HomeMy WebLinkAbout20031124.tiff ACS
HIPAA
PRIVACY
POLICIES
AND
PROCEDURES
2003-1124
ACS c Weld County
Privacy Policies and Procedures
A
A C s'
Table of Contents
TABLE OF CONTENTS I
INTRODUCTION 1
POLICY MAINTENANCE 1
COUNTY POLICIES TAKE PRECEDENCE 1
SECTION 1 PRIVACY POLICY STATEMENTS 2
POLICY: 2
PROCEDURES' 2
1.2 ALLOWABLE USE AND DISCLOSURE 2
POLICY: 2
PROCEDURES' 2
1.3 APPLICABILITY TO LOCATION AND WORKFORCE 3
POLICY: 3
PROCEDURES' 3
1.4 DOCUMENTATION REQUIREMENTS 3
POLICY: 3
PROCEDURES' 3
1.5 MODIFYING POLICIES AS A RESULT OF CHANGE IN LAW 4
POLICY' 4
PROCEDURES- 4
L6 ORGANIZATIONAL REQUIREMENTS 4
POLICY: 4
PROCEDURES' 4
1.7 PRIVACY OFFICIAL DESIGNATION 5
POLICY: 5
PROCEDURES' 5
L8 RESPONDING TO REQUESTS FROM STATE OR FEDERAL AGENCIES 5
POLICY: 5
PROCEDURES- 5
1.9 TIME FRAMES FOR PRIVACY IMPLEMENTATION 6
POLICY: 6
SECTION 2 ADMINISTRATIVE REQUIREMENTS 7
2.1 BUSINESS ASSOCIATES 7
POLICY: 7
PROCEDURES' 7
2.2 DOCUMENT DESTRUCTION 7
POLICY: 7
PROCEDURES' 7
ACS_Weld_Privacy_Policy i Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last printed
ACS c Weld County
Privacy Policies and Procedures
Paper documents: - 7
Electronic documents: 7
2.3 DUTY TO MITIGATE EFFECTS OF DISCLOSURE 8
POLICY' 8
PROCEDURE' 8
2.4 POLICIES AND PROCEDURES 9
POLICY: 9
PROCEDURES' 9
2.5 REPORTING INAPPROPRIATE USE OR DISCLOSURE OF IIHI 10
POLICY: 10
PROCEDURE' 10
2.6 SUBCONTRACTORS AND AGENTS AS BUSINESS ASSOCIATES 11
POLICY: 11
PROCEDURE' 11
2.7 TRAINING OF THE WORKFORCE 12
POLICY: 12
PROCEDURES' 12
2.8 WORKFORCE SANCTIONS 13
Applicability 14
Effective 14
Purpose 14
Policy 14
Guidelines 14
See Also 15
Citations 15
Last Update 15
September 1, 2002 15
Revision History 15
SECTION 3 INDIVIDUAL RIGHTS 16
SECTION 4 PHYSICAL AND TECHNICAL SAFEGUARDS 17
4.1 APPLICATION DEVELOPMENT SECURITY 17
POLICY: 17
PROCEDURES' 17
4.2 APPLICATION SECURITY ADMINISTRATION 18
POLICY: 18
PROCEDURES' 18
4.3 CLEAN DESKTOP POLICY 19
POLICY: 19
PROCEDURES' 19
4.4 ELECTRONIC TRANSMISSION OF IIHI 19
POLICY: 19
PROCEDURES' 19
ACS_Weld_Privacy_Policy II Last saved 3/25/2003 3:00 PM
Last saved by Last printed
ACS @ Weld County APrivacy Policies and Procedures
A C S'
4.5 ENCRYPTION 20
POLICY: 20
PROCEDURES' 20
4.6 FACILITY SECURITY 21
POLICY: = 21
PROCEDURES' 21
4.7 NETWORK SECURITY 22
POLICY: 22
PROCEDURES' 22
4.8 PASSWORD MANAGEMENT 23
POLICY: 23
PROCEDURES' 23
4.9 SCREEN SAVER OR LOGOFF REQUIREMENTS 24
POLICY: 24
PROCEDURES' 24
4.10 N/A WELD COUNTY ERROR! BOOKMARK NOT DEFINED,
4.11 AT HOME WORKERS 24
POLICY: 24
PROCEDURES' 24
SECTION 5 USE AND DISCLOSURE 26
5.13 E-MAIL ACCEPTABLE USE 26
POLICY: 26
PROCEDURES' 26
5.14 FAX MACHINE ACCEPTABLE USE 26
POLICY: 26
PROCEDURES' 26
5.17 MINIMUM NECESSARY STANDARDS 27
POLICY: 27
PROCEDURES' 27
ACS guideline: 27
ACS at Weld County policy: 27
5.19 USE AND DISCLOSURE REQUIRED BY LAW 28
POLICY: 28
PROCEDURES' 28
APPENDIX A ACS HIPAA CONTACTS 29
STATE AND LOCAL SOLUTIONS 29
INFORMATION MANAGEMENT SERVICES 29
WELD 29
ACS_Weld_Privacy_Policy iii Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last printed
ACS @ Weld County it
Privacy Policies and Procedures
A C S'
Introduction
These policies and procedures provide the information needed by ACS staff at Weld County in
order to comply with ACS corporate policies and state and federal regulations regarding the safe
guarding of private information.
Two specific sets of regulations require that staff take care to keep confidential all individually
identifiable information about health and finances. Staff may be exposed to this individual
information when working with ACS employee records or when processing or assisting clients
with data from various Weld County applications.
HIPAA(the federal Health Information Portability and Accountability Act) has stringent
requirements for handling individually identifiable health information (IIHI) and severe penalties
for misuse of this information. All staff are required to take HIPAA Overview(or Awareness if a
manager) and Privacy training and must pass the associated tests.
Individually identifiable financial information is protected under the Gramm-Leach-Bliley Act.
Applying the same level of privacy policies to financial information as is required for health
information will ensure that all requirements of the Gramm-Leach-Bliley Act are met.
All references to IIHI(Individually Identifiable Health Information) in these policies and
procedures should be construed to also apply to individually identifiable financial
information.
All staff must sign an Access and Confidentiality Agreement which is filed in their personnel
folder.
