The URL can be used to link to this page

Browse Search

Home My WebLink About20211960.tiffRESOLUTION RE: APPROVE DATA USE AGREEMENT FOR COLORADO ALL PAYER CLAIMS DATA AND AUTHORIZE CHAIR TO SIGN ELECTRONICALLY - CENTER FOR IMPROVING VALUE IN HEALTH CARE WHEREAS, the Board of County Commissioners of Weld County, Colorado, pursuant to Colorado statute and the Weld County Home Rule Charter, is vested with the authority of administering the affairs of Weld County, Colorado, and WHEREAS, the Board has been presented with a Data Use Agreement for Colorado All Payer Claims Data between the County of Weld, State of Colorado, by and through the Board of County Commissioners of Weld County, on behalf of the Department of Public Health and Environment, and the Center for Improving Value in Health Care, commencing upon full execution of signatures, with further terms and conditions being as stated in said agreement, and WHEREAS, after review, the Board deems it advisable to approve said agreement, a copy of which is attached hereto and incorporated herein by reference. NOW, THEREFORE, BE IT RESOLVED by the Board of County Commissioners of Weld County, Colorado, that the Data Use Agreement for Colorado All Payer Claims Data between the County of Weld, State of Colorado, by and through the Board of County Commissioners of Weld County, on behalf of the Department of Public Health and Environment, and the Center for Improving Value in Health Care, be, and hereby is, approved. BE IT FURTHER RESOLVED by the Board that the Chair be, and hereby is, authorized to electronically sign said agreement. The above and foregoing Resolution was, on motion duly made and seconded, adopted by the following vote on the 14th day of July, A.D., 2021. BOARD OF COUNTY COMMISSIONERS ddrIf4A) �,�,/t,WELD COUNTY, COLORADO ATTEST: G •�Cjo;or. Steve oreno, Chair Weld County Clerk to the Board ou ty A :rney Date of signature: 07/2-0 Cc: HL&&) 07/27/2( 2021-1960 HL0053 Memorandum TO: Steve Moreno, Chair Board of County Commissioners FROM: Mark Lawley, Executive Director Department of Public Health & Environment DATE: July 9, 2021 SUBJECT: All Payer Claims Database (APCD) Data Use Agreement for Health Assessment For the Board's approval is a Data Use Agreement between the Center for Improving Value in Health Care (CIVHC) and the Board of County Commissioners of Weld County for the use and benefit of the Weld County Department of Public Health and Environment (WCDPHE). WCDPHE would like to obtain a data set to assess health needs of the community. We wish to complete analyses as part of the Department's ongoing community health assessment function to look at a number of areas including mental health, chronic condition prevalence, and how patients are accessing the health care system in our area compared to neighboring regions and Colorado overall. Our objective is to report on where there are needs and opportunities for the Department along with its community partners to potentially improve health outcomes for county residents. This dataset has only recently become available to public health. It provides a new way to gain a better understanding of current health needs of county residents. With the approval of the Board, WCDPHE will enter into a data use agreement (DUA) with CIVHC to obtain a de -identified dataset from the Colorado All Claims Payer Database for the years 2018 and 2019. The one-time cost is $9,450. The DUA begins June 30, 2021, and ends June 30, 2023, when the original dataset will no longer be retained. WCDPHE's application was reviewed and approved on June 22, 2021, by CIVHC's data release review committee to assure compliance with HIPAA. Activities associated with this DUA will be conducted by health department staff; no additional FTE is being requested. Assistant Weld County Attorney, Karin McDougal, has reviewed this Data Use Agreement and determined that its content is acceptable. The Board approved placement of this Data Use Agreement on the Board's agenda via pass -around dated July 6, 2021. I recommend approval of this Data Use Agreement with CIVHC. 2021-1960 BOARD OF COUNTY COMMISSIONERS PASS -AROUND REVIEW TITLE: All Payer Claims Database (APCD) Data Use Agreement for Health Assessment DEPARTMENT: PUBLIC HEALTH & ENVIRONMENT PERSON REQUESTING: Mark Lawley, Executive Director DATE: July 6, 2021 Brief description of the problem/issue: For the Board's review and approval is a Data Use Agreement between the Center for Improving Value in Health Care (CIVHC) and the Board of County Commissioners of Weld County for the use and benefit of the Weld County Department of Public Health and Environment (WCDPHE). WCDPHE would like to obtain a data set to assess health needs of the community. We wish to complete analyses as part of the Department's ongoing community health assessment function to look at a number of areas including mental health, chronic condition prevalence, and how patients are accessing the health care system in our area compared to neighboring regions and Colorado overall. Our objective is to report on where there are needs and opportunities for the Department along with its community partners to potentially improve health outcomes for county residents. This dataset has only recently become available to public health. It provides a new way to gain a better understanding of current health needs of county residents. With the approval of the Board, WCDPHE will enter into a data use agreement (DUA) with CIVHC to obtain a de -identified dataset from the Colorado All Claims Payer Database for the years 2018 and 2019. The one-time cost is $9,450. The DUA begins June 30, 2021, and ends June 30, 2023, when the original dataset will no longer be retained. WCDPHE's application was reviewed and approved on June 22, 2021, by CIVHC's data release review committee to assure compliance with HIPAA. Activities associated with this DUA will be conducted by health department staff; no additional FTE is being requested. Assistant