HIPAA COMPLIANCE PLAN FOR WELD COUNTY DEPARTMENT OF PUBLIC HEALTH AND ENVIRONMENT
2003-1018
Weld County Department of Public Health and Environment
Health Insurance Portability and Accountability Act
3/27/03 Weld County Public Health ii
Table of Contents
Section 1
General HIPAA Policies and Procedures
1. HIPAA Notice of Privacy Practices
Acknowledgement of Receipt
2. Policy on Uses and Disclosures of Protected Health Information
3. Policy and Procedure on Patient's Right to Access Health Information
4. Authorization for Release of Information
5. Policy and Procedure on Patient's Right to Request Amendment to Health Information
6. Policy and Procedure to Request Restrictions on Use and Disclosure of Protected Health Information
7. Policy and Procedure on Requesting Confidential Handling of Information
Request for Confidential Handling of Health Information
8. Policy and Procedure on the Handling of Privacy Complaints
Privacy Complaint Form
9. Policy on Minimum Necessary Information
10. Office Role Directory
11. Policy and Procedure for Informing Individuals Concerning Opportunity to Accept/Reject Certain Uses and Disclosures
12. Policy and Procedure on Accounting for Disclosures
Request for Accounting for Disclosures of Health
13. Business Associates Contract
14. Job Description
15. Overview of Policies and Procedures on Privacy and Security
Employee Acknowledgement
16. Policy and Procedure on Personnel Discipline for Breach of Privacy or Confidentiality
Employee Acknowledgement
17. Policy and Procedure on Physical Security
18. Policy on Use of Electronic Mail, Internet and Facsimile Machines
Section 2
ACS @ Weld County Privacy Policies and Procedures
Table of Contents
Introduction
Section 1
Section 2
Section 3
Section 4
Section 5
Appendix
GENERAL HIPAA POLICIES AND PROCEDURES
PHYSICAL AND TECHNICAL SAFEGUARDS:
Weld County shall adopt and follow any policies, procedures or forms dealing with
physical and technical safeguards for information technology systems promulgated by
ACS, unless Weld County specially adopts a policy in lieu of ACS for information
technology systems. The physical and technical safeguards of ACS used by Weld
County are:
Application Development Security
Clean Desk Policy
Electronic Transmission of IIHI
Encryption
Network Security
Password Management
Screen Saver or Logoff Requirements
At Home Workers
E-mail Acceptable Use
Fax Machine Acceptable Use
WELD COUNTY PERSONNEL POLICIES AND HIPAA:
Weld County's Personnel policy on confidential information applies in addition to any
HIPAA policies on breach of privacy or confidentiality. Any HIPAA policies on personnel
discipline for breach of privacy or confidentiality apply in addition to those cited in the Weld
County Personnel Policies. If there is conflict in any provision of the HIPAA policies
concerning personnel discipline and Weld County Personnel Policies concerning
discipline and grievance, Weld County Personnel Policies shall take precedence.
PROGRAM POLICIES TAKE PRECEDENCE:
Any policies, procedures, or forms promulgated by State of Colorado or Federal health
grant programs which are equal to or more stringent than Weld County's policies will
take precedence over Weld County's. The Weld County policies in this HIPAA
compliance document are the minimum standard to which Weld County employees are
held; however, state or federal grant programs may choose or require additional or
alternative policies, procedures, or forms to accomplish the same HIPAA compliance
requirement. In those cases, to ensure that grant requirements are met and to avoid
redundant effort the state or federal grant policies, procedures, and forms may be used
as long as they meet the county's minimum standards specified in this HIPAA
compliance document. Alternative grant policies, procedures, and forms must be
approved by the Health Department's HIPAA Privacy Officer.
HIPAA PROCEDURE AND POLICY PROMULGATION:
The Privacy Officer responsible for the departmental HIPAA compliance shall amend
and promulgate HIPAA policies and procedures as necessary by securing the
department head's approval, and submitting them to the Director of Finance and
Administration for review. The changes shall then be forwarded to the Board of Weld
County Commissioners for review by the Board members signing off on a cover sheet. If
approved by the Board of Weld County Commissioners on the sign off sheet the
changes shall be placed upon the Board's consent agenda for final approval. All HIPAA
policies shall be reviewed at least annually by the Privacy Officer of each plan for any
necessary updates or amendments.
Health Insurance Portability and Accountability Act (HIPAA)
Notice of Privacy Practices
WELD COUNTY DEPARTMENT OF PUBLIC HEALTH AND ENVIRONMENT
Effective Date: APRIL 13, 2003
This notice describes how health information about you may be used and
disclosed and how you can get access to this information.
Please review it carefully.
If you have any questions about this notice, please contact Cheryl Weinmeister R.N.,
B.S.N., Privacy Officer at 970-304-6410.
WHO WILL FOLLOW THIS NOTICE
This notice describes Weld County Department of Public Health and Environment's
privacy policy. All Weld County Department of Public Health and Environment
employees will follow this notice.
All Weld County sites and locations follow the terms of this notice. In addition, all Weld
County sites and locations may share health information with each other for treatment,
payment, or health care operations purposes described in this notice.
OUR PLEDGE REGARDING HEALTH INFORMATION
We understand that health information about you and your health care is personal. We
are committed to protecting health information about you. We create a record of the
care and services you receive from us. We need this record to provide you with quality
care and to comply with certain legal requirements. This notice applies to all of the
records of your care generated by this health care practice, whether made by your
personal doctor or others working in this office. This notice will tell you about the ways in
which we may use and disclose health information about you. We also describe your
rights to the health information we keep about you, and describe certain obligations we
have regarding the use and disclosure of your health information.
We are required by law to:
• Make sure that health information that identifies you is kept private.
• Give you this notice of our legal duties and privacy practices with respect to health
information about you.
• Follow the terms of the notice that is currently in effect.
3/27/03 Weld County Dept. of Public Health & Environment
HOW WE MAY USE AND DISCLOSE HEALTH INFORMATION ABOUT YOU
The following categories describe different ways that we use and disclose health
information.
For each category of uses or disclosures we will explain what we mean and try to give
some examples. Not every use or disclosure in a category will be listed. However, all of
the ways we are permitted to use and disclose information will fall within one of the
categories.
For Treatment: We may use health information about you to provide you with health
care treatment or services. We may disclose health information about you to doctors,
nurses, technicians, health students, or other personnel who are involved in taking care
of you. They may work at our offices, at the hospital if you are hospitalized under our
supervision, or at another doctor's office, lab, pharmacy, or other health care provider to
whom we may refer you for consultation, to take x-rays, to perform lab tests, to have
prescriptions filled, or for other treatment purposes. For example, a doctor treating you
for a broken leg may need to know if you have diabetes because diabetes may slow the
healing process. In addition, the doctor may need to tell the dietitian at the hospital if
you have diabetes so that we can arrange for appropriate meals. We may also disclose
health information about you to an entity assisting in a disaster relief effort so that your
family can be notified about your condition, status and location.
For Payment: We may use and disclose health information about you so that the
treatment and services you receive from us may be billed to and payment collected from
you, an insurance company, or a third party. For example, we may need to give your
health plan information about your office visit so your health plan will pay us or
reimburse you for the visit. We may also tell your health plan about a treatment you are
going to receive to obtain prior approval or to determine whether your plan will cover the
treatment.
For Health Care Operations: We may use and disclose health information about you
for operations of our health care practice. These uses and disclosures are necessary to
run our practice and make sure that all of our patients receive quality care. For example,
we may use health information to review our treatment and services and to evaluate the
performance of our staff in caring for you. We may also combine health information
about many patients to decide what additional services we should offer, what services
are not needed, whether certain new treatments are effective, or to compare how we are
doing with others and to see where we can make improvements. We may remove
information that identifies you from this set of health information so others may use it to
study health care delivery without knowing the identity of our specific patients.
Health-Related Services and Treatment Alternatives: We may use and disclose
health information to tell you about health-related services or recommend possible
treatment options or alternatives that may be of interest to you. Please let us know if
you do not wish us to send you this information, or if you wish to have us use a different
address to send this information to you.
Research: Under certain circumstances, we may use and disclose health information
about you for research purposes. For example, a research project may involve
comparing the health and recovery of all patients who received one medication to those
who received another, for the same condition. All research projects, however, are
subject to a special approval process. This process evaluates a proposed research
project and its use of health information, trying to balance the research needs with
patients' need for privacy of their health information. Before we use or disclose health
information for research, the project will have been approved through this research
approval process; but we may disclose health information about you to people preparing
to conduct a research project. For example, we may help potential researchers look for
patients with specific health needs, so long as the health information they review does
not leave our facility. We will always ask for your specific permission if the researcher
will have access to your name, address, or other information that reveals who you are,
or will be involved in your care.
As Required By Law: We will disclose health information about you when required to
do so by federal, state, or local law.
To Avert a Serious Threat to Health or Safety: We may use and disclose health
information about you when necessary to prevent a serious threat to your health and
safety or the health and safety of the public or another person. Any disclosure, however,
would only be to someone able to help prevent the threat.
Military and Veterans: If you are a member of the armed forces or separated/
discharged from military services, we may release health information about you as
required by military command authorities or the Department of Veterans Affairs as may
be applicable. We may also release health information about foreign military personnel
to the appropriate foreign military authorities.
Workers' Compensation: We may release health information about you for workers'
compensation or similar programs. These programs provide benefits for work-related
injuries or illness.
Public Health Risks: We may disclose health information about you for public health
activities.
These activities generally include the following:
• To prevent or control disease, injury or disability.
• To report births and deaths.
• To report child abuse or neglect.
• To report reactions to medications, immunizations or problems with products.
• To notify people of recalls of products, (ex. immunization vaccine, contraceptives,
etc.), they may be using.
• To notify a person who may have been exposed to a disease or may be at risk for
contracting or spreading a disease or condition.
• To notify the appropriate government authority if we believe a patient has been the
victim of abuse, neglect, or domestic violence. We will only make this disclosure if
you agree or when required or authorized by law.
Health Oversight Activities: We may disclose health information to a health oversight
agency for activities authorized by law. These oversight activities include, for example,
audits, investigations, inspections, and licensure. These activities are necessary for the
government to monitor the health care system, government programs, and compliance
with civil rights laws.
Lawsuits and Disputes: If you are involved in a lawsuit or a dispute, we may disclose
health information about you in response to a court or administrative order. We may
also disclose health information about you in response to a subpoena, discovery
request, or other lawful process by someone else involved in the dispute, but only if
efforts have been made to tell you about the request or to obtain an order protecting the
information requested.
Law Enforcement: We may release health information if asked to do so by a law
enforcement official:
• In response to a court order, subpoena, warrant, summons or similar process
• To identify or locate a suspect, fugitive, material witness, or missing person
• About the victim of a crime if, under certain limited circumstances, we are unable to
obtain the person's agreement
• About a death we believe may be the result of criminal conduct
• About criminal conduct at our facility
• In emergency circumstances to report a crime; the location of the crime or victims; or
the identity, description, or location of the person who committed the crime
Coroners, Health Examiners and Funeral Directors: We may release health
information to a coroner or health examiner. This may be necessary, for example, to
identify a deceased person or determine the cause of death. We may also release
health information about patients to funeral directors as necessary to carry out their
duties.
National Security and Intelligence Activities: We may release health information
about you to authorized federal officials for intelligence, counterintelligence, and other
national security activities authorized by law.
Protective Services for the President and Others: We may disclose health
information about you to authorized federal officials so they may provide protection to
the President, other authorized persons or foreign heads of state or conduct special
investigations.
Inmates: If you are an inmate of a correctional institution or under the custody of a law
enforcement official, we may release health information about you to the correctional
institution or law enforcement official. This release would be necessary (1) for the
institution to provide you with health care; (2) to protect your health and safety or the
health and safety of others; or (3) for the safety and security of the correctional
institution.
YOUR RIGHTS REGARDING HEALTH INFORMATION ABOUT YOU
You have the following rights regarding health information we maintain about you:
Right to Inspect and Copy: You have the right to inspect and copy health information
that may be used to make decisions about your care. Usually, this includes health and
billing records.
This does not include psychotherapy notes.
To inspect and copy health information that may be used to make decisions about you,
you must submit your request in writing to Cheryl Weinmeister, R.N., B.S.N., Privacy
Officer. If you request a copy of the information, we may charge a fee for the costs of
copying, mailing or other supplies and services associated with your request. Any fees
will be in accordance with Weld County fee structure.
We may deny your request to inspect and copy in certain very limited circumstances. If
you are denied access to health information, you may request that the denial be
reviewed. Another licensed health care professional chosen by our practice will review
your request and the denial.
The person conducting the review will not be the person who denied your request. We
will comply with the outcome of the review.
Right to Amend: If you feel that health information we have about you is incorrect or
incomplete, you may ask us to amend the information. You have the right to request an
amendment for as long as we keep the information. To request an amendment, your
request must be made in writing, submitted to Cheryl Weinmeister, R.N., B.S.N., Privacy
Officer, and must be contained on one page of paper legibly handwritten or typed in at
least 10-point font size. In addition, you must provide a reason that supports your
request for an amendment.