Policy Maintenance
These policies will be maintained on the ACS Weld County Intranet at a location to be determined
by Ripley Casdorph, Web Administrator. Once completed, policies will be reviewed by
management at least once per year, and staff will be notified if the policies are updated.
Each section of the policies will reference the associated corporate policy.
Any staff member who is aware of any situation where the privacy of individual information is at
risk must report the risk to his/her manager so that appropriate policy or procedure changes can
be implemented to protect the privacy of that information.
County policies take precedence
Any policies or procedures promulgated by Weld County which are more stringent than ACS
policies will take precedence over ACS policies. The ACS policies in this document are the
minimum standard to which ACS employees are held, however the County may choose to
implement additional policies and procedures.
ACS Weld Privacy_Policy 1 Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last printed 3/25/2003 3:35 PM
ACS c Weld County
Privacy Policies and Procedures
A C s°
Section 1
Privacy Policy Statements
1.1 ACS Privacy Compliance Policy
Policy:
Each Business Unit and Location must comply with Privacy Policy Statements.
Business Units or Locations determined to be Covered Entities must comply with the
Privacy Policy Statements and the Privacy Standards.
Procedures:
> Maintain familiarity with and comply with all Privacy Policy Statements;
> Draft, implement and maintain applicable Privacy Policies and procedures so that such
policies and procedures relate to the functions and activities performed within the
Business Unit or Location;
> Train the Business Unit and Location Workforce, as required, to allow the Workforce to
understand, adhere to, and utilize the Privacy Policies and any policies and procedures
developed thereunder;
> Document any Privacy Policies and procedures that are modified and training conducted
thereunder; and
> Promptly investigate, document, and cooperate in pursuing any suspected violation of a
Privacy Policy.
1.2 Allowable Use and Disclosure
Policy:
As a Business Associate or an ACS entity handling IIHI (Individually Identifiable Health
Information), allowable Use and Disclosure is limited to that which is permitted or required by the
client contract.
Procedures:
> Any changes to the ACS contract with Weld County will be reviewed to determine if
changes to policy and procedures are required.
> Any requests for information in any format which contains or may contain individually
identifiable information shall only be accepted from:
o The department which produced that information
o Those departments or individuals to which distribution has been authorized by
the department producing the information.
o A representative of law enforcement(Request must be in writing and reviewed by
ACS and County management prior to release of the information.)
o Requests received from any other source will be referred to the department
which produced the information.
ACS_Weld_Privacy_Policy 2 Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last printed 3/25/2003 3:35 PM
ACS @ Weld County ���`
Privacy Policies and Procedures
A C s°
1.3 Applicability to location and workforce
Policy:
All members of the Workforce, which include those who work at home and any temporary
employees or subcontractors who have access to IIHI, must comply with the Policy Statements.
Procedures:
All members of the Workforce are required to:
> read these policies (this document)
> take ACS HIPAA Overview and Privacy training (and obtain a passing score on the
associated tests) unless they are temporary staff excluded by the conditions of the
Supplemental Services Agreement.
> sign the Access and Confidentiality Agreement.
1.4 Documentation Requirements
Policy:
A Business Unit or Location must maintain in written or electronic form all policies and procedures
and other forms of documentation required by the Privacy Standards and Privacy Overview for a
minimum of six years and in compliance with the ACS document retention policy and applicable
state law. All documentation must be maintained in a location available to all employees.
In addition, Business Units or Locations shall retain, for a minimum of six (6) years,
documentation relating to any complaints, investigations or sanctions that are applied as a result
of non-compliance with the Allowable Uses and Disclosure Policy of IIHI.
Procedures:
Policies will be maintained online for ease of access.
Hardcopies of policies, procedures and any complaints received will be kept in HIPAA archives by
the Office Manager. The HIPAA archive will contain:
S. The Privacy Overview and local Privacy Policies and procedures
> Issues identified in the course of Privacy Policy development and implementation
> Business decisions and determinations of applicability
> Supporting documentation for the assessment and selection of physical and technical
measures to provide"reasonable safeguards" in accordance with the Privacy Standards
> Privacy Policy meeting minutes
> Privacy Policy training records
> All other related documentation
ACS Weld_Privacy_Policy 3 Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last printed 3/25/2003 3:35 PM
ACS c Weld County A
Privacy Policies and Procedures
A C S.
1.5 Modifying Policies as a Result of Change in Law
Policy:
Upon notification from ACS corporate of a modification in the Privacy Standards or ACS
corporate policy, each these Privacy Policies and Procedures, as appropriate, must be promptly
modified to comply with applicable changes.
Procedures:
Upon notification of modifications, the site HIPAA contact or Account Manager will advise local
management of the need to review and update policies and procedures. The management team
shall designate staff to draft changes and present them to the management team for review,
approval, and dissemination.
1.6 Organizational Requirements
Policy:
Under HIPAA Privacy Standards, ACS at Weld County is designated as a Business Associate of
the County.
Procedures:
Designated status will be reviewed by the Account Manager whenever there are changes in
HIPAA regulations.
ACS_Weld_Privacy_Policy 4 Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last printed 3/25/2003 3:35 PM
ACS @ Weld County A
Privacy Policies and Procedures
A C S°
1.7 Privacy Official Designation
Policy:
ACS will designate a Privacy Director who is responsible for ensuring compliance with the Privacy
Overview and that applicable Business Units and Locations carry out the ACS policies and
directives included therein.
Each Business Unit or Location shall designate a Privacy Official or contact person to coordinate
the Business Unit or Location's activities in order to carry out the Privacy Policies and directives
included in the Privacy Overview. The Privacy Official or contact person will facilitate and
respond to communication regarding the protection of IIHI between Covered Entity clients, third
parties, the Business Unit management, and the ACS Privacy Director. This person shall also
develop and oversee the effective implementation of policies and procedures for the Business
Unit or Location, as they relate to IIHI, in coordination with the ACS Privacy Director
Procedures:
ACS at Weld County has designated the following individuals:
> Julie Jordan, User Services Manager, is acting as the contact person to facilitate
communication and coordination of initial policies and procedures.