Weld County Attorney, Karin McDougal, has reviewed this Data Use Agreement and determined that its content is acceptable. What options exist for the Board? (include consequences, impacts, costs, etc. of options): Approving and signing this Agreement will enable WCDPHE to conduct a robust community health assessment, fulfill a core public health function for the citizens of Weld County, and maintain compliance with the Public Health Accreditation Board regarding Domain 1, Community Health Assessment. Declining this contract would result in a missed opportunity for accessing population health data, and improving our knowledge of health issues and needs in Weld County. Recommendation: I recommend approval of this data use agreement with CIVHC. Approve Recommendation Perry L. Buck Mike Freeman Scott K. James, Pro-Tem Steve Moreno, Chair Lori Seine Schedule Work Session Other/Comments: APCD DUA #21.156 Weld County Dept Public Health Market Assessment DATA USE AGREEMENT AGREEMENT FOR USE OF COLORADO ALL PAYER CLAIMS DATA This Data Use Agreement ("Agreement" or "DUA") is made and entered as of June 14, 2021 (the "Effective Date") by and between the Center for Improving Value in Health Care ("CIVHC"), in its capacity as the APCD Administrator, and Weld County Department of Public Health and Environment (hereinafter, the "Receiving Organization"). This Agreement addresses the conditions under which the APCD Administrator will disclose and the Receiving Organization may obtain, use, reuse, and disclose the APCD data file(s) or reports specified in this Agreement and/or any derivative file(s) (collectively, the "Data" or "APCD Data"). This Agreement supersedes any and all agreements between the parties with respect to the use of APCD Data. The terms of this Agreement can be changed only by a written modification to this Agreement or by the parties adopting a new agreement. The parties agree further that instructions or interpretations issued to the Receiving Organization concerning this Agreement, or the Data specified herein, shall not be valid unless issued in writing by the APCD point -of - contact or the APCD signatory to this Agreement. 1. Project and Data Release Application. This Agreement pertains to the following projects entitled: Weld County Market Assessment as described in the Data Release Application ("Application") approved by the APCD Administrator and incorporated into this Agreement as Exhibit 1. 2. Reauested Data Elements or File. This Agreement pertains to access to the data elements specified in Exhibit 3 through an electronic interface or to the following specialized data file created in accordance with the specifications contained in the Application: Weld County Department of Public Health and Environment. 3. Permitted Data Uses and Purposes. The Receiving Organization will not use or disclose the Data for any other purpose or in any other way than the purpose and uses described in this Agreement. 4. Safeauards. The Receiving Organization agrees to establish appropriate administrative, technical, and physical safeguards to protect the confidentiality of and prevent unauthorized use of or access to the Data. The Receiving Organization acknowledges that -1- the use of unsecured telecommunications, including the Internet, to transmit individually identifiable, or deducible, information derived from the APCD Data is prohibited. Further, the Receiving Organization agrees that the Data must not be physically moved, transmitted, or disclosed in any way from or by the site indicated in the Receiving Organization's Data Management Plan without written approval from the APCD Administrator unless such movement, transmission, or disclosure is required by law. 5. Inspections. The Receiving Organization agrees to grant access to its personnel, facilities, and the Data to the authorized representatives of the APCD Administrator at the site indicated in the Receiving Organization's Data Management Plan for the purpose of inspecting to confirm compliance with the terms of this Agreement. 6. Cell Suppression Policy. The Receiving Organization agrees that any use of APCD Data in the creation of any document (manuscript, table, chart, study, report, etc.) concerning the specified purpose must adhere to APCD cell size suppression policy. This policy stipulates that no cell (e.g., admittances, discharges, patients, services, others) with less than eleven observations may be displayed. Also, no use of percentages or other mathematical formulas may be used if they result in the display of a cell displaying less than eleven observations. Individual level records may not be published in any form, electronic or printed. Reports and analytics must use complementary cell suppression techniques to ensure that cells with fewer than eleven observations cannot be identified by manipulating Data in adjacent rows, columns or other manipulations of the report. Examples of such data elements include, but are not limited to geographic location, age if > 89, sex, diagnosis and procedure, admission/discharge date(s), or date of death. 7. Identification of Individuals. Except as provided in the protocol described in detail in [Exhibits 1 and 2, referencing Section #10 of this document], which has been reviewed and expressly authorized by the APCD Administrator, the Receiving Organization will not attempt to identify individuals in the APCD data or to link records included in the APCD data to any other individually identifiable source of information. 