We may deny your request for an amendment if it is not in writing or does not include a
reason to support the request. In addition, we may deny your request if you ask us to
amend information that:
• Was not created by us, unless the person or entity that created the information is no
longer available to make the amendment
• Is not part of the health information kept by or for our practice
• Is not part of the information, which you would be permitted to inspect and copy
• Is accurate and complete
Any amendment we make to your health information will be disclosed to those with
whom we disclose information as previously specified.
Right to an Accounting of Disclosures: You have the right to request a list
accounting for any disclosures of your health information we have made, except for uses
and disclosures for treatment, payment, and health care operations, as previously
described.
To request this list of disclosures, you must submit your request in writing to Cheryl
Weinmeister, R.N., B.S.N., Privacy Officer. Your request must state a time period, which
may not be longer than six years and may not include dates before April 13, 2003. The
first list you request within a 12-month period will be free. For additional lists, we may
charge you for the costs of providing the list. Any fees will be in accordance with Weld
County fee structure. We will notify you of the cost involved and you may choose to
withdraw or modify your request at that time before any costs are incurred. We will mail
you a list of disclosures in paper form within 30 days of your request, or notify you if we
are unable to supply the list within that time period and by what date we can supply the
list; but this date will not exceed a total of 60 days from the date you made the request.
Right to Request Restrictions: You have the right to request a restriction or limitation
on the health information we use or disclose about you for treatment, payment, or health
care operations. You also have the right to request a limit on the health information we
disclose about you to someone who is involved in your care or the payment for your
care, such as a family member or friend. For example, you could ask that we restrict a
specified nurse from use of your information, or that we not disclose information to your
spouse about a surgery you had.
We are not required to agree to your request for restrictions if it is not feasible for
us to ensure our compliance or if we believe it will negatively impact the care we may
provide you. If we do agree, we will comply with your request unless the information is
needed to provide you emergency treatment. To request a restriction, you must make
your request in writing to Cheryl Weinmeister, R.N., B.S.N., Privacy Officer. In your
request, you must tell us what information you want to limit and to whom you want the
limits to apply; for example, use of any information by a specified nurse, or disclosure of
specified surgery to your spouse.
Right to Request Confidential Communications: You have the right to request that
we communicate with you about health matters in a certain way or at a certain location.
For example, you can ask that we only contact you at work or by mail to a post office
box. There is an exception with some State Health programs when the client can
request no mail or phone contact. Responsibility for billing arrangements must be made
at the time of their appointment.
To request confidential communications, you must make your request in writing to
Cheryl Weinmeister, R.N., B.S.N., Privacy Officer. We will not ask you the reason for
your request. We will accommodate all reasonable requests. Your request must specify
how or where you wish to be contacted.
Right to a Paper Copy of This Notice: You have the right to obtain a paper copy of
this notice at any time. To obtain a copy, please request it from Cheryl Weinmeister,
R.N., B.S.N., Privacy Officer.
You may also obtain a copy of this notice at our Web site, www.co.weld.co.us.
Even if you have received a notice electronically, you still retain the right to receive a
paper copy upon request.
If the first service delivery is delivered electronically, other than by telephone, we
provide electronic notice in the same medium, automatically and
contemporaneously in response to a first request for service.
CHANGES TO THIS NOTICE
We reserve the right to change this notice. We reserve the right to make the revised or
changed notice effective for health information we already have about you as well as any
information we receive in the future. We will post a copy of the current notice in our
facility. The notice will contain on the first page, in the top right-hand corner, the
effective date. In addition, each time you register for treatment or health care services,
we will offer you a copy of the current notice in effect.
COMPLAINTS
If you believe your privacy rights have been violated, you may file a complaint with us or
with the Secretary of the Department of Health and Human Services. To file a complaint
with us, contact Cheryl Weinmeister, R.N., B.S.N., Privacy Officer. All complaints must
be submitted in writing. You will not be penalized for filing a complaint.
OTHER USES OF HEALTH INFORMATION
Other uses and disclosures of health information not covered by this notice or the laws
that apply to us will be made only with your written permission. If you provide us
permission to use or disclose health information about you, you may revoke that
permission, in writing, at any time. If you revoke your permission, we will no longer use
or disclose health information about you for the reasons covered by your written
authorization. You understand that we are unable to take back any disclosures we have
already made with your permission, and that we are required to retain our records of the
care that we provided to you.
ACKNOWLEDGEMENT OF RECEIPT OF THIS NOTICE
We will request that you sign a notice acknowledging you have received a copy of this
notice. If you choose, or are not able to sign, a staff member will sign their name and
date it.
This 'ACKNOWLEDGEMENT' will be filed in your medical record at the Weld County
Department of Public Health and Environment.
Policy on Uses and Disclosures of Protected Health Information
Overview of Weld County Department of Public Health and Environment's policy
on privacy
Policy
It is the policy of Weld County Department of Public Health and Environment to protect
the privacy and confidentiality of patients' protected health information by following the
requirements of federal and state law and Weld County Department of Public Health and
Environment's policies and procedures. This policy provides the basics of Weld County
Department of Public Health and Environment's privacy compliance framework. More
detailed information is contained in Weld County Department of Public Health and
Environment's Policy and Procedures Manual and at our website, www.co.weld.co.us.
"Protected health information," (PHI) means individually identifiable information about a
person's present, past, or future health care or payment for health care, maintained in
any form or medium.
Responsibility
The Weld County Department of Public Health and Environment Privacy Official is
responsible for developing and implementing privacy policies and procedures. The
Privacy Official is Cheryl Weinmeister, R.N., B.S.N. She can be reached at 907-304-
6420 or cweinmeister@co.weld.co.us.
It is the responsibility of each member of Weld County Department of Public Health and
Environment to understand and follow the privacy policies and procedures.
Procedures
A. Permissions needed
Weld County Department of Public Health and Environment will use and disclose PHI
only in accordance with Weld County Department of Public Health and Environment's
notice of privacy practices and with the appropriate permission from the patient, or as
otherwise permitted or required by law. See Authorization Policy and Notice of Privacy
Practices.
B. Permitted disclosures
Weld County Department of Public Health and Environment may disclose a patient's PHI
to the patient himself or herself, the patient's legally authorized personal representative,
those involved with the person's care and treatment, to law enforcement personnel in
appropriate situations, for public policy decisions as required by law, and for purposes of
a patient's treatment, payment for services, or Weld County Department of Public Health
and Environment's health care operations. Disclosure of PHI may also be made to
business associates, or on the basis of and in accordance with a properly executed
authorization.
1. Deceased individuals
If an executor, administrator, or other person has authority to act on behalf of a
deceased patient or that person's estate, that person should be treated as the
patient's personal representative.
Weld County Department of Public Health and Environment may disclose PHI,
without specific patient consent or authorization, to a coroner or medical
examiner responsible for identification of the person, determination of the cause
of death, or other duties authorized under state law.
Weld County Department of Public Health and Environment may also disclose
PHI to a funeral director, as permitted by state law.
2. Personal representatives and minors
If a person has legal authority to act on a person's behalf in making decisions
related to health care, this person is a personal representative and can receive
PHI. If a minor has authority to act on his or her own behalf with respect to all or
certain health care decisions, PHI may not be shared with a parent without the minor's
consent, with respect to all relevant PHI.
3. Persons involved in care or treatment
PHI may be disclosed to persons involved in the patient's care, as directly
relevant to that care. If patient is present when PHI is to be disclosed, and has
capacity, PHI can be disclosed to others present if it can reasonably be inferred
that patient would not object. If patient is not present when PHI is to be
disclosed, or patient is incapacitated, PHI may be disclosed if, in the exercise of
reasonable professional judgment, disclosure is in best interests of patient and
disclosure is limited to PHI directly relevant to person's involvement with the
patient's care.
D. Required disclosures
Weld County Department of Public Health and Environment may make disclosures
without consent or authorization as required by law, as required for public health
purposes, for certain health oversight activities, for certain judicial and administrative
proceedings, for certain law enforcement activities, to coroners or medical examiners,
E. Privacy official
The privacy official of Weld County Department of Public Health and Environment is
Cheryl Weinmeister, R.N., B.S.N. This person is responsible for implementing Weld
County Department of Public Health and Environment's privacy policies.
F. Complaint personnel
The person(s) responsible for handling complaints related to privacy is Cheryl
Weinmeister, R.N., B.S.N. All complaints related to privacy should be referred to Cheryl
Weinmeister, R.N., B.S.N.
G. Unique restrictions on disclosures
If a patient requests a particular restriction on the use or disclosure of his or her PHI,
refer the request to Cheryl Weinmeister, R.N., B.S.N. Do not agree to any restriction
prior to contacting the Privacy Officer.
H. Potential violations
If you believe that Weld County Department of Public Health and Environment has
violated a policy or provision of law related to privacy issues, contact the Privacy Officer
immediately. Weld County Department of Public Health and Environment will not
retaliate against employees who report in good faith. Weld County Department of Public
Health and Environment will take all reasonable steps to mitigate any damages caused
by an improper use or disclosure of PHI.
Policy and Procedure on Patient's Right to Access Health Information
WELD COUNTY DEPARTMENT OF PUBLIC HEALTH
Date: April 13, 2003
Authority: Weld County Department of Public Health
Responsibility: Cheryl Weinmeister, Privacy Officer
Purpose
The purpose of this policy is to comply with the requirements of the Health Insurance
Portability and Accountability Act (HIPAA) and to afford our patients the right to inspect
and obtain a copy of health information about them.
General Policy
It is our policy to provide our patients the right of access to inspect and obtain a copy of
health information about them, for as long as we maintain the information in our
designated record set, with exceptions permitted by law.
Definitions
Access: patients may inspect their medical records and billing records under the
supervision of a staff member for which an inspection fee is charged; or obtain a copy of
all or a portion of their medical records and billing records for which a copying fee is
charged.
Designated record set: medical records and billing records that we use to make health
care and payment decisions about patients.
Procedure
1. Patients may request access to their medical records and/or billing records by
submitting a request in writing on our Authorization for Release of Information Form
to our Privacy Officer. This Form specifies that the access will be granted within 30
days of its receipt unless the patient is otherwise notified, and identifies the fees that
will be charged for supervision of inspection, for copying all or portions of the record,
or for summarizing the record. The request must state the type of access requested
(inspection, copy, or if a summary will be accepted if there are reasons why a
complete inspection or copy cannot be released, see step 3.b.), specify the dates
and specific information requested, and be signed by the patient.
2. When a request for access to the medical record and/or billing record is made by
a patient:
a. Obtain the patient's medical record and verify the patient's demographic
information and signature on the Authorization for Release of Information Form
with demographic information and signature on the consent for use and
disclosure of health information, or other document signed by the patient
contained within the medical record. If the authenticity of the patient cannot be
verified, send a request to the patient to have a new Authorization for Release of
Information Form notarized.
b. Review the medical record and/or billing record according to the request to
determine if:
1) The information requested is excepted from the patient's right of
access (see step 3. Exceptions to access), in which case access must be
denied. Follow the procedure in step 4. for Denial of access.
2) The information requested is complete. If the information is not
complete, inform the physician responsible for completion that a request
for access has been made by the patient and the record will need to be
completed within 30 days in order to comply with the patient's request or
be found in non-compliance with HIPAA and subject to fines. If the record
is not completed within 30 days, send a copy of the Authorization for
Release of Information Form to the patient indicating that an extension to
providing access will be required because the record is in the process of
being completed and indicating the specific date on which access will be
granted. This date must not exceed an additional 30 days.
c. If access is not excepted and the information is complete and the patient
requests inspection of the medical record and/or billing record or any portion
thereof, schedule an appointment for the patient to visit the office. If the request
is only for a portion of a record, remove that portion and place it in a separate
folder for purposes of the inspection. Our Privacy Officer must be present with
the patient during the time the patient is inspecting the record(s). A charge of
$20.00 per hour can be assessed for this inspection to cover the cost of
supervision. During this time, the patient may not remove any documents from
the record(s) or write any information in the record(s). If the patient wishes to
make an amendment to the record(s), follow the Policy and Procedure for
Patient's Right to Request Amendment of Health Information. If the patient has
any questions concerning the information in the medical record, inform the
patient that an appointment must be made with the physician to discuss the
information. If the patient has any questions concerning the information in the
billing record, refer the patient to the Privacy Officer.
d. If access is not excepted and the information is complete and the patient
requests a copy of any or all of the medical record and/or billing record, make the
specified copies and mail the information to the patient via postal mail. If the
patient requests this information to be mailed to a different address, mailed to a
different individual, or be given to someone else who physically presents to our
office, this information must be authorized through the Authorization for Release
of Information Form. If another individual is designated to physically pick up the
copy of the information, verify the individual's identity by requesting a photo
identification card and match the name on the card to the name on the
Authorization for Release of Information signed by the patient.
Have the individual sign the Authorization for Release of Information as having
received the information.
3. Exceptions to access are limited to very specific situations. Certain exceptions
are not subject to review, and for others we must permit the patient to request a
review of our decision not to grant access.
--When the information was compiled in reasonable anticipation of, or for use in, a civil,
criminal, or administrative action or proceeding.
--When the information is psychotherapy notes, which are specially protected.
--When the information is subject to the Clinical Laboratory Improvements Amendments
of 1988, 42 U.S.C. 263a, to the extent the provision of access to the patient would be
prohibited by law or exempt from the Clinical Laboratory Improvements Amendments of
1988, pursuant to 42 CFR 493.3(a)(2).