> The Technical Services Manager, Frank DeFelippis, will act as contact for both security
and privacy for ongoing HIPAA coordination
> Nila Walters, Office Manager, will coordinate compliance with all training and other HR
requirements.
1.8 Responding to requests from State or Federal Agencies
Policy:
ACS will cooperate with state and federal agency complaint investigations and compliance
reviews by providing records and compliance reports and permitting access to information when
required. Prior to releasing information, including any IIHI, to a state or federal agency, the
procedures below must be followed in order to maintain and account for proper Disclosures.
Procedures:
When presented by a request from a State or Federal agency:
> Request that the agency present their request to the County rather than to ACS
> Notify the direct supervisor and the Account Manager that a request has been made
> If the agency requests information without notification of the County, the Account
Manager or his designated representative will:
o Validate and document the identity of the person making the agency request
o Notify the ACS Privacy Director and the Business Unit's Legal Counsel of the
request by the state or federal agency
o Obtain assistance from the ACS Privacy Director in confirming that the request is
made under authorized circumstances in which a state or federal agency may
require Disclosures.
o Keep detailed records of all conversations, correspondence, and materials
provided in response to the request. These records will be given to the Office
Manager for filing in the HIPAA archive records.
ACS Weld Privacy_Policy 5 Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last printed 3/25/2003 3:35 PM
ACS c Weld County
Privacy Policies and Procedures
A C s•
1.9 Time Frames for Privacy Implementation_
Policy:
ACS at Weld County will comply with corporate timelines:
➢ All staff will have completed Privacy training by March 1, 2003
> All existing and future privacy policies and procedures will be_continuously enforced.
ACS_Weld 6 Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last printed 3/25/2003 3:35 PM
ACS @ Weld County itPrivacy Policies and Procedures
A C se
Section 2
Administrative Requirements
2.1 - Business Associates
Policy:
A"Business Associate Agreement"will be executed with every business partner or sub-contractor
which has or may have access to confidential information.
At this time no contracts have been identified which constitute a Business Associate relationship
with ACS.
Procedures:
Each contract for services which is executed by ACS shall be reviewed for the potential of access
to confidential information. A signed copy of the"Access and Confidentiality Agreement"will be
obtained and filed with the contract.
2.2 Document Destruction
Policy:
When deemed necessary and appropriate, documents containing IIHI shall be safely and
securely destroyed. Proper accountability for the destruction of documents will be maintained.
Procedures:
Paper documents:
Any documents received for or printed for Weld County which contains IIHI shall either be given
to the designated County staff, or shall be destroyed by processing through a cross cut shredder.
Any documents containing health related information regarding ACS staff shall be retained in
accordance with current law and regulations and when no longer needed will be destroyed using
a cross cut shredder.
Two shredders are currently available:
• High volume and general purpose shredder located in the utility room behind the
receptionist
• Low volume shredder located in the Office Manager's office.
Electronic documents:
Hard drives, removable drives, cartridges, and tapes which may at any time have contained IIHI
will be subjected to complete erasure prior to disposal. Low level reformat or magnetic erasure
will be used to ensure that no data can be recovered from the media.
ACS_Weld_Privacy_Policy 7 Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last printed 3/25/2003 3:35 PM
ACS c Weld County
Privacy Policies and Procedures
A C S'
2.3 Duty to Mitigate Effects of Disclosure
Policy:
ACS staff are responsible for taking action to minimize, to the extent practicable, any harmful
effects of a known Use or Disclosure of IIHI in violation of established policies and procedures.
Procedure:
Upon becoming aware of any prohibited disclosure of information the following steps are to be
taken:
• Immediately report the violation to your manager(see 2.5 Reporting Inappropriate Use or
Disclosure)
• Management staff shall determine the steps necessary to minimize the results of an
inappropriate Use or Disclosure and act in a timely manner. Steps may include:
o Retrieval of any documents inappropriately released
o Discussion of privacy concerns with the person(s)who received the inappropriate
disclosure
o Disciplinary action against ACS staff if the inappropriate disclosure was
deliberate.
o Review of procedures and retraining of staff to prevent any future inappropriate
disclosure.
o This shall include, after consultation with the ACS Privacy Director and the
Business Unit's Legal Counsel, notification to the County if required by a
Business Associate Agreement.
• Any incident, and the action taken to minimize the effects of an inappropriate Disclosure,
shall be documented in writing and retained by the Office Manager in accordance with
the Documentation Requirements Policy.
If an ACS Workforce member is approached by a member of the media regarding ACS Privacy
Policies or practices related to the Disclosure of IIHI, the employee shall not comment'and shall
immediately direct the inquiry to the State and Local Solutions unit Privacy Official (see Apendix A
- HIPAA Contacts at the end of this document).
ACS Weld_Privacy Policy 8 Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last printed 3/25/2003 3:35 PM
ACS @ Weld County it
Policies and Procedures
A c s®
2.4 Policies andProcedures
Policy:
ACS at Weld County is required to develop and maintain written documentation of policies and
procedures it adopts related to the privacy of IIHI in accordance with the ACS corporate Privacy
Overview.
Procedures:
This document constitutes the required written documentation of policies and procedures.
It is maintained to meet the corporate requirements for HIPAA compliance and to meet ACS
responsibilities as a Business Associate of the County. It will therefore be maintained using the
document management and version control procedures of the County ISD Portal. It will be
available for read access by both ACS staff and County personnel.
Each policy and procedure will be reviewed and updated as required at least annually. Review
will occur:
• Whenever policy changes are distributed from ACS corporate
• Whenever contract or Business Associate Agreements are being reviewed or updated
with the County
• When new services are contracted from ACS by the County which involve health
information
• When County privacy policies and procedures are reviewed (schedule will be at least
annually as developed by the County)
The Office Manager will notify all staff via email whenever changes are made to Privacy Policies
and Procedures. Changes will be discussed in conjunction with monthly staff meetings as
needed to ensure staff understanding of the changes.
The Office Manager will maintain printed copies of all published versions of these Privacy Policy
and Procedures in accordance with the Documentation Requirements policy.