8. Results and Reports. The Receiving Organization agrees to provide the APCD Administrator with a copy of any results derived from the APCD Data and information regarding the outcome of the project, as it is described in the Application. The Receiving Organization must obtain approval from the APCD Administrator to release any reports or outputs prior to distribution outside the named project team. Distribution includes but is not limited to: peer review, submission to any federal or state agency, presentation of findings, or synopsis of research. The APCD Administrator will review the report within six weeks of receipt to confirm: a. The Receiving Organization's compliance with minimum cell size and complimentary cell suppression rules; b. That the report or output has incorporated appropriate protections to prevent inferential identification; and c. That the report or output is consistent with the project description contained in -2- the Receiving Organization's Application, as approved. 9. Additional Projects. Use of the same Data for a project other than the one described in this Agreement must be approved through a separate application process. The Receiving Organization understands and agrees that original or derivative Data file(s) cannot be reused or further disclosed without prior written approval from the APCD Administrator. 10. Exhibits. The parties mutually agree that the following are part of this Agreement: 0 Exhibit 1: Approved Application for to the Release and Use of Colorado APCD Data 0 Exhibit 2: Receiving Organization's Data Management Plan 0 Exhibit 3: List of Requested Data Elements O Other 11. Reporting and Treatment of Unauthorized Uses or Disclosures of Data. The Receiving Organization will report any unauthorized use or disclosure of the Data to the APCD Administrator within two days. In the event that the APCD Administrator determines or has a reasonable belief that the Receiving Organization has made or may have made a use, reuse, or disclosure of the APCD Data that is not authorized by this Agreement, or another written authorization from the APCD Administrator, the APCD Administrator may, at its sole discretion, require the Receiving Organization to perform one or more of the following, or such other actions as the APCD Administrator, in its sole discretion, deems appropriate: a. promptly investigate and report to the APCD Administrator the Receiving Organization's determinations regarding any alleged or actual unauthorized use, reuse, or disclosure; b. promptly resolve any issues or problems identified by the investigation; c. submit a formal response to an allegation of unauthorized use, reuse, or disclosure; d. submit a corrective action plan with steps designed to prevent any future unauthorized uses, reuses, or disclosures; and e. return all Data or destroy the Data it has received under this Agreement. The Receiving Organization understands that as a result of the APCD Administrator's determination or reasonable belief that unauthorized uses, reuses, or disclosures have taken place, the APCD Administrator may refuse to release further APCD Data to the Receiving Organization for a period of time to be determined by the APCD Administrator. 12. Breach. Receiving Organization acknowledges its legal responsibility resulting from any breach of this Agreement by Receiving Organization, or any breach of APCD Data arising from Receiving Organization's breach, or failure to perform, pursuant to this Agreement and agrees to be responsible to CIVHC for same. If the APCD Administrator, in its sole discretion, determines that the risk of harm created by such a breach or alleged breach of APCD Data requires notification of affected individuals and/or other remedies, the Receiving Organization agrees to carry out such remedies under the direction of and without cost to the APCD Administrator. -3- 13. Antitrust Compliance. Receiving Organization agrees to treat APCD Data confidentially, as specified in this Agreement, and not to use, or enable any other parties to use, the APCD Data for anticompetitive or other unlawful purposes, including but not limited to price-fixing, market or customer allocation, service or output restriction, price stabilization, or any other agreement or coordination among parties that in any way restricts or limits competition. Receiving Organization further agrees that it shall not attempt to identify, "reverse engineer," decompile, or in any other way attempt to discern the identities of specific parties that have been de -identified in the APCD Reports, nor shall Receiving Organization try to translate, convert, adopt, alter, modify, enhance, add to, delete, or tamper with any APCD Data or in any other way attempt to calculate or determine specific parties' prices from the APCD Data. 14. Project Workforce. All of the Receiving Organization's employees, contractors, and clients must adhere to the requirements contained in the Application and this Agreement. Any person or entity that processes or receives the Data and its agents must be obligated, by contract, to adhere to the terms of this DUA and agree to follow the Data privacy, security, and protection requirements, prior to being granted access to APCD Data. The following named individuals, and only these individuals, will have access to the APCD Data. The Receiving Organization will notify the APCD Administrator when an individual leaves the project. The Receiving Organization will obtain written approval from the APCD Administrator for any additions to this list, prior to granting such individuals with access to APCD Data. Cindy Kronauge, MPH, PhD Senior Health Data Specialist Weld County Dept of Public Health Elizabeth McEvoy Health Data Specialist I Weld County Dept of Public Health 15. Data Retention and Destruction. The Receiving Organization agrees to notify the APCD Administrator within 30 days of the completion of the Project Purpose (as specified in Section I of the Application) if the project is completed before the Last Day of the Data Retention Period (as specified in the Project Schedule). Upon such notice or the Last Day of the Data -4- Retention Period, whichever occurs sooner, the Receiving Organization agrees to destroy all APCD Data, in accordance with the methods established by the "Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals," as established by the U.S. Department of Health and Human Services (HHS). The Receiving Organization may request an extension of the Data Retention Period by submitting a written request that includes justification to the APCD Administrator. When retention of the Data is no longer justified and/or required by law, the Receiving Organization agrees to destroy the Data and send a completed "Certification of Project Completion & Destruction or Retention of Data" form (Appendix 1 to this Agreement) to the APCD Administrator within 30 days. The Receiving Organization agrees not to retain any APCD Data, or any parts thereof, or any derivative files that can be used in concert with other information to identify an individual, either directly or indirectly, after the aforementioned file(s) and Data are destroyed unless the APCD Administrator grants written authorization. The Receiving Organization acknowledges that such date for retention of Data is not contingent upon action by the APCD Administrator. 