--When the request is from an inmate of a correctional institution, and we have concerns
regarding the health, safety, security, custody, or rehabilitation of the inmate or of other
inmates, or the safety of any officer, employee, or other person at the correctional
institution or the safety of any person responsible for transporting the inmate.
--When the patient has agreed to the denial of access when consenting to participate in
a research study we are conducting that includes treatment, for the duration of the
research study.
--When the patient's access to the information that is contained in the medical record or
billing record is subject to the Privacy Act, 5 U.S.C. § 552a, if the denial of access under
the Privacy Act would meet the requirements of that law.
--When the information was obtained from someone other than a health care provider
under a promise of confidentiality and the access requested would be reasonably likely
to reveal the source of the information.
--When a licensed health care professional has determined, in the exercise of
professional judgment, that the access requested is reasonably likely to endanger the
life or physical safety of the patient or another person.
--When the information makes reference to another person (unless such other person is a
health care provider) and a licensed health care professional has determined, in the
exercise of professional judgment, that the access requested is reasonably likely to
cause substantial harm to such other person.
--When the request for access is made by the patient's personal representative and a
licensed health care professional has determined, in the exercise of professional
judgment, that the provision of access to such personal representative is reasonably
likely to cause substantial harm to the patient or another person.
4. Denial of access is a serious matter under the law. Before the Privacy Officer
may make such a denial decision, it is our policy to conduct an internal review of
that denial. Any such case should be given to the Director, Mark Wallace,
M.D., M.P.H., who will authorize the denial.
a. If access is denied for one of the reasons to deny access that are not subject
to review, return a copy of the Authorization for Release of Information to the
patient indicating that we are unable to comply with the request for access due to
the applicable reason. Retain a copy of the Authorization for Release of
Information sent to the patient in the patient's medical record.
b. If access is denied for one of the reasons that are subject to review, determine
if a summary of the record may be made or portions of the record may be
provided access such as to prevent the risk associated with denial.
1) If a summary or access to portions of the record would prevent risk,
return a copy of the Authorization for Release of Information to the patient
indicating we are not able to comply with the request for access for the
specified reason but would be able to provide a summary of information in
the record or access to portions of the record.
2) If such a summary or access to portions of the record is not possible,
return a copy of the Authorization for Release of Information to the patient
indicating we are not able to comply with the request for access for the
specified reason. Indicate on this Form that the patient has the right to
have this decision reviewed by another licensed health care professional.
3) If a request for review is received, give a copy of the Authorization for
Release of Information Form, the medical record, and, if applicable, the
billing record to the Chief Physician, who will make a final determination.
Upon its review and a determination, send a response to the patient
indicating the result of the review and how the patient may file a complaint
with our office or to the Secretary of Health and Human Services (HHS).
4) File a copy of the Authorization for Release of Information Form and
other documentation received from the patient in his/her medical record.
Place a copy of the Authorization for Release of Information in our Risk
Management file.
5) If a request for access to the medical record or billing record is made
and the person was not a patient of ours, return a copy of the
Authorization for Release of Information Form to the individual indicating
we have no records. If we do not have records on this individual but
know where the requested information may be maintained (such as at a
hospital or other physician's office), return the Authorization for Release
of Information Form to the individual and provide the name and address
of the location where we believe the records may be maintained. Keep a
copy of the Authorization for Release of Information Form in our Risk
Management file.
Page 1
WELD COUNTY DEPARTMENT OF PUBLIC HEALTH
AND ENVIRONMENT
Authorization for Release of Information
Patient:
Last First MI
Maiden or Other Name:
Date of Birth: MO DAY YR SS#: -
Medical Record Number#:
Address:
City: State: Zip Code:
Day Phone:
Evening Phone:
I hereby authorize:
Weld County Department of Public Health
to release information from my medical record as indicated below to:
Name:
Address:
City: State: Zip Code:
Day Phone:
Evening Phone:
Fax#: E-mail Address:
Page 2
Authorization for Release of Information (con't)
INFORMATION TO BE RELEASED
Dates:
I specifically authorize the release of information relating to:
❑ History and physical exam
❑ Progress notes
❑ Substance abuse (including alcohol/drug abuse)
❑ Lab reports
❑ Mental health (including psychotherapy notes)*
❑ X-ray reports
❑ HIV related information (AIDS related testing)
❑ Other
X
SIGNATURE OF PATIENT OR LEGAL GUARDIAN DATE
*Please note that if this authorization is used for the purpose of psychotherapy notes that
it may not be combined with any other authorization(s) unless for the purpose of
psychotherapy notes.
Page 3
Authorization for Release of Information (con't)
Purpose of Disclosure:
❑ Changing Physicians
❑ Consultation/second opinion
❑ Continuing Care
❑ Insurance
❑ Legal
❑ Research
❑ School
❑ Worker's Compensation
❑ Other(please specify):
I understand that this authorization will expire after I have signed the
form. I understand that if this authorization is used for the purpose of research, that it
will expire at the end of research study or indefinite date if the authorization is used for
the creation or maintenance of a research database or repository.
I understand that I may revoke this authorization at any time by notifying the providing
organization in writing, and it will be effective on the date notified except to the extent
action has already been taken in reliance upon it. I understand that information used or
disclosed pursuant to this authorization may be subject to re-disclosure by the recipient
and no longer be protected by federal or state privacy regulations. I understand that I
am being requested to release this information by:
Weld County Department of Public Health and Environment for the purpose of:
By authorizing this release of information, my health care and payment for my health
care will not be affected if I do not sign this form. I understand I may see and copy the
information described on this form if I ask for it (permitted by federal law or state law to
the extent the state law provides greater access rights), and that I will get a copy of this
form after I sign it.
Page 4
Authorization for Release of Information (con't)
I have been informed that (Print Name of Provider):
Weld County Department of Public Health and Environment
will not receive financial or in-kind compensation in exchange for using or disclosing the
health information described above. I understand that in compliance with:
State of Colorado
statute, I will pay a fee of: $ . There is no charge for medical records if
copies are sent to facilities for ongoing care or follow up treatment.
I understand that I may refuse to sign this authorization.
SIGNATURE OF PATIENT DATE
OR PARENT/LEGAL GUARDIAN/AUTHORIZED PERSON DATE
RECORDS RECEIVED BY DATE RELATIONSHIP TO PATIENT
FOR OFFICE USE ONLY
DATE REQUEST FILED: BY:
TYPE OF IDENTIFICATION PRESENTED AND EXPIRATION:
FEE COLLECTED: $
Policy and Procedure on Patient's Right to Request Amendment to Health
Information
WELD COUNTY DEPARTMENT OF PUBLIC HEALTH AND ENVIRONMENT
Date: April 13, 2003
Authority: Weld County Department of Public Health
Responsibility: Weld County Department of Public Health Privacy Officer
Purpose
The purpose of this policy is to comply with the requirements of the Health Insurance
Portability and Accountability Act (HIPAA) and to afford our patients the right to request
amendment to their protected health information.
General Policy
It is our policy to provide our patients the right to request amendment to their protected
health information that we maintain in our designated record set, with exceptions
permitted by law.
Definitions
Amendment: to add information to an existing record, which either provides additional
information, clarifies or corrects existing information, or provides an alternative view with
respect to information that we have compiled about the patient in the patient's
designated record set.
Designated record set: Weld County Department of Health medical records and billing
records that we use to make health care and payment decisions about patients.
Procedure
1. A patient who believes there is an error in information in the medical record or
billing record may approach the author of the entry, point out the error, and request
the author to correct it.
The author may accept any correction believed to be required, and will document the
correction.
This documentation must retain the original entry, state the correct information, and
reflect the author's identity and date of correction. In an electronic information system,
the correction should be made in accordance with the vendor's specification for
correcting errors such that an audit trail exists to show both the original entry and the
new entry. In paper documents, a correction may be made in one of two ways: If an
entry is simply erroneous and needs to be deleted, a line may be drawn through the
erroneous information, initialed, and dated. If an entry is erroneous and requires
correction, the entry should be noted as erroneous and correct information written in
a separate note, which must be signed and dated. The author should inquire of the
patient if the correction of the error should be disclosed to anyone who may have
received this information in the past. If so, the patient should be directed to complete
the Form to Request Amendment.
2. A patient may also request that information be added to the medical record or
billing record. This request must be made in writing, on our Form to Request
Amendment, to Weld County Department of Public Health Privacy Officer. This
Form serves as both documentary evidence of the request and our response, as well
as a tracking mechanism to ensure response within 60 days of request (with not
more than one 30-day extension) and duty to supply others with the information.
This form will be processed in the following manner:
a. Request the patient to complete the Form to Request Amendment in triplicate.
If this is not received in person, verify the patient's signature on the Form with a
sample in the medical record. The patient should keep the last copy of the Form.
b. Place the remaining two copies of the Form in the patient's medical record or
billing record, whichever is the subject of the amendment. Route the record to
the author of the record.
c. If the author accepts the patient's amendment, the author will sign and date the
Form as amendment accepted and make a note at the site in the record to which
the amendment applies that an amendment exists. The author may also add a
comment to the Form. The second copy of the Form will be returned to the
patient indicating that the amendment has been accepted. The original copy of
the Form will be used to furnish copies of the amendment to those individuals or
organizations the patient deems necessary. Such disclosures will be noted on
the form as having been completed with the signature of the staff member who
processed the disclosures. The original Form will be placed in the record.
d. If the author rejects the patient's amendment, the author must indicate one of
the following as reasons:
1) The information subject to amendment was not created by us.
2) The information subject to amendment is not part of the designated
record set.
3) The information would not be available for access (see our policy on
Patient's Right to Access Health Information)
4) The information contained in the existing record is accurate and
complete.
The Form must be signed and dated, and the author must make a note at
the site in the record to which the amendment applies that an amendment
was requested. The second copy of the Form with this information will be
returned to the patient. The original copy of the Form will be filed in the
record. The patient may request that the request for amendment and the
denial be disclosed with any future disclosures of the information that is
the subject of the amendment.
e. If this processing cannot occur within 60 days of receipt of the request, notify
the patient in writing that a 30-day extension will be necessary to process the
request.
f. The patient may choose to submit a written statement disagreeing with the
denial. This statement must be contained on not more than one handwritten or
typewritten page of at least 10-point font. Any additional information beyond the
one page will be discarded.
When this statement of disagreement is received, it should be forwarded to the
author, who will determine whether a rebuttal will be prepared. The statement of
disagreement and any rebuttal must also be filed in the record and accompany any
future disclosures of the information that is the subject of the amendment.
3. If we are informed by another provider of an amendment to one of our patient's
records, Weld County Department of Public Health Privacy Officer will review its
contents and advise the physician who attended the patient as to any information
which appears to require our action. We will place the amendment information in our
designated record set.
Policy and Procedure to Request Restrictions on Use and Disclosure of
Protected Health Information
WELD COUNTY DEPARTMENT OF PUBLIC HEALTH AND ENVIRONMENT
Date: April 13, 2003
Authority: Weld County Department of Public Health and Environment
Responsibility:
1. It will be the responsibility of Cheryl Weinmeister, R.N., B.S.N., Privacy Officer
to receive requests for and agree to any restrictions on use and disclosure of
protected health information.
2. It will be the responsibility of Cheryl Weinmeister, R.N., B.S.N., Privacy Officer
to monitor any restrictions which the office agrees to follow.
General Policy
1. We will supply any individual who requests restrictions placed on use and
disclosure of protected health information a Form to Request Restrictions.
2. We will agree to requested restrictions if, in the judgment of a licensed health care
professional, we believe the restriction will not limit our ability to provide quality
health care treatment or manage our health care operations, and if our information
management procedures and systems will permit us to comply consistently with the
requested restrictions. We will also provide confidential communications by
alternative means or to an alternative address provided by the patient if we obtain
assurance that payment for our health care services will be handled and we receive
specification of the alternative address or other method of contact.
Procedure
1. When an individual requests restrictions, supply him or her with our Form to
Request Restrictions.
2. Cheryl Weinmeister, R.N., B.S.N., Privacy Officer will review the Form to Request
Restrictions and determine whether we are able to accept the restrictions. Cheryl
Weinmeister, R.N., B.S.N., Privacy Officer will complete and sign the Form to
Request Restrictions, supply the individual a copy and place the original in the
individual's permanent health record and file a copy in our Risk Management file.
Cheryl Weinmeister, R.N., B.S.N., Privacy Officer will also make the necessary
postings to the individual's health record and/or billing record to enable the
restrictions to be carried out.
3. If the individual makes the request for restrictions in our office, we will attempt to
complete the Form to Request Restrictions during the time the individual is present in
our office, but no later than 30 days after receipt.
4. If at any time we find that we cannot carry out the restrictions requested by an
individual, we will prepare a written notice to send to him or her terminating our
agreement, which will be applicable only to information created or received after
such notice has been sent to the individual.
5. We will accept a written request from the individual to terminate the restrictions at
any time or will document any oral request to terminate restrictions from the
individual. If an oral request is received, this will be documented on the original
Form to Request Restrictions, a copy of which will be supplied to the individual.