ACS Weld Privacy_Policy 9 Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last pentad 3/25/2003 3:35 PM
ACS c@Weld County
Privacy Policies and Procedures
a c s•
2.5 Reporting Inappropriate Use or Disclosure of IIHI
Policy:
A member of the Workforce must report any improper Use or Disclosure of IIHI to his/her
appropriate management, and his/her Business Units Privacy Official after following site reporting
procedures. The Privacy Official shall coordinate any necessary communication with the ACS
Privacy Director, the Business Unit's Legal Counsel, and/or the client as appropriate.
Procedure:
ACS staff members shall report any improper Disclosure of IIHI to their immediate supervisor as
soon as they become aware that a violation has occurred. This report must be made regardless
of whether the violation was accidental or deliberate.
This reporting will be verbal followed by an email or other written documentation with all the facts
known about the disclosure. This information shall include:
• When the violation occurred
• What information was inappropriately used or disclosed
• Who was involved in the inappropriate use of discloser
• Any actions taken immediately by the staff member to mitigate the impact of the
inappropriate use or disclosure
If the staff member's immediate supervisor is not available, or was involved in the inappropriate
use or disclosure, this report shall be made to any other available member of the management
staff.
The supervisor or manager shall immediately:
• Advise the employee that no retribution or retaliation for reporting the violation will occur,
so long as the employee reports in good faith. However, if the individual reporting was
also the source of the improper Use or Disclosure, appropriate sanctions may be
employed.
• Report the alleged violation to the Account Manager
• Provide copies of all documentation regarding the incident to the Office Manager for
retention in accordance with 1.4 Documentation Requirements
• Report the alleged violation to the Business Unit management and Privacy Official (see
Appendix A- HIPAA Contacts at the end of this document)
Management and staff will cooperate with any investigation or reporting requested by Business
Unit management or the ACS Privacy Director.
ACS_weld_Privacy_Policy 10 Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last printed 3/25/2003 3:35 PM
ACS c Weld County
s
Privacy Policies and Procedures
A C S•
2.6 Subcontractors and Agents as Business Associates
Policy:
ACS will ensure that any subcontractors or agents to whom it provides IIHI received from or
created or received by ACS on behalf of the.County agree to the same restrictions and conditions
that apply to ACS with respect to such information.
Procedure:
See section 2.1 Business Associates for policy and procedures in relation to subcontractors or
agents of ACS acting as a Business Associate of ACS.
Subcontractors, volunteers, and temporary employees who are under the direct control of ACS,
whether or not they are paid by ACS, are considered a part of the Workforce and must be trained
in compliance with section 2.7 Training of the Workforce Policy. Formal classroom or on-line
training requirement will be waived for temporary PC support personnel if the County states in the
Supplemental Services Agreement that no IIHI will accessible in the areas where these personnel
will be working. A confidentiality agreement must still be read, understood, and signed by
temporary personnel.
•
ACS_Weld_Privacy_Policy 11 Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last printed 3/25/2003 3:35 PM
ACS @ Weld County it
Privacy Policies and Procedures
A C S`
2.7 Training of the Workforce
Policy:
ACS at Weld County has a responsibility to train its Workforce, including all employees and third
parties having access to IIHI under their control, such as temporary employees or subcontractors.
All initial training shall be completed by no later than the Privacy Standards compliance date, and
subsequent training for new employees shall occur within thirty(30) days of their starting
employment and before being given access to live client IIHI data. Training shall include, but not
necessarily be limited to, ACS' required HIPAA training and a review of the Business Unit or
Location's Privacy Policies and procedures as applicable to the Workforce member's role within
ACS.
Procedures:
All full time staff will complete ACS online HIPAA Awareness and Privacy training.
The Office Manager will monitor compliance and maintain documentation of completion of
training.
All staff will be given access to this document for local Privacy Policies and Procedures. It will be
part of the new hire packet and the hiring manager will review it with the employee at hire and at
the time of each performance review.
Additional HIPAA security training will be required for staff whose duties involve the maintenance
of physical or electronic security effecting access to IIHI.
Duties of temporary of short term contract staff will be reviewed by the hiring manager. A
determination will be made whether or not the staff member is likely to encounter IIHI in the
course of their assigned work. The manager will then determine if a review of local Privacy
Policies and Procedures will be sufficient training or if the online HIPAA Awareness and Privacy
training will be required.
Successful completion of required HIPAA training is a condition of initial and ongoing
employment. Any changes in HIPAA regulations and associated policy and procedures will
result in staff being provided with updated training.
Documentation of training completed will be maintained by the Office Manager in the following
forms:
• Print of training database reports from the ACS online training
• Privacy Policy review reports from managers performing policy training with new
employees, contracts, and temporary employees.
• Privacy Policy review reports from managers performing policy reviews during
performance reviews.
ACS_Weld_Pdvacy Policy 12 Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last printed 3/25/2003 3:35 PM
ACS @ Weld County itPrivacy Policies and Procedures
A C S'
2.8 Workforce Sanctions _
ACS Weld Privacy_Policy 13 Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last printed 3/25/2003 3:35 PM
ACS c Weld County
Privacy Policies and Procedures
A c s•
Applies to all Business Units and Locations that have access to, receive,
collect, process, store, transmit, or create Individually Identifiable Health
Applicability Information (IIHI).
January 1, 2003 •
Effective
This policy establishes guidelines for the appropriate application of
Purpose sanctions as applied to a member of the Workforce as a result of an
unauthorized Use or Disclosure of IIHI.
Each Business Unit or Location has the responsibility to report any
Policy violation, whether inadvertent/accidental or malevolent/purposeful, related
to the inappropriate Use or Disclosure of IIHI in the time and manner set
forth in the Reporting Inappropriate Use or Disclosure of IIHI Policy and to
administer sanctions or disciplinary actions associated as a result of the
violation. The application of any sanctions and their resolution shall be
documented in accordance with the Documentation Requirements Policy.
Workforce sanctions are intended to support and enforce ACS and Business Unit
and Location policies as well as client contract requirements related to the
protection of IIHI. The application of appropriate sanctions will be addressed
through the cooperative efforts of the Business Unit's manager, the Business Unit's
Privacy Official, the ACS Human Resources Department, the Business Unit's Legal
Counsel, and/or the ACS Privacy Director.