16. Term and Termination. The APCD Administrator or the Receiving Organization may terminate this Agreement at any time for any reason upon 30 days written notice. Upon notice of termination by either party, the APCD Administrator will cease releasing Data to the Receiving Organization under this Agreement and will notify the Receiving Organization to destroy all Data. This Agreement will remain effective in its entirety until the completed "Certification of Project Completion & Destruction or Retention of Data" has been received by the APCD Administrator. Sections 11, 12, 13, and 15 of this Agreement shall survive termination of the other provisions of this Agreement. By signing this Agreement, the Receiving Organization agrees to abide by all provisions set out in this Agreement SIGNATURES: For the CO APCD: CIVHC Signature:S�: For Receiving Organization: Weld County Signature: Steve Moreno IO Digitally signed by Steve Moreno Date: 2021.07.14 11:22:00 -06'00' Name: Pete Sheehan Name: Steve Moreno Title: VP of Client Solutions & State Initiatives Title: Chair, Board of County Commissioners Date: 06/15/2021 Date: 7/14/21 -5- CENTER FOR IMPROVING Its4 HEALTH u nt a rtm ent of Health En Cs'Ufltv Market Asscssment ata R les se F !j F) ;1 Pr.:1.±ct:'21.15 /15/2021 n The Center for Improving Value in Health Care (CIVHC), in its commitment to supporting the achievement of Triple Aim goals through data transparency and performance measurement, proposes to provide Cindy Kronauge of Veld County Department of Health y, Environment, with a CO APCD Standard Level 3 Data Set upon payment of the Non -Public Data Release Fee described below. The Project purpose, including its benefit to Colorado residents, and the specific data elements in the Data Set are described in detail in Application, Supplemental Application, and the related Data Elements Dictionary, herein referred to as 'APPLICATION'. Deliverable to CIVHC In accordance with the terms of CIVHC's Data Use Agreement, the Receiving Organization agrees to provide the APCD Administrator with a copy of any results derived from the APCD Data and information regarding the outcome of Project #21.156 within 12 months of CIVHC's fulfillment of the requested Data Set Disclaimer CIVHC aims to fulfill this non-public data release in accordance with the terms of the Application and related DEDt However, if in the course of data analysis and fulfillment, CIVHC discovers any concerns liPa related to compliance with HIPAA, HITECH or other state or federal data privacy and security laws and regulations; Federal Trade Commission or Department of Justice anti-trust safe harbor guidelines; CMS guidelines regarding minimum cell size and complimentary cell suppression, and / or APCD statutory and regulatory requirements, then CIVHC will promptly inform, and work with, the data requester on an alternative deliverable that meets the requester's needs and satisfies all legal requirements for the non- public release of data from the CO APCD. Fees Based Price of Standard Level 3 Dataset Including Commercial, Medicare Advantage, and Medicaid Data $14,000 CIVHC Financial Assistance Initiative (-25%) -$3,500 Incentive to Receive Final Signed Documents by June 23, 2021 (-10%) -$1,050 Total Non -Public Data Release Fee for #21.156 Weld County Market Assessment $9,450. Data Release Fees are based on a number of factors including labor and data analytics costs, time required to compile data sets, number of unique and specific data elements, output type, any professional services / consultation requested and indirect costs to CIVHC. The Non -Public Data Release Fees described herein are intended to cover the costs associated with preparation of the CO APCD Data Set described in the Application. Any changes to the Project scope, including any additional elements or custom analytics, may be subject to additional fees above what is reflected herein. Should the scope of this project change from the scope outlined in the APPLICATION and APPLICATION SUPPLEMENT, additional licensing fees will be applied. The licensing fee includes one revision not to exceed 5 hours of additional analytics, consulting or project management work. Any additional work beyond 5 hours will be billed at a rate of $250 per hour. Acknowledgment and Payment Terms: 1.) By signing below and sending this signed Data Release Fee Agreement back to CIVHC, you understand and agree to remit the "Data Requester's Non -Public Release Fee," which is payable to CIVHC in accordance with the invoice to be sent upon execution of this agreement. Requestor: CIVHC: Name (Printed): Steve Moreno Name (Printed): Pete Sheehan Signature: Digitally signed by Steve Moreno Signature: c--' SteveMoreno SIGVG MOre IO Date: 2021.07.141122x41 -06'00' / , — '1 t� � e%_____ Title: Chair, Board of County Commissioners Title: VP of Client Solutions & State Initiatives Date: Date: 06/15/2021 7/14/21 21 iP a ao,z/-i960 Exhibit I e Colorado rfY 9 'aver °aims Database Data &ease e a s e ¢!T� H<a1 t f CENTER FOR IMPROVING VALUE IN HEALTH CARE Thank you for your interest in obtaining