Policy and Procedure on Requesting Confidential Handling of Information
WELD COUNTY DEPARTMENT OF PUBLIC HEALTH AND ENVIRONMENT
Date: April 13, 2003
Authority: Weld County Department of Public Health and Environment
Responsibility: Cheryl Weinmeister, R.N., B.S.N., Privacy Officer
Purpose
The purpose of this policy is to comply with the requirements of the Health Insurance
Portability and Accountability Act (HIPAA) and to inform our patients of their right to
request confidential handling of their protected health information when it is sent to them.
General Policy
It is our policy to accommodate reasonable requests regarding the confidential handling
of protected health information, and to maintain that the use of Protected Health
Information be consistent with the patient's request.
Definitions and Regulatory Requirements
Protected health information: Individually identifiable health information, including
information that is maintained in our medical records and billing records.
A covered health care provider must permit individuals to request and must
accommodate reasonable requests by individuals to receive communications of
protected health information from the covered health care provider by alternative means
or at alternative locations.
Conditions on providing confidential communications:
1. Weld County Department of Public Health and Environment may require the
individual to make a request for a confidential communication in writing. Refer to the
Authorization for Release of Information form or the Request for Confidential
Handling of Health Information form to use for this communication.
2. Weld County Department of Public Health and Environment may condition the
provision of a reasonable accommodation on:
a. When appropriate, information as to how payment, if any, will be handled; and
b. Specification of an alternative address or other method of contact.
3. A covered health care provider may not require an explanation from the individual
as to the basis for the request as a condition of providing communications on a
confidential basis.
Procedure
1. Patients may request confidential handling of health information by submitting a
request in one of the following ways:
a. In person, on our Request for Confidential Handling of Health Information
Form
b. By mail, either on our Request for Confidential Handling of Information Form or
in a letter containing the necessary information specified below. All requests
should be mailed to:
Weld County Department of Public Health and Environment
Attn: Privacy Officer
1555 N. 17th Ave., Greeley, CO 80631
Determine what forms of communication your office will accept to request
confidential handling of patient information — in writing, by fax or by telephone.
Include information regarding each method you will accept in your policy.
All requests should be directed to Cheryl Weinmeister, R.N., B.S.N., Privacy
Officer.
The request must supply the following details about the protected health
information the individual wants confidentially handled:
a. The type of information, specifying if the request is limited to a particular illness
or treatment or all health information exchanges.
b. The time period for which the request applies.
c. The manner in which payment will be received, if confidential handling of billing
matters pertaining to the type of information is also requested.
d. The manner in which the patient wishes to receive confidential
communications, with any alternate information necessary to deliver information
in the requested manner.
2. When a patient makes a request for confidential handling of their PHI:
a. Validate the request with the individual. If the request is received by mail, call
existing contact phone number and ask to speak with the patient to confirm the
request. If the request is made in person, request confirmation of identity, if
needed.
b. If the request involves billing information, confirm that the commitment for
payment will be satisfied and hold confidential mailing until any payment due is
received. For future billing, ensure that an agreement to pay at the time of visit is
signed. Place a prominent note in the file or have a flag in your scheduling
system that payment is required at the time of visit.
c. If the request is for an alternate address, enter the address into the patient's
address file as the required confidential address.
d. If the request is to pick-up the confidential information in person, highlight the
requirement for easy recognition by staff handling correspondence.
e. If the request is time limited, flag the end date for confidential handling of
information in the appropriate files and systems.
f. Place a copy of the Request for Confidential Handling of Information Form in
the patient's medical record. Place a copy of the Request for Confidential
Handling of Health Information Form in our Risk Management file.
Request for Confidential Handling of Health Information
(print name), request confidential handling
of correspondence regarding my health information for the period:
From:
To:
This request applies to health information involving:
Please be as specific as possible, e.g., treatment regarding a given illness or diagnosis.
Do you wish confidential handling of billing matters pertaining to the information
described above? ❑ Yes ❑ No
If yes, please read and sign the following:
I agree to pay all charges at the time of my visits. If for any reason the bill remains
unpaid for 30 days, then I understand the following organization will bill the
original fiscally responsible individual on record.
SIGNATURE OF PATIENT DATE
I have selected to receive confidential communications in the following way:
❑ Patient will pick up communications at the provider's office.
❑ Patient will receive any information at an alternate mailing address.
Please use the following mailing address for all health information communications that
fit in the description provided above. (Please Print)
Mailing Address:
City: State: Zip Code:
If you have any questions concerning this confidential handling, please contact:
Signature (Person responsible for handling information) Title
Print Name Phone Number
Policy and Procedure on the Handling of Privacy Complaints
Weld County Department of Public Health and Environment
Date: April 13, 2003
Authority: Weld County Department of Public Health and Environment
Responsibility: Cheryl Weinmeister, R.N.,B.S.N., Privacy Officer—970-304-6420
Purpose
The purpose of this policy is to comply with the privacy requirements of the Health
Insurance Portability and Accountability Act (HIPAA) and to afford our patients the right
to file a complaint, have the complaint investigated and, if appropriate, receive the
disposition of the complaint pursuant to the HIPAA privacy rules and our implementing
policies and procedures.
General Policy
It is our policy to keep a record of all complaints and to investigate all valid complaints to
determine the circumstances surrounding any concerns our patients raise regarding
privacy. If a patient's privacy rights have been infringed upon in any way, or there is
evidence that our staff or associates have not adhered to the privacy standards or our
policies and procedures, we will take actions consistent with the HIPAA regulations and
our Policy and Procedure on Personnel Discipline for Breach of Privacy or Confidentiality
and document these actions accordingly. The HIPAA privacy regulations give all
individuals the right to file complaints to Weld County Department of Public Health and
Environment and the Office of the Secretary in the Federal Department of Health and
Human Services. Under no circumstances will the fact that an individual has filed a
complaint affect the services provided to that individual. Any staff found to be treating
any individual differently in light of a complaint will be sanctioned. Any retaliation is
prohibited by law.
Procedure
1. Patients may file privacy complaints by submitting them in one of the following
ways:
a. In person, on our Privacy Complaint Form.
b. By mail, either on our Privacy Complaint Form or in a letter containing the
necessary information specified below. All requests should be mailed to:
Weld County Department of Public Health and Environment
Attn: Cheryl Weinmeister, R.N.,B.S.N., Privacy Officer
1555 N. 17th Avenue, Greeley, CO 80631
c. By telephone at 970-304-6420
d. By facsimile machine at 970-304-6412.
e. By e-mail to cweinmeister@co.weld.wo.us
All privacy complaints should be directed to Cheryl Weinmeister, R.N.,B.S.N.,
Privacy Officer at 970-304-6420.
The complaint must describe the privacy concern in as much detail as possible
including when the infraction of the standards or mishandling of protected health
information was believed to have occurred, and who, if known, was believed to
have acted inappropriately with respect to protected health information or an
individual's privacy rights. The complaint must include the following information:
a. The type of infraction the complaint involves (i.e. inappropriate handling of
PHI, appropriateness of privacy policies and processes)
b. A detailed description of the privacy issue
c. The date the incident or problem occurred, if applicable
d. The mailing address
2. When a patient files a privacy complaint:
a. Validate the complaint with the individual. If the complaint is received by mail,
phone, fax or e-mail, call existing contact phone number and ask to speak with
the patient to confirm the complaint. If the complaint is made in person request
confirmation of identity, if needed, and validate the facts of the complaint.
b. If the complaint appears to be a misunderstanding of the requirements or your
policies and procedures, contact the patient and determine if, based on a more
in-depth discussion of the concern, the individual still wants to file a complaint. Be
as courteous as possible. UNDER NO CIRCUMSTANCES SHOULD A
PATIENT FEEL PRESSURED OR COERCED EVEN IF YOU BELIEVE THEY
ARE STILL MISUNDERSTANDING THE RULES OR POLICIES. If the individual
does not want to pursue the complaint any further, indicate "no further action
required based on clearer understanding", record the date and time, and file
under dismissed complaints.
c. Once validated and if not dismissed, log the complaint by placing a copy of the
complaint form in the complaint file and the patient's medical record.
d. Investigate the complaint by reviewing the circumstances with the relevant
staff and reviewing any audit and monitoring logs that may have relevance to the
complaint. If the complaint involves any issues with an individual's rights that
have attendant documentation (e.g., consent or authorization processes or
confidential requests), pull all relevant forms. Complete the complaint
investigation section of the complaint form with a summary of your findings.
e. If you determine the complaint is invalid, draft a letter stating the reasons the
complaint was found invalid. Initially, an impartial, knowledgeable staff person or
lawyer should review all letters for tone and rationale. Standard letters will likely
emerge over time. File a copy of the letter and form in the investigated
complaints file.
f. If you are uncertain about your findings, get a second opinion from your HIPAA
privacy committee or your lawyer.
g. If you determine the complaint is valid and linked to a required process or an
individual's rights, follow your office sanction policy to the extent that an individual
is responsible. If the complaint involves your office's compliance with the
standards that do not involve a single individual (e.g., policies and procedures
themselves versus adherence to them), then begin the process to revise your
current policies and procedures.
h. Once an appropriate sanction or action has been taken with respect to a
complaint with merit, or if the response will take more than 30 days, draft a letter
explaining the findings and the associated response or intended response. Use
the same review process as for the invalid complaint letter in item e in the list
above. Document the disposition of the complaint on the complaint form and file
the letter and form in the investigated complaints file.
i. Place a copy of the complaint form in the patient's medical record.
j. Review complaint files, both invalid and investigated complaints, at least
annually to determine if there are any emerging patterns.
WELD COUNTY DEPARTMENT OF PUBLIC
HEALTH & ENVIRONMENT
Privacy Complaint Form
I, ____________________ (print name), am registering a formal complaint
regarding Weld County Department of Public Health and Environment.
The complaint involves:
❑ Issue relating to Weld County Department of Public Health and Environment's
privacy policies and processes
❑ Specific concern regarding the handling of my protected health information
❑ Other
A detailed description of the privacy issue involved in the complaint is provided below:
The incident or problem occurred on (month/day/year), if applicable
I can be reached at (please provide day-time number)
Please use the following mailing address for a formal response to this complaint.
MAILING ADDRESS (Please Print):
City: State: Zip Code:
Patient Signature:
If you would like to follow up on the status of your complaint, please contact:
Cheryl Weinmeister, R.N.,B.S.N., Privacy Officer at 970-304-6420
For Office Use Only
Date received: Received by:
Policy on Minimum Necessary Information
Weld County Department of Public Health and Environment
Date: April 13, 2003
Authority: Weld County Department of Public Health and Environment
Responsibility:
It is crucial that every staff member understands the minimum necessary policy for use,
disclosure and request of protected health information.
Health care providers and staff are entitled to use protected health information (PHI)
consistent with their roles in this organization. Each staff member must also understand
that with this role comes certain responsibilities, such as limiting the viewing, use,
disclosure and requesting of PHI to only that data necessary for patient treatment,
reimbursement for treatment and health care operations. It is considered a breach of
policy and the patient's trust to seek information beyond what is appropriate for the staff
role and the patient needs.
In the event of an emergency, the strict limits of access may be breached when
appropriate for the benefit of the patient, specifically when the potential benefit to the
patient is judged to outweigh the risk to patient privacy.
Purpose
The purpose of this policy is to comply with the requirements of the Health Insurance
Portability and Accountability Act (HIPAA) and to ensure our patients' rights to the
minimum necessary use and disclosure of their protected health information.
General Policy
1. When using or disclosing protected health information or when requesting
protected health information from another covered entity, each staff member of Weld
County Department of Public Health and Environment must take reasonable efforts
to limit protected health information to the minimum necessary to accomplish the
intended purpose of the use, disclosure, or request.
This requirement does not apply to disclosures to a health care provider for
treatment, uses or disclosures made to the individual, uses or disclosures made
pursuant to an authorization for release signed by the patient or the patient's
representative, disclosures made to the Secretary of Health and Human Services,
disclosures that are required by law (as described by Sec. 164.512(a) of the privacy
regulations) and uses or disclosures that are required for compliance with the privacy
regulations.
2. It is necessary that the different roles in Weld County Department of Public Health
and Environment be defined so that each staff member understands their own roles
and responsibilities with regard to handling PHI.
Role Categories - Director, Supervisor, Health Educator, Environmental Specialist,
Office Technician, Medical Doctor, Nurse Practitioner, Nurse, Lab Technician.
Direct Health care Provider—A licensed health care professional who provides
direct or indirect patient care or consulting services.
Technical Staff—Staff who provide patient care at the request of a direct health
care provider.
Direct Support Staff—Staff who work within the office providing a variety of
professional and direct administrative support that involves the delivery of patient
care or billing operations.
Indirect Support Staff—Staff who work within the office providing administrative
support.
Data Access Categories— Director, Supervisors, Health Educators, Environmental
Specialists, Office Technicians, Doctors, Nurse Practitioners, Nurses, Lab
Technicians.
Full Health Information Access —Access to full health information as needed for
health, payment or health operations. Staff in this category may access and read all
appropriate information.
Summary Data Access—Access to summary data with treatment or diagnostic
codes as needed to function. Staff in this category should confine the use of
protected health information to the absolute minimum required and should not
access or read full medical records.
Minimum Information Access—Access to patient demographic data with only
minimum reference to treatment or diagnostic information as needed to function.
Emergency Information Access —Access to any individually identifiable health
information should not be granted except in emergency situations.