Sanctions may vary in severity from re-training to disciplinary action up to and
including termination depending on the nature of the violation and whether the
violation itself was accidental, deliberate, neglectful, or malicious in nature.
1. Upon receipt of the violation where an employee believes a disclosure
of information may have occurred, the information must be reported to
Guidelines the appropriate management. Management wil in consultation with the
Business Unit's manager, the Business Unit's Privacy Official, the ACS
Human Resources Department, the Business Unit's Legal Counsel,
and/or the ACS Privacy Director, as appointed, investigate each such
matter brought to his attention.
2. Manager should encourage employees to step forward and self-report
any mistakes of accidental disclosure. Management will work with the
employee to mitigate the situation. Management should then look at
process improvement and/or retraining to prevent the accidental
disclosure from occurring again.
3. Dependant on the severity of the violation, a formal corrective action
ACS_Weld_Privary Policy 14 Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last printed 3/25/2003 3:35 PM
ACS @ Weld County A
Privacy Policies and Procedures
A C S.
plan, including any follow-up, Workforce member re-training or sanction
activity must be documented and is required. This corrective action
plan must be placed in the employee personnel file and any other filing
system as required by the Business Unit. A copy must be forwarded to
the ACS Corporate representative.
4. The employee's Manager will be responsible for ensuring the corrective
action plan has been appropriately administered. The Business Unit's
Privacy Officer is responsible for oversight of any corrective action and
final outcome.
5. All documentation associated with this action will be documented and
maintained on site in accordance with the Documentation Requirements
Policy. Management is responsible for forwarding the documentation to
the ACS Privacy Official, Corporate Representative and to the ACS
Human Resources department for filing in the employee's personnel file.
6. If required by client contract, ACS management shall forward
documentation, as appropriate, of the Disclosure, mitigation, and
sanction activities and resolution to the client which was the subject of
the violation.
7. This policy does not address any sanctions or action required as a
result of a Disclosure by a subcontractor or agent. Each Business Unit
or Location should establish appropriate and, at a minimum, equivalent
sanctions, for subcontractors and agents and document such sanction
in a policy or in the subcontractors' contract as appropriate.
(Numbering is for reference only and is not an indication of order or priority)
Documentation Requirements (1.4)
See Also Duty to Mitigate Effects of a Disclosure (2.3)
Reporting Inappropriate Use or Disclosure of IIHI (2.5)
Our Reputation—ACS Code of Ethnical Business Conduct
CFR 45 §164.502(j)(1) and (2); §164.530(e)(1) and (2); §164.530(g);
Citations §164.530(j)
Preamble Discussion: pp. 82501-02; 82636; 82562; and 82745
Last Update September 1, 2002
Revision
History
ACS_Weld_Privacy_Policy 15 Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last printed 3/25/2003 3:35 PM
ACS c Weld County
Privacy Policies and Procedures
A C Ss
Section 3
Individual Rights
Section 3 of the ACS HIPAA Privacy Overview relates to responsibilities of ACS locations which
are considered "covered entities" and do not apply to ACS at Weld County. No local policies and
procedures will be developed in this area.
ACS Weld Privacy_Policy 16 Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last printed 3/25/2003 3:35 PM
ACS @ Weld County L�4
Privacy Policies and Procedures
A C S'
• Section 4
Physical and Technical Safeguards
4.1 Application Development Security
Policy:
All access to IIHI through software applications must be managed to ensure secured access.
Application design and development within ACS will be done using methodologies that support
the Privacy Policies including, but not limited to, those related to physical and technical security
measures and the Minimum Necessary Standard Policy. When application design, development,
or testing requires the use of IIHI, fabricated test data, rather than real IIHI, should always be
used'. This security model must be maintained through the entire life cycle of the software
development process.
*Where the County requires the use of a copy of production data for testing, the County
requirement will supersede this policy. _
Procedures:
The following measures will be taken to ensure the security of data during or subsequent to
development activities:
• Source will be maintained in directory structures or libraries which are secured for access
only by development personnel.
• On systems where the County has provided the required resources, source management
which provides an audit trail of maintenance access will be utilized.
• Source directories and libraries will be included in routine backup schedules.
• Test versions of applications will have the same security as the production systems, or
more restrictive security, with the exception of allowing developers to have access
required for testing.
• Any application designed and developed by ACS staff which has the potential of
providing access to individually identifiable health or financial data will incorporate
security which requires unique user ids and passwords and provides for role based
access control. This security may be:
o Internal to the application. Internal application security must also provide
functionality for the appropriate user staff to perform security administration.
o Network security. Utilization of Windows NT or Active Directory security. .
• When live data is required for adequate testing, the users responsible for that data will
determine what data is used and who will be allowed to access it.
ACS_Weld_Privacy_Policy 17 • Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last printed 3/25/2003 3:35 PM
ACS @ Weld County
Privacy Policies and Procedures
ACS•
4.2 Application Security Administration
Policy:
Access to applications that contain IIHI shall be granted to members of the Workforce only on a
need-to-know basis and in compliance with the Minimum Necessary Standard Policy. Role
Based Access shall be established for each member of the Workforce, modified upon that
person's change in job functions, and terminated at the end of that person's employment or
contract.
Procedures:
The following measures will be taken to ensure security of individually identifiable health or
financial data accessed via applications which are developed, configured or maintained by ACS:
• The appropriate County security personnel will provide the security parameters for
application access. Wherever possible, County personnel with responsibility for the data
will also carry responsibility for application security administration.
• Documentation of approved application roles and the functions within those roles is the
responsibility of the County personnel who have responsibility for the data.
• Database access will be password secured. Any ODBC access will be associated with a
role based user id which limits the data access and functions to the minimum necessary.
• For any application secured by Windows NT or Active Directory security, the
administration will be performed by ACS Network Administration staff based on formal
requests from designated users with appropriate security authority. A security change
confirmation message will be sent to the users for documentation and safeguarding
against invalid requests.
• When an ACS staff member changes roles within the organization the immediate
supervisor(s) will review all application, database, file, and network access to determine
what changes should be made in security access. Requests for security changes will be
made to the appropriate network, system, and application security administrators.
• When an ACS staff member terminates employment, their immediate supervisor will
immediately request that their network logon be locked, and request that system and
application security administrators delete their user id.