data from the CO APCD® As you fill out this application, please let us know if you h=ve any questi }ns or concerns by reaching out to ColoradoAPCD@civhc.org. We are here to help! Also, please be aare that if you are requesting Protected Health Information (PHI), y our request requires a recommendation for ::approval by the Data Release Review Committee (D ` C)0 Data elements that ar considered PHI under HIP;-. _4 are indicated bel.fwe If HI is requested,, a CIVHC Account Executive will help you successfully co plete an applicati 5n and navigate the DRRC process. Please use this application to submit information regarding your request for data from the Colorado All Payer Claims Database (CO APCD). This information will help the Center for Improving Value in Health Care (CIVHC), the Administrator of the CO APCD, answer any questions you have regarding your data request and assist us in helping you complete the data application form. ote: Please reference the CO APCD Data Elements Request For- found at http://www.civhc.or et-cfata/data®release/ when completing this firms Introduction: Section 10 CCR 2505-5-1.200.5 describes how the CO APCD Administrator addresses Requests for Data and Reports: 1.200.5.A. A state agency or private entity engaged in efforts to improve health care or public health outcomes for Colorado residents may request a specialized report from the CO APCD by submitting to the administrator a written request detailing the purpose of the project, the methodology, the qualifications of the research entity, and by executing a Data Use Agreement (DUA), to comply with the requirements of HIPAA. 1.200.5. R. A data release review committee shall review the request and advise the administrator on whether release of the data is consistent with the statutory purpose of the CO APCD, will contribute to efforts to improve health care for Colorado residents, and complies with the requirements of HIPAA. The administrator shall include a representative of a physician organization, hospital organization, non - physician provider organization and a payer organization on the data release review committee. This Data Release Application serves as the written request for information noted in section 1.200.5.A. CO APCD APPLICATION FY21 V3.1 I Updated 6/26/2020 CENTER FOR IMPROVING VALUE IN MEAT CARE t eyr - %" / :� >. :r>x� e^t S< / „/ - it; ✓ N w }�,. / ,r ` FS' c.3 . s "G ,tr . , r , y ... .. g ,,, ('w9xY%/// .. .i / / T.y/ 4 /.. //� F., '/%✓/.f//<9 ....%v.//:r{../ /iir f.,.r� 'T // N .r ./' iii 8//.i%r r / ,,.//.."//%...,/: /._./� s! ::r v//./. T.,i .,../!/i i//%rY,.•,/ / ....G_ / �, G /../�• `.' !% ./.'. -;. ;f'�.wru/� /i. / /<: e, .(' ,3 G, ./. .. / r -J/ ..y . ,/ ,rrr� rJ... r. ha /,E. /. / u�".d. /, ,./ //la./1.,.-,//..:/1^ / `in �rar/G'roa,//G YyI. >/.,.rr,t., / ,/„ ��/ .eJu szs„Y /,^/.;✓)-1 ,. vrf. is,;/a, �/� /'"Y�,j, / �J;/ >s ,x -„• / <!./� .,d'G ./9/y t//s 7.5/.c _i.. �/ \, .s/:C. �/ .///. �/. ///d. ), , J /.. G/,), /g,O�,%% ✓ 4!<. ,.. ! % . //.dl'v/n/.r.44 ti. , ✓. ,r /mot. /.: :.G: 0, .. 1,� i) :P , .✓'" �f.R:?Y y ./u/3'.a;d!' / / f� . %r. f4y,iG ' : „d9: r.>." %ar/// / „% `?� a .c, / '-f- h .,afr / ,.- .✓/. .s. '/X..;" J!Ps' ,s/ /u. .< Ir ffi, oi/? xt , r,.r Y. � n'. r x / rte. " i /y„,( :/,>r/%l/. O i. .... 4:.. �.,./ (.,; :<.,/Y «...%'../>< _J'..,.. ,. /Fd ,.... �_ /../hfL ,/: x../ )/ z. ./ .fir ,$, 1. ...,r..r l„>'. -.n ,,.::.: , ,.,: /.//,.. , .... : ,&, _,/v. /'... Lr t L ,.../ i ,��%-.r rxr .::$%. %.1�/. C(l(r /... ,.✓ /). ./"_.-.. : l.v.��/ /.//... :/) ..yy/:: >�.(i/ ✓:' ..../<d/P .lrv�., l/ irr. //[ ,,/..✓ i /'/�I � /l , /il ,� h/ 3L'lnv// p� ,/:,./r/ 1/).)/ Y✓{. �/ J l _. ..../L. .. ,.., ,/..- FF e. :.... p,rSi..,. / � �n ..,,, J f.. �l �na ,f,,.d ...//, ..✓ ./.:�,h.. �/.,..� — ,: ✓ 1�.. 3 7 s; / cao :.b a.lv n El' / 1r & i ..�,,Y tv ,d'Mt!. 'PA ."Y' / 6/^/ M / /f n f. / / a 1; .. / / f lay ,7/ i � dr >N�y ,. E ti '.m/ �!'; '/ /' " ./6 / '/ ! .; 0 ."J ' ,§' , / 5 .: / ,� d$ �.''�+. 'sur /• . v i Aye i.: aw�r` /./, G x �. �•/f!�% •1,44. 9O / � � >Y � 0'-n it � >uS .//., :. z,,, ,:::{. v .:.G- Project Title: 21.156 Weld County Dept Public Health Market Assessment Date: June 14, 2021 Organization Requesting Data: Weld County Department of Health & Environment Contact Person: Cindy Kronauge, MPH, PHD Title: Senior Health Data Specialist E-mail: ckronauge@weldgovacom Phone Number: 970-400-2221 Person (if different Responsible than for the above): Project N/A Title: E-mail: Phone Number: Project Purpose: Project questions to be discussed with client representative: e Please describe your project and project goals/objectives. The Weld County Department of Health and Environment works to promote :;public health through the delivery of relevant, innovative, and cost effective services. To achieve the oest results it is important that we leverage data at every opportunity that makes sense. We are interested in obtaining a de -identified CO APCD data set, including both commercial and Medicaid claims c'ata, in order to assess a number of areas of interest° we wish to complete analyses to look at a number of areas including mental health and chronic condition prevalence and how patients are accessing the health care system in our area compared to neighboring regions as well as to the state of CO overall. Our objective is to determine where there are needs and oaportunities for the Department of Health along with its community partners to recommend or develop new programs to support public health ©r perhaps enhance existing programs. * What specific research question(s) are you trying to answer or problem(s) are you trying to solve with this data request? (Please list and number the individual questions.) what is the prevalence of chronic lealth cob hitions (e0g0 diabetes, Leart failure, COPD, etc.) in Weld county compared to neighboring cunties and the state of COoveraf ? Additionally,, how does this vary in we[, Cunty across the c.mrnercial and V edicaid popu atuon ? CO APCD APPLICATION FY21 V3.1 I Updated 6/26/2020 CIVHC CENTER FOR IMPROVING VALUE IN HEALTH CARE 2. What does nealth care S ilizatioiu (including csts) look Dike in Weld County compared to neighboring counties and tie state , f Colorado overall? How does tills vary across commercial and Medicaid populations? o� o. 3. To what extent are members of our community utilizing the emergency . R rT department for mental health issues (e.g. depression, anxiety, etc.)