Usage Assignments
Data Access Categories are assigned in accordance with the operational
requirements for minimum necessary use.
Each staff member has a separate access category. Choose whether they have:
a. Full health information access
b. Summary data access
c. Minimum information access
d. Emergency information access
Direct Health care Providers have access to the patient medical record with the clear
understanding that access and reading is limited to need for treatment, reimbursement,
or operations.
Technical Staff have access to the patient medical record with the clear understanding
that access and reading is limited to need for treatment, reimbursement, or operations.
Direct Support Staff have access to patient information for administrative and billing
purposes with the clear understanding that access and reading is limited to need for
treatment, reimbursement, or operations.
Indirect Support Staff have access to patient information for administrative purposes with
the clear understanding that access and reading is limited to need for treatment,
reimbursement, or operations.
Weld County Department of Public Health and Environment will maintain a current office
role directory that lists every defined position within the office. This will ensure that each
position will be granted the correct access authorization as defined in the Usage
Assignments section of this policy.
It is incumbent on every staff member to report any observed violation of these usage
rules to the Medical Records Manager or another senior staff member. Every staff
member must be trained in their roles and responsibilities with reference to the minimum
use and access to patient data policy.
It is considered a breach of organization policies and the patient's trust to seek
information beyond what is appropriate for the staff role and the patient needs.
In the event of an emergency, the strict limits of access may be breached when
appropriate for the benefit of the patient, specifically when the potential benefit to the
patient is judged to outweigh the risk to patient privacy.
Disclosures for Treatment, Payment or Health Operations
The regulations establish that routine and recurring disclosures of protected health
information can be made for treatment, payment or health operations without specific
patient authorization.
The minimum necessary requirements still pertain to all of these disclosures.
Minimum necessary determinations will be made for all routine and recurring disclosures
for all categories (other than those that are excepted); these categories will include, for
example, additional medical information for medical necessity determination, sample
records for accreditation and audits, records review for protocol adherence, patient
information for participation in a clinical trial, paper claims, phone referral certification
information and other categories as determined necessary.
Full health information will be provided to routine and recurring requests from:
Refer to Exhibit A
Summary data with treatment and/or diagnostic codes will be provided to routine and
recurring requests from:
Refer to Exhibit B
Minimum information - patient demographic data with only minimum reference to
treatment or diagnostic information - will be provided to routine and recurring requests
from:
See Exhibit C
Every effort will be made to comply with these disclosure categories except where the
cost of extracting information is not reasonable and the risk of breach of patient privacy
is considered low.
In all situations, the requestor will be informed of their responsibilities towards this data
and appropriate agreements entered into.
All non-routine and/or non-recurring requests will be considered on a case-by-case basis
and determination of the level of response will take into account the minimum necessary
requirements.
Requests for Information
The regulation establishes that for routine and recurring requests, the responsibility for
determining the minimum necessary data falls on the requestor. In all situations where
data are requested, staff members must ensure that minimum necessary evaluation is
made. In situations where the determination has not been made, questions should be
directed first to Cheryl Weinmeister, R.N.,B.S.N., Privacy Officer and then to Mark
Wallace, M.D.,M.P.H. or Linda Henry, Director of Nursing.
Minimum necessary determinations will be made for all routine and recurring requests
for all categories. These categories will include, for example:
Reason for visit
Vital medical stats
Medical records for referral
Referral authorization, if non-standard
Test results
Patient messages from an answering service
Weld County Department of Public Health and Environment
Policy on Minimum Necessary Information
EXHIBIT A
Due to current policy, no entities apply.
Weld County Department of Public Health and Environment
Policy on Minimum Necessary Information
EXHIBIT B
Due to current policy, no entities apply.
Weld County Department of Public Health and Environment
Policy on Minimum Necessary Information
EXHIBIT C
Quest Laboratories
UNC Health Center/Nursing
Larimer County Health/Nursing
Third party billing
Office Role Directory
Weld County Department of Public Health and Environment
The following is a current list of all Weld County Department of Public Health and
Environment staff positions. They are listed according to the office role category (as
defined in the Policy on Minimum Necessary Information) to which they belong. The
office role category determines the type of information access each position requires to
perform its functions.
Direct Health care Providers
Physician and/or Resident on staff and/or scheduled for clinic, Nurse Practitioners on
staff.
Technical Staff
Nurses and Lab Technicians.
Direct Support Staff
Nurses, Lab Technicians, Supervisors, Billing Technicians
Indirect Support Staff
Office Technicians
Refer to Employee Emergency Report for individual listings. Report kept by
authorized management.
Policy and Procedure for Informing Individuals Concerning Opportunity to
Accept/Reject Certain Uses and Disclosures
Weld County Department of Public Health and Environment
Date: April 13, 2003
Authority: Weld County Department of Public Health and Environment
Responsibility
It will be the responsibility of Cheryl Weinmeister, R.N.,B.S.N., Privacy Officer to
exercise professional judgment to use or disclose information where consent or
authorization is not required. The individual, however, must be given an opportunity to
agree or object to the use or disclosure.
General Policy
Our Notice of Privacy Practices will identify the circumstances in which we may use or
disclose protected health information for which consent or authorization is not required,
but the individual must be given an opportunity to agree or object. These circumstances
include:
1. Uses and disclosures of protected health information that we believe in our
professional judgment to be in the individual's best interest for purposes of care or
for notification of the individual's general condition, location, or death. Such
disclosures may include making health information directly relevant to the individual's
care or payment related to care available to a family member, other relative, close
personal friend, or any other person identified by the individual as involved in care or
payment of care. We may disclose health information to notify a family member,
personal representative, or another person responsible for the individual's care
concerning the individual's general condition, location, or death. We may also
disclose health information about the individual to an entity assisting in a disaster
relief effort so that the individual's family can be notified about the individual's
general condition, location, or death.
2. Using and disclosing protected health information to contact the individual as a
reminder that the individual has an appointment. We must give the individual the
right to request that such confidential communication be sent to an alternative
location or by an alternative means.
3. Using and disclosing protected health information to tell the individual about non-
health-related products or services. Such marketing communications must indicate
whether we are being paid for the marketing.
Procedure
1. When an individual is present or otherwise available prior to a use or disclosure
for which a consent or authorization is not required but the individual must be given
an opportunity to agree or object, we may obtain the individual's oral agreement,
inform him/her of our intent and provide the individual the opportunity to object, or
reasonably infer from the circumstances that the individual does not object to the
disclosure. For example, if we request an individual to complete an appointment
reminder post card, we may infer from the individual's completion of the card that
there is no objection to this disclosure. If we plan on calling the individual, however,
we will inform him/her that a call will be made and ask if there is any objection or
alternative telephone number for us to call.
2. If the individual is not present or the opportunity to agree or object cannot
practicably be provided because of the individual's incapacity or an emergency
circumstance, we may exercise professional judgment to determine whether the
disclosure is in the best interest of the individual. If so, we will disclose only the
protected health information that is directly relevant to the person's involvement with
the individual's health care. For example, we will infer there is no objection if a
person is acting on behalf of the individual to pick up filled prescriptions, medical
supplies, x-rays, or other similar forms of protected health information. However, if a
known family member, other relative, close personal friend, or other person involved
in the individual's care is present in our office and does not volunteer to act on behalf
of the individual, we will not infer that there is no objection to disclosing protected
health information and we will not disclose such information.
3. If the individual is sent any marketing or fundraising communications for which we
do not have specific restrictions on file, we will ensure they meet the requirements
set forth in HIPAA's privacy rule and will include a description of how the individual
may opt out of receiving any further such communications.
4. If the individual has filed a Form to Request Restrictions that cover any of the
above disclosures of protected health information, we will accept such restrictions
and take every measure practicable to not disclose such information.
Policy and Procedure on Accounting for Disclosures
Weld County Department of Public Health and Environment
Date: April 13, 2003
Authority: Weld County Department of Public Health and Environment
Responsibility: Cheryl Weinmeister, R.N.,B.S.N., Privacy Officer at 970-304-6420
Purpose
The purpose of this policy is to comply with the requirements of the Health Insurance
Portability and Accountability Act (HIPAA) and to afford our patients the right to request
and receive an accounting of disclosures we make concerning their health information.
General Policy
It is our policy to keep an accurate accounting of all applicable disclosures that we make
of our patients' protected health information; and to provide an accounting of those
disclosures to patients who may request an accounting, as permitted by law.
Definitions
Disclosure—the release, transfer, provision of access to, or divulging in any other
manner of information outside of this office.
Applicable disclosure — refers only to those disclosures of patients' protected health
information made for reasons other than:
• to carry out treatment, receive reimbursement, or carry out our operations
• to the patients themselves
• to persons involved in a patient's care
• for national security or intelligence purposes (as specified in our policy on
Authorization for Release of Information)
• to correctional institutions or law enforcement officials under certain circumstances
(as specified in our policy on Authorization for Release of Information)
• those that occurred prior to April 14, 2003
Protected health information — individually identifiable health information, including that
information maintained in our medical records and billing records.
Procedure
1. Patients may request an accounting of disclosures by submitting a request in
writing on our Request for Accounting for Disclosures Form to Cheryl Weinmeister,
R.N.,B.S.N., Privacy Officer. The request must state the time period for which the
accounting is to be supplied, which may not be longer than six years and may not
include dates before April 14, 2003.
2. When a request for an accounting of disclosures is made by a patient:
a. Obtain the patient's medical record.
b. Review the medical record to determine if it contains a written statement from
a health oversight agency or law enforcement official that such an accounting to
the patient must be suspended because such an accounting would impede the
agency's activities. If such a statement exists, review the time period of the
suspension. If the suspension is for less than 60 days from the date of receiving
the request, hold the request until the suspension period has ended and then
process the request. If the suspension is for more than 60 days from the date of
receiving the request, send the Accounting for Disclosures Form indicating that
we are temporarily unable to process the accounting due to a suspension
required by law, but will comply with the request when the suspension has been
lifted, and specify the date on which the suspension will be lifted. If the time
period for suspension has passed, proceed to process the request.
c. Review the section of the medical record that contains authorizations and
requests for disclosures to determine which disclosures are applicable to the
accounting (see Definitions above) and within the time period being requested.
d. Complete the Accounting for Disclosures Form to supply the date(s) of
disclosure(s), name(s) and address(es) of organizations or persons to whom the
disclosure(s) were made, a brief description of the protected health information
disclosed, the purpose of the disclosure(s), and the name of our Cheryl
Weinmeister, R.N.,B.S.N., Privacy Officer and date the form was mailed.
e. Send the Accounting for Disclosures Form to the patient within 60 days of
receiving the request. If we are unable to complete this process within 60 days,
send the Accounting for Disclosures Form to the patient indicating we will need a
30-day extension to complete the process, indicate the date on which we will
supply the accounting, and check off the reason for the delay.
f. Place a copy of the Accounting for Disclosures Form in the patient's medical
record.
g. Place a copy of the Accounting for Disclosures Form in our Risk Management
file.
3. We will provide the first accounting to a patient in any 12-month period without
charge. For any subsequent request within the 12-month period, we will charge the
current fee as determined by Weld County, as specified on the Request for
Accounting for Disclosures Form. (A patient who does not wish to pay for
subsequent accountings may withdraw the request and no accounting will be made.)
Weld County Department of Public Health and Environment
Request for Accounting for Disclosures of Health
I, ____________________ (print name), request an accounting for
disclosures of my health information for the period:
From:
To:
I understand that this accounting for disclosures will include disclosures made only to
those organizations or persons other than:
• to those for whom use and disclosure of my health information was made to carry out
my treatment, process payment for my health care, or carry out your operations
• to myself or persons involved in my care
• for national security or intelligence purposes
• to correctional institutions or law enforcement officials under certain circumstances,
as specified in our Notice of Privacy Practices
• that occurred prior to April 14, 2003
❑ I understand that I may receive the first accounting for disclosures within a 12-month
period at no charge.
❑ I understand that I am requesting a second or subsequent accounting in a 12-month
period and will pay the current fee determined by Weld County for this accounting.
Send this accounting to: (Please Print)
Mailing Address:
City: State: Zip:
SIGNATURE OF PATIENT DATE
This is the contract format that is used for each Business Associate.
The original contract will be kept separately with Business Associate file.
Business Associates Contract
THIS CONTRACT is entered into on this April 13, 2003, between Weld County
Department of Public Health and Environment and [BUSINESS ASSOCIATE].
WHEREAS, Weld County Department of Public Health and Environment will make
available and/or transfer to [BUSINESS ASSOCIATE] Protected Health Information, in
conjunction with goods or services that are being provided by [BUSINESS ASSOCIATE]
to Weld County Department of Public Health and Environment, that is confidential and
must be afforded special treatment and protection.
WHEREAS, [BUSINESS ASSOCIATE] will have access to and/or receive from Weld
County Department of Public Health and Environment
Protected Health Information that can be used or disclosed only in accordance with this
Contract and the HHS Privacy Regulations.