The listing of applications which are determined to have HIPAA privacy impact will be provided by
the County, however the procedures above will be applied to all applications regardless of the
HIPAA status of the application.
ACS WeldPrivacy_Policy 18 Last saved 3/25/2003 3:00 PM
Last saved_by jjordanjjordan Last printed 3/25/2003 3:35 PM
ACS @ Weld County A
Privacy Policies and Procedures
4.3 Clean Desktop Policy
Policy:
The protection from inadvertent exposure of IIHI requires constant vigilance by members of the
Workforce. Awareness of surroundings, understanding of classification of the information and the
need to protect it, and implementation of sound technical procedures will provide reasonable
protection at each workstation.
Procedures:
In ACS staff work areas:
• No reports or other data printouts containing IIHI will be left where it can be viewed by
others.
o In the printer room reports will be appropriately boxed or have a cover sheet
which does not contain individually identifiable data
o In staff work areas, any printed individually identifiable data will be covered with a
blank sheet if the staff member leaves the work area temporarily while working
with the data. At the end of the work day, any printouts will either be shredded if
no longer needed, or put away in drawers or filing cabinets.
o Printed data being passed to another ACS staff member or authorized user will
be placed in a sealed envelope or box during transit.
• On screen viewing of individually identifiable data will be secured from accidental viewing
by:
o Positioning the display so that visitors can not accidentally view the data
o Invoking system lock or screen saver lock whenever the staff member leaves
their work area.
o See also 4.9 Screen Saver or Logoff Requirements
• Documents must not be left on unattended printers or fax machines and should be picked
up and stored or disposed of immediately.
• Documents or electronic media containing IIHI should not be placed in a trash receptacle,
open recycle bins, or unsecured containers. IIHI must be destroyed in compliance with
the Document Destruction Policy.
4.4 Electronic Transmission of IIHI
Policy:
The County is responsible for ensuring that all transactions processed meet HIPAA transaction
code standards.
Procedures:
ACS staff will not modify the content of data transmissions without a specific formal request from
the County personnel who are responsible for the data being transferred.
ACS staff will not transmit IIHI to anyone other than the users who created the data without a
formal request from the users who are responsible for the data.
ACS_Weld_Privacy_Policy 19 Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last printed 3/25/2003 3:35 PM
ACS c@Weld County it
Privacy Policies and Procedures
A C S•
4.5 Encryption
Policy:
Wherever it is within ACS control and the County has provided the necessary resources, all
transmission and storage of IIHI shall include encryption to reduce inappropriate or unauthorized
Disclosure.
Procedures:
Data files stored on servers:
• All data files containing IIHI stored on servers shall be stored in encrypted files under the
following circumstances:
o Files received from another system are being held for further processing.
o Files have completed processing and are waiting to be transmitted to another system
for further processing.
o Files are between processing steps, and the delay between processing is of
indeterr:iinate length.
• Data stored on secure servers or networks, in accordance with ACS standards for secure
servers, need not be encrypted.
Data files transmitted by electronic means such as the Internet, Intranet, or dial-up:
• All data files containing IIHI transmitted or received through the Internet, Intranet, or dial-
up shall be sent or received in encrypted files or through encrypted paths (e.g., VPN).
Encrypted data or files shall mean data encrypted with either 128-bit encryption algorithms or
using industry approved encrypted technology, such as asymmetric or symmetric key encryption.
ACS_weId_Privacy_Poiicy 20 Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last printed 3/25/2003 3:35 PM
ACS c@Weld County
Privacy Policies and Procedures
A C s•
4.6 Facility Security
Policy:
Proper physical security and operating safeguards are necessary to protect IIHI at ACS facilities.
The goal is to protect and preserve IIHI by reducing its exposure to vulnerabilities.
Procedures:
All facility security standards created by the County will be enforced.
Current procedures include:
• Secured access to the main computer room via
o Building security with perimeter and motion sensors active during times when staff is
not present or only Operations staff are present.
o Key pad access with codes communicated verbally by the Operations Manager.
Codes are changed at random periods, and when staff knowing a code leave ACS
employment or change roles to one not requiring computer room access.
• Secured access to the Sheriff computer room via
o Sheriff administered security of the building
o Individual key card access to the computer room
• Staff are to wear County issued picture ID badges visible above the waist line at all times
when in County facilities
• Visitor log is maintained at the front desk.
• Non-County staff are escorted when inside the building
• UPS, generator, and emergency lighting have been implemented.
• Development and maintenance of Disaster Recovery Plans
• Compliance with all safety and fire prevention regulations
ACS WeldPrivacy_Policy 21 Last saved 3/25/2003 3:00 PM
Last saved_by jjordanjjordan Last printed 3/25/2003 3:35 PM
ACS @ Weld County
Privacy Policies and Procedures
C S'
4.7 Network Security
Policy:
All access to IIHI through computer networks will be managed to ensure secured access. Access
to networks and network devices by members of the-Workforce shall be limited in accordance
with the Minimum Necessary Standard Policy.
Procedures:
To the extent possible with the authority and resources provided by the County, the following will
be enforced:
1. Domain security:
• Individual usernames and passwords will be assigned
• Members of the Workforce may not share passwords.
• Passwords will be changed no less frequently than every 90 days
• Strong passwords will be enforced.
2. NTFS security permissions/share security:
• All server shares must limit access to only those who need access.
3. Full server auditing must be turned on for areas-containing IIHI:
• All user access will be audited, both successes and failures.
• Procedures must be in place to correlate and periodically review the activity logs.
4. Local Area Network (LAN) Security:
• Firewalls should be employed to protect LAN segments and resources.
• Specific types of firewalls should be implemented based upon the requirements of the
resource to be protected.
• Each Business Unit or Location should be on its own LAN or separate isolated and
protected segments.
5. Intrusion Detection Systems (IDS) should be installed:
• Network based IDS should be employed on the WAN and LAN.
• Host based IDS should be employed on specific use servers.
6. External public access servers should be segregated in a DMZ protected by firewalls.
• Public access servers should be installed on dedicated, single purpose servers.
• Only required services should be turned on (e.g., FTP, HTTP, etc.).