? Additionally, how does this vary in Weld County across the cornrnercial and Medicaid populla ion? o e 0� 4. Assess most cornnon reasons for ED visits as well as overar physician visits and identify whether the "e are opportunities to better coordinate care or provide education to support those wit i cha'lenging health care neecso H.: .w will this project benefit Colorado or Colorado residents? (this is a statutory requirement for all non-public releases of CO APCD data) Gaining a bei:ter understanding the health care needs of community residents through an analysis of these claims data will allow our department along with its community partners to fulfill its mission of delivering relevant and cost-effective services. We will focus on identifying where needs exist and where there is variation in our county compared to similar or neighboring counties and other regions in CO. The findings from this project will help Weld County Coloradans gain the opportunity to live healthier lives. ® Please answer all applicable questions below (Note that your project must meet one or more of the Triple Aim criteria below to generate a benefit for Colorado): o If applicable, how will your project support lowering health care costs? Identifying health care needs in our community and opportunities to intervene at earlier stages in for inaividualls with mental health and / or chronic conditions will help to lower overall costs over time. o If applicable, how will you project help improve the health of Coloradans? We plan to use this information to have meaningful discussions around change with our community partners, including health care partners, and consumers in We d Cm_nty. o If applicable, how will your project improve the quality of care or patient experience? * Do you need a claims data set or would you like a custom report generated by CIVHC that addresses the specific questions/problems your project seeks to address? Claims Data set Do you need Protected Health Information (PHI)? No PHI Needed o Do you need patient -specific dates (e.g., dates of service or DOB) or 5 digit zip code. If so, this is a request for a limited Data Set. o Do you need direct patient identifiers such as name, address, or city? If so, this is a request for an Identifiable Data Set (requires IRB approval). o If you do not require any PHI, please only complete PART ONE of the application. Co APCD APPLICATION FY21 V3,1 Updated 6/26 2020 GWEN 22_ CIVHC CENTER FOR IMPROVING VAti E IN HEALTH CARE Please note: your CIVHC representative will work with you to complete Addendum I ® Analyst Supplement to address data warehouse specific questions. I. T pe of Co APCD Analytic Data Set Requested (Not olicable f it Custm Report Requests) Please select the type of data set that you are requesting by checking one of the boxes below (select only ONE op₹i • n). Details on each type of CO APCD data set can be found in The CO APCD Companion Instruction Guide (available from your CIVHC representative): ypes f lytic * ata Sets (Please select 4 `il E below) For users interested in a wide range of data to analyze on their own. x De -Identified Data Set Limited Data Set* Identified Data Set * *These types of data requests include Protected Health Information (PHI). Under HIPAA, PHI may only be released in limited circumstances for public health, health care operations, and research purposes under the terms of a HIPAA compliant data use agreement (DUA). 2® Request fat d Y.ata Elements — Limiter a p !: d Fully Identifiable Data ets The CO APCD is committed to protecting the privacy and security of Colorado's health care claims data. The CO APCD will limit the use of the data to purposes permitted under applicable laws, including APCD Statute/Rule and HIPAA/HITECH, to information reasonably necessary to accomplish the project purpose as described in this Application. Data Element Selection and Justification If you have not already done so, please use the Data Element Dictionary (DED) to identify the specific data elements that are required for this project. In keeping with the minimum necessary standard established under HIPAA, CO APCD policy is to release only those data elements that are required to complete your project. Street Address City Zip Code Health Plan Beneficiary Numbers Dates (including Day and Month detail.) Specify which date fields are needed and why. Provider Identifying Information CO APCD APPLICATION! FY21 V3.1 I Updated 6/26/2020 CENTER FOR IMPROVING VALUE IN HEALTH CARE A. Cc*u ts, T talk and ther Su _,,.. mary Statistics The CO APCD seeks to provide aggregated summary data whenever possible. Applicants are encouraged to request counts, totals, rates and other summary values whenever such information can reasonably accomplish the purpose of the project (add rows to the table below if necessary). The Co APCD supports the federal CMS minimum cell size suppression policy that requires any cell in any report or data table, printed or electronic, with less than eleven records or observations to be replaced by "Less than eleven" or similar text. You must also apply complementary cell suppression techniques to ensure that cells with fewer than eleven records cannot be identified by manipulating data in adjacent rows and columns. r•" r nii� >.rnl', r/ ' s 4�' ./ r r /,"� r r/ / o r:. 'on. 