NOW, THEREFORE, Weld County Department of Public Health and Environment and
[BUSINESS ASSOCIATE] agree as follows:
1. Definitions. The following terms shall have the meaning ascribed to them in this
Section. Other capitalized terms shall have the meaning ascribed to them in the
context in which they first appear.
a. Contract shall refer to this document.
b. BUSINESS ASSOCIATE shall mean [BUSINESS ASSOCIATE].
c. COVERED ENTITY shall mean Weld County Department of Public Health and
Environment.
d. HHS Privacy Regulations shall mean the Code of Federal Regulations
("C.F.R.") at Title 45, Sections 160 and 164.
e. Individual shall mean the person who is the subject of the Protected Health
Information, as defined by 45 C.F.R. 164.501.
f. Protected Health Information shall mean any individually identifiable health
information provided and/or made available by Weld County Department of
Public Health and Environment to [BUSINESS ASSOCIATE], and has the same
meaning as the term "protected health information" as defined by 45 C.F.R.
164.501.
g. Parties shall mean [BUSINESS ASSOCIATE] and Weld County Department of
Public Health and Environment.
h. Secretary shall mean the Secretary of the Department of Health and Human
Services (HHS) and any other officer or employee of HHS to whom the authority
involved has been delegated.
2. Term. The term of this Contract shall commence as of April 13, 2003 and
shall expire when all of the Protected Health Information provided by Weld
County Department of Public Health and Environment to [BUSINESS
ASSOCIATE] is destroyed or returned to Weld County Department of Public
Health and Environment pursuant to Clause 26 of this contract.
3. Limits On Use And Disclosure Established By Terms Of Contract.
[BUSINESS ASSOCIATE] hereby agrees that it shall be prohibited from using or
disclosing the Protected Health Information provided or made available by Weld
County Department of Public Health and Environment for any purpose other than
as expressly permitted or required by this Contract. (ref. 164.504(e)(2)(i)).
4. Stated Purposes For Which BUSINESS ASSOCIATE May Use Or
Disclose Protected Health Information. The Parties hereby agree that
[BUSINESS ASSOCIATE] shall be permitted to use and/or disclose Protected
Health Information provided or made available from Weld County Department of
Public Health and Environment for the following stated purposes:
To carry out treatment, receive reimbursement, or carry out operations, to
the patient themselves, to persons involved in patient's care, for national
security or intelligence purposes, to correctional institutions or law
enforcement officials under certain circumstances.
5. Use Of Protected Health Information For Management, Administration And
Legal Responsibilities. [BUSINESS ASSOCIATE] is permitted to use Protected
Health Information if necessary for the proper management and administration of
[BUSINESS ASSOCIATE] or to carry out legal responsibilities of [BUSINESS
ASSOCIATE]. (ref. 164.504(e)(4)(i)(A-B)).
6. Disclosure Of Protected Health Information For Management,
Administration and Legal Responsibilities. [BUSINESS ASSOCIATE] is
permitted to disclose Protected Health Information received from Weld County
Department of Public Health and Environment for the proper management and
administration of [BUSINESS ASSOCIATE] or to carry out legal responsibilities of
[BUSINESS ASSOCIATE], provided:
a. The disclosure is required by law; or
b. The [BUSINESS ASSOCIATE] obtains reasonable assurances from the
person to whom the Protected Health Information is disclosed that it will be held
confidentially and used or further disclosed only as required by law or for the
purposes for which it was disclosed to the person, the person will use appropriate
safeguards to prevent use or disclosure of the Protected Health Information, and
the person immediately notifies the [BUSINESS ASSOCIATE] of any instance of
which it is aware in which the confidentiality of the Protected Health Information
has been breached. (ref. 164.504(e)(4)(ii)).
7. Data Aggregation Services. [BUSINESS ASSOCIATE] is also permitted to use
or disclose Protected Health Information to provide data aggregation services, as
that term is defined by 45 C.F.R. 164.501, relating to the health care operations of
Weld County Department of Public Health and Environment.
(ref. 164.504(e)(2)(i)(B)).
8. Limits On Use And Further Disclosure Established By Contract And Law.
[BUSINESS ASSOCIATE] hereby agrees that the Protected Health Information
provided or made available by Weld County Department of Public Health and
Environment shall not be further used or disclosed other than as permitted or
required by the Contract or as required by law. (ref. 45 C.F.R. 164.504(e)(2)(ii)(A)).
9. Appropriate Safeguards. [BUSINESS ASSOCIATE] will establish and maintain
appropriate safeguards to prevent any use or disclosure of the Protected Health
Information. (ref. 164.504(e)(2)(ii)(B)).
10. Reports Of Improper Use Or Disclosure. [BUSINESS ASSOCIATE] hereby
agrees that it shall report to Weld County Department of Public Health and
Environment within two (2) days of discovery of any use or disclosure of Protected
Health Information not provided for or allowed by this Contract. (ref.
164.504(e)(2)(ii)(C)).
11. Subcontractors And Agents. [BUSINESS ASSOCIATE] hereby agrees that
any time Protected Health Information is provided or made available to any
subcontractors or agents, [BUSINESS ASSOCIATE] must enter into a subcontract
with the subcontractor or agent that contains the same terms, conditions and
restrictions on the use and disclosure of Protected Health Information as contained in
this Contract. (ref. 164.504(e)(2)(ii)(D)).
12. Right Of Access To Protected Health Information. [BUSINESS ASSOCIATE]
hereby agrees to make available and provide a right of access to Protected Health
Information by an Individual. This right of access shall conform with and meet all of
the requirements of 45 C.F.R. 164.524, including substitution of the words "Covered
Entity" with [BUSINESS ASSOCIATE] where appropriate. (ref. 164.504(e)(2)(ii)(E)).
13. Amendment And Incorporation Of Amendments. [BUSINESS ASSOCIATE]
agrees to make Protected Health Information available for amendment and to
incorporate any amendments to Protected Health Information in accordance with 45
C.F.R. 164.526, including substitution of the words "Covered Entity" with
[BUSINESS ASSOCIATE] where appropriate. (ref. 164.504(e)(2)(ii)(F)).
14. Provide Accounting. [BUSINESS ASSOCIATE] agrees to make Protected
Health Information available as required to provide an accounting of disclosures in
accordance with 45 C.F.R. 164.528, including substitution of the words "Covered
Entity" with [BUSINESS ASSOCIATE] where appropriate. (ref. 164.504(e)(2)(ii)(G)).
15. Access To Books And Records. [BUSINESS ASSOCIATE] hereby agrees to
make its internal practices, books, and records relating to the use or disclosure of
Protected Health Information received from, or created or received by [BUSINESS
ASSOCIATE] on behalf of the Weld County Department of Public Health and
Environment, available to the Secretary or the Secretary's designee for purposes of
determining compliance with the HHS Privacy Regulations. (ref. 164.504(e)(2)(ii)(H)).
16. Return Or Destruction Of Protected Health Information. At termination of
this Contract, [BUSINESS ASSOCIATE] hereby agrees to return or destroy all
Protected Health Information received from, or created or received by [BUSINESS
ASSOCIATE] on behalf of Weld County Department of Public Health and
Environment. [BUSINESS ASSOCIATE] agrees not to retain any copies of the
Protected Health Information after termination of this Contract. If return or
destruction of the Protected Health Information is not feasible, [BUSINESS
ASSOCIATE] agrees to extend the protections of this Contract for as long as
necessary to protect the Protected Health Information and to limit any further use or
disclosure. If [BUSINESS ASSOCIATE] elects to destroy the Protected Health
Information, it shall certify to Weld County Department of Public Health and
Environment that the Protected Health Information has been destroyed. (ref.
164.504(e)(2)(ii)(I)).
17. Mitigation Procedures. [BUSINESS ASSOCIATE] agrees to have procedures
in place for mitigating, to the maximum extent practicable, any deleterious effect from
the use or disclosure of Protected Health Information in a manner contrary to this
Contract or the HHS Privacy Regulations. (ref. 164.530(f)).
18. Sanction Procedures. [BUSINESS ASSOCIATE] agrees and understands that
it must develop and implement a system of sanctions for any employee,
subcontractor or agent who violates this Agreement or the HHS Privacy Regulations.
(see 164.530(e)(1)).
19. Property Rights. The Protected Health Information shall be and remain the
property of Weld County Department of Public Health and Environment. [BUSINESS
ASSOCIATE] agrees that it acquires no title or rights to the Protected Health
Information, including any de-identified Protected Health Information, as a result of
this Contract.
20. Termination of Contract. [BUSINESS ASSOCIATE] agrees that Weld County
Department of Public Health and Environment has the right to immediately terminate
this Contract and seek relief if Weld County Department of Public Health and
Environment determines that [BUSINESS ASSOCIATE] has violated a material term
of this Contract. (ref. 164.506(e)(2)(iii)).
21. Grounds For Breach. Any non-compliance by [BUSINESS ASSOCIATE] of
this Contract or the HHS Privacy Regulations will automatically be considered to be a
Grounds For Breach, if [BUSINESS ASSOCIATE] knew or reasonably should have
known of such non-compliance and failed to immediately take reasonable steps to
notify Weld County Department of Public Health and Environment and cure the
noncompliance.
22. Governing Law. This Contract shall be governed by the laws of Colorado.
23. Injunctive Relief. Notwithstanding any rights or remedies provided for in this
Contract, Weld County Department of Public Health and Environment retains all
rights to seek injunctive relief to prevent or stop the unauthorized use or disclosure of
Protected Health Information by [BUSINESS ASSOCIATE] or any agent, contractor
or third party that received Protected Health Information from [BUSINESS
ASSOCIATE].
24. Binding Nature and Assignment. This Contract shall be binding on the Parties
hereto and their successors and assigns, but neither Party may assign this
Agreement without the prior written consent of the other, which consent shall not be
unreasonably withheld.
25. Notices. Whenever under this Contract one party is required to give notice to
the other, such notice shall be deemed given if mailed by First Class United States
mail, postage prepaid, and addressed as follows:
COVERED ENTITY:
Weld County Department of Public Health and Environment
1555 N. 17th Avenue
Greeley, CO 80631
BUSINESS ASSOCIATE:
[PUT IN ADDRESS]
Either Party may at any time change its address for notification purposes by
mailing a notice stating the change and setting forth the new address.
26. Article Headings. The article headings used are for reference and convenience
only, and shall not enter into the interpretation of this Contract.
27. Force Majeure. [BUSINESS ASSOCIATE] shall be excused from performance
under this Contract for any period [BUSINESS ASSOCIATE] is prevented from
performing any services pursuant hereto, in whole or in part, as a result of an Act of
God, war, civil disturbance, court order, labor dispute or other cause beyond its
reasonable control, and such nonperformance shall not be grounds for termination.
28. Entire Agreement. This Contract consists of this document, and constitutes the
entire agreement between the Parties. There are no understandings or agreements
relating to this Agreement which are not fully expressed in this Contract and no
change, waiver or discharge of obligations arising under this Contract shall be valid
unless in writing and executed by the Party against whom such change, waiver or
discharge is sought to be enforced.
IN WITNESS WHEREOF, [BUSINESS ASSOCIATE] and Weld County Department of
Public Health and Environment have caused this Contract to be signed and delivered by
their duly authorized representatives, as of the date set forth above.
BUSINESS ASSOCIATE: COVERED ENTITY:
X X
Print name Print Name
Title Title
Job Description
Weld County Department of Public Health and Environment
Job Title: Privacy Officer
Summary
The Privacy Officer oversees all ongoing activities related to the development,
implementation, maintenance of, and adherence to Weld County Department of Public
Health and Environment's policies and procedures covering the privacy of and access to
patients' protected health information in compliance with federal and state laws and
Weld County Department of Public Health and Environment's information privacy
practices.
Duties
1. Identifies need for, develops, implements, and maintains Weld County Department of
Public Health and Environment's policies and procedures for protecting individually
identifiable health information, in coordination with Weld County Commissioners.
2. Performs information privacy/security risk assessment and conducts related ongoing
compliance monitoring activities in coordination with Weld County Department of Public
Health and Environment's other compliance and operational assessment functions.
3. Works with Weld County Department of Public Health and Environment's County
Commissioners and legal counsel to develop and maintain appropriate consent forms,
authorization forms, notice of privacy practices, business associate contracts, and other
documents required under HIPAA's standards for the privacy and security of individually
identifiable health information.
4. Ensures compliance with Weld County Department of Public Health and
Environment's privacy/security policies and procedures and consistent application of
sanctions for failure to comply with these policies for all members of the practice's
workforce (as defined in HIPAA's Standards for Privacy of Individually Identifiable Health
Information) and business associates.
5. Establishes and administers a process for receiving, documenting, tracking,
investigating, and taking action on all complaints concerning Weld County Department of
Public Health and Environment's privacy/security policies and procedures.
6. Oversees, directs, delivers, or ensures delivery of, including the tracking of
attendance, information privacy/security training for Weld County Department of Public
Health and Environment and other appropriate parties. Initiates, facilitates, and
promotes activities to foster information privacy/security awareness within Weld County
Department of Public Health and Environment.
7. Reviews all information system-related security plans to ensure alignment between
security and privacy practices.
8. Cooperates with the Office of Civil Rights, other legal entities, and Weld County
Attorney's office in any compliance reviews or investigations.
9. Serves as a member of the practice's privacy board, which it has constituted for the
purpose of overseeing use of individually identifiable health information without the
individual's authorization or with an altered form of authorization for purposes of
research.
Reporting Relationship
For this function, the Privacy Officer reports to the Weld County Commissioners.
Qualifications
• Experience in the administration and functions of a Public Health Department.