7. Desktops will have an approved operating system, such as Windows 2000/XP Professional.
• Desktop operating system must support multiple users with individual settings.
• Must be able to "lock"the system whenever the user gets up from the PC.
8. All Wireless Access Points (WAP) for a Wireless Local Area Network (WLAN) must be
secured.
9. VPN access must be restricted on a need-to-use basis.
• VPN access will be limited in accordance with County policy and must be approved by
the County CIO.
• Additionally, VPN access requested by a member of the Workforce must be approved by
the immediate supervisor.
• VPN access requested by a County Business Associate must also be approved by the
head of the department for which the Business Associate is performing services.
10. All network policies and procedures as implemented by the County must be documented,
published to the Workforce, and available for review. These policies and procedures will be
supported with employee training.
•
ACS_Weld 22 Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last printed 3/25/2003 3:35 PM
ACS c Weld County APrivacy Policies and Procedures
A C S'
4.8 Password Management
Policy:
All computerized access to IIHI must be done through user login and password controls. ACS at
Weld County is responsible for management of passwords for all members of the Workforce with
rights to access IIHI. While members of the Workforce may have multiple passwords based on
need, security level, and application, no member of the Workforce shall: (i) share passwords with
others or disclose or post their passwords in such a way that others may determine their
passwords; nor(ii) attempt to determine the passwords of others.
Procedures:
To the extent possible using the resources provided by the County, the following procedures will
be enforced for security which allows access to IIHI:
1. A unique user log-on code and initial password code will be provided to each member of the
Workforce to grant access to IIHI required to perform assigned job functions in compliance
with the Minimum Necessary Standard and Application Security Administration policies.
Passwords shall be assigned only to grant access to IIHI on a need-to-know basis.
2. Each password will initially begin with a "known" value, such as the name of the member of
the Workforce or fixed word. This initial value must be changed to a new value selected by
the user upon the first login and prior to any access to IIHI.
3. Passwords shall be made up of a combination of alphabetic letters, numbers, and special
characters. Members of the Workforce are encouraged to select passwords that are easy to
remember, but not associated with an obvious personal attribute (such as a name or
birthday). Passwords shall be a minimum of eight characters long.
4. Passwords shall not be posted in public areas or where other members of the Workforce can
easily see passwords. Passwords may be written down in a secured private area but must
not be associated with a login code.
5. Members of the Workforce must change their passwords every thirty (30) to ninety (90) days.
Members of the Workforce will be reminded that their passwords shall become obsolete
within five (5) days of invalidation. Applications shall support this requirement wherever
possible.
6. A Member of the Workforce who forgets their password must be assigned a new password.
A manager in the direct line of the requestor must authorize all requests for new logins or
requests to reset an existing account password.
7. Passwords shall be invalidated and user codes removed immediately upon the termination of
employment of a member of the Workforce or when access to IIHI is no longer authorized or
required by job functions.
B. Visitors to Business Units and Locations with access to IIHI shall NOT be granted "guest" log-
ins that have access to IIHI.
9. As directed by the County, Network, security, and production management shall run tests on
the security of the password management systems from time to time. Such tests shall
include procedures to verify that old accounts are inactive and that current passwords are in
accordance with published procedures. These tests shall be both planned on a regular basis
and unannounced on a random basis.
ACS_Weld_Pnvacy_Policy 23 Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last printed 3/25/2003 3:35 PM
ACS c Weld County
Privacy Policies and Procedures
A C S°
4.9 Screen Saver or Logoff Requirements
Policy:
All access to IIHI through software applications or database lookups must be appropriately closed
when a member of the Workforce is absent from his or her workstation for more than five (5)
minutes.
Procedures:
Each member of the Workforce is required to control their own computer workstation access
including logging out of the system during planned breaks or at the end of the work day. A
member of the Workforce who habitually leaves his or her computer workstation active during
absences shall be subject to disciplinary action. A member of the Workforce shall control access
to his or her computer workstation access while away from the workstation by one of the following
methods:
• Screen Saver. Workstation screens shall be cleared by either a blank screen or
graphical motion known as a "screen saver." Screen saver images shall be automatically
set to come on within at least five (5) minutes after no activity on the workstation (such as
a keystroke or mouse move) has occurred if IHII is accessible. All screen savers shall be
password protected. - -
• System Lock Workstation access shall be locked with password protection prior to
leaving the workstation for any period of time (CTRL+ALT+DEL ENTER or equivalent
shortcut)
4.10 N/A
4.11 At Home Workers
Policy:
When acting as a Business Associate of Weld County, ACS must ensure that at-home
members of the Workforce and all those working away from facilities controlled by ACS
take adequate precautions to protect IIHI. In transporting or transmitting IIHI to an at-
home worker, ACS must establish proper technical safeguards to prevent unauthorized
receipt of the IIHI by third parties.
Procedures:
Although ACS at Weld County does not have any members of the workforce whose primary work
location is the home or any other non-County location, there are instances when application,
operations, or network support are provided remotely. The following applies to those situations:
• All at-home workers must use adequate measures to protect IIHI while working at home.
• The worker's immediate supervisor will evaluate potential threats presented by having a
member of the Workforce who handles IIHI work off-site and will advise management of
these threats. At-home workers will be appropriately trained to address these concerns.
• The immediate supervisor will evaluate the jobs done by at-home workers and ensure that
the IIHI available to such workers is the minimum necessary for each job function.
ACS Weld Privacy_Policy 24 Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last printed 3/25/2003 3:35 PM
ACS c@Weld County A
Privacy Policies and Procedures
A C S°
• Members of the workforce must avoid printing materials which contain IIHI whenever
possible. If material must be printed, it must be disposed of in accordance with 2.2
Document Destruction. If the worker does not have a cross-cut shredder available, the
documents should be brought back to the office for shredding.
• All policies and procedures in this document apply to work at home or another non-County
site as well as to work in a County office. If these procedures can not be followed at home,
the worker will not have approval to perform work from home.
• All electronic transmissions between the at-home worker's computer system and any other
system that contains images or data files of IIHI shall be encrypted. The County's secure
VPN solution will be used.
• Programs used to access IIHI will be password protected. The worker is prohibited from
sharing these passwords with other members of the household.
