falls on the requestor. In all situations where
data are requested, staff members must ensure that minimum necessary evaluation is
made. In situations where the determination has not been made, questions should be
directed first to the Office Manager and then to the Director of Weld County Paramedic
Services.
Minimum necessary determinations will be made for all routine and recurring requests
for all categories. These categories will include, for example:
Reason for visit
Vital medical stats
Medical records for referral
Referral authorization, if non-standard
Test results
Patient messages from an answering service
Policy and Procedure on Patient's Right to Access Health Information
Weld County Paramedic Services
Date: April 14, 2003
Authority: David W. Bressler, Director Weld County Paramedic Services
Responsibility: Kathy Baxley, Office Manager Weld County Paramedic Services
Purpose
The purpose of this policy is to comply with the requirements of the Health Insurance
Portability and Accountability Act(HIPAA) and to afford our patients the right to inspect
and obtain a copy of health information about them.
General Policy
It is our policy to provide our patients the right of access to inspect and obtain a copy of
health information about them, for as long as we maintain the information in our
designated record set, with exceptions permitted by law.
Definitions
Access: patients may inspect their medical records and billing records under the
supervision of a staff member for which an inspection fee is charged; or obtain a copy of
all or a portion of their medical records and billing records for which a copying fee is
charged.
Designated record set: medical records and billing records that we use to make health
care and payment decisions about patients.
Procedure
1. Patients may request access to their medical records and/or billing records by
submitting a written request on our Authorization for Release of Information Form
to our Office Manager. The Form states that access will be granted within 30 days
of receipt unless the patient is otherwise notified, and identifies the fees charged
for supervised inspection, for copying all or part of the record, and for
summarizing the record. The request must state the type of access requested
(inspection, copy, or whether a summary will be accepted if a complete inspection or
copy cannot be released; see step 4.b), specify the dates and the specific
information requested, and be signed by the patient.
2. When a request for access to the medical record and/or billing record is made by a
patient:
a. Obtain the patient's medical record and verify the patient's demographic
information and signature on the Authorization for Release of Information Form
with demographic information and signature on the consent for use and disclosure
of health information, or other document signed by the patient contained within
the medical record. If the authenticity of the patient cannot be verified, send a
request to the patient to have a new Authorization for Release of Information
Form notarized.
b. Review the medical record and/or billing record according to the request to
determine if:
1) The information requested is excepted from the patient's right of access
(see step 3. Exceptions to access), in which case access must be denied.
Follow the procedure in step 4. for Denial of access.
2) the information requested is complete. If the information is not
complete, inform the physician responsible for completion that a request
for access has been made by the patient and the record will need to be
completed within 30 days in order to comply with the patient's request or
be found in non-compliance with HIPAA and subject to fines. If the
record is not completed within 30 days, send a copy of the Authorization
for Release of Information Form to the patient indicating that an extension
to providing access will be required because the record is in the process of
being completed and indicating the specific date on which access will be
granted. This date must not exceed an additional 30 days.
c. If access is not excepted and the information is complete and the patient
requests inspection of the medical record and/or billing record or any portion
thereof, schedule an appointment for the patient to visit the office. If the request
is only for a portion of a record, remove that portion and place it in a separate
folder for purposes of the inspection. Our Office Manager must be present with
the patient during the time the patient is inspecting the record(s). A charge of
$20.00 per hour can be assessed for this inspection to cover the cost of
supervision. During this time, the patient may not remove any documents from
the record(s) or write any information in the record(s). If the patient wishes to
make an amendment to the record(s), follow the Policy and Procedure for
Patient's Right to Request Amendment of Health Information. If the patient has
any questions concerning the information in the medical record, inform the patient
that an appointment must be made with the physician to discuss the information.
If the patient has any questions concerning the information in the billing record,
refer the patient to the Office Manager.
d. If access is not excepted and the information is complete and the patient
requests a copy of any or all of the medical record and/or billing record, make the
specified copies and mail the information to the patient via postal mail. If the
patient requests this information to be mailed to a different address, mailed to a
different individual, or be given to someone else who physically presents to our
office, this information must be authorized through the Authorization for Release
of Information Form. If another individual is designated to physically pick up the
copy of the information, verify the individual's identity by requesting a photo
identification card and match the name on the card to the name on the
Authorization for Release of Information signed by the patient.
Have the individual sign the Authorization for Release of Information as having
received the information.
3. Exceptions to access are limited to very specific situations. The first three
exceptions below are not subject to review; for the remaining three we must permit the
patient to request a review of our decision not to grant access.
Not subject to review:
When the information was compiled in reasonable anticipation of, or for use in, a civil,
criminal, or administrative action or proceeding.
When the request is from an inmate of a correctional institution, and we have concerns
regarding the health, safety, security, custody, or rehabilitation of the inmate or of other
inmates, or the safety of any officer, employee, or other person at the correctional
institution or the safety of any person responsible for transporting the inmate.
When the information was obtained from someone other than a health care provider
under a promise of confidentiality and the access requested would be reasonably likely to
reveal the source of the information.
Subject to review:
When a licensed health care professional has determined, in the exercise of professional
judgment, that the access requested is reasonably likely to endanger the life or physical
safety of the patient or another person.
When the information makes reference to another person (unless such other person is a
health care provider) and a licensed health care professional has determined, in the
exercise of professional judgment, that the access requested is reasonably likely to cause
substantial harm to such other person.
When the request for access is made by the patient's personal representative and a
licensed health care professional has determined, in the exercise of professional
judgment, that the provision of access to such personal representative is reasonably likely
to cause substantial harm to the patient or another person.
4. Denial of access is a serious matter under the law. Before the Office Manager
may make such a denial decision, it is our policy to conduct an internal review of that
denial. Any such case should be given to David W. Bressler, who will authorize the
denial.
a. If access is denied for one of the reasons to deny access that are not subject to
review, return a copy of the Authorization for Release of Information to the
patient indicating that we are unable to comply with the request for access due to
the applicable reason. Retain a copy of the Authorization for Release of
Information sent to the patient in the patient's medical record.
b. If access is denied for one of the reasons that are subject to review, determine if
a summary of the record may be made or portions of the record may be provided
access such as to prevent the risk associated with denial.
1) If a summary or access to portions of the record would prevent risk,
return a copy of the Authorization for Release of Information to the patient
indicating we are not able to comply with the request for access for the
specified reason but would be able to provide a summary of information in
the record or access to portions of the record.
2) If such a summary or access to portions of the record is not possible,
return a copy of the Authorization for Release of Information to the patient
indicating we are not able to comply with the request for access for the
specified reason. Indicate on this Form that the patient has the right to
have this decision reviewed by another licensed health care professional.
3) If a request for review is received, give a copy of the Authorization for
Release of Information Form, the medical record, and, if applicable, the billing record
to the Chief Physician, who will make a final determination. Upon its
review and a determination, send a response to the patient indicating the
result of the review and how the patient may file a complaint with our
office or to the Secretary of Health and Human Services (HHS).
4) File a copy of the Authorization for Release of Information Form and
other documentation received from the patient in his/her medical record.
Place a copy of the Authorization for Release of Information in our Risk
Management file.
5. If a request for access to the medical record or billing record is made and the person
was not a patient of ours, return a copy of the Authorization for Release of Information
Form to the individual indicating we have no records. If we do not have records on this
individual but know where the requested information may be maintained (such as at a
hospital or other physician's office), return the Authorization for Release of Information
Form to the individual and provide the name and address of the location where we
believe the records may be maintained. Keep a copy of the Authorization for Release of
Information Form in our Risk Management File.
EXHIBIT A
Weld County Paramedic Services
Date: April 14, 2003
Acute Treatment Unit
Boulder Community Hospital
Centennial Health Care
Cheyenne United Medical Center
Children's Hospital
Colorado Plains Medical Center
Craig Rehab Hospital
East Morgan County Hospital
Fairacres Manor
Greeley Medical Clinic
Hospice Unit at North Colorado Medical Center
Island Grove Regional Detox Center
Kenton Manor
Life Care Center
Longmont United Hospital
North Colorado Family Medicine
North Colorado Medical Center
North Colorado Psychcare
North Colorado Surgery Center
Platte Valley Medical Center
Poudre Valley Hospital
Salud Clinic
Sterling House
Sunrise Clinic
St Anthony's North Hospital
St Anthony's Central Hospital
St Joseph's Hospital
The Bridge Assisted Living
Westlake Family Physicians
Willow Station Dialysis
Windsor Health Care
EXHIBIT B
Weld County Paramedic Services
Date: April 14, 2003
Acute Treatment Unit
Boulder Community Hospital
Centennial Health Care
Cheyenne United Medical Center
Children's Hospital
Colorado Plains Medical Center
Craig Rehab Hospital
East Morgan County Hospital
Fairacres Manor
Greeley Medical Clinic
Hospice Unit at North Colorado Medical Center
Island Grove Regional Detox Center
Kenton Manor
Life Care Center
Longmont United Hospital
North Colorado Family Medicine
North Colorado Medical Center
North Colorado Psychcare
North Colorado Surgery Center
Platte Valley Medical Center
Poudre Valley Hospital
Salud Clinic
Sterling House
Sunrise Clinic
St Anthony's North Hospital
St Anthony's Central Hospital
St Joseph's Hospital
The Bridge Assisted Living
Westlake Family Physicians
Willow Station Dialysis
Windsor Health Care
EXHIBIT C
Weld County Paramedic Services
Date: April 14, 2003
Acute Treatment Unit
Boulder Community Hospital
Centennial Health Care
Cheyenne United Medical Center
Children's Hospital
Colorado Plains Medical Center
Craig Rehab Hospital
East Morgan County Hospital
Fairacres Manor
Greeley Medical Clinic
Hospice Unit at North Colorado Medical Center
Island Grove Regional Detox Center
Kenton Manor
Life Care Center
Longmont United Hospital
North Colorado Family Medicine
North Colorado Medical Center
North Colorado Psychcare
North Colorado Surgery Center
Platte Valley Medical Center
Poudre Valley Hospital
Salud Clinic
Sterling House
Sunrise Clinic
St Anthony's North Hospital
St Anthony's Central Hospital
St Joseph's Hospital
The Bridge Assisted Living
Westlake Family Physicians
Willow Station Dialysis
Windsor Health Care
Weld County Paramedic Services
Authorization for Release of Information
Patient:
Last First MI
Maiden or Other Name:
Date of Birth: MO DAY YR SS#: -
Medical Record Number#:
Address:
City: State: Zip Code:
Day Phone:
Evening Phone:
I hereby authorize: (Print Name of Provider)
to release information from my medical record as indicated below to:
Name:
Address:
City: State: Zip Code:
Day Phone:
Evening Phone:
Fax#: E-mail Address:
INFORMATION TO BE RELEASED
Dates:
I specifically authorize the release of information relating to:
❑ History and physical exam
❑ Progress notes
❑ Substance abuse (including alcohol/drug abuse)
❑ Lab reports
❑ Mental health(including psychotherapy notes)*
❑ X-ray reports
❑ HIV related information (AIDS related testing)
❑ Other:
❑ Marketing (except for face-to-face encounters or promotional gifts of nominal value)
X
SIGNATURE OF PATIENT OR LEGAL GUARDIAN DATE
Purpose of Disclosure:
❑ Changing Physicians
❑ Consultation/second opinion
❑ Continuing Care
❑ Insurance
❑ Legal
❑ Research
❑ School
❑ Worker's Compensation
❑ Other(please specify):
I understand that this authorization will expire _____ days after I have signed the
form. I understand that if this authorization is used for the purpose of research, it will
expire at the end of the research study, or will have no expiration date if the
authorization is used for the creation or maintenance of a research database or repository.
I understand that I may revoke this authorization at any time by notifying the providing
organization in writing, and it will be effective on the date notified except to the extent action has
already been taken in reliance upon it. I understand that information used or disclosed pursuant
to this authorization may be subject to re-disclosure by the recipient and no longer be protected
by federal or state privacy regulations. I understand that I am being requested to release this
information by: (Print Name of Provider)
for the purpose of:
I understand that my health care and payment for my health care will not be affected if
I do not sign this form. I understand that I may see and copy the information described
on this form if I ask for it (as permitted by federal law, or by state law to the extent the
state law provides greater access rights), and that I will get a copy of this form after I sign it.
I have been informed that(Print Name of Provider):
will not receive financial or in-kind compensation in exchange for using or disclosing the health
information described above. I understand that in compliance with: (Print the state whose laws
govern the Provider):
statute, I will pay a fee of: $ 14.00. There is no charge for medical records if copies are sent to
facilities for ongoing care or follow up treatment.
I understand that I may refuse to sign this authorization.
SIGNATURE OF PATIENT DATE
OR PARENT/LEGAL GUARDIAN/AUTHORIZED PERSON DATE
RECORDS RECEIVED BY DATE RELATIONSHIP TO PATIENT
FOR OFFICE USE ONLY
DATE REQUEST FILED: BY:
TYPE OF IDENTIFICATION PRESENTED AND EXPIRATION:
FEE COLLECTED
Weld County Paramedic Services
Authorization of Disclosure Log
Policy and Procedure on Patient's Right to Request Amendment to
Health Information
Weld County Paramedic Services
Date: April 14, 2003
Authority: David W. Bressler, Director Weld County Paramedic Services
Responsibility: Kathy Baxley, Office Manager Weld County Paramedic Services
Purpose
The purpose of this policy is to comply with the requirements of the Health Insurance
Portability and Accountability Act(HIPAA) and to afford our patients the right to request
amendment to their protected health information.
General Policy
It is our policy to provide our patients the right to request amendment to their protected
health information that we maintain in our designated record set, with exceptions
permitted by law.
Definitions
Amendment: to add information to an existing record, which either provides additional
information, clarifies or corrects existing information, or provides an alternative view
with respect to information that we have compiled about the patient in the patient's
designated record set.
Designated record set: medical records and billing records that we use to make health
care and payment decisions about patients.
Procedure
1. A patient who believes there is an error in information in the medical record or
billing record may approach the author of the entry, point out the error, and request
the author to correct it.
The author may accept any correction believed to be required, and will document the
correction.
This documentation must retain the original entry, state the correct information, and
reflect the author's identity and date of correction. In an electronic information system,
the correction should be made in accordance with the vendor's specification for
correcting errors such that an audit trail exists to show both the original entry and the
new entry. In paper documents, a correction may be made in one of two ways: If an
entry is simply erroneous and needs to be deleted, a line may be drawn through the
erroneous information, initialed, and dated. If an entry is erroneous and requires
correction, the entry should be noted as erroneous and correct information written in a
separate note, which must be signed and dated. The author should inquire of the
patient if the correction of the error should be disclosed to anyone who may have
received this information in the past. If so, the patient should be directed to complete
the Form to Request Amendment.
2. A patient may also request that information be added to the medical record or
billing record. This request must be made in writing, on our Form to Request
Amendment, to the Office Manager. This Form serves as both documentary evidence
of the request and our response, as well as a tracking mechanism to ensure response
within 60 days of request (with not more than one 30-day extension) and duty to
supply others with the information. This form will be processed in the following
manner:
a. Request the patient to complete the Form to Request Amendment in triplicate.
If this is not received in person, verify the patient's signature on the Form with a
sample in the medical record. The patient should keep the last copy of the Form.
b. Place the remaining two copies of the Form in the patient's medical record or
billing record, which ever is the subject of the amendment. Route the record to
the author of the record.
c. If the author accepts the patient's amendment, the author will sign and date the
Form as amendment accepted and make a note at the site in the record to which
the amendment applies that an amendment exists. The author may also add a
comment to the Form. The second copy of the Form will be returned to the
patient indicating that the amendment has been accepted. The original copy of the
Form will be used to furnish copies of the amendment to those individuals or
organizations the patient deems necessary. Such disclosures will be noted on the
form as having been completed with the signature of the staff member who
processed the disclosures. The original Form will be placed in the record.
d. If the author rejects the patient's amendment, the author must indicate one of
the following as reasons:
1) The information subject to amendment was not created by us
2) The information subject to amendment is not part of the designated
record set
3) The information would not be available for access (see our policy on
Patient's Right to Access Health Information)
4) The information contained in the existing record is accurate and
complete
The Form must be signed and dated, and the author must make a note at
the site in the record to which the amendment applies that an amendment
was requested. The second copy of the Form with this information will be
returned to the patient. The original copy of the Form will be filed in the
record. The patient may request that the request for amendment and the
denial be disclosed with any future disclosures of the information that is
the subject of the amendment.
e. If this processing cannot occur within 60 days of receipt of the request, notify
the patient in writing that a 30-day extension will be necessary to process the
request.
f. The patient may choose to submit a written statement disagreeing with the
denial. This statement must be contained on not more than one handwritten or
typewritten page of at least 10-point font. Any additional information beyond the
one page will be discarded.
When this statement of disagreement is received, it should be forwarded to the author,
who will determine whether a rebuttal will be prepared. The statement of
disagreement and any rebuttal must also be filed in the record and accompany any
future disclosures of the information that is the subject of the amendment.
3. If we are informed by another provider of an amendment to one of our patient's
records, the Office Manager will review its contents and advise the physician who
attended the patient as to any information which appears to require our action. We
will place the amendment information in our designated record set.
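The audit-trail requirement in step 1 (a correction must leave both the original entry and the new entry visible, with author and date) and the rule in steps 2.d and 2.f that a denied request, the patient's statement of disagreement and any rebuttal must accompany future disclosures, as an added Python example. This is not the plan's own record system or any vendor's product; the entry numbering, the AmendmentRequest structure and the shape of the disclosure bundle are assumptions made for illustration.

```python
"""Append-only amendment trail for a designated record set.

Added example; not the plan's own record system or a vendor product. A
correction or strike-through never overwrites the original entry: the
original, the new entry, the author and the date all stay readable. Entry
numbering, AmendmentRequest and the disclosure bundle are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    entry_id: int
    text: str
    author: str
    entered: str                     # date as written on the form, e.g. "2003-04-14"
    corrects: Optional[int] = None   # id of the entry this one supersedes
    struck: bool = False             # "line drawn through": removed but still readable


# The four denial reasons the policy allows (step 2.d).
DENIAL_REASONS = {"not_created_by_us", "not_in_designated_record_set",
                  "not_available_for_access", "accurate_and_complete"}


@dataclass
class AmendmentRequest:
    request_id: int
    entry_id: int
    requested_text: str
    accepted: Optional[bool] = None   # None while pending
    denial_reason: str = ""
    disagreement: str = ""            # patient's statement after a denial
    rebuttal: str = ""                # author's rebuttal, if prepared


class PatientRecord:
    """One patient's record: entries are only ever appended, never edited."""

    def __init__(self):
        self._entries: list[Entry] = []
        self._requests: list[AmendmentRequest] = []

    def _append(self, text, author, entered, corrects=None, struck=False) -> int:
        entry = Entry(len(self._entries) + 1, text, author, entered, corrects, struck)
        self._entries.append(entry)
        return entry.entry_id

    def _entry(self, entry_id) -> Entry:
        return self._entries[entry_id - 1]   # IndexError for an unknown id

    def add_entry(self, text, author, entered) -> int:
        return self._append(text, author, entered)

    def correct(self, entry_id, new_text, author, entered) -> int:
        """Correct an entry: the original stays, the new entry points back at it."""
        self._entry(entry_id)
        return self._append(new_text, author, entered, corrects=entry_id)

    def strike(self, entry_id, author, entered) -> int:
        """Delete an entry made in error: a line through it, initialed and dated."""
        original = self._entry(entry_id)
        return self._append(original.text, author, entered, corrects=entry_id, struck=True)

    def current(self) -> list[Entry]:
        """What a reader sees today: entries neither superseded nor struck."""
        superseded = {e.corrects for e in self._entries if e.corrects is not None}
        return [e for e in self._entries if e.entry_id not in superseded and not e.struck]

    def history(self, entry_id) -> list[Entry]:
        """Audit trail from entry_id forward: the original and every later version."""
        chain = [self._entry(entry_id)]
        while True:
            later = [e for e in self._entries if e.corrects == chain[-1].entry_id]
            if not later:
                return chain
            chain.append(later[0])

    def request_amendment(self, entry_id, requested_text) -> AmendmentRequest:
        self._entry(entry_id)
        req = AmendmentRequest(len(self._requests) + 1, entry_id, requested_text)
        self._requests.append(req)
        return req

    def decide(self, request_id, accepted, author, decided, denial_reason=""):
        """Author's decision: acceptance becomes a correction; denial needs a policy reason."""
        req = self._requests[request_id - 1]
        if req.accepted is not None:
            raise ValueError("request already decided")
        if accepted:
            req.accepted = True
            self.correct(req.entry_id, req.requested_text, author, decided)
        else:
            if denial_reason not in DENIAL_REASONS:
                raise ValueError(f"denial reason must be one of {sorted(DENIAL_REASONS)}")
            req.accepted, req.denial_reason = False, denial_reason

    def file_disagreement(self, request_id, statement, rebuttal=""):
        req = self._requests[request_id - 1]
        if req.accepted is not False:
            raise ValueError("only a denied request can carry a statement of disagreement")
        req.disagreement, req.rebuttal = statement, rebuttal

    def disclosure_bundle(self, entry_id) -> dict:
        """Everything that leaves together: current text, full history, and any
        denied amendment with the patient's disagreement and the author's rebuttal."""
        trail = self.history(entry_id)
        ids = {e.entry_id for e in trail}
        denied = [r for r in self._requests if r.entry_id in ids and r.accepted is False]
        return {
            "current": None if trail[-1].struck else trail[-1].text,
            "history": [(e.entry_id, e.text, e.author, e.entered, e.struck) for e in trail],
            "denied_amendments": [(r.requested_text, r.denial_reason,
                                   r.disagreement, r.rebuttal) for r in denied],
        }
```

Because Entry is frozen and the only mutation is appending, the original text can be recovered for any entry at any time, which is the property an auditor checks; disclosure_bundle() is the one place that assembles what goes out, so the denied request, disagreement and rebuttal cannot be separated from the disputed entry by accident.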
Policy and Procedure to Request Restrictions on Use and Disclosure of
Protected Health Information
Weld County Paramedic Services
Date: March 10, 2003
Authority: David W. Bressler, Director Weld County Paramedic Services
Responsibility:
1. It will be the responsibility of the Weld County Paramedic Services to receive
requests for and agree to any restrictions on use and disclosure of protected health
information.
2. It will be the responsibility of the Office Manager to monitor any restrictions
which the office agrees to follow.
General Policy
1. We will supply any individual who requests restrictions placed on use and
disclosure of protected health information a Form to Request Restrictions.
2. We will agree to requested restrictions if, in the judgment of a licensed health care
professional, we believe the restriction will not limit our ability to provide quality
health care treatment or manage our health care operations, and if our information
management procedures and systems will permit us to comply consistently with the
requested restrictions. We will also provide confidential communications by
alternative means or to an alternative address provided by the patient if we obtain
assurance that payment for our health care services will be handled and we receive
specification of the alternative address or other method of contact.
Procedure
1. When an individual requests restrictions, supply him or her with our Form to
Request Restrictions.
2. The Office Manager of Weld County Paramedic Services will review the Form to
Request Restrictions and determine whether we are able to accept the restrictions.
The Office Manager of Weld County Paramedic Services will complete and sign the
Form to Request Restrictions, supply the individual a copy, place the original in the
individual's permanent health record and file a copy in our Risk Management file.
The Office Manager of Weld County Paramedic Services will also make the
necessary postings to the individual's health record and/or billing record to enable the
restrictions to be carried out.
3. If the individual makes the request for restrictions in our office, we will attempt to
complete the Form to Request Restrictions during the time the individual is present in
our office, but no later than 30 days after receipt.
4. If at any time we find that we cannot carry out the restrictions requested by an
individual, we will prepare a written notice to send to him or her terminating our
agreement, which will be applicable only to information created or received after
such notice has been sent to the individual.
5. We will accept a written request from the individual to terminate the restrictions at
any time or will document any oral request to terminate restrictions from the
individual. If an oral request is received, this will be documented on the original
Form to Request Restrictions, a copy of which will be supplied to the individual.
Policy and Procedure on Requesting Confidential Handling of
Information
Weld County Paramedic Services
Date: April 14, 2003
Authority: David W. Bressler, Director Weld County Paramedic Services
Responsibility: Office Manager
Purpose
The purpose of this policy is to comply with the requirements of the Health Insurance
Portability and Accountability Act (HIPAA) and to inform our patients of their right to
request confidential handling of their protected health information when it is sent to them.
General Policy
It is our policy to accommodate reasonable requests regarding the confidential handling
of protected health information, and to maintain that the use of Protected Health
Information be consistent with the patient's request.
Definitions and Regulatory Requirements
Protected health information: Individually identifiable health information, including
information that is maintained in our medical records and billing records.
A covered health care provider must permit individuals to request and must accommodate
reasonable requests by individuals to receive communications of protected health
information from the covered health care provider by alternative means or at alternative
locations.
Conditions on providing confidential communications:
1. A covered entity may require the individual to make a request for a confidential
communication in writing.
2. A covered entity may condition the provision of a reasonable accommodation on:
a. When appropriate, information as to how payment, if any, will be handled; and
b. Specification of an alternative address or other method of contact.
3. A covered health care provider may not require an explanation from the individual
as to the basis for the request as a condition of providing communications on a
confidential basis.
Procedure
1. Patients may request confidential handling of health information by submitting a
request in one of the following ways:
a. In person, on our Request for Confidential Handling of Health Information Form
b. By mail, either on our Request for Confidential Handling of Health Information Form
or in a letter containing the necessary information specified below. All requests
should be mailed to:
Weld County Paramedic Services
1121 M Street
Greeley, CO 80631
All requests should be directed to the Office Manager, Weld County Paramedic
Services.
The request must supply the following details about the protected health
information the individual wants confidentially handled:
a. The type of information, specifying if the request is limited to a particular
illness or treatment or all health information exchanges
b. The time period for which the request applies
c. The manner in which payment will be received, if confidential handling of
billing matters pertaining to the type of information is also requested
d. The manner in which the patient wishes to receive confidential
communications, with any alternate information necessary to deliver information
in the requested manner
2. When a patient makes a request for confidential handling of their PHI:
a. Validate the request with the individual. If the request is received by mail or
e-mail, call the phone number already on file (not a number supplied in the request)
and ask to speak with the patient to confirm the request. If the request is made in
person, request proof of identity if needed.
b. If the request involves billing information, confirm that the commitment for
payment will be satisfied and hold confidential mailing until any payment due is
received. For future billing, ensure that an agreement to pay at the time of visit is
signed. Place a prominent note in the file or have a flag in your scheduling
system that payment is required at the time of visit.
c. If the request is for an alternate address, enter the address into the patient's
address file as the required confidential address.
d. If the request is to pick-up the confidential information in person, highlight the
requirement for easy recognition by staff handling correspondence.
e. If the request is time limited, flag the end date for confidential handling of
information in the appropriate files and systems.
f. Place a copy of the Request for Confidential Handling of Information Form in
the patient's medical record. Determine if your office wishes to track requests for
confidential handling of information for risk management purposes. (Include the
following statement in your policy only if answer is "yes")
Place a copy of the Request for Confidential Handling of Health Information
Form in our Risk Management file.
g. Determine if your office will send confidential communications to patients via
e-mail. If yes:
If the request is for e-mail exchange, ensure that the patient has signed the agreement
stating they are responsible for access and use of their e-mail and Weld County
Paramedic Services will not be held liable for inappropriate use or breach of that e-mail.
Ensure that the patient has initialed his/her understanding of the security requirements for
exchanging patient information over the Internet. Highlight the requirement for easy
recognition by staff handling correspondence.
Request for Confidential Handling of Health Information
I, (print name), request confidential handling of
correspondence regarding my health information for the period:
From:
To:
This request applies to health information involving:
Please be as specific as possible, e.g., treatment regarding a given illness or diagnosis.
Do you wish confidential handling of billing matters pertaining to the information described
above? ❑ Yes ❑ No
If yes, please read and sign the following:
I agree to pay all charges at the time of my visits. If for any reason the bill remains unpaid
for 30 days, then I understand the following organization will bill the original fiscally
responsible individual on record.
SIGNATURE OF PATIENT DATE
I have selected to receive confidential communications in the following way:
❑ Patient will pick up communications at the provider's office.
❑ Patient will receive any information at an alternate mailing address.
❑ Patient will receive any information through secure e-mail.
Please use the following mailing address for all health information communications that fit in the
description provided above. (Please Print)
Mailing Address:
City: State: Zip Code:
Request for Confidential Handling of Health Information
If you have any questions concerning this confidential handling,please contact:
Signature(Person responsible for handling information) Title
Print Name Phone Number
❑ PLEASE SEND CONFIDENTIAL INFORMATION VIA E-MAIL
E-mail Address:
Determine if your office will send confidential communications to patients via e-mail.
If yes: Determine if you will use secure e-mail, and if so, what type of encryption will be
required for the patient's browser. (Include the following statement in your policy only if answer
is "yes")
I understand that if I choose to receive confidential communications through e-mail, I am
responsible for secure access to my e-mail and computer and will not hold the provider's office
responsible for any breach that may occur on the receiving end of this transmission. I also
understand that in order to receive this confidential communication securely I must have a
browser that supports 128-bit encryption, currently supported by version 5.50 of Microsoft Internet Explorer.
SIGNATURE OF PATIENT DATE
Weld County Paramedic Services
Special Request by Patient Log
[Log column headings; legible columns: Date, Type of Request; the remaining headings are illegible in the scan]
Policy and Procedure on the Handling of Privacy Complaints
Weld County Paramedic Services
Date: April 14, 2003
Authority: David W. Bressler, Weld County Paramedic Services
Responsibility: Office Manager, 1-970-353-5700 extension 13202
Purpose
The purpose of this policy is to comply with the privacy requirements of the Health
Insurance Portability and Accountability Act (HIPAA) and to afford our patients the right
to file a complaint, have the complaint investigated and, if appropriate, receive the
disposition of the complaint pursuant to the HIPAA privacy rules and our implementing
policies and procedures.
General Policy
It is our policy to keep a record of all complaints and to investigate all valid complaints to
determine the circumstances surrounding any concerns our patients raise regarding
privacy. If a patient's privacy rights have been infringed upon in any way, or there is
evidence that our staff or associates have not adhered to the privacy standards or our
policies and procedures, we will take actions consistent with the HIPAA regulations and
our Policy and Procedure on Personnel Discipline for Breach of Privacy or
Confidentiality and document these actions accordingly. The HIPAA privacy regulations
give all individuals the right to file complaints to Weld County Paramedic Services and
the Office of the Secretary in the Federal Department of Health and Human Services.
Under no circumstances will the fact that an individual has filed a complaint affect the
services provided to that individual. Any staff found to be treating any individual
differently in light of a complaint will be sanctioned. Any retaliation is prohibited by
law.
Procedure
1. Patients may file privacy complaints by submitting them in one of the following
ways:
a. In person, on our Privacy Complaint Form;
b. By mail, either on our Privacy Complaint Form or in a letter containing the
necessary information specified below. All requests should be mailed to:
Weld County Paramedic Services
1121 M Street
Greeley, CO 80631
c. By telephone at 1-970-353-5700 extension 13203
d. By facsimile machine at 1-970-304-6408
e. By e-mail to dbressler@co.weld.co.us
All privacy complaints should be directed to David W. Bressler, Director,
1-970-353-5700 extension 13211.
The complaint must describe the privacy concern in as much detail as possible
including when the infraction of the standards or mishandling of protected health
information was believed to have occurred, and who, if known, was believed to
have acted inappropriately with respect to protected health information or an
individual's privacy rights. The complaint must include the following
information:
a. The type of infraction the complaint involves (i.e. inappropriate handling of
PHI, appropriateness of privacy policies and processes)
b. A detailed description of the privacy issue
c. The date the incident or problem occurred, if applicable
d. The mailing address
2. When a patient files a privacy complaint:
a. Validate the complaint with the individual. If the complaint is received by
mail, phone, fax or e-mail, call the existing contact phone number and ask to speak
with the patient to confirm the complaint. If the complaint is made in person,
request confirmation of identity, if needed, and validate the facts of the complaint.
b. If the complaint appears to be a misunderstanding of the requirements or your
policies and procedures, contact the patient and determine if, based on a more in
depth discussion of the concern, the individual still wants to file a complaint. Be
as courteous as possible. UNDER NO CIRCUMSTANCES SHOULD A
PATIENT FEEL PRESSURED OR COERCED EVEN IF YOU BELIEVE
THEY ARE STILL MISUNDERSTANDING THE RULES OR POLICIES. If
the individual does not want to pursue the complaint any further, indicate "no
further action required based on clearer understanding", record the date and time,
and file under dismissed complaints.
c. Once validated and if not dismissed, log the complaint by placing a copy of the
complaint form in the complaint file and the patient's medical record.
d. Investigate the complaint by reviewing the circumstances with the relevant
staff and reviewing any audit and monitoring logs that may have relevance to the
complaint. If the complaint involves any issues with an individual's rights that
have attendant documentation (e.g., consent or authorization processes or
confidential requests), pull all relevant forms. Complete the complaint
investigation section of the complaint form with a summary of your findings.
e. If you determine the complaint is invalid, draft a letter stating the reasons the
complaint was found invalid. Initially, an impartial, knowledgeable staff person
or lawyer should review all letters for tone and rationale. Standard letters will
likely emerge over time. File a copy of the letter and form in the investigated
complaints file.
f. If you are uncertain about your findings, get a second opinion from your
HIPAA privacy committee or your lawyer.
g. If you determine the complaint is valid and linked to a required process or an
individual's rights, follow your office sanction policy to the extent that an
individual is responsible. If the complaint involves your office's compliance with
the standards that do not involve a single individual (e.g., policies and procedures
themselves versus adherence to them), then begin the process to revise your
current policies and procedures.
h. Once an appropriate sanction or action has been taken with respect to a
complaint with merit, or if the response will take more than 30 days, draft a letter
explaining the findings and the associated response or intended response. Use the
same review process as for the invalid complaint letter in item e in the list above.
Document the disposition of the complaint on the complaint form and file the
letter and form in the investigated complaints file.
i. Place a copy of the complaint form in the patient's medical record.
j. Determine if your office will respond to privacy complaints via e-mail
If yes:
Determine if you will use secure e-mail and if so what type of encryption will be
required for the patient's browser. (Include this statement in your policy only if
answer is "yes")
Since your office accepts complaints via e-mail, be sure that the patient has signed
the agreement stating they are responsible for access and use of their e-mail and
that Weld County Paramedic Services will not be held liable for inappropriate use
or breach of that e-mail. Also, check to ensure that the patient has initialed their
understanding of the security requirements for exchanging patient information
over the Internet.
k. Determine if your office wishes to track privacy complaints for risk
management purposes.
(Include the following statement only if answer is "yes")
Review complaint files, both invalid and investigated complaints, at least annually
to determine if there are any emerging patterns.
Weld County Paramedic Services
Privacy Complaint Form
I, (print name), am registering a formal complaint
regarding Weld County Paramedic Services.
The complaint involves:
❑ Issue relating to Weld County Paramedic Services privacy policies and processes
❑ Specific concern regarding the handling of my protected health information
❑ Other
A detailed description of the privacy issue involved in the complaint is provided below:
The incident or problem occurred on (month/day/year), if applicable
I can be reached at (please provide day-time number)
Patient Signature:
Please use the following mailing address for a formal response to this complaint.
MAILING ADDRESS (Please Print):
City: State: Zip Code:
If you would like to follow up on the status of your complaint, please contact:
X
Office Manager, Weld County Paramedic Services: 1-970-353-5700 extension 13203
Weld County Paramedic Services
Privacy Complaint Form (con't)
FOR OFFICE USE ONLY
❑ Dismissed ❑ Investigated ❑ Invalid ❑ Has Merit
Summary of Investigation
Response to Complaints with Merit:
Staff Involved in Review:
Name: Date:
Name: Date:
Name: Date:
Name: Date:
Weld County Paramedic Services
Patient Complaint Log
[Log column headings; legible columns: Date, Patient Name, Type of Issue, Received By; the remaining headings are illegible in the scan]
Policy and Procedure for Informing Individuals Concerning
Opportunity to Accept/Reject Certain Uses and Disclosures
Weld County Paramedic Services
Date: April 14, 2003
Authority: David W. Bressler
Responsibility
It will be the responsibility of the Office Manager to exercise professional judgment to
use or disclose information where consent or authorization is not required. The
individual, however, must be given an opportunity to agree or object to the use or
disclosure.
General Policy
Our Notice of Privacy Practices will identify the circumstances in which we may use or
disclose protected health information for which consent or authorization is not required,
but the individual must be given an opportunity to agree or object. These circumstances
include:
1. Uses and disclosures of protected health information that we believe in our
professional judgment to be in the individual's best interest for purposes of care or for
notification of the individual's general condition, location, or death. Such disclosures
may include making health information directly relevant to the individual's care or
payment related to care available to a family member, other relative, close personal
friend, or any other person identified by the individual as involved in care or payment
of care. We may disclose health information to notify a family member, personal
representative, or another person responsible for the individual's care concerning the
individual's general condition, location, or death. We may also disclose health
information about the individual to an entity assisting in a disaster relief effort so that
the individual's family can be notified about the individual's general condition,
location, or death.
2. Using and disclosing protected health information to contact the individual as a
reminder that the individual has an appointment. We must give the individual the
right to request that such confidential communication be sent to an alternative
location or by an alternative means.
3. Using and disclosing protected health information to tell the individual about non-
health-related products or services. Such marketing communications must indicate
whether we are being paid for the marketing.
4. Using protected health information about the individual to contact the individual in
an effort to raise money for our not-for-profit operations. We may disclose health
information to a foundation related to our practice so that the foundation may contact
the individual in raising money for our practice. We only will release contact
information, such as the individual's name, address, and phone number and the dates
the individual received treatment or services from us.
The fundraising communication must include a description of how the individual may
opt-out of receiving any further fundraising communications.
Procedure
1. When an individual is present or otherwise available prior to a use or disclosure
for which a consent or authorization is not required but the individual must be given
an opportunity to agree or object, we may obtain the individual's oral agreement,
inform him/her of our intent and provide the individual the opportunity to object, or
reasonably infer from the circumstances that the individual does not object to the
disclosure. For example, if we request an individual to complete an appointment
reminder post card, we may infer from the individual's completion of the card that
there is no objection to this disclosure. If we plan on calling the individual, however,
we will inform him/her that a call will be made and ask if there is any objection or
alternative telephone number for us to call.
2. If the individual is not present or the opportunity to agree or object cannot
practicably be provided because of the individual's incapacity or an emergency
circumstance, we may exercise professional judgment to determine whether the
disclosure is in the best interest of the individual. If so, we will disclose only the
protected health information that is directly relevant to the person's involvement with
the individual's health care. For example, we will infer there is no objection if a
person is acting on behalf of the individual to pick up filled prescriptions, medical
supplies, x-rays, or other similar forms of protected health information. However, if a
known family member, other relative, close personal friend, or other person involved
in the individual's care is present in our office and does not volunteer to act on behalf
of the individual, we will not infer that there is no objection to disclosing protected
health information and we will not disclose such information.
3. If the individual is sent any marketing or fundraising communications for which
we do not have specific restrictions on file, we will ensure they meet the requirements
set forth in HIPAA's privacy rule and will include a description of how the individual
may opt out of receiving any further such communications.
4. If the individual has filed a Form to Request Restrictions that cover any of the above
disclosures of protected health information, we will accept such restrictions and take
every measure practicable to not disclose such information.
Policy and Procedure on Accounting for Disclosures
Weld County Paramedic Services
Date: April 14, 2003
Authority: David W. Bressler, Director Weld County Paramedic Services
Responsibility: Office Manager, 1-970-353-5700 extension 13203
Purpose
The purpose of this policy is to comply with the requirements of the Health Insurance
Portability and Accountability Act (HIPAA) and to afford our patients the right to request
and receive an accounting of disclosures we make concerning their health information.
General Policy
It is our policy to keep an accurate accounting of all applicable disclosures that we make
of our patients' protected health information; and to provide an accounting of those
disclosures to patients who may request an accounting, as permitted by law.
Definitions
Disclosure—the release, transfer, provision of access to, or divulging in any other manner
of information outside of this office.
Applicable disclosure—refers only to those disclosures of patients' protected health
information made for reasons other than:
• to carry out treatment, receive reimbursement, or carry out our operations
• to the patients themselves
• to persons involved in a patient's care
• for national security or intelligence purposes (as specified in our policy on
Authorization for Release of Information)
• to correctional institutions or law enforcement officials under certain circumstances
(as specified in our policy on Authorization for Release of Information)
• those that occurred prior to April 14, 2003
Protected health information—individually identifiable health information, including that
information maintained in our medical records and billing records.
Procedure
1. Patients may request an accounting of disclosures by submitting a request in
writing on our Request for Accounting for Disclosures Form to our Office Manager.
The request must state the time period for which the accounting is to be supplied,
which may not be longer than six years and may not include dates before April 14,
2003.
2. When a request for an accounting of disclosures is made by a patient:
a. Obtain the patient's medical record.
b. Review the medical record to determine if it contains a written statement from
a health oversight agency or law enforcement official that such an accounting to
the patient must be suspended because such an accounting would impede the
agency's activities. If such a statement exists, review the time period of the
suspension. If the suspension is for less than 60 days from the date of receiving
the request, hold the request until the suspension period has ended and then
process the request. If the suspension is for more than 60 days from the date of
receiving the request, send the Accounting for Disclosures Form indicating that
we are temporarily unable to process the accounting due to a suspension required
by law, but will comply with the request when the suspension has been lifted, and
specify the date on which the suspension will be lifted. If the time period for
suspension has passed, proceed to process the request.
c. Review the section of the medical record that contains authorizations and
requests for disclosures to determine which disclosures are applicable to the
accounting (see Definitions above) and within the time period being requested.
d. Complete the Accounting for Disclosures Form to supply the date(s) of
disclosure(s), name(s) and address(es) of organizations or persons to whom the
disclosure(s) were made, a brief description of the protected health information
disclosed, the purpose of the disclosure(s), and the name of our Office Manager
and date the form was mailed.
e. Send the Accounting for Disclosures Form to the patient within 60 days of
receiving the request. If we are unable to complete this process within 60 days,
send the Accounting for Disclosures Form to the patient indicating we will need a
30-day extension to complete the process, indicate the date on which we will
supply the accounting, and check off the reason for the delay.
f. Place a copy of the Accounting for Disclosures Form in the patient's medical
record. Determine if your office wishes to track accountings for disclosures for
risk management purposes (Include the following statement only if answer is
"yes").
Place a copy of the Accounting for Disclosures Form in our Risk Management
file.
3. We will provide the first accounting to a patient in any 12-month period without
charge. For any subsequent request within the 12-month period, we will charge
$14.00, as specified on the Request for Accounting for Disclosures Form. (A patient
who does not wish to pay for subsequent accountings may withdraw the request and
no accounting will be made.)
Request for Accounting for Disclosures of Health
I, (print name), request an accounting for
disclosures of my health information for the period:
From:
To:
I understand that this accounting for disclosures will include disclosures made only to those
organizations or persons other than:
• to those for whom use and disclosure of my health information was made to carry out
my treatment, process payment for my health care, or carry out your operations
• to myself or persons involved in my care
• for national security or intelligence purposes (as specified in your Notice of Privacy
Practices)
• to correctional institutions or law enforcement officials under certain circumstances (as
specified in your Notice of Privacy Practices)
• those that occurred prior to April 14, 2003
❑ I understand that I may receive the first accounting for disclosures within a 12-month period
at no charge.
❑ I understand that I am requesting a second or subsequent accounting in a 12-month period
and will pay the charge of $30.00 for this accounting.
Send this accounting to: (Please Print)
Mailing Address:
City: State: Zip:
SIGNATURE OF PATIENT DATE
Accounting for Disclosures
❑ There were no applicable disclosures made of your health information for the period you
specified.
❑ Disclosures of your health information were made by this office to:
Date of Disclosure | Name and Address to Whom Disclosed | Description of Information Disclosed | Purpose of Disclosure
We are temporarily unable to process the accounting for disclosures you have requested due to:
❑ a suspension required by law
❑ other:
but will comply with your request by the date of:
If you have any questions concerning this accounting for disclosures, please contact:
X
Signature of person responsible for handling Date
requests for access to health information
Phone Number
Print Name of person responsible for handling requests for access to health information
FOR OFFICE USE ONLY
LAST PAID
Weld County Paramedic Services
Log of Disclosed PHI
NOTE -It is NOT Necessary to Log Disclosures Made:
For Treatment, Payment or Operations
To the Individuals Themselves
When the Individual has Made an Authorization
For a Facility Directory or to Care Providers
As Part of a Limited Data Set Defined in 164.514(e)
As Required and Allowed by Law(Seek Counsel for Requests Made Under These Circumstances)
[Log column headings; legible columns: Date Disclosed, Reason for Disclosure, Staff Member; any remaining headings are illegible in the scan]
Business Associates Contract
THIS CONTRACT is entered into on this [EFFECTIVE DATE OF POLICY], between
Weld County Paramedic Services and [BUSINESS ASSOCIATE].
WHEREAS, Weld County Paramedic Services will make available and/or transfer to
[BUSINESS ASSOCIATE]. Protected Health Information, in conjunction with goods or
services that are being provided by [BUSINESS ASSOCIATE] to Weld County
Paramedic Services, that is confidential and must be afforded special treatment and
protection.
WHEREAS, [BUSINESS ASSOCIATE] will have access to and/or receive from Weld
County Paramedic Services Protected Health Information that can be used or disclosed
only in accordance with this Contract and the HHS Privacy Regulations.
NOW, THEREFORE, Weld County Paramedic Services and [BUSINESS ASSOCIATE]
agree as follows:
1. Definitions. The following terms shall have the meaning ascribed to them in this
Section. Other capitalized terms shall have the meaning ascribed to them in the
context in which they first appear.
a. Contract shall refer to this document.
b. BUSINESS ASSOCIATE shall mean [BUSINESS ASSOCIATE].
c. COVERED ENTITY shall mean Weld County Paramedic Services.
d. HHS Privacy Regulations shall mean the Code of Federal Regulations
("C.F.R.") at Title 45, Sections 160 and 164.
e. Individual shall mean the person who is the subject of the Protected Health
Information, as defined by 45 C.F.R. 164.501.
f. Protected Health Information shall mean any individually identifiable health
information provided and/or made available by Weld County Paramedic Services
to [BUSINESS ASSOCIATE], and has the same meaning as the term "protected
health information" as defined by 45 C.F.R. 164.501.
g. Parties shall mean [BUSINESS ASSOCIATE] and Weld County Paramedic
Services.
h. Secretary shall mean the Secretary of the Department of Health and Human
Services (HHS) and any other officer or employee of HHS to whom the authority
involved has been delegated.
2. Term. The term of this Contract shall commence as of the 14th of April 2003
(the compliance date of the HHS Privacy Regulations), and shall expire when all of the Protected
Health Information provided by Weld County Paramedic Services to [BUSINESS
ASSOCIATE] is destroyed or returned to Weld County Paramedic Services
pursuant to Clause 26 of this contract.
3. Limits On Use And Disclosure Established By Terms Of Contract.
[BUSINESS ASSOCIATE] hereby agrees that it shall be prohibited from using or
disclosing the Protected Health Information provided or made available by Weld
County Paramedic Services for any purpose other than as expressly permitted or
required by this Contract. (ref. 164.504(e)(2)(i)).
4. Stated Purposes For Which BUSINESS ASSOCIATE May Use Or
Disclose Protected Health Information. The Parties hereby agree that
[BUSINESS ASSOCIATE] shall be permitted to use and/or disclose Protected
Health Information provided or made available from Weld County Paramedic
Services for the following stated purposes:
[STATE PURPOSE OF DISCLOSURE]
5. Use Of Protected Health Information For Management, Administration And
Legal Responsibilities. [BUSINESS ASSOCIATE] is permitted to use Protected
Health Information if necessary for the proper management and administration of
[BUSINESS ASSOCIATE] or to carry out legal responsibilities of [BUSINESS
ASSOCIATE]. (ref. 164.504(e)(4)(i)(A-B)).
6. Disclosure Of Protected Health Information For Management,
Administration and Legal Responsibilities. [BUSINESS ASSOCIATE] is
permitted to disclose Protected Health Information received from Weld County
Paramedic Services for the proper management and administration of [BUSINESS
ASSOCIATE] or to carry out legal responsibilities of [BUSINESS ASSOCIATE],
provided:
a. The disclosure is required by law; or
b. The [BUSINESS ASSOCIATE] obtains reasonable assurances from the person
to whom the Protected Health Information is disclosed that it will be held
confidentially and used or further disclosed only as required by law or for the
purposes for which it was disclosed to the person, the person will use appropriate
safeguards to prevent use or disclosure of the Protected Health Information, and
the person immediately notifies the [BUSINESS ASSOCIATE] of any instance of
which it is aware in which the confidentiality of the Protected Health Information
has been breached. (ref. 164.504(e)(4)(ii)).
7. Data Aggregation Services. [BUSINESS ASSOCIATE] is also permitted to use
or disclose Protected Health Information to provide data aggregation services, as that
term is defined by 45 C.F.R. 164.501, relating to the health care operations of Weld
County Paramedic Services. (ref. 164.504(e)(2)(i)(B)).
8. Limits On Use And Further Disclosure Established By Contract And Law.
[BUSINESS ASSOCIATE] hereby agrees that the Protected Health Information
provided or made available by Weld County Paramedic Services shall not be further
used or disclosed other than as permitted or required by the Contract or as required by
law. (ref. 45 C.F.R. 164.504(e)(2)(ii)(A)).
9. Appropriate Safeguards. [BUSINESS ASSOCIATE] will establish and maintain
appropriate safeguards to prevent any use or disclosure of the Protected Health
Information. (ref. 164.504(e)(2)(ii)(B)).
10. Reports Of Improper Use Or Disclosure. [BUSINESS ASSOCIATE] hereby
agrees that it shall report to Weld County Paramedic Services within two (2) days of
discovery of any use or disclosure of Protected Health Information not provided for
or allowed by this Contract. (ref. 164.504(e)(2)(ii)(C)).
11. Subcontractors And Agents. [BUSINESS ASSOCIATE] hereby agrees that
any time Protected Health Information is provided or made available to any
subcontractors or agents, [BUSINESS ASSOCIATE] must enter into a subcontract
with the subcontractor or agent that contains the same terms, conditions and
restrictions on the use and disclosure of Protected Health Information as contained in
this Contract. (ref. 164.504(e)(2)(ii)(D)).
12. Right Of Access To Protected Health Information. [BUSINESS
ASSOCIATE] hereby agrees to make available and provide a right of access to
Protected Health Information by an Individual. This right of access shall conform
with and meet all of the requirements of 45 C.F.R. 164.524, including substitution of
the words "Covered Entity" with [BUSINESS ASSOCIATE] where appropriate. (ref.
164.504(e)(2)(ii)(E)).
13. Amendment And Incorporation Of Amendments. [BUSINESS
ASSOCIATE] agrees to make Protected Health Information available for amendment
and to incorporate any amendments to Protected Health Information in accordance
with 45 C.F.R. 164.526, including substitution of the words "Covered Entity" with
[BUSINESS ASSOCIATE] where appropriate. (ref. 164.504(e)(2)(ii)(F)).
14. Provide Accounting. [BUSINESS ASSOCIATE] agrees to make Protected
Health Information available as required to provide an accounting of disclosures in
accordance with 45 C.F.R. 164.528, including substitution of the words "Covered
Entity" with [BUSINESS ASSOCIATE] where appropriate. (ref.
164.504(e)(2)(ii)(G)).
15. Access To Books And Records. [BUSINESS ASSOCIATE] hereby agrees to
make its internal practices, books, and records relating to the use or disclosure of
Protected Health Information received from, or created or received by [BUSINESS
ASSOCIATE] on behalf of the Weld County Paramedic Services, available to the
Secretary or the Secretary's designee for purposes of determining compliance with the
HHS Privacy Regulations. (ref. 164.504(e)(2)(ii)(H)).
16. Return Or Destruction Of Protected Health Information. At termination of
this Contract, [BUSINESS ASSOCIATE] hereby agrees to return or destroy all
Protected Health Information received from, or created or received by [BUSINESS
ASSOCIATE] on behalf of Weld County Paramedic Services. [BUSINESS
ASSOCIATE] agrees not to retain any copies of the Protected Health Information
after termination of this Contract. If return or destruction of the Protected Health
Information is not feasible, [BUSINESS ASSOCIATE] agrees to extend the
protections of this Contract for as long as necessary to protect the Protected Health
Information and to limit any further use or disclosure. If [BUSINESS ASSOCIATE]
elects to destroy the Protected Health Information, it shall certify to Weld County
Paramedic Services that the Protected Health Information has been destroyed. (ref.
164.504(e)(2)(ii)(I)).
17. Mitigation Procedures. [BUSINESS ASSOCIATE] agrees to have procedures
in place for mitigating, to the maximum extent practicable, any deleterious effect
from the use or disclosure of Protected Health Information in a manner contrary to
this Contract or the HHS Privacy Regulations. (ref. 164.530(f)).
18. Sanction Procedures. [BUSINESS ASSOCIATE] agrees and understands that
it must develop and implement a system of sanctions for any employee, subcontractor
or agent who violates this Agreement or the HHS Privacy Regulations. (see
164.530(e)(1)).
19. Property Rights. The Protected Health Information shall be and remain the
property of Weld County Paramedic Services. [BUSINESS ASSOCIATE] agrees
that it acquires no title or rights to the Protected Health Information, including any
de-identified Protected Health Information, as a result of this Contract.
20. Termination of Contract. [BUSINESS ASSOCIATE] agrees that Weld County
Paramedic Services has the right to immediately terminate this Contract and seek
relief if Weld County Paramedic Services determines that [BUSINESS ASSOCIATE]
has violated a material term of this Contract. (ref. 164.506(e)(2)(iii)).
21. Grounds For Breach. Any non-compliance by [BUSINESS ASSOCIATE] of
this Contract or the HHS Privacy Regulations will automatically be considered to be a
Grounds For Breach, if [BUSINESS ASSOCIATE] knew or reasonably should have
known of such non-compliance and failed to immediately take reasonable steps to
notify Weld County Paramedic Services and cure the noncompliance.
22. Governing Law. This Contract shall be governed by the laws of Colorado.
23. Injunctive Relief. Notwithstanding any rights or remedies provided for in this
Contract, Weld County Paramedic Services retains all rights to seek injunctive relief
to prevent or stop the unauthorized use or disclosure of Protected Health Information
by [BUSINESS ASSOCIATE] or any agent, contractor or third party that received
Protected Health Information from [BUSINESS ASSOCIATE].
24. Binding Nature and Assignment. This Contract shall be binding on the Parties
hereto and their successors and assigns, but neither Party may assign this Agreement
without the prior written consent of the other, which consent shall not be
unreasonably withheld.
25. Notices. Whenever under this Contract one party is required to give notice to the
other, such notice shall be deemed given if mailed by First Class United States mail,
postage prepaid, and addressed as follows:
COVERED ENTITY:
Weld County Paramedic Services
1121 M Street
Greeley, Colorado 80631
BUSINESS ASSOCIATE:
[PUT IN ADDRESS]
Either Party may at any time change its address for notification purposes by mailing a
notice stating the change and setting forth the new address.
26. Article Headings. The article headings used are for reference and convenience
only, and shall not enter into the interpretation of this Contract.
27. Force Majeure. [BUSINESS ASSOCIATE] shall be excused from performance
under this Contract for any period [BUSINESS ASSOCIATE] is prevented from
performing any services pursuant hereto, in whole or in part, as a result of an Act of
God, war, civil disturbance, court order, labor dispute or other cause beyond its
reasonable control, and such nonperformance shall not be grounds for termination.
28. Entire Agreement. This Contract consists of this document, and constitutes the
entire agreement between the Parties. There are no understandings or agreements
relating to this Agreement which are not fully expressed in this Contract and no
change, waiver or discharge of obligations arising under this Contract shall be valid
unless in writing and executed by the Party against whom such change, waiver or
discharge is sought to be enforced.
IN WITNESS WHEREOF, [BUSINESS ASSOCIATE] and Weld County Paramedic
Services have caused this Contract to be signed and delivered by their duly authorized
representatives, as of the date set forth above.
BUSINESS ASSOCIATE:
X
[Print Name]
[Title]
COVERED ENTITY:
X
[Print Name]
[Title]
Weld County Paramedic Services
Business Associates Contract Log
Overview of Policies and Procedures on Privacy and Security
Weld County Paramedic Services
Date: April 14, 2003
Authority: David W. Bressler, Director Weld County Paramedic Services
Purpose
A copy of this document should be given to each staff member.
While there are many policies directed at singular aspects of privacy and confidentiality,
this overview is directed at developing a simple overall guideline for the understanding of
the relationship between the staff and the clients of Weld County Paramedic Services.
The electronic and paper record resources of Weld County Paramedic Services are
provided for the singular purpose of facilitating patient care and business processes. Any
person who uses Weld County Paramedic Services paper records and/or computing
resources for non-business or unauthorized purposes may be subject to disciplinary
action, up to and including termination, and civil or criminal legal action.
Management at all levels is responsible for monitoring the actions of its staff and
enforcing the intent of this overview. All questions, concerns or infractions should be
directed to the Director of Weld County Paramedic Services.
Prohibited Activities
The following are examples of prohibited activities:
1. Using Weld County Paramedic Services computing systems or data for personal
business or gain;
2. Specific violations of Weld County Paramedic Services electronic mail, Internet and
facsimile machine policy;
3. Unauthorized browsing of patient, personnel, financial, or other records for the
purpose of personal curiosity or with the intent of improperly disclosing the information
contained in those records;
4. Interfering with the operation of any of Weld County Paramedic Services computing
systems or using a Weld County Paramedic Services computer to disrupt any external
computing system;
5. Altering or deleting any of Weld County Paramedic Services data or software, except
when performing authorized business functions; and
6. Installing unauthorized or illegally-copied software on any of Weld County Paramedic
Services computer terminals.
Responsibilities
1. Every staff member is accountable for all computing activities he/she performs.
2. Users shall comply with all Weld County Policies to safeguard systems and data.
3. User identification codes are not to be shared, except under special circumstances
approved by the Director of Weld County Paramedic Services.
4. Passwords shall not be divulged, orally or in writing.
5. Workstations and terminals to be left unattended shall be logged off or locked.
6. All suspected or known breaches of confidentiality or computer security shall be
reported to David W. Bressler, Director of Weld County Paramedic Services, or another
member of management immediately.
Organizational Policies and Training
The management of Weld County Paramedic Services will instruct users in Information
Confidentiality, Privacy, and Security policies, standards and procedures, as well as in the
principles of information confidentiality and computer security.
Management of Weld County Paramedic Services shall maintain written policies on the
management of private patient information and other protected data, and shall make
them readily available to staff.
Behavior in Interacting with Patients
Staff or volunteers of Weld County Paramedic Services are obligated to make sure that
patient information is not disclosed inappropriately, accidentally or negligently. In order
to do this we must take appropriate precautions to safeguard medical information, as
described below.
1. Do not allow medical information on terminals to be visible to patients.
2. Keep patient charts and encounter forms face down. Never leave them out where
others can see them.
3. Use confidential trash bins when disposing of patient information. Any document
with a patient's name, insurance number or a partial patient record is considered protected
health information.
4. Place patient record charts and other patient information outside exam rooms or
clinical offices so that they face the door or wall.
5. Speak softly over the phone and try to avoid excessive use of the patient's name.
6. Do not discuss patient information with anyone in a social conversation.
7. Make a habit of speaking to patients in private offices and exam rooms only.
8. Do not discuss the reason for a patient's visit in the waiting area or in front of others.
9. Anticipate patient privacy needs when giving out test results, setting up appointments
and obtaining or explaining referrals.
Policy and Procedure on Personnel Discipline for Breach of Privacy or
Confidentiality
Weld County Paramedic Services
Date: April 14, 2003
Authority: David W. Bressler, Director Weld County Paramedic Services
Responsibility: David W. Bressler, Director
Purpose
This plan provides guidance for the appropriate response to breaches in patient privacy
and confidentiality at Weld County Paramedic Services. This guidance is intended to
ensure that staff and management understand the appropriate seriousness of any breach
and the stated penalties and actions. Weld County Paramedic Services has a very strong
commitment to protecting the confidentiality of its patients' records and clinical
information. To ensure compliance with the policy by all staff and to ensure consistency
in the discipline and actions taken upon evidence of breach in patient confidentiality by
staff, Weld County Paramedic Services has adopted the disciplinary process set forth
below.
General Policy
Weld County Paramedic Services and its staff are entrusted with information regarding
our patients and we recognize that the patient record is highly confidential and must be
treated with great respect and care by all staff. Any breach in patient confidentiality by a
staff person is subject to formal disciplinary action as delineated in this policy.
A breach in patient confidentiality occurs when a member of the Weld County Paramedic
Services staff:
a. Views or accesses private patient health information for any reason not related to
the provision of care and treatment or another authorized purpose;
b. Discusses with or reveals to any individual(s), private patient health information
for purposes not related to patient care and treatment or another authorized purpose;
or
c. Violates the provisions of Weld County Paramedic Services policy on the
confidentiality of private patient health information as stated in the general overview
policy as provided to the staff.
For any breach in patient confidentiality, the staff member shall be subject to disciplinary
actions as set forth in the "Procedures" section below.
Every staff member should receive and read a copy of this document and "Overview of
Policies and Practices in Privacy and Security."
Procedures
1. Review. The Director of Weld County Paramedic Services is responsible for the
content and administration of this policy. The policy shall be reviewed and evaluated
one year from its effective date with specific focus on the Disciplinary Process
section, and then every two years thereafter.
2. Level of Breach. Breaches in patient confidentiality have been divided into the
following three levels, with the corresponding disciplinary actions for each level of
breach.
A. Level 1 — Carelessness
This level of breach occurs when a member of the Weld County Paramedic Services staff
unintentionally or carelessly accesses, reviews or reveals patient information to
him/herself or others without a legitimate need to know the patient information.
Disciplinary Sanctions:
1. Depending upon the facts, counseling, oral warning, written warning, final written
warning or suspension, documented in writing and maintained in the employee's
personnel record, or termination
2. Except in the case of termination, the employee shall be required to repeat the
confidentiality training module
3. Level 1 disciplinary sanctions shall be administered in a progressive manner
4. Disciplinary sanctions shall be reported to the applicable professional licensing
board as appropriate
B. Level 2 — Curiosity or Concern (no personal gain)
This level of breach occurs when an employee intentionally accesses or discusses patient
information for purposes other than the care of the patient or other authorized purposes,
but for reasons unrelated to personal gain.
Disciplinary Sanctions:
1. First offense: Depending upon the facts, oral or written warning documented and
maintained in the employee's personnel record
2. Second offense: Depending upon the facts, a final written warning and suspension
for 3-30 days without pay, documented and maintained in the employee's personnel
record, or termination
3. Third Offense: Termination
4. Except in the case of termination, the employee shall be required to repeat the
confidentiality training module
5. Disciplinary sanctions shall be reported to the applicable professional licensing
board as appropriate.
C. Level 3 — Personal Gain or Malice
This level of breach occurs when an employee accesses, reviews or discusses patient
information for personal gain or with malicious intent.
Disciplinary Sanctions:
1. First offense: Termination
2. Report to applicable professional licensing board
3. Disciplinary Process. The following process must be followed when an employee
breaches, or is suspected of breaching, patient confidentiality.
A. Initial Reporting
1) An individual who observes or is aware of a breach reports it to his/her
immediate supervisor, who in turn should report this incident to the
Privacy Officer
2) The Privacy Officer reports this to his/her reporting authority, who
consults management as appropriate
3) Failure to report a breach of which one has knowledge will result in
appropriate disciplinary action
4) Reporting of a breach in bad faith or for malicious reasons will result in
appropriate disciplinary action
B. Activity Upon Clear Evidence of Breach of Confidentiality
1) The incident shall be reported to the Privacy Officer, who shall
investigate the incident and report the matter to appropriate management.
C. Reporting and Filing Requirements
1) All incidents should be reported to your immediate supervisor and the
Privacy Officer.
D. Imposition of Appropriate Discipline
1) Based upon the severity of the breach management shall take the
appropriate disciplinary actions provided under the employer's personnel
policies.
For all levels of breach, after final resolution, the initial report and all written
documentation relating to the breach shall be filed in a confidential file in the Privacy
Officer's office and a referring note placed in the Security Log. The disciplinary action
and appropriate documentation shall also be placed in the employee's personnel file.
4. Upon investigation of a Level 2 breach, or higher, the following actions should be
taken.
a. The Privacy Officer should ensure that the access of the accused employee to
any paper or electronic medical records is immediately suspended.
b. The Privacy Officer should retrieve keys and/or badges from the accused
employee that allow access to secure areas where patient records are kept.
c. The Privacy Officer should inform all appropriate supervisors about the
suspension or removal of the access privileges of the accused employee.
d. The Privacy Officer should include a written report of all actions in a
confidential file in the Privacy Officer's office and a referring note placed in the
Security Log. The disciplinary action and appropriate documentation shall also
be placed in the employee's personnel file.
After reading this policy, sign and date the lower portion of this page and return it to your
immediate supervisor. Detach the acknowledgement and retain the policy for your
records.
Policy and Procedure on Physical Security
Weld County Paramedic Services
Date: April 14, 2003
Authority: David W. Bressler, Director Weld County Paramedic Services
Responsibility: Privacy Officer
Purpose
A Physical Security policy document should exist detailing the measures taken to protect
buildings in regard to disasters (flooding, fire, earthquakes, explosions, power outage),
theft, physical access, computer rooms and wiring cabinets.
General Policy
All Weld County Paramedic Services staff should understand and support the control of
access to the public, clients, general staff and staff with specific access privileges.
Upon observations or detection of any breach of physical access, staff members should
implement provisions of the procedure below according to their best judgment, but in all
instances a follow-up report should be made to the Privacy Officer for actions and record.
Procedures
1. Definition of Areas
Zone 1: Areas open to the public
Zone 2: Areas not open to the public, open to company clients and staff
Zone 3: Areas not open to the public, not open to company clients, open to staff
only
Zone 4: Protected areas, only accessible with identification, access strictly
controlled.
2. Warning Signs
Signs clearly identifying the right of access to an area should be placed at every juncture
between zones. All staff should be clearly aware of requirements and should not hesitate
to challenge inappropriate persons. Specific badges and or actual tokens may be issued
to validate authorized entry into different areas.
3. Emergency Telephone Numbers
Emergency telephone numbers for private security, police, plumber, etc., should be
placed at all telephone handsets. If possible, incidents or disasters should be managed by
the Privacy Officer but in emergency situations, any available staff member should make
the call. In all instances, follow-up reports should be made to the Privacy Officer for
recording in a confidential file.
4. Response to Physical Intrusion or any Disaster
a. When staff, clients and/or patients are present:
1) Staff should take the immediate, appropriate actions to safeguard the
clients and/or patient, confidential patient information and the physical
and electronic infrastructure.
2) The Privacy Officer or the most available staff member should call the
appropriate authorities to respond to the situation.
3) In all instances, follow-up reports should be made to the Privacy
Officer for recording in a confidential file.
b. Detected outside of hours of operation:
1) If immediate action is necessary, arrangement should be made for the
office's security service to contact the Privacy Officer or other available
management staff, which should contact the appropriate authorities and
take any necessary steps to secure the premises until a complete evaluation
of the damage can be made.
2) In all instances, follow-up reports should be made to the Privacy Officer
for recording in a confidential file.
3) If no immediate action is necessary to mitigate the loss, reports should
be made to the Privacy Officer for action and for recording in a confidential file.
5. Routine Destruction of Paper Records
Paper records with protected health information printed on them should not be discarded
as regular trash. All paper that has protected health information printed on it should be
segregated from regular trash and destroyed only by methods that ensure the privacy and
confidentiality of the information.
6. Routine Destruction of Defective Confidential Disks and Tapes
Disks, tapes or any other storage medium with protected health information contained on
it should not be discarded as regular trash. All storage mediums that have private health
information contained on them should be segregated from regular trash and destroyed
only by methods that ensure the privacy and confidentiality of the information.
7. Repair and/or Access to Computer Equipment
Access to protected patient information by any service technician should be minimized
either by direct supervision or by securing the information source. If possible, business
associate contracts should be in place for each type of service technician.
8. Prevention
a. Clear instructions on the right of access to an area should be posted at all junctures
between zones.
b. All staff should be proactive about monitoring access to restricted zones.
c. Access to restricted zones for repair or delivery should be minimized and those
entrants should understand Weld County Paramedic Services confidentiality.
d. Any support contracts that involve on-site, non-staff personnel should include
standard Business Contracts language on privacy, confidentiality and security.
e. Staff identification and/or badges should be implemented, if not already in use.
f. The procedure on locking doors and windows should be clearly understood by all staff
members. While all staff members should enforce the procedure, it is the
responsibility of the Privacy Officer to monitor these physical security actions. In the
event of the absence of the Privacy Officer, his designee will assume responsibility
for monitoring these physical security procedures.
g. Upon termination of a staff member for any cause, all office key/badges should be
retrieved from the departing staff member.
h. Key registers and logs should be maintained by the Privacy Officer.
i. Keys that are marked "Do Not Duplicate" should be issued to staff members to
avoid their making unauthorized copies of office keys.
9. Work Station Use
a. Workstations should be placed, as much as possible, so that the screens are not seen
by unauthorized persons.
b. Systems should be configured so that monitors time out after ten minutes of non-use
and require a password to re-enter.
c. If there is no automatic screen lock in the system configuration, users
should log out of the computer system before leaving the terminal unattended.
d. If the configurations of the workstations vary across the system, signage should be
used to indicate the preferred mode of behavior at each station.
10. Record Handling
a. Records should not be left on desks or cabinets unattended.
b. Records pulled from cabinets for future treatment sessions should be left in a
secured area until needed by staff members.
c. All staff should pro-actively gather up unattended records and return them to a
secured area.
Policy on Use of Electronic Mail, Internet and Facsimile Machines
Weld County Paramedic Services
Date: April 14, 2003
Authority: David W. Bressler, Director Weld County Paramedic Services
Responsibility: Privacy Officer
Purpose
This plan provides guidance for the appropriate use of electronic mail, Internet and
facsimile machines at Weld County Paramedic Services. This guidance is intended to
ensure the privacy and confidentiality of patient data at Weld County Paramedic
Services.
General Policy
Never forward patient-identifiable data to a third party without the patient's express
permission.
Material that is sexually explicit, obscene, embarrassing, fraudulent, hostile, harassing, or
otherwise inappropriate or unlawful shall not be forwarded or sent by electronic
communication or displayed on or stored on Weld County Paramedic Services computer
resources. Users receiving or viewing this kind of information shall immediately report
the incident to the Privacy Officer.
Unless expressly authorized by the Privacy Officer, downloading, sending, transmitting,
or otherwise disseminating proprietary information, trade secrets or other sensitive
privacy act information is strictly prohibited.
1. Electronic Mail
Weld County Paramedic Services owns the electronic mail service, and considers
electronic mail private, direct communication between sender and recipient(s) or
recipient(s)' designee(s); however, employees cannot expect absolute
confidentiality. The contents will not be monitored, observed, viewed, displayed
or reproduced in any form by anyone other than the sender and the recipient(s) or
recipient(s)' designee(s) representative or the Privacy Officer.
Electronic mail is considered official correspondence of Weld County Paramedic
Services, and users must avoid the inclusion of inappropriate or derogatory
language in their messages.
Electronic mail is maintained in computer systems and on backup media for
varying lengths of time and may be recovered subsequent to deletion. The
messages may be disclosed in the same manner as paper records. Reasons for
recovery of electronic mail messages may include legal discovery, external
investigations by law enforcement personnel and internal security investigations.
Work-related mail is forwarded to the most appropriate employee in the case of
employment termination or when an employee is absent for an extended period of
time.
A recipient may designate another employee to receive and read work-related
mail for business reasons. Personal messages are forwarded to the intended
recipient. If that is not possible, they are destroyed. Messages are not examined
further than is necessary to determine the category into which they fall.
In anticipation of the finalization of the security regulation of HIPAA, no
protected health information should be sent by public or private electronic
networks without adequate safeguards against interception and/or misuse.
2. Internet
Standard use of the Internet, via the office network, must be primarily for Weld
County Paramedic Services business or professional development. Limited
personal use is acceptable but discretion is necessary to ensure that individuals do
not degrade Weld County Paramedic Services public image through their
activities or adversely affect the availability of network resources.
3. Facsimile Machines
All staff shall take precautions when using facsimile (fax) machines to transmit
documents.
Facsimile machines shall not be located in areas accessible to the general public,
unless the facsimile machine is intended for public use. In this case the publicly
available facsimile machine should not be used by staff members to send or
receive faxes containing patient information of any kind.
Staff shall not use Weld County Paramedic Services facsimile machines for
transmitting personal documents. Facsimile machine cover pages shall include
the following information:
a. The sender's name, business address,business phone number, and
business facsimile machine number
b. The recipient's name, business address, business phone number, and
business facsimile machine number
c. Transmission time and date (if not stamped by the facsimile machine or
computer)
d. Classification of the document (CONFIDENTIAL documents)
Staff shall verify the facsimile machine number of the recipient before
transmitting. A recipient of a document containing CONFIDENTIAL
information(e.g., for the recipient's eyes only or containing protected
health information) must be notified by phone before the document is
transmitted. If at all possible, this type of document should not be faxed.
All pages, including the cover page, of CONFIDENTIAL documents to be
faxed must be marked "Confidential" before they are transmitted.
Time, date, sender, recipient, and sender or recipient phone number for all
materials sent and received by facsimile machine should be documented in a
facsimile machine log to be kept with the facsimile machine. It is crucial that
no protected health information be explicitly revealed in this log.
ACS @ Weld County
Privacy Policies and Procedures
Table of Contents
TABLE OF CONTENTS i
INTRODUCTION 1
POLICY MAINTENANCE 1
COUNTY POLICIES TAKE PRECEDENCE 1
SECTION 1 PRIVACY POLICY STATEMENTS 2
POLICY: 2
PROCEDURES: 2
1.2 ALLOWABLE USE AND DISCLOSURE 2
POLICY: 2
PROCEDURES: 2
1.3 APPLICABILITY TO LOCATION AND WORKFORCE 3
POLICY: 3
PROCEDURES: 3
1.4 DOCUMENTATION REQUIREMENTS 3
POLICY: 3
PROCEDURES: 3
1.5 MODIFYING POLICIES AS A RESULT OF CHANGE IN LAW 4
POLICY: 4
PROCEDURES: 4
1.6 ORGANIZATIONAL REQUIREMENTS 4
POLICY: 4
PROCEDURES: 4
1.7 PRIVACY OFFICIAL DESIGNATION 5
POLICY: 5
PROCEDURES: 5
1.8 RESPONDING TO REQUESTS FROM STATE OR FEDERAL AGENCIES 5
POLICY: 5
PROCEDURES: 5
1.9 TIME FRAMES FOR PRIVACY IMPLEMENTATION 6
POLICY: 6
SECTION 2 ADMINISTRATIVE REQUIREMENTS 7
2.1 BUSINESS ASSOCIATES 7
POLICY: 7
PROCEDURES: 7
2.2 DOCUMENT DESTRUCTION 7
POLICY: 7
PROCEDURES: 7
ACS_Weld_Privacy_Policy.doc i Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last printed
Paper documents: 7
Electronic documents: 7
2.3 DUTY TO MITIGATE EFFECTS OF DISCLOSURE 8
POLICY: 8
PROCEDURE: 8
2.4 POLICIES AND PROCEDURES 9
POLICY: 9
PROCEDURES: 9
2.5 REPORTING INAPPROPRIATE USE OR DISCLOSURE OF IIHI 10
POLICY: 10
PROCEDURE: 10
2.6 SUBCONTRACTORS AND AGENTS AS BUSINESS ASSOCIATES 11
POLICY: 11
PROCEDURE: 11
2.7 TRAINING OF THE WORKFORCE 12
POLICY: 12
PROCEDURES: 12
2.8 WORKFORCE SANCTIONS 13
Applicability 14
Effective 14
Purpose 14
Policy 14
Guidelines 14
See Also 15
Citations 15
Last Update 15
September 1, 2002 15
Revision History 15
SECTION 3 INDIVIDUAL RIGHTS 16
SECTION 4 PHYSICAL AND TECHNICAL SAFEGUARDS 17
4.1 APPLICATION DEVELOPMENT SECURITY 17
POLICY: 17
PROCEDURES: 17
4.2 APPLICATION SECURITY ADMINISTRATION 18
POLICY: 18
PROCEDURES: 18
4.3 CLEAN DESKTOP POLICY 19
POLICY: 19
PROCEDURES: 19
4.4 ELECTRONIC TRANSMISSION OF IIHI 19
POLICY: 19
PROCEDURES: 19
4.5 ENCRYPTION 20
POLICY: 20
PROCEDURES: 20
4.6 FACILITY SECURITY 21
POLICY: 21
PROCEDURES: 21
4.7 NETWORK SECURITY 22
POLICY: 22
PROCEDURES: 22
4.8 PASSWORD MANAGEMENT 23
POLICY: 23
PROCEDURES: 23
4.9 SCREEN SAVER OR LOGOFF REQUIREMENTS 24
POLICY: 24
PROCEDURES: 24
4.10 N/A WELD COUNTY ERROR! BOOKMARK NOT DEFINED.
4.11 AT HOME WORKERS 24
POLICY: 24
PROCEDURES: 24
SECTION 5 USE AND DISCLOSURE 26
5.13 E-MAIL ACCEPTABLE USE 26
POLICY: 26
PROCEDURES: 26
5.14 FAX MACHINE ACCEPTABLE USE 26
POLICY: 26
PROCEDURES: 26
5.17 MINIMUM NECESSARY STANDARDS 27
POLICY: 27
PROCEDURES: 27
ACS guideline: 27
ACS at Weld County policy: 27
5.19 USE AND DISCLOSURE REQUIRED BY LAW 28
POLICY: 28
PROCEDURES: 28
APPENDIX A ACS HIPAA CONTACTS 29
STATE AND LOCAL SOLUTIONS 29
INFORMATION MANAGEMENT SERVICES 29
WELD 29
Introduction
These policies and procedures provide the information needed by ACS staff at Weld County in
order to comply with ACS corporate policies and state and federal regulations regarding the
safeguarding of private information.
Two specific sets of regulations require that staff take care to keep confidential all individually
identifiable information about health and finances. Staff may be exposed to this individual
information when working with ACS employee records or when processing or assisting clients
with data from various Weld County applications.
HIPAA (the federal Health Information Portability and Accountability Act) has stringent
requirements for handling individually identifiable health information (IIHI) and severe penalties
for misuse of this information. All staff are required to take HIPAA Overview (or Awareness if a
manager) and Privacy training and must pass the associated tests.
Individually identifiable financial information is protected under the Gramm-Leach-Bliley Act.
Applying the same level of privacy policies to financial information as is required for health
information will ensure that all requirements of the Gramm-Leach-Bliley Act are met.
All references to IIHI (Individually Identifiable Health Information) in these policies and
procedures should be construed to also apply to individually identifiable financial
information.
All staff must sign an Access and Confidentiality Agreement, which is filed in their personnel
folder.
Policy Maintenance
These policies will be maintained on the ACS Weld County Intranet at a location to be determined
by Ripley Casdorph, Web Administrator. Once completed, policies will be reviewed by
management at least once per year, and staff will be notified if the policies are updated.
Each section of the policies will reference the associated corporate policy.
Any staff member who is aware of any situation where the privacy of individual information is at
risk must report the risk to his/her manager so that appropriate policy or procedure changes can
be implemented to protect the privacy of that information.
County policies take precedence
Any policies or procedures promulgated by Weld County which are more stringent than ACS
policies will take precedence over ACS policies. The ACS policies in this document are the
minimum standard to which ACS employees are held; however, the County may choose to
implement additional policies and procedures.
Section 1
Privacy Policy Statements
1.1 ACS Privacy Compliance Policy
Policy:
Each Business Unit and Location must comply with Privacy Policy Statements.
Business Units or Locations determined to be Covered Entities must comply with the
Privacy Policy Statements and the Privacy Standards.
Procedures:
➢ Maintain familiarity with and comply with all Privacy Policy Statements;
➢ Draft, implement and maintain applicable Privacy Policies and procedures so that such
policies and procedures relate to the functions and activities performed within the
Business Unit or Location;
➢ Train the Business Unit and Location Workforce, as required, to allow the Workforce to
understand, adhere to, and utilize the Privacy Policies and any policies and procedures
developed thereunder;
➢ Document any Privacy Policies and procedures that are modified and training conducted
thereunder; and
➢ Promptly investigate, document, and cooperate in pursuing any suspected violation of a
Privacy Policy.
1.2 Allowable Use and Disclosure
Policy:
As a Business Associate or an ACS entity handling IIHI (Individually Identifiable Health
Information), allowable Use and Disclosure is limited to that which is permitted or required by the
client contract.
Procedures:
➢ Any changes to the ACS contract with Weld County will be reviewed to determine if
changes to policy and procedures are required.
➢ Any requests for information in any format which contains or may contain individually
identifiable information shall only be accepted from:
o The department which produced that information
o Those departments or individuals to which distribution has been authorized by
the department producing the information.
o A representative of law enforcement (Request must be in writing and reviewed by
ACS and County management prior to release of the information.)
o Requests received from any other source will be referred to the department
which produced the information.
1.3 Applicability to location and workforce
Policy:
All members of the Workforce, which include those who work at home and any temporary
employees or subcontractors who have access to IIHI, must comply with the Policy Statements.
Procedures:
All members of the Workforce are required to:
➢ read these policies (this document)
➢ take ACS HIPAA Overview and Privacy training (and obtain a passing score on the
associated tests) unless they are temporary staff excluded by the conditions of the
Supplemental Services Agreement.
➢ sign the Access and Confidentiality Agreement.
1.4 Documentation Requirements
Policy:
A Business Unit or Location must maintain in written or electronic form all policies and procedures
and other forms of documentation required by the Privacy Standards and Privacy Overview for a
minimum of six years and in compliance with the ACS document retention policy and applicable
state law. All documentation must be maintained in a location available to all employees.
In addition, Business Units or Locations shall retain, for a minimum of six (6) years,
documentation relating to any complaints, investigations or sanctions that are applied as a result
of non-compliance with the Allowable Uses and Disclosure Policy of IIHI.
Procedures:
Policies will be maintained online for ease of access.
Hardcopies of policies, procedures and any complaints received will be kept in HIPAA archives by
the Office Manager. The HIPAA archive will contain:
➢ The Privacy Overview and local Privacy Policies and procedures
➢ Issues identified in the course of Privacy Policy development and implementation
➢ Business decisions and determinations of applicability
➢ Supporting documentation for the assessment and selection of physical and technical
measures to provide "reasonable safeguards" in accordance with the Privacy Standards
➢ Privacy Policy meeting minutes
➢ Privacy Policy training records
➢ All other related documentation
1.5 Modifying Policies as a Result of Change in Law
Policy:
Upon notification from ACS corporate of a modification in the Privacy Standards or ACS
corporate policy, these Privacy Policies and Procedures, as appropriate, must be promptly
modified to comply with applicable changes.
Procedures:
Upon notification of modifications, the site HIPAA contact or Account Manager will advise local
management of the need to review and update policies and procedures. The management team
shall designate staff to draft changes and present them to the management team for review,
approval, and dissemination.
1.6 Organizational Requirements
Policy:
Under HIPAA Privacy Standards, ACS at Weld County is designated as a Business Associate of
the County.
Procedures:
Designated status will be reviewed by the Account Manager whenever there are changes in
HIPAA regulations.
1.7 Privacy Official Designation
Policy:
ACS will designate a Privacy Director who is responsible for ensuring compliance with the Privacy
Overview and that applicable Business Units and Locations carry out the ACS policies and
directives included therein.
Each Business Unit or Location shall designate a Privacy Official or contact person to coordinate
the Business Unit or Location's activities in order to carry out the Privacy Policies and directives
included in the Privacy Overview. The Privacy Official or contact person will facilitate and
respond to communication regarding the protection of IIHI between Covered Entity clients, third
parties, the Business Unit management, and the ACS Privacy Director. This person shall also
develop and oversee the effective implementation of policies and procedures for the Business
Unit or Location, as they relate to IIHI, in coordination with the ACS Privacy Director.
Procedures:
ACS at Weld County has designated the following individuals:
➢ Julie Jordan, User Services Manager, is acting as the contact person to facilitate
communication and coordination of initial policies and procedures.
➢ The Technical Services Manager, Frank DeFelippis, will act as contact for both security
and privacy for ongoing HIPAA coordination.
➢ Nila Walters, Office Manager, will coordinate compliance with all training and other HR
requirements.
1.8 Responding to requests from State or Federal Agencies
Policy:
ACS will cooperate with state and federal agency complaint investigations and compliance
reviews by providing records and compliance reports and permitting access to information when
required. Prior to releasing information, including any IIHI, to a state or federal agency, the
procedures below must be followed in order to maintain and account for proper Disclosures.
Procedures:
When presented by a request from a State or Federal agency:
➢ Request that the agency present their request to the County rather than to ACS
➢ Notify the direct supervisor and the Account Manager that a request has been made
➢ If the agency requests information without notification of the County, the Account
Manager or his designated representative will:
o Validate and document the identity of the person making the agency request
o Notify the ACS Privacy Director and the Business Unit's Legal Counsel of the
request by the state or federal agency
o Obtain assistance from the ACS Privacy Director in confirming that the request is
made under authorized circumstances in which a state or federal agency may
require Disclosures.
o Keep detailed records of all conversations, correspondence, and materials
provided in response to the request. These records will be given to the Office
Manager for filing in the HIPAA archive records.
1.9 Time Frames for Privacy Implementation
Policy:
ACS at Weld County will comply with corporate timelines:
➢ All staff will have completed Privacy training by March 1, 2003
➢ All existing and future privacy policies and procedures will be continuously enforced.
Section 2
Administrative Requirements
2.1 Business Associates
Policy:
A "Business Associate Agreement" will be executed with every business partner or sub-contractor
which has or may have access to confidential information.
At this time no contracts have been identified which constitute a Business Associate relationship
with ACS.
Procedures:
Each contract for services which is executed by ACS shall be reviewed for the potential of access
to confidential information. A signed copy of the "Access and Confidentiality Agreement" will be
obtained and filed with the contract.
2.2 Document Destruction
Policy:
When deemed necessary and appropriate, documents containing IIHI shall be safely and
securely destroyed. Proper accountability for the destruction of documents will be maintained.
Procedures:
Paper documents:
Any documents received for or printed for Weld County which contain IIHI shall either be given
to the designated County staff, or shall be destroyed by processing through a cross cut shredder.
Any documents containing health related information regarding ACS staff shall be retained in
accordance with current law and regulations and when no longer needed will be destroyed using
a cross cut shredder.
Two shredders are currently available:
• High volume and general purpose shredder located in the utility room behind the
receptionist
• Low volume shredder located in the Office Manager's office.
Electronic documents:
Hard drives, removable drives, cartridges, and tapes which may at any time have contained IIHI
will be subjected to complete erasure prior to disposal. Low level reformat or magnetic erasure
will be used to ensure that no data can be recovered from the media.
2.3 Duty to Mitigate Effects of Disclosure
Policy:
ACS staff are responsible for taking action to minimize, to the extent practicable, any harmful
effects of a known Use or Disclosure of IIHI in violation of established policies and procedures.
Procedure:
Upon becoming aware of any prohibited disclosure of information the following steps are to be
taken:
• Immediately report the violation to your manager (see 2.5 Reporting Inappropriate Use or
Disclosure)
• Management staff shall determine the steps necessary to minimize the results of an
inappropriate Use or Disclosure and act in a timely manner. Steps may include:
o Retrieval of any documents inappropriately released
o Discussion of privacy concerns with the person(s) who received the inappropriate
disclosure
o Disciplinary action against ACS staff if the inappropriate disclosure was
deliberate.
o Review of procedures and retraining of staff to prevent any future inappropriate
disclosure.
o This shall include, after consultation with the ACS Privacy Director and the
Business Unit's Legal Counsel, notification to the County if required by a
Business Associate Agreement.
• Any incident, and the action taken to minimize the effects of an inappropriate Disclosure,
shall be documented in writing and retained by the Office Manager in accordance with
the Documentation Requirements Policy.
If an ACS Workforce member is approached by a member of the media regarding ACS Privacy
Policies or practices related to the Disclosure of IIHI, the employee shall not comment and shall
immediately direct the inquiry to the State and Local Solutions unit Privacy Official (see Appendix A
- HIPAA Contacts at the end of this document).
2.4 Policies and Procedures
Policy:
ACS at Weld County is required to develop and maintain written documentation of policies and
procedures it adopts related to the privacy of IIHI in accordance with the ACS corporate Privacy
Overview.
Procedures:
This document constitutes the required written documentation of policies and procedures.
It is maintained to meet the corporate requirements for HIPAA compliance and to meet ACS
responsibilities as a Business Associate of the County. It will therefore be maintained using the
document management and version control procedures of the County ISD Portal. It will be
available for read access by both ACS staff and County personnel.
Each policy and procedure will be reviewed and updated as required at least annually. Review
will occur:
• Whenever policy changes are distributed from ACS corporate
• Whenever contract or Business Associate Agreements are being reviewed or updated
with the County
• When new services are contracted from ACS by the County which involve health
information
• When County privacy policies and procedures are reviewed (schedule will be at least
annually as developed by the County)
The Office Manager will notify all staff via email whenever changes are made to Privacy Policies
and Procedures. Changes will be discussed in conjunction with monthly staff meetings as
needed to ensure staff understanding of the changes.
The Office Manager will maintain printed copies of all published versions of these Privacy Policy
and Procedures in accordance with the Documentation Requirements policy.
2.5 Reporting Inappropriate Use or Disclosure of IIHI
Policy:
A member of the Workforce must report any improper Use or Disclosure of IIHI to his/her
appropriate management, and his/her Business Unit's Privacy Official after following site reporting
procedures. The Privacy Official shall coordinate any necessary communication with the ACS
Privacy Director, the Business Unit's Legal Counsel, and/or the client as appropriate.
Procedure:
ACS staff members shall report any improper Disclosure of IIHI to their immediate supervisor as
soon as they become aware that a violation has occurred. This report must be made regardless
of whether the violation was accidental or deliberate.
This reporting will be verbal followed by an email or other written documentation with all the facts
known about the disclosure. This information shall include:
• When the violation occurred
• What information was inappropriately used or disclosed
• Who was involved in the inappropriate use or disclosure
• Any actions taken immediately by the staff member to mitigate the impact of the
inappropriate use or disclosure
If the staff member's immediate supervisor is not available, or was involved in the inappropriate
use or disclosure, this report shall be made to any other available member of the management
staff.
The supervisor or manager shall immediately:
• Advise the employee that no retribution or retaliation for reporting the violation will occur,
so long as the employee reports in good faith. However, if the individual reporting was
also the source of the improper Use or Disclosure, appropriate sanctions may be
employed.
• Report the alleged violation to the Account Manager
• Provide copies of all documentation regarding the incident to the Office Manager for
retention in accordance with 1.4 Documentation Requirements
• Report the alleged violation to the Business Unit management and Privacy Official (see
Appendix A- HIPAA Contacts at the end of this document)
Management and staff will cooperate with any investigation or reporting requested by Business
Unit management or the ACS Privacy Director.
2.6 Subcontractors and Agents as Business Associates
Policy:
ACS will ensure that any subcontractors or agents to whom it provides IIHI received from or
created or received by ACS on behalf of the County agree to the same restrictions and conditions
that apply to ACS with respect to such information.
Procedure:
See section 2.1 Business Associates for policy and procedures in relation to subcontractors or
agents of ACS acting as a Business Associate of ACS.
Subcontractors, volunteers, and temporary employees who are under the direct control of ACS,
whether or not they are paid by ACS, are considered a part of the Workforce and must be trained
in compliance with section 2.7 Training of the Workforce Policy. The formal classroom or on-line
training requirement will be waived for temporary PC support personnel if the County states in the
Supplemental Services Agreement that no IIHI will be accessible in the areas where these personnel
will be working. A confidentiality agreement must still be read, understood, and signed by
temporary personnel.
2.7 Training of the Workforce
Policy:
ACS at Weld County has a responsibility to train its Workforce, including all employees and third
parties having access to IIHI under their control, such as temporary employees or subcontractors.
All initial training shall be completed by no later than the Privacy Standards compliance date, and
subsequent training for new employees shall occur within thirty (30) days of their starting
employment and before being given access to live client IIHI data. Training shall include, but not
necessarily be limited to, ACS' required HIPAA training and a review of the Business Unit or
Location's Privacy Policies and procedures as applicable to the Workforce member's role within
ACS.
Procedures:
All full time staff will complete ACS online HIPAA Awareness and Privacy training.
The Office Manager will monitor compliance and maintain documentation of completion of
training.
All staff will be given access to this document for local Privacy Policies and Procedures. It will be
part of the new hire packet and the hiring manager will review it with the employee at hire and at
the time of each performance review.
Additional HIPAA security training will be required for staff whose duties involve the maintenance
of physical or electronic security affecting access to IIHI.
Duties of temporary or short-term contract staff will be reviewed by the hiring manager. A
determination will be made whether or not the staff member is likely to encounter IIHI in the
course of their assigned work. The manager will then determine if a review of local Privacy
Policies and Procedures will be sufficient training or if the online HIPAA Awareness and Privacy
training will be required.
Successful completion of required HIPAA training is a condition of initial and ongoing
employment. Any changes in HIPAA regulations and associated policy and procedures will
result in staff being provided with updated training.
Documentation of training completed will be maintained by the Office Manager in the following
forms:
• Print of training database reports from the ACS online training
• Privacy Policy review reports from managers performing policy training with new
employees, contractors, and temporary employees.
• Privacy Policy review reports from managers performing policy reviews during
performance reviews.
2.8 Workforce Sanctions
Applicability:
Applies to all Business Units and Locations that have access to, receive, collect, process, store,
transmit, or create Individually Identifiable Health Information (IIHI).
Effective:
January 1, 2003
Purpose:
This policy establishes guidelines for the appropriate application of sanctions as applied to a
member of the Workforce as a result of an unauthorized Use or Disclosure of IIHI.
Policy:
Each Business Unit or Location has the responsibility to report any violation, whether
inadvertent/accidental or malevolent/purposeful, related to the inappropriate Use or Disclosure of
IIHI in the time and manner set forth in the Reporting Inappropriate Use or Disclosure of IIHI
Policy and to administer sanctions or disciplinary actions associated as a result of the violation.
The application of any sanctions and their resolution shall be documented in accordance with the
Documentation Requirements Policy.
Workforce sanctions are intended to support and enforce ACS and Business Unit and Location
policies as well as client contract requirements related to the protection of IIHI. The application
of appropriate sanctions will be addressed through the cooperative efforts of the Business Unit's
manager, the Business Unit's Privacy Official, the ACS Human Resources Department, the
Business Unit's Legal Counsel, and/or the ACS Privacy Director.
Sanctions may vary in severity from re-training to disciplinary action up to and including
termination depending on the nature of the violation and whether the violation itself was
accidental, deliberate, neglectful, or malicious in nature.
Guidelines:
1. Upon receipt of the violation where an employee believes a disclosure of information may
have occurred, the information must be reported to the appropriate management.
Management will, in consultation with the Business Unit's manager, the Business Unit's
Privacy Official, the ACS Human Resources Department, the Business Unit's Legal Counsel,
and/or the ACS Privacy Director, as appointed, investigate each such matter brought to his
attention.
2. Managers should encourage employees to step forward and self-report any mistakes of
accidental disclosure. Management will work with the employee to mitigate the situation.
Management should then look at process improvement and/or retraining to prevent the
accidental disclosure from occurring again.
3. Dependent on the severity of the violation, a formal corrective action plan, including any
follow-up, Workforce member re-training or sanction activity must be documented and is
required. This corrective action plan must be placed in the employee personnel file and any
other filing system as required by the Business Unit. A copy must be forwarded to the ACS
Corporate representative.
4. The employee's Manager will be responsible for ensuring the corrective action plan has been
appropriately administered. The Business Unit's Privacy Officer is responsible for oversight
of any corrective action and final outcome.
5. All documentation associated with this action will be documented and maintained on site in
accordance with the Documentation Requirements Policy. Management is responsible for
forwarding the documentation to the ACS Privacy Official, Corporate Representative and to
the ACS Human Resources department for filing in the employee's personnel file.
6. If required by client contract, ACS management shall forward documentation, as
appropriate, of the Disclosure, mitigation, and sanction activities and resolution to the client
which was the subject of the violation.
7. This policy does not address any sanctions or action required as a result of a Disclosure by
a subcontractor or agent. Each Business Unit or Location should establish appropriate and,
at a minimum, equivalent sanctions for subcontractors and agents and document such
sanctions in a policy or in the subcontractors' contract as appropriate.
(Numbering is for reference only and is not an indication of order or priority)
See Also:
Documentation Requirements (1.4)
Duty to Mitigate Effects of a Disclosure (2.3)
Reporting Inappropriate Use or Disclosure of IIHI (2.5)
Our Reputation—ACS Code of Ethical Business Conduct
Citations:
CFR 45 §164.502(j)(1) and (2); §164.530(e)(1) and (2); §164.530(g); §164.530(j)
Preamble Discussion: pp. 82501-02; 82636; 82562; and 82745
Last Update:
September 1, 2002
Revision History:
Section 3
Individual Rights
Section 3 of the ACS HIPAA Privacy Overview relates to responsibilities of ACS locations which
are considered "covered entities" and does not apply to ACS at Weld County. No local policies and
procedures will be developed in this area.
Section 4
Physical and Technical Safeguards
4.1 Application Development Security
Policy:
All access to IIHI through software applications must be managed to ensure secured access.
Application design and development within ACS will be done using methodologies that support
the Privacy Policies including, but not limited to, those related to physical and technical security
measures and the Minimum Necessary Standard Policy. When application design, development,
or testing requires the use of IIHI, fabricated test data, rather than real IIHI, should always be
used*. This security model must be maintained through the entire life cycle of the software
development process.
*Where the County requires the use of a copy of production data for testing, the County
requirement will supersede this policy.
Procedures:
The following measures will be taken to ensure the security of data during or subsequent to
development activities:
• Source will be maintained in directory structures or libraries which are secured for access
only by development personnel.
• On systems where the County has provided the required resources, source management
which provides an audit trail of maintenance access will be utilized.
• Source directories and libraries will be included in routine backup schedules.
• Test versions of applications will have the same security as the production systems, or
more restrictive security, with the exception of allowing developers to have access
required for testing.
• Any application designed and developed by ACS staff which has the potential of
providing access to individually identifiable health or financial data will incorporate
security which requires unique user ids and passwords and provides for role based
access control. This security may be:
o Internal to the application. Internal application security must also provide
functionality for the appropriate user staff to perform security administration.
o Network security. Utilization of Windows NT or Active Directory security.
• When live data is required for adequate testing, the users responsible for that data will
determine what data is used and who will be allowed to access it.
4.2 Application Security Administration
Policy:
Access to applications that contain IIHI shall be granted to members of the Workforce only on a
need-to-know basis and in compliance with the Minimum Necessary Standard Policy. Role
Based Access shall be established for each member of the Workforce, modified upon that
person's change in job functions, and terminated at the end of that person's employment or
contract.
Procedures:
The following measures will be taken to ensure security of individually identifiable health or
financial data accessed via applications which are developed, configured or maintained by ACS:
• The appropriate County security personnel will provide the security parameters for
application access. Wherever possible, County personnel with responsibility for the data
will also carry responsibility for application security administration.
• Documentation of approved application roles and the functions within those roles is the
responsibility of the County personnel who have responsibility for the data.
• Database access will be password secured. Any ODBC access will be associated with a
role based user id which limits the data access and functions to the minimum necessary.
• For any application secured by Windows NT or Active Directory security, the
administration will be performed by ACS Network Administration staff based on formal
requests from designated users with appropriate security authority. A security change
confirmation message will be sent to the users for documentation and safeguarding
against invalid requests.
• When an ACS staff member changes roles within the organization the immediate
supervisor(s) will review all application, database, file, and network access to determine
what changes should be made in security access. Requests for security changes will be
made to the appropriate network, system, and application security administrators.
• When an ACS staff member terminates employment, their immediate supervisor will
immediately request that their network logon be locked, and request that system and
application security administrators delete their user id.
The listing of applications which are determined to have HIPAA privacy impact will be provided by
the County, however the procedures above will be applied to all applications regardless of the
HIPAA status of the application.
ACS_WeldPrivacy_Policy.doc 18 Last saved 3/25/2003 3:00 PM
4.3 Clean Desktop Policy
Policy:
The protection from inadvertent exposure of IIHI requires constant vigilance by members of the
Workforce. Awareness of surroundings, understanding of classification of the information and the
need to protect it, and implementation of sound technical procedures will provide reasonable
protection at each workstation.
Procedures:
In ACS staff work areas:
• No reports or other data printouts containing IIHI will be left where they can be viewed by
others.
o In the printer room, reports will be appropriately boxed or have a cover sheet
which does not contain individually identifiable data.
o In staff work areas, any printed individually identifiable data will be covered with a
blank sheet if the staff member leaves the work area temporarily while working
with the data. At the end of the work day, any printouts will either be shredded if
no longer needed, or put away in drawers or filing cabinets.
o Printed data being passed to another ACS staff member or authorized user will
be placed in a sealed envelope or box during transit.
• On screen viewing of individually identifiable data will be secured from accidental viewing
by:
o Positioning the display so that visitors cannot accidentally view the data.
o Invoking system lock or screen saver lock whenever the staff member leaves
their work area.
o See also 4.9 Screen Saver or Logoff Requirements
• Documents must not be left on unattended printers or fax machines and should be picked
up and stored or disposed of immediately.
• Documents or electronic media containing IIHI should not be placed in a trash receptacle,
open recycle bins, or unsecured containers. IIHI must be destroyed in compliance with
the Document Destruction Policy.
4.4 Electronic Transmission of IIHI
Policy:
The County is responsible for ensuring that all transactions processed meet HIPAA transaction
code standards.
Procedures:
ACS staff will not modify the content of data transmissions without a specific formal request from
the County personnel who are responsible for the data being transferred.
ACS staff will not transmit IIHI to anyone other than the users who created the data without a
formal request from the users who are responsible for the data.
4.5 Encryption
Policy:
Wherever it is within ACS control and the County has provided the necessary resources, all
transmission and storage of IIHI shall include encryption to reduce inappropriate or unauthorized
Disclosure.
Procedures:
Data files stored on servers:
• All data files containing IIHI stored on servers shall be stored in encrypted files under the
following circumstances:
o Files received from another system are being held for further processing.
o Files have completed processing and are waiting to be transmitted to another system
for further processing.
o Files are between processing steps, and the delay between processing is of
indeterminate length.
• Data stored on secure servers or networks, in accordance with ACS standards for secure
servers, need not be encrypted.
Data files transmitted by electronic means such as the Internet, Intranet, or dial-up:
• All data files containing IIHI transmitted or received through the Internet, Intranet, or dial-
up shall be sent or received in encrypted files or through encrypted paths (e.g., VPN).
Encrypted data or files means data encrypted with a 128-bit (or stronger) encryption algorithm or
with industry-approved encryption technology, such as symmetric or asymmetric key encryption.
4.6 Facility Security
Policy:
Proper physical security and operating safeguards are necessary to protect IIHI at ACS facilities.
The goal is to protect and preserve IIHI by reducing its exposure to vulnerabilities.
Procedures:
All facility security standards created by the County will be enforced.
Current procedures include:
• Secured access to the main computer room via
o Building security with perimeter and motion sensors active during times when staff is
not present or only Operations staff are present.
o Key pad access with codes communicated verbally by the Operations Manager.
Codes are changed at random periods, and when staff knowing a code leave ACS
employment or change roles to one not requiring computer room access.
• Secured access to the Sheriff computer room via
o Sheriff administered security of the building
o Individual key card access to the computer room
• Staff are to wear County-issued picture ID badges visible above the waist at all times
when in County facilities.
• Visitor log is maintained at the front desk.
• Non-County staff are escorted when inside the building
• UPS, generator, and emergency lighting have been implemented.
• Development and maintenance of Disaster Recovery Plans
• Compliance with all safety and fire prevention regulations
4.7 Network Security
Policy:
All access to IIHI through computer networks will be managed to ensure secured access. Access
to networks and network devices by members of the Workforce shall be limited in accordance
with the Minimum Necessary Standard Policy.
Procedures:
To the extent possible with the authority and resources provided by the County, the following will
be enforced:
1. Domain security:
• Individual usernames and passwords will be assigned
• Members of the Workforce may not share passwords.
• Passwords will be changed no less frequently than every 90 days
• Strong passwords will be enforced.
2. NTFS security permissions/share security:
• All server shares must limit access to only those who need access.
3. Full server auditing must be turned on for areas containing IIHI:
• All user access will be audited, both successes and failures.
• Procedures must be in place to correlate and periodically review the activity logs.
4. Local Area Network (LAN) Security:
• Firewalls should be employed to protect LAN segments and resources.
• Specific types of firewalls should be implemented based upon the requirements of the
resource to be protected.
• Each Business Unit or Location should be on its own LAN or separate isolated and
protected segments.
5. Intrusion Detection Systems (IDS) should be installed:
• Network based IDS should be employed on the WAN and LAN.
• Host based IDS should be employed on specific use servers.
6. External public access servers should be segregated in a DMZ protected by firewalls.
• Public access servers should be installed on dedicated, single purpose servers.
• Only the services a server actually needs (for example HTTP or FTP) should be enabled.
7. Desktops will have an approved operating system, such as Windows 2000/XP Professional.
• Desktop operating system must support multiple users with individual settings.
• Must be able to "lock" the system whenever the user gets up from the PC.
8. All Wireless Access Points (WAP) for a Wireless Local Area Network (WLAN) must be
secured.
9. VPN access must be restricted on a need-to-use basis.
• VPN access will be limited in accordance with County policy and must be approved by
the County CIO.
• Additionally, VPN access requested by a member of the Workforce must be approved by
the immediate supervisor.
• VPN access requested by a County Business Associate must also be approved by the
head of the department for which the Business Associate is performing services.
10. All network policies and procedures as implemented by the County must be documented,
published to the Workforce, and available for review. These policies and procedures will be
supported with employee training.
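The review step in item 3 above (correlating and periodically reviewing the access logs) is left to the reader. The following is an added example, not ACS or County code: a small Python script that parses constructed share-access audit records and flags the patterns a periodic review should surface. The five-field record format, the 07:00-19:00 business-hours window, the three-failure threshold and the share names are all assumptions made for the example; a real export from the Windows security log would need its own parser.

```python
"""Periodic review of share-access audit records (section 4.7, item 3).

Added example, not ACS or County code. The record format below is a
constructed one: timestamp, user, workstation, share, result.
"""
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List

# Assumed review parameters (the policy sets neither value).
BUSINESS_HOURS = (7, 19)   # successes on IIHI shares outside 07:00-19:00 are flagged
FAILURE_THRESHOLD = 3      # this many failures for one user/workstation pair is flagged

# Constructed sample records for one review period.
SAMPLE_AUDIT = r"""
2003-03-25T08:01:12 jsmith WKS-104 \\FILESRV\IIHI SUCCESS
2003-03-25T08:05:40 jsmith WKS-104 \\FILESRV\IIHI SUCCESS
2003-03-25T12:30:00 mjones WKS-118 \\FILESRV\PUBLIC SUCCESS
2003-03-25T22:14:03 mjones WKS-220 \\FILESRV\IIHI FAILURE
2003-03-25T22:14:09 mjones WKS-220 \\FILESRV\IIHI FAILURE
2003-03-25T22:14:15 mjones WKS-220 \\FILESRV\IIHI FAILURE
2003-03-25T22:14:30 mjones WKS-220 \\FILESRV\IIHI SUCCESS
2003-03-26T09:00:00 guest WKS-301 \\FILESRV\IIHI SUCCESS
"""


def parse_audit(text: str) -> List[dict]:
    """Parse the constructed five-field format into one dict per record."""
    records = []
    for line in text.strip().splitlines():
        ts, user, host, share, result = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "host": host, "share": share, "result": result})
    return records


def review_audit(records: List[dict]) -> Dict[str, list]:
    """Apply the review rules and return findings grouped by rule name."""
    findings: Dict[str, list] = defaultdict(list)
    failures: Counter = Counter()   # (user, host) -> failures seen so far
    seen = set()                    # one finding per (rule, user, host)

    def add(rule, user, host, *extra):
        if (rule, user, host) not in seen:
            seen.add((rule, user, host))
            findings[rule].append((user, host) + extra)

    for r in records:
        key = (r["user"], r["host"])
        if r["result"] == "FAILURE":
            failures[key] += 1
            continue
        # A success right after a burst of failures from the same
        # user/workstation pair is the pattern a review must not miss.
        if failures[key] >= FAILURE_THRESHOLD:
            add("success_after_failures", *key)
        hour = r["ts"].hour
        if "IIHI" in r["share"] and not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
            add("after_hours_iihi_access", *key)
        if r["user"].lower() == "guest":   # guest logins must never reach IIHI (4.8 item 8)
            add("guest_account_used", *key)

    for key, count in failures.items():
        if count >= FAILURE_THRESHOLD:
            add("repeated_failures", *key, count)
    return dict(findings)


if __name__ == "__main__":
    for rule, hits in review_audit(parse_audit(SAMPLE_AUDIT)).items():
        print(rule, hits)
```

Auditing successes as well as failures, as item 3 requires, is what makes the "success after repeated failures" rule possible; a failure-only log would show the burst at 22:14 but not that the last attempt got in.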
4.8 Password Management
Policy:
All computerized access to IIHI must be done through user login and password controls. ACS at
Weld County is responsible for management of passwords for all members of the Workforce with
rights to access IIHI. While members of the Workforce may have multiple passwords based on
need, security level, and application, no member of the Workforce shall: (i) share passwords with
others or disclose or post their passwords in such a way that others may determine their
passwords; nor (ii) attempt to determine the passwords of others.
Procedures:
To the extent possible using the resources provided by the County, the following procedures will
be enforced for security which allows access to IIHI:
1. A unique user log-on code and initial password code will be provided to each member of the
Workforce to grant access to IIHI required to perform assigned job functions in compliance
with the Minimum Necessary Standard and Application Security Administration policies.
Passwords shall be assigned only to grant access to IIHI on a need-to-know basis.
2. Each password will initially begin with a "known" value, such as the name of the member of
the Workforce or a fixed word. This initial value must be changed to a new value selected by
the user upon the first login and prior to any access to IIHI.
3. Passwords shall be made up of a combination of alphabetic letters, numbers, and special
characters. Members of the Workforce are encouraged to select passwords that are easy to
remember, but not associated with an obvious personal attribute (such as a name or
birthday). Passwords shall be a minimum of eight characters long.
4. Passwords shall not be posted in public areas or where other members of the Workforce can
easily see passwords. Passwords may be written down in a secured private area but must
not be associated with a login code.
5. Members of the Workforce must change their passwords every thirty (30) to ninety (90) days.
Members of the Workforce will be reminded, during the five (5) days before expiration, that
their password is about to become obsolete. Applications shall support this requirement
wherever possible.
6. A Member of the Workforce who forgets their password must be assigned a new password.
A manager in the direct line of the requestor must authorize all requests for new logins or
requests to reset an existing account password.
7. Passwords shall be invalidated and user codes removed immediately upon the termination of
employment of a member of the Workforce or when access to IIHI is no longer authorized or
required by job functions.
8. Visitors to Business Units and Locations with access to IIHI shall NOT be granted "guest" log-
ins that have access to IIHI.
9. As directed by the County, Network, security, and production management shall run tests on
the security of the password management systems from time to time. Such tests shall
include procedures to verify that old accounts are inactive and that current passwords are in
accordance with published procedures. These tests shall be both planned on a regular basis
and unannounced on a random basis.
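The tests in item 9 check two things: that the passwords in use meet items 2 and 3, and that accounts which should be gone (items 7, 8 and 9) actually are. The following is an added example, not ACS or County code, that encodes those rules in Python. The account records are a constructed directory export; the 90-day threshold used to call an account "old" is an assumption, since the policy does not give one. Note that the "known" initial value in item 2 is guessable by anyone who knows the naming convention, which is why the composition check also refuses a password that is still equal to it.

```python
"""Checks for the password rules in section 4.8 (items 2, 3, 5, 7, 8 and 9).

Added example, not ACS or County code. Account records are constructed
dicts; in practice they would come from a directory export. The 90-day
inactivity threshold for "old accounts" in item 9 is an assumption.
"""
import re
from datetime import date
from typing import Dict, Iterable, List

MIN_LENGTH = 8       # item 3
MAX_AGE_DAYS = 90    # item 5: upper bound of the 30-90 day change interval
WARNING_DAYS = 5     # item 5: reminder window before expiry
INACTIVE_DAYS = 90   # item 9: assumed, not stated by the policy


def check_password_composition(password: str, login: str,
                               initial_values: Iterable[str] = ()) -> List[str]:
    """Return the item 2/3 violations for a candidate password; [] means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no alphabetic character")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    lowered = password.lower()
    if login.lower() in lowered:
        problems.append("contains the user's login code")
    if lowered in {v.lower() for v in initial_values}:
        problems.append("still equal to the initial 'known' value (item 2)")
    return problems


def review_accounts(accounts: List[dict], today: date) -> Dict[str, List[str]]:
    """Flag accounts needing action under items 5, 7, 8 and 9, keyed by login."""
    findings = {}
    for acct in accounts:
        issues = []
        age = (today - acct["pwd_last_set"]).days
        if age > MAX_AGE_DAYS:
            issues.append("password older than 90 days: force change")
        elif age > MAX_AGE_DAYS - WARNING_DAYS:
            issues.append("password expires within 5 days: remind user")
        last = acct["last_logon"]
        if acct["enabled"] and (last is None or (today - last).days > INACTIVE_DAYS):
            issues.append("enabled account with no recent logon: verify and disable (item 9)")
        if acct["terminated"] and acct["enabled"]:
            issues.append("terminated worker still enabled: lock and remove (item 7)")
        if acct["login"].lower().startswith("guest") and acct["enabled"]:
            issues.append("guest login enabled (item 8)")
        if issues:
            findings[acct["login"]] = issues
    return findings


# Constructed sample directory export for an audit dated 29 March 2003.
AUDIT_DATE = date(2003, 3, 29)
SAMPLE_ACCOUNTS = [
    {"login": "jsmith", "pwd_last_set": date(2003, 1, 15), "last_logon": date(2003, 3, 28),
     "enabled": True, "terminated": False},
    {"login": "mjones", "pwd_last_set": date(2002, 12, 1), "last_logon": date(2003, 3, 20),
     "enabled": True, "terminated": False},
    {"login": "rlee", "pwd_last_set": date(2003, 1, 1), "last_logon": date(2003, 3, 29),
     "enabled": True, "terminated": False},
    {"login": "tbrown", "pwd_last_set": date(2003, 3, 1), "last_logon": date(2003, 3, 10),
     "enabled": True, "terminated": True},
    {"login": "guest", "pwd_last_set": date(2003, 3, 1), "last_logon": None,
     "enabled": True, "terminated": False},
]

if __name__ == "__main__":
    print(check_password_composition("jsmith2003", "jsmith"))
    for login, issues in review_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(login, issues)
```

The composition check runs at password-change time; the account review is the scheduled and unannounced test of item 9 and would be run against a fresh directory export each time.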
4.9 Screen Saver or Logoff Requirements
Policy:
All access to IIHI through software applications or database lookups must be appropriately closed
when a member of the Workforce is absent from his or her workstation for more than five (5)
minutes.
Procedures:
Each member of the Workforce is required to control their own computer workstation access
including logging out of the system during planned breaks or at the end of the work day. A
member of the Workforce who habitually leaves his or her computer workstation active during
absences shall be subject to disciplinary action. A member of the Workforce shall control access
to his or her computer workstation access while away from the workstation by one of the following
methods:
• Screen Saver. Workstation screens shall be cleared by either a blank screen or a
graphical motion known as a "screen saver." Where IIHI is accessible, the screen saver shall be
set to start automatically after no more than five (5) minutes without activity on the workstation
(such as a keystroke or mouse movement). All screen savers shall be password protected.
• System Lock. Workstation access shall be locked with password protection prior to
leaving the workstation for any period of time (CTRL+ALT+DEL then ENTER, or an equivalent
shortcut).
4.10 N/A
4.11 At Home Workers
Policy:
When acting as a Business Associate of Weld County, ACS must ensure that at-home
members of the Workforce and all those working away from facilities controlled by ACS
take adequate precautions to protect IIHI. In transporting or transmitting IIHI to an at-
home worker, ACS must establish proper technical safeguards to prevent unauthorized
receipt of the IIHI by third parties.
Procedures:
Although ACS at Weld County does not have any members of the workforce whose primary work
location is the home or any other non-County location, there are instances when application,
operations, or network support are provided remotely. The following applies to those situations:
• All at-home workers must use adequate measures to protect IIHI while working at home.
• The worker's immediate supervisor will evaluate potential threats presented by having a
member of the Workforce who handles IIHI work off-site and will advise management of
these threats. At-home workers will be appropriately trained to address these concerns.
• The immediate supervisor will evaluate the jobs done by at-home workers and ensure that
the IIHI available to such workers is the minimum necessary for each job function.
• Members of the workforce must avoid printing materials which contain IIHI whenever
possible. If material must be printed, it must be disposed of in accordance with 2.2
Document Destruction. If the worker does not have a cross-cut shredder available, the
documents should be brought back to the office for shredding.
• All policies and procedures in this document apply to work at home or another non-County
site as well as to work in a County office. If these procedures can not be followed at home,
the worker will not have approval to perform work from home.
• All electronic transmissions between the at-home worker's computer system and any other
system that contains images or data files of IIHI shall be encrypted. The County's secure
VPN solution will be used.
• Programs used to access IIHI will be password protected. The worker is prohibited from
sharing these passwords with other members of the household.
• The worker is prohibited from saving IIHI to their local system beyond that necessary for the
current working session.
• Approval for VPN access will be controlled jointly by the worker's manager and the County
CIO in accordance with County policy. Records of approval for VPN access will be
maintained by the Technical Services Manager or designee.
Section 5
Use and Disclosure
The majority of Section 5 of the ACS HIPAA Privacy Overview relates to responsibilities of ACS
locations which are considered "covered entities" and do not apply to ACS at Weld County. Local
policies and procedures have been developed for only a sub-set of the policies in this area.
5.13 E-Mail Acceptable Use
Policy:
The Electronic Messaging System is not a secure facility for the transmission of IIHI. It is not to
be used to transfer IIHI unless actions have been taken to encrypt and secure the transmission.
Procedures:
If an instance arises where email appears to be the only viable facility for transmission of IIHI, the
worker must contact their manager and obtain the assistance of security personnel in developing
a method of transfer which will be secure. Such emails (or the data sent as an attachment) must
remain encrypted in storage or be deleted from email storage. The sender must also confirm that
each email was received by the intended recipient.
5.14 Fax Machine Acceptable Use
Policy:
A fax machine that receives or transmits IIHI shall be maintained in a secure location and
monitored regularly to minimize the accidental Disclosure of IIHI. When possible, the fax being
sent will de-identify any IIHI. A fax machine will be used to send IIHI only if alternative and more
secure means cannot meet the purpose of the transmittal of the IIHI.
Procedures:
If faxing of IIHI is required in support of County business, the location of the fax machine and
procedures for logging transmissions will be determined by the County.
If faxing of IIHI is required in support of ACS internal business, the fax machine in the Office
Manager's office shall be used to ensure confidentiality.
5.17 Minimum Necessary Standards
Policy:
When acting as a Business Associate of the County of Weld, ACS may be required to limit Use,
Disclosure, or requests for Protected Health Information (PHI) to the minimum necessary. If
required by contract with the County, ACS will make reasonable efforts to limit access to PHI to:
• The minimum necessary to accomplish the intended purpose of any Use, Disclosure or
request;
• Those members of the Workforce who need access to PHI to perform their duties; and
• Any subcontractor or agent performing work on behalf of the Business Unit or Location
and reasonably necessary to achieve the business purpose.
Procedures:
ACS guideline:
An entity (Business Unit, Location, or member of the Workforce) may rely, if such reliance is
reasonable under the circumstances, on a requested Disclosure as the minimum necessary for
the stated purpose when the information is requested by:
(i) a public official as described in the Privacy Standards;
(ii) another Covered Entity; or
(iii) a professional who is a member of its own Workforce or a Business Associate of the
Covered Entity, for the purpose of providing services to the Covered Entity, if it is
represented to the Covered Entity that the information requested is the minimum
amount necessary for the stated purpose.
ACS at Weld County policy:
Please see specific policy and procedures about disclosure of PHI found in Section 1.2 Allowable
Use and Disclosure.
5.19 Use and Disclosure Required by Law
Policy:
ACS must disclose Protected Health Information (PHI) when required to do so by law. PHI should
not be released by a member of the Workforce unless the member knows the circumstances
that warrant and allow a Disclosure Required by Law. Each Disclosure Required by Law shall be
documented and the documentation retained in accordance with the 1.4 Documentation
Requirements policy.
Procedures:
Upon receiving a request for PHI from a law enforcement officer or agency, the Worker shall:
• Ask that the request be presented to the County rather than to ACS. If the request is
redirected to the County, no further action is required by ACS staff.
• Inform their immediate supervisor of the request. The supervisor is responsible for ensuring
that appropriate County and ACS management are aware of the request, and that agreement
is obtained from appropriate legal counsel regarding the validity of the request prior to
release of any information.
o If a request for a mandatory Disclosure Required by Law is received, an
authorization is not required to allow for the Disclosure. The Privacy Official or
contact person will work with the Business Unit's Legal Counsel in responding to
and coordinating the release of the information.
o If the Disclosure of PHI is permitted but not Required by Law, the Business Unit
must determine if the Disclosure comes within one of the other permissible
Disclosures. If the Disclosure does not, an authorization from the subject
Individual must be obtained prior to Disclosure or De-identification of the PHI
must occur before it is Disclosed.
• Keep a written record of all communication and actions in relation to the request and provide
that written documentation to the Office Manager for filing.
• Verify the identity of the requestor using both picture ID and communication with
management of the law enforcement agency being represented.
• Follow the policy and procedures detailed in these related policy sections:
o 1.2 Allowable Use and Disclosure
o 1.8 Responding to Request from State or Federal Agencies
Appendix A
ACS HIPAA Contacts
State and Local Solutions
Project Owner: John Brophy
HIPAA Contact: Alice-Snow Robinson alice.snow-robinson@ACS-INC.COM
Information Management Services
Project Owner: Mike McKenzie Mike.Mckenzie@ACS-INC.COM
HIPAA Contact: Al Landon Al.Landon@ACS-INC.COM
Weld
Project Owner: Anita Scrams Ascrams@co.weld.co.us
Privacy & Security: Technical Services Manager Fdefelippis@co.weld.co.us
HR & Training: Nila Walters Nwalters@co.weld.co.us
ACS corporate project contacts are also maintained on the ACS HIPAA project website at
http://hipaa.acshealthcare.com.