• Current knowledge of applicable federal and state privacy laws and
accreditation/licensure standards pertaining to health care
• Familiar with advancements in information privacy strategies and technologies to
ensure practice adaptation and compliance
• Experience in health information access controls, release of health information, and
health information release control strategies and technologies
• Demonstrated organization, facilitation, communication, and presentation skills
• Professional certification as a Registered Health Information Administrator (RHIA),
Registered Health Information Technician (RHIT) or other appropriate certification
Overview of Policies and Procedures on Privacy and Security
Weld County Department of Public Health and Environment
Date: April 13, 2003
Authority: Weld County Department of Public Health and Environment
Purpose
A copy of this document should be given to each staff member.
While there are many policies directed at singular aspects of privacy and confidentiality,
this overview is directed at developing a simple overall guideline for the understanding of
the relationship between the staff and the clients of Weld County Department of Public
Health and Environment.
The electronic and paper record resources of Weld County Department of Public Health
and Environment are provided for the singular purpose of facilitating patient care and
business processes. Any person who uses Weld County Department of Public Health
and Environment's paper records and/or computing resources for non-business or
unauthorized purposes may be subject to disciplinary action, up to and including
termination, and civil or criminal legal action.
Management at all levels is responsible for monitoring the actions of its staff and
enforcing the intent of this overview. All questions, concerns or infractions should be
directed to Cheryl Weinmeister, R.N.,B.S.N., Privacy Officer.
Prohibited Activities
The following are examples of prohibited activities:
1. Using Weld County Department of Public Health and Environment's computing
systems or data for personal business or gain;
2. Specific violations of Weld County Department of Public Health and Environment's
electronic mail, Internet and facsimile machine policy;
3. Unauthorized browsing of patient, personnel, financial, or other records for the
purpose of personal curiosity or with the intent of improperly disclosing the information
contained in those records;
4. Interfering with the operation of any of Weld County Department of Public Health and
Environment's computing systems or using a Weld County Department of Public Health
and Environment's computer to disrupt any external computing system;
5. Altering or deleting any of Weld County Department of Public Health and
Environment's data or software, except when performing authorized business functions;
and
6. Installing unauthorized or illegally-copied software on any of Weld County
Department of Public Health and Environment's computer terminals.
Responsibilities
1. Every staff member is accountable for all computing activities he/she performs.
2. Users shall take the following precautions to safeguard systems and data:
Users will minimize information when they are away from their work area or shut their
computer down when they leave the building. Each user will have a screen saver
with/without a password to get back on their computer.
3. User identification codes are not to be shared, except under special circumstances
approved by Cheryl Weinmeister, R.N.,B.S.N., Privacy Officer.
4. Passwords shall not be divulged, orally or in writing.
5. Workstations and terminals to be left unattended shall be logged off or locked up.
6. All suspected or known breaches of confidentiality or computer security shall be
reported to Cheryl Weinmeister, R.N.,B.S.N., Privacy Officer or another member of
management immediately.
Organizational Policies and Training
The management of Weld County Department of Public Health and Environment will
instruct users in Information Confidentiality, Privacy, and Security policies, standards
and procedures, as well as in the principles of information confidentiality and computer
security.
Management of Weld County Department of Public Health and Environment shall make
written policies on the management of private patient information and other protected
data that is readily available to staff.
Behavior in Interacting with Patients
Staff or volunteers of Weld County Department of Public Health and Environment are
obligated to make sure that patient information is not disclosed inappropriately,
accidentally or negligently. In order to do this we must take appropriate precautions to
safeguard medical information, as described below.
1. Do not allow medical information on terminals to be visible to patients.
2. Keep patient charts and encounter forms face down. Never leave them out where
others can see them.
3. Use confidential trash bins or the paper shredder when disposing of patient
information. Any document with a patient's name, insurance number or a partial patient
record is considered protected health information.
4. Place patient record charts and other patient information outside exam rooms or
clinical offices so that they face the door or wall.
5. Speak softly over the phone and try to avoid excessive use of the patient's name.
6. Do not discuss patient information with anyone in a social conversation.
7. Make a habit of speaking to patients in private offices and exam rooms only.
8. Do not discuss the reason for a patient's visit in the waiting area or in front of others.
9. Anticipate patient privacy needs when giving out test results, setting up appointments
and obtaining or explaining referrals.
General Areas for Consideration
Patient's Rights
1. Right to be Informed of their Rights. Responsibilities for implementing procedures
for ensuring that the patient is informed of the policies related to patient information are
defined.
2. Right to Privacy. Relevant patient information may only be disclosed to those
directly involved in the care of the patient, for the protection of the public health as
provided by law, for the payment of services as authorized by the patient, to assist
researchers as authorized by the patient, or for any other purposes required by law or
authorized by the patient. These rights are defined in the Policy and Procedure on Uses
and Disclosures of Protected Health Information.
3. Right to Review Information. Patients are entitled to know which information about
them is in the possession of the organization and are entitled to review that information.
Any category of information that may be withheld from the patient in accordance with the
law is defined in the Policy and Procedure on Patient's Right to Access Health
Information.
4. Right to Clear and Complete Presentation of Information. Policies related to
making information from the computer-based patient record available to the patient in a
clear, logical, understandable format should be developed. Any policies for presenting
information in a format not maintained by the organization are defined. The
organization's policies related to the costs associated with presentation of information
are defined.
5. Right to Amend Correct Information. Information cannot be deleted, but erroneous
information can be marked as such and correct information amended. The rights of the
patient to provide supplemental information or an appendix are defined in the Policy and
Procedure on Patient's Right to Request Amendment of their Health Information.
6. Right to Restrict the Use and Disclosure of Specific Information. The patient's
rights to segment information and block the release of specific information are clearly
stated in the Policy and Procedure to Request Restrictions on Use and Disclosure of
Protected Health Information. The rights of the organization to identify and explain any
consequences of such blockage are included.
7. Right to an Accounting for Disclosures of Information. The patient's rights to
know which individuals, organizations, and government agencies have authority to
access, and have actually gained access to, specific information identified with the
patient are clearly defined in the Policy and Procedure on Accounting for Disclosures.
8. Right to Protection of Information Released to Third Parties. The policy defines
the commitment for protection required from a third party prior to the release of
information to that organization. The policy also specifies the responsibility for
monitoring these commitments.
9. Right to Integrity and Availability. Records must be protected from unauthorized
modification and destruction. The patient has the right to expect that the organization
will take reasonable precautions to protect the information from destruction by accident
or vandalism, and by fire, flood, earthquake, or other disasters. Policies requiring that
provisions be made for the patient records to survive the organization in the event of
mergers, bankruptcy, and similar events are established.
Protection of Caregiver Information
1. Privacy. The caregivers' personal privacy should be preserved. Relevant caregiver
information may only be disclosed for the protection of the public health as provided by
law, for any other purposes as required by law, or as authorized by the caregiver.
2. Review of Information. The caregiver is entitled to know which information about
the caregiver is in the possession of the organization. Caregivers are also entitled to
know which information they have a legal right to review. Caregivers should have the
right to review information they have placed in the patient's record.
3. Clear and Complete Presentation of Information. Information about the caregiver
and patient information authorized to the caregiver should be made available in a clear,
logical, understandable format.
4. Right to Append Corrected Information. The caregivers' rights to identify
erroneous information and append correct information pertaining to their employment or
contractual arrangements should be defined.
5. Release of Specific Information. The caregiver may be granted the right to
segment information and block the release of specific information where permitted by
law.
6. Notification of Disclosure of Information. The caregiver is entitled to know which
individuals, organizations, and government agencies have authority to access and have
actually gained access to information about the caregiver.
7. Protection of Information Released to Third Parties. The policy should define the
commitment for protection required from a third party prior to the release of information
to that organization.
8. Integrity and Availability of Records. Records must be protected from
unauthorized modification and destruction. The caregiver has the right to expect that the
organization protect the information from destruction by accident or vandalism, and by
fire, flood, earthquake, or other disasters.
Provisions will be made for the records to survive the organization in the event of
closure, mergers, bankruptcy, and similar events.
9. Responsibility to Protect Information. The caregivers' responsibility for the
protection of the information to which the caregiver has access will be stated.
The Release of Data
Although the requirements for release of some patient information are defined by law,
Weld County Department of Public Health and Environment has policies addressing the
responsibilities and determining the methods of complying with these laws.
The organization's policies related to complying with the law for the release of patient,
caregiver, and institutional information to public health authorities should be defined.
Factors to consider in the release and sharing of information include:
• Which information may be released?
• To whom may information be released?
• What responsibility does the institution have regarding the protection of information it
has released from its custody?
Data should never be released without the express, specific, written consent of the
patient or a court order. In all cases, where there is any question as to the
appropriateness of the release of data, Cheryl Weinmeister, R.N.,B.S.N., Privacy
Officer, or a member of management, must be contacted for a decision before any data
is released.
ACKNOWLEDGEMENT
I have received a copy of Weld County Department of Public Health and Environment
Policy and Procedure on Personnel Discipline for Breach of Privacy or Confidentiality
and Overview of Policies and Procedures on Privacy and Security.
I agree to keep all Weld County Department of Public Health and Environment's patient
information, as outlined in the above documents, strictly confidential. I understand that a
breach in patient confidentiality, as defined in the above documents, will result in
disciplinary action, up to and including termination of employment.
Signature Date:
Print Name
Witness Date:
(Privacy Officer)
(Employee Copy)
ACKNOWLEDGEMENT
I have received a copy of Weld County Department of Public Health and Environment
Policy and Procedure on Personnel Discipline for Breach of Privacy or Confidentiality
and Overview of Policies and Procedures on Privacy and Security.
I agree to keep all Weld County Department of Public Health and Environment's patient
information, as outlined in the above documents, strictly confidential. I understand that a
breach in patient confidentiality, as defined in the above documents, will result in
disciplinary action, up to and including termination of employment.
Signature Date:
Print Name
Witness Date:
(Privacy Officer)
(Weld County Department of Public Health and Environment copy)
Policy and Procedure on Personnel Discipline for Breach of Privacy or
Confidentiality
Weld County Department of Public Health and Environment
Date: April 13, 2003
Authority: Weld County Department of Public Health and Environment
Responsibility: Cheryl Weinmeister, R.N.,B.S.N., Privacy Officer
Purpose
This plan provides guidance for the appropriate response to breaches in patient privacy
and confidentiality at Weld County Department of Public Health and Environment. This
guidance is intended to ensure that staff and management understand the appropriate
seriousness of any breach and the stated penalties and actions. Weld County
Department of Public Health and Environment has a very strong commitment to
protecting the confidentiality of its patients' records and clinical information. To ensure
compliance with the policy by all staff and to ensure consistency in the discipline and
actions taken upon evidence of breach in patient confidentiality by staff, Weld County
Department of Public Health and Environment has adopted the disciplinary process set
forth below.
General Policy
Weld County Department of Public Health and Environment and its staff are entrusted
with information regarding our patients and we recognize that the patient record is highly
confidential and must be treated with great respect and care by all staff. Any breach in
patient confidentiality by a staff person is subject to formal disciplinary action as
delineated in this policy.
A breach in patient confidentiality occurs when a member of the Weld County
Department of Public Health and Environment staff:
a. Views or accesses private patient health information for any reason not related to
the provision of care and treatment or another authorized purpose;
b. Discusses with or reveals to any individual(s), private patient health information for
purposes not related to patient care and treatment or another authorized purpose; or
c. Violates the provisions of Weld County Department of Public Health and
Environment policy on the confidentiality of private patient health information as
stated in the general overview policy as provided to the staff.
For any breach in patient confidentiality, the staff member shall be subject to disciplinary
actions as set forth in the "Procedures" section below.
Every staff member should receive and read a copy of this document and "Overview of
Policies and Practices in Privacy and Security."
Procedures
1. Review. Cheryl Weinmeister, R.N.,B.S.N., Privacy Officer, is responsible for the
content and administration of this policy. The policy shall be reviewed and evaluated
one year from its effective date with specific focus on the Disciplinary Process
section, and then every two years thereafter.
2. Level of Breach. Breaches in patient confidentiality have been divided into the
following three levels, with the corresponding disciplinary actions for each level of
breach.
A. Level 1 —Carelessness
This level of breach occurs when a member of the Weld County Department of Public
Health and Environment staff unintentionally or carelessly accesses, reviews or reveals
patient information to him/herself or others without a legitimate need to know the patient
information.
Disciplinary Sanctions:
1. Depending upon the facts, counseling, oral warning, written warning, final written
warning or suspension, documented in writing and maintained in the employee's
personnel record, or termination
2. Except in the case of termination, the employee shall be required to repeat the
confidentiality training module
3. Level 1 disciplinary sanctions shall be administered in a progressive manner
4. Disciplinary sanctions shall be reported to the applicable professional licensing
board as appropriate
B. Level 2—Curiosity or Concern (no personal gain)
This level of breach occurs when an employee intentionally accesses or discusses
patient information for purposes other than the care of the patient or other authorized
purposes, but for reasons unrelated to personal gain.