• The worker is prohibited from saving IIHI to their local system beyond that necessary for the
current working session.
• Approval for VPN access will be controlled jointly by the worker's manager and the County
CIO in accordance with County policy. Records of approval for VPN access will be
maintained by the Technical Services Manager or designee.
•
ACS_Weld 25 Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last printed 3/25/2003 3:35 PM
ACS @ Weld County itPrivacy Policies and Procedures
A C S•
Section 5
Use and Disclosure
The majority of Section 5 of the ACS HIPAA Privacy Overview relates to responsibilities of_ACS
locations which are considered "covered entities"and do not apply to ACS at Weld County. Local
policies and procedures have been developed for only a sub-set of the policies in this area.
5.13 E-Mail Acceptable Use
Policy:
The Electronic Messaging System is not a secure facility for the transmission of IIHI. It is not to
be used to transfer IIHI unless actions have been taken to encrypt and secure the transmission.
Procedures:
If an instance arises where email appears to be the only viable facility for transmission of IIHI, the •
worker must contact their manager and obtain the assistance of security personnel in developing
a method of transfer which will be secure. Such emails (or the data sent as an attachment) must
remain encrypted in storage or be deleted from email storage. The sender must also confirm that
each email was received by the intended recipient.
5.14 Fax Machine Acceptable Use
Policy:
A fax machine that receives or transmits IIHI shall be maintained in a secure location and
monitored regularly to minimize the accidental Disclosure of IIHI. When possible, the fax being
sent will de-identify any IIHI. A fax machine will be used to send IIHI only if alternative and more
secure means cannot meet the purpose of the transmittal of the IIHI.
Procedures:
If faxing of IIHI is required in support of County business, the location of the fax machine and
procedures for logging transmissions will be determined by the County.
If faxing of IIHI is required in support of ACS internal business, the fax machine in the Office
Manager's office shall be used to ensure confidentiality.
ACS_Weld_Privacy_Policy 26 Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last printed 3/25/2003 3:35 PM
ACS c Weld County
Privacy Policies and Procedures
A C S•
•
5.17 Minimum Necessary Standards
Policy:
When acting as a Business Associate of the County of Weld, ACS may be required to limit Use,
Disclosure, or requests for Private Health Information (PHI) to that which is the minimum
necessary. If required by contract with the County, ACS will make reasonable efforts to limit
access of PHI to:
• The minimum necessary to accomplish the intended purpose of any Use, Disclosure or
request;
• Those members of the Workforce who need access to PHI to perform their duties; and
• Any subcontractor or agent performing work on behalf of the Business Unit or Location
and reasonably necessary to achieve the business purpose.
Procedures:
ACS guideline:
An entity(Business Unit, Location, or member of the Workforce) may rely, if such reliance is
reasonable under the circumstances, on a requested Disclosure as the minimum necessary for
the stated purpose when the information is requested by:
(i) a public official as described in the Privacy Standards;
another Covered Entity; or
a professional who is a member of its own Workforce or a Business Associate of the
Covered Entity for the purpose of providing services to the Covered Entity, if it is
represented to the Covered Entity that the information requested is the minimum
amount necessary for the stated purpose
ACS at Weld County policy:
Please see specific policy and procedures about disclosure of PHI found in Section 1.2 Allowable
Use and Disclosure.
•
ACS Weld_Privacy_Policy 27 Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last printed 3/25/2003 3:35 PM
ACS c Weld County
Privacy Policies and Procedures
A c s°
5.19 Use and Disclosure Required by Law
Policy:
ACS must disclose private health information (PHI)when required to do so by law. PHI should
not be released by a member of the Workforce unless the member is knowledgeable of _
circumstances which warrant and allow for a Disclosure as Required by Law. Each
Disclosure Required by Law shall be documented and the documentation retained in
accordance with the 1.4 Documentation Requirements policy.
Procedures:
Upon receiving a request for PHI from a law enforcement officer or agency, the Worker shall:
• Request that the request be presented to the County rather than to ACS. If the request is
redirected to the County, no further action is required by ACS staff.
• Inform their immediate supervisor of the request. The supervisor is responsible for ensuring
that appropriate County and ACS management are aware of the request, and that agreement
is obtained from appropriate legal counsel regarding the validity of the request prior to
release of any information.
o If a request for a mandatory Disclosure Required by Law is received, an
authorization is not required to allow for the Disclosure. The Privacy Official or
contact person will work with the Business Unit's Legal Counsel in responding to
and coordinating the release of the information.
o If the Disclosure of PHI is permitted but not Required by Law, the Business Unit
must determine if the Disclosure comes within one of the other permissible
Disclosures. If the Disclosure does not, an authorization from the subject
Individual must be obtained prior to Disclosure or De-identification of the PHI
must occur before it is Disclosed.
• Keep a written record of all communication and actions in relation to the request and provide
that written documentation to the Office Manager for filing.
• Verify the identity of the requestor using both picture ID and communication with
management of the law enforcement agency being represented.
• Follow the policy and procedures detailed in these related policy sections:
o 1.2 Allowable Use and Disclosure
o 1.8 Responding to Request from State or Federal Agencies
ACS Weld_Privacy Policy 28 Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last printed 3/25/2003 3:35 PM
ACS c@Weld County
Privacy Policies and Procedures
A C S'
Appendix A
ACS HIPAA Contacts
• State and Local Solutions
Project Owner John Brophy
HIPAA Contact: Alice-Snow Robinson alice.snow-robinson(ct�.ACS-INC.COM
Information Management Services
Project Owner Mike McKenzie Mike.Mckenzie(a),ACS-INC.COM
HIPAA Contact: Al Landon AI.Landon(a.ACS-INC.COM
Weld
Project Owner: Anita Scrams Ascrams@co.weld.co.us
Privacy& Security: Technical Services Manager Fdefelippis@co.weld.co.us
HR &Training Nila Walters Nwalters@co.weld.co.us
ACS corporate project contacts are also maintained on the ACS HIPAA project website at
http://hipaa.acshealthcare.com.
ACS Weld Privary Policy 29 Last saved 3/25/2003 3:00 PM
Last saved by jjordanjjordan Last printed 3/25/2003 3:35 PM
Hello