Disciplinary Sanctions:
1. First offense: Depending upon the facts, oral or written warning documented and
maintained in the employee's personnel record
2. Second offense: Depending upon the facts, a final written warning and
suspension for 3-30 days without pay, documented and maintained in the
employee's personnel record, or termination
3. Third Offense: Termination
4. Except in the case of termination, the employee shall be required to repeat the
confidentiality training module
5. Disciplinary sanctions shall be reported to the applicable professional licensing
board as appropriate.
C. Level 3— Personal Gain or Malice
This level of breach occurs when an employee accesses, reviews or discusses patient
information for personal gain or with malicious intent.
Disciplinary Sanctions:
1. First offense: Termination
2. Report to applicable professional licensing board
3. Disciplinary Process. The following process must be followed when an employee
breaches, or is suspected of breaching, patient confidentiality.
A. Initial Reporting
1) An individual who observes or is aware of a breach reports it to his/her
immediate supervisor, who in turn should report this incident to the
Privacy Officer.
2) The Privacy Officer reports this to his/her reporting authority, who
consults management as appropriate.
3) Failure to report a breach of which one has knowledge will result in
appropriate disciplinary action.
4) Reporting of a breach in bad faith or for malicious reasons will result in
appropriate disciplinary action.
B. Activity Upon Clear Evidence of Breach of Confidentiality
1) The incident shall be reported to the Privacy Officer who shall
investigate the incident and report the matter to appropriate management.
C. Reporting and Filing Requirements
1) All incidents should be reported to your immediate supervisor and the
Privacy Officer.
D. Imposition of Appropriate Discipline
1) Based upon the severity of the breach, management shall take
appropriate disciplinary actions provided under the employer's personnel
policies.
For all levels of breach, after final resolution, the initial report and all written
documentation relating to the breach shall be filed in a confidential file in the Privacy
Officer's office and a referring note placed in the Security Log. The disciplinary action
and appropriate documentation shall also be placed in the employee's personnel file.
4. Upon investigation of a Level 2 breach, or higher, the following actions should be
taken.
a. The Privacy Officer should ensure that the access of the accused employee to
any paper or electronic medical records is immediately suspended.
b. The Privacy Officer should retrieve keys and/or badges from the accused
employee that allow access to secure areas where patient records are kept.
c. The Privacy Officer should inform all appropriate supervisors about the
suspension or removal of the access privileges of the accused employee.
d. The Privacy Officer should include a written report of all actions in a
confidential file in the Privacy Officer's office and a referring note placed in the
Security Log. The disciplinary action and appropriate documentation shall also
be placed in the employee's personnel file.
After reading this policy, sign and date the lower portion of this page and return it to your
immediate supervisor. Detach the acknowledgement and retain the policy for your
records.
ACKNOWLEDGEMENT
I have received a copy of Weld County Department of Public Health and Environment
Policy and Procedure on Personnel Discipline for Breach of Privacy or Confidentiality
and Overview of Policies and Procedures on Privacy and Security.
I agree to keep all Weld County Department of Public Health and Environment's patient
information, as outlined in the above documents, strictly confidential. I understand that a
breach in patient confidentiality, as defined in the above documents, will result in
disciplinary action, up to and including termination of employment.
Signature Date:
Print Name
Witness Date:
(Privacy Officer)
(Employee Copy)
ACKNOWLEDGEMENT
I have received a copy of Weld County Department of Public Health and Environment
Policy and Procedure on Personnel Discipline for Breach of Privacy or Confidentiality
and Overview of Policies and Procedures on Privacy and Security.
I agree to keep all Weld County Department of Public Health and Environment's patient
information, as outlined in the above documents, strictly confidential. I understand that a
breach in patient confidentiality, as defined in the above documents, will result in
disciplinary action, up to and including termination of employment.
Signature Date:
Print Name
Witness Date:
(Privacy Officer)
(Weld County Department of Public Health and Environment copy)
Policy and Procedure on Physical Security
Weld County Department of Public Health and Environment
Date: April 13, 2003
Authority: Weld County Department of Public Health and Environment
Responsibility: Cheryl Weinmeister, R.N.,B.S.N., Privacy Officer
Purpose
A Physical Security policy document should exist detailing the measures taken to protect
buildings in regard to disasters (flooding, fire, earthquakes, explosions, power outage),
theft, physical access, computer rooms and wiring cabinets.
General Policy
All Weld County Department of Public Health and Environment staff should understand
and support the control of access to the public, clients, general staff and staff with
specific access privileges.
Upon observation or detection of any breach of physical access, staff members should
implement provisions of the procedures below according to their best judgment, but in all
instances a follow-up report should be made to the Information Security Officer for action
and record.
The Privacy Officer has overall responsibility for physical security and for oversight of
procedures listed below. In the event that the Privacy Officer is unavailable, Mark
Wallace M.D., M.P.H. or Linda Henry, Director of Nursing will assume responsibility for
the procedures in this policy.
Procedures
1. Definition of Areas
Zone 1: Areas open to the public
Zone 2: Areas not open to the public, open to Weld County Department of Public
Health and Environment clients and staff
Zone 3: Areas not open to the public, not open to Weld County Department of
Public Health and Environment clients, open to staff only
Zone 4: Protected areas, only accessible with identification, access strictly
controlled
2. Warning Signs
Signs clearly identifying the right of access to an area should be placed at every
juncture between zones. All staff should be clearly aware of requirements and
should not hesitate to challenge inappropriate persons. Specific badges and/or
actual tokens may be issued to validate authorized entry into different areas.
3. Emergency Telephone Numbers
Emergency telephone numbers for private security, police, plumber, etc., should be
placed at all telephone handsets. If possible, incidents or disasters should be
managed by the Privacy Officer, but in emergency situations, any available staff
member should make the call. In all instances, follow-up reports should be made to
the Privacy Officer for recording in a confidential file.
4. Response to Physical Intrusion or Any Disaster
a. When staff, clients and/or patients are present:
1) Staff should take the immediate, appropriate action to safeguard the
clients and/or patients, confidential patient information and the physical
and electronic infrastructure.
2) The Privacy Officer, Mark Wallace M.D.,M.P.H. or Linda Henry,
Director of Nursing should call the appropriate authorities to respond to
the situation.
3) In all instances, follow-up reports should be made to the Privacy Officer
for recording in a confidential file.
b. Detected outside of hours of operation:
1) If immediate action is necessary, arrangements should be made for the
office's security service to contact the Privacy Officer, Mark Wallace
M.D.,M.P.H. or Linda Henry, Director of Nursing, who should contact the
appropriate authorities and take any necessary steps to secure the
premises until a complete evaluation of the damage can be made.
2) In all instances, follow-up reports should be made to the Privacy Officer
for recording in a confidential file.
3) If no immediate action is necessary to mitigate the loss, reports should
be made to the Privacy Officer for action and for recording in a
confidential file.
5. Routine Destruction of Paper Records
Paper records with protected health information printed on them should not be
discarded as regular trash. All paper that has protected health information printed on
it should be segregated from regular trash and destroyed only by methods that
ensure the privacy and confidentiality of the information.
6. Routine Destruction of Defective Confidential Disks and Tapes
Disks, tapes or any other storage medium with protected health information
contained on it should not be discarded as regular trash. All storage mediums that
have private health information contained on them should be segregated from
regular trash and destroyed only by methods that ensure the privacy and
confidentiality of the information.
7. Repair and/or Access to Computer Equipment
Access to protected patient information by any service technician should be
minimized either by direct supervision or by securing the information source. If
possible, business associate contracts should be in place for each type of service
technician.
8. Prevention
a. Clear instructions on the right of access to an area should be posted at all
junctures between zones.
b. All staff should be proactive about monitoring access to restricted zones.
c. Access to restricted zones for repair or delivery should be minimized and those
entrants should understand Weld County Department of Public Health and
Environment's confidentiality requirements.
d. Any support contracts that involve on-site, non-staff personnel should include
standard Business Associate Contract language on privacy, confidentiality and
security.
e. Staff identification and/or badges should be implemented, if not already in use.
f. Procedure on locking doors and windows should be clearly understood by all
staff members. While all staff members should enforce the procedure, it is the
responsibility of the Privacy Officer to monitor these physical security actions. In
the event of the absence of the Privacy Officer, Mark Wallace M.D.,M.P.H. or
Linda Henry, Director of Nursing will assume responsibility for monitoring these
physical security procedures.
g. Upon termination of a staff member for any cause, all office keys/badges
should be retrieved from the departing staff member.
h. Key registers and logs should be maintained by the Privacy Officer.
i. Keys that are marked "Do Not Duplicate" should be issued to staff members to
avoid their making unauthorized copies of office keys.
9. Work Station Use
a. Workstations should be placed, as much as possible, so that the screens are
not seen by unauthorized persons.
b. Systems should be configured so that monitors time out after ten minutes of
non-use and require a password to re-enter.
c. If there is no automatic screen shut down within the system configuration,
users should log out of the computer system whenever they leave the terminal
unattended.
d. If the configuration of the workstations varies across the system, signage should
be used to indicate the preferred mode of behavior at each station.
10. Record Handling
a. Records should not be left on desks or cabinets unattended.
b. Records pulled from cabinets for a future treatment session should be left in a
secured area until needed by staff members.
c. All staff should pro-actively gather up unattended records and return them to a
secured area.
Policy on Use of Electronic Mail, Internet and Facsimile Machines
Weld County Department of Public Health and Environment
Date: April 13, 2003
Authority: Weld County Department of Public Health and Environment
Responsibility: Cheryl Weinmeister, R.N.,B.S.N., Privacy Officer
Purpose
This plan provides guidance for the appropriate use of electronic mail, Internet and
facsimile machines at Weld County Department of Public Health and Environment. This
guidance is intended to ensure the privacy and confidentiality of patient data at Weld
County Department of Public Health and Environment.
General Policy
Never forward patient-identifiable data to a third party without the patient's express
permission.
Material that is sexually explicit, obscene, embarrassing, fraudulent, hostile, harassing,
or otherwise inappropriate or unlawful shall not be forwarded or sent by electronic
communication or displayed on or stored on Weld County Department of Public Health
and Environment's computer resources. Users receiving or viewing this kind of
information shall immediately report the incident to Cheryl Weinmeister, R.N.,B.S.N.,
Privacy Officer.
Unless expressly authorized by Cheryl Weinmeister, R.N.,B.S.N., Privacy Officer,
downloading, sending, transmitting, or otherwise disseminating proprietary information,
trade secrets or other sensitive privacy act information is strictly prohibited.
1. Electronic Mail
Weld County Department of Public Health and Environment owns the electronic mail
service, and considers electronic mail private, direct communication between sender
and recipient(s) or recipient(s)' designee(s); however, employees cannot expect
absolute confidentiality. The contents will not be monitored, observed, viewed,
displayed or reproduced in any form by anyone other than the sender and
recipient(s) or recipient(s)' designee(s) unless specifically authorized by the Privacy
Official, a law enforcement representative or the Information Security Officer.
Electronic mail is considered official correspondence of Weld County Department of
Public Health and Environment and users must avoid the inclusion of inappropriate
or derogatory language in their messages.
Electronic mail is maintained in computer systems and on backup media for varying
lengths of time and may be recovered subsequent to deletion. The messages may
be disclosed in the same manner as paper records. Reasons for recovery of
electronic mail messages may include legal discovery, external investigations by law
enforcement personnel and internal security investigations.
Work-related mail is forwarded to the most appropriate employee in the case of
employment termination or when an employee is absent for an extended period of
time.
A recipient may designate another employee to receive and read work-related mail
for business reasons. Personal messages are forwarded to the intended recipient. If
that is not possible, they are destroyed. Messages are not examined further than is
necessary to determine the category into which they fall.
In anticipation of the finalization of the security regulation of HIPAA, no protected
health information should be sent by public or private electronic networks without
adequate safeguards against interception and/or misuse.
2. Internet
Standard use of the Internet, via the office network, must be primarily for Weld
County Department of Public Health and Environment business or professional
development. Limited personal use is acceptable but discretion is necessary to
ensure that individuals do not degrade Weld County Department of Public Health
and Environment's public image through their activities or adversely affect the
availability of network resources.
3. Facsimile Machines
All staff shall take precautions when using facsimile (fax) machines to transmit
documents.
Facsimile machines shall not be located in areas accessible to the general public,
unless the facsimile machine is intended for public use. In this case the publicly
available facsimile machine should not be used by staff members to send or receive
faxes containing patient information of any kind.
Staff shall not use Weld County Department of Public Health and Environment's
facsimile machines for transmitting personal documents. Facsimile machine cover
pages shall include the following information:
a. The sender's name, business address, business phone number, and business
facsimile machine number
b. The recipient's name, business address, business phone number, and
business facsimile machine number
c. Transmission time and date (if not stamped by facsimile machine or computer)
d. Classification of the document (CONFIDENTIAL documents)
Staff shall verify the facsimile machine number of the recipient before
transmitting. A recipient of a document containing CONFIDENTIAL information
(e.g., for the recipient's eyes only or containing protected health information)
must be notified by phone before the document is transmitted. If at all possible,
this type of document should not be faxed.
All pages, including the cover page of CONFIDENTIAL documents to be faxed,
must be marked "Confidential" before they are transmitted.
Time, date, sender, recipient and sender or recipient phone number for all
materials sent and received by facsimile machine should be documented in a
facsimile machine log to be kept with the facsimile machine. It is crucial that no
protected health information be explicitly revealed in this log.