's ''!5 g r ✓ '' l / d/ S? / / a'` (%:aFa4V�%<6% J �' / / / !f r� _ /• r �Y ' ru+•^_ [add rows as needed] B. Li ka _ es tf :t ,per Data Sets The CO APCD seeks to ensure that data cannot be re -identified if it is linked to or combined with information obtained from other sources. If this project requires claims line level detail or includes linkages to other databases, or if CO APCD data will be combined with other information, provide a justification for each proposed linkage. Be sure to describe how this will contribute to achieving the project purpose, including whether the project can be completed without this linkage, and the steps you will take to prevent the identification of individual patients: sly you link the Co ACD data tanother data s.: ,mrce? X No Yes. If yes, please answer the following questions. ® Which CO APCD identifying data elements will be used to perform the linkage? ® Once the linkage is made, what non -CO APCD data elements will appear in the new linked file? Have all necessary approvals been obtained to receive and link with the other data files (e.g., IRB or Privacy Board approval)? Yes, if so please provide copy In progress, anticipated approval date: No or N/A, reason: CO APCD APPLICATION FY21 V3,1 pdated 6/26/2020 CIVHC CENTER FOR IMPROVING VALUE IN flEALTt 4 CARE C. kktribn fthe Report or Pr.Suct: Prk rr Re iew by the c r CD Administrator If you are producing a report for publication in any medium (print, electronic, lecture, slides, etc.) the CO APCD Administrator must review the report prior to public release. The CO APCD Administrator will review the report for compliance with CMS cell suppression rules; risk of inferential identification; and consistency with the purpose and methodology described in this Application. ® Please describe your audience and how to you will make your project publicly available? ® If the report is not to be made publicly available, then briefly describe how the information derived from this data will be used and by whom: Other Organizations: Do you intend to engage third parties who will have access to the data requested as part of this project? If so, list the organizations below, describe their role(s); and explain why they will be granted access to the requested data. Organization/Company Name: Contact Person: Title: Y Address: Telephone Number: E-mail Address: Role or responsibility in this project [add rows as needed] Project Schedule: Proposed Project Start Date: J une 30, 2021 Project End Date: June 30, 2023 Proposed Publication or Release Date: TBD End of Date Retention Period: December 30, 2023 CO APCD APPUCA ION FY21 V3a1 Updated 6/26/2020 NHC CENTER FOR IMPROVING VAl.,JE IN HEALTH CARE Frequency Data in the CO APCD Warehouse is refreshed every other month and data products can be provided on a one time basis or under a subscription model (e.g., quarterly, bi-annually or annually). Please select frequency below. One Time OR Subscription (Please select subscription model below) Quarterly Bi-annually Annually E. Project eporting CIVHC highlights projects and data analysis on the public website: www.civhc.org/change- agents. This display of CO APCD projects provides future data requesters with ideas of how they can structure their analysis, and allows CIVHC's stakeholders to see how CO APCD data recipients are working to accomplish the Triple Aim for Colorado. Data recipients have the option of choosing whether to be identified or to not be identified. X Yes, it is okay for CIVHC to identify my organization No, I do NOT wish for CIVHC to identify my organization If you are requesting a Custom Report with analytics to be provided by CIVHC; please stop here and submit the information above to your CIVHC representative. CO APCD APPLICATION FY21 V3.1 ( Updated 6/26/2020 CENTER FOR IMPROVING VA€.UE IN HEALTH CARE j i Ll �J cable for stom Report Request: I. r rganizational Ca aa As an Attachment, please provide copies of the Data Privacy and Security Policies and Procedures for the Requesting Organization as well as those of any third parties that will have access to the requested CO APCD data. Attached • Has the Requesting Organization or any member of the project team ever been involved with a project that experienced a data security incident? If so, describe the incident, the response procedures that were followed and any subsequent changes in procedures, processes or protocols to mitigate the risk of further events. b.I To the extent that the Data Privacy and Security Policies and Procedures, provided as an Attachment, do not already do so, please answer or attach answers for the following: ® Physical Possession and Storage of Ct ` .PCD Data Files: o Describe how you will maintain an inventory of CO APCD data files and manage physical access to them for the duration of the project: o Describe your personnel/staffing safeguards, including: Confidentiality agreements in place with individuals identified as being assigned to this study. Include, for example, agreements between the Principal Investigator or Data Custodian and others, including research team members, and information technology and administrative staff: Staff training programs you have in place to ensure data protections and stewardship responsibilities are communicated to the research team: • Procedures to track the active status and roles of each member of the research team throughout the project and a process for notifying the CO APCD of any changes to the team: o Describe your technical and physical safeguards. Examples include: ® Actions taken to physically secure data files, such as site and office access controls, secured file cabinets and locked offices. Safeguards to limit access to CO APCD data and analytical extracts among the research team (Note: if the distribution of analytical data extracts among the researcher team is part of your data management plan, the extracts remain subject to the terms of your Data Use Agreement). o Provide a brief description of your policies and procedures for ensuring that CO APCD data are protected when stored on a server. Describe how your organization prevents the copying or transfer of data to local workstations and other hard media devices (CDs, DVDs, hard drives, etc.). Note that Applicants are required to encrypt CO APCD data both in motion and at rest: o Data Reporting and Publication CO APCD APPLICATION FY21 V3.1 ; Updated 6/26/2020 MA 0 CENTER FOR IMPROVING VALUE IN HEALTH CARE ® Your organization must ensure that all analytic extracts, analyses, findings, presentations, reports, and publications based on CO APCD data files adhere to specific requirements of the Data Use Agreement (DUA: refer to sections 6, 7 and 8 in the Data Use Agreement). Briefly describe your plan for demonstrating that data reporting and publication processes will be consistent with the DUA, including adhering to CO APCD cell suppression policies: 2. Completion of Research Tasks and Data Destruction Your organization must ensure that it has policies and procedures in place to destroy the CO APCD data files upon completion of the project and that you have safeguards to ensure the data are protected when researchers terminate their participation in the research project. Describe your plan for demonstrating that your organization has policies and procedures in place to reliably destroy the data files upon completion of the research: 3. Request for Privacy Board Approval (Only Applicable to Identifiable Data Requests) Projects that request Identifiable information for a research purpose may require approval from the DRRC acting as a Privacy Board if an IRB is not available. ® The DRRC, acting as a Privacy Board, may approve a waiver of the individual authorization normally required to release PHI under CFR § 164308 if: ® It would be impracticable for researchers to obtain written authorization from patients that are the subject of the research; and • The research could not practicably be conducted without access to and use of the PHI. ® The DRRC, acting as a Privacy Board, is required to evaluate certain criteria in considering whether to approve an authorization waiver. If you are requesting Identifiable Information for a research purpose, explain why your proposed use of PHI involves no more than a minimal risk to the privacy of patients that are the subject of the research. Evidence of minimal risk to the privacy of patients that should be addressed in your explanation includes: ® An adequate plan to protect PHI identifiers from improper use and disclosure; • An adequate plan to destroy PHI identifiers at the earliest opportunity; and ® Adequate written assurances that PHI will not be reused or disclosed. CO APCD APPLICATION FY21 V3.1 i Updated 6/26/2070 rasa CIVEAC CENTER FOR IMPROVING VALUE IN HEALTH CARE ppena CertFflca6on 4 Pr etention of Data (Pleas Save) cm kid S n and Destruct or Name: Title: . Organization: Address: Tel Number: Fax Number: E-mail Address; Project Title: Data Sets: Years: ® Certification of Data Destruction Date the Data was Destroyed: !l Request to Retain Data Date Until Data Will Be Retained: Instructions: Data must be destroyed so that it cannot be recovered from electronic storage media in accordance with the methods established by the "Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals," as established by the U.S. Department of Health and Human Services (HHS). I hereby certify that the project described in the Application is complete as of this date 20 Complete the appropriate section, below: /we certify that we have destroyed all Data received from the Co APCD Administrator in connection with this project, in all media that were used during the research project. This includes, but is not limited to data maintained on hard drive(s), diskettes, CDs, etc. I/we certify that we are retaining the data received in connection with the afrementioned project, pursuant to the following health or research justification (provide detail, use as much additional space as necessary and state how long the data will be retained). I/uve hereby certify that we are retaining the Data received from the APCD Administrator in connection with the aforementioned project, as required by the following law. [Reference the appropriate law and indicate the timeframe]. CO APCD APPLICKnON FY21 Vj.1 Updated 6/26/2020 MINIM. CWWHC VAWE N MEAD'S CARE By signing this Agreement, the Receiving Organization agrees to abide by all provisions set out in this Agreement. SIGNATURES: For the CO APCD: Signature: For Receiving Organization: Weld County Signature: Steve Moreno Name: Pete Sheehan Name: Steve Moreno Dgitany signed by Steve Moreno Date: 2021.07.14 11:23:10 -06'00' Title: VP of Client Solutions & State initiatives Title: Chair, Board of County Commissioners Date: 2 ( a- ( a- Date: 7114/21 CO APCD APPLICATION FY21 V3,1 Updated 6/26`2020 UM. C CENTER FOR. lMPkII.viIvu VALUE IN HEALTI, CARE Addendum I - Analyst Supplement Colorado All Payer Claims Database Application Project Description and Data Objective Project Title and number: 21.156 Weld County Dept Public Health Market Assessment Date Range or Years Requested — What years of claims do you need to meet your project purpose? (If you want a range of data with specific month and day start and end dates, please supply the start and end dates next to the appropriate year.) Check all that apply: ❑ 2012 ❑ 2013 ❑ 2014 ❑ 2015 ❑ 2016 ❑ 2017 ® 2018 ❑ 2019 ❑ 2020* *Please consult the Data Warehouse refresh schedule to learn what is currently available for 2020 Medicare FFS data: Data requests are only available for research purposes and must be approved and financially supported by HCPF. Check all that apply: ❑ 2012 ❑ 2013 ❑ 2014 • 2015 ❑ 2016 ❑ 2017 ❑ 2018 ❑ 2019 Lines of Business: Which payers do you need for your project purpose? Please check all that apply Commercial Payer Claims - Data available with appropriate levels of aggregation Need to discuss appropriate level of aggregation for client request type; would need analyst input ►Z� Individual Small Group Plans Large Group Plans ■ Currently available: Medical Claims AND Pharmacy Claims from 2012-2020 1_4 CO APCD ANALYST APPLICATION SUPPLEMENT FY21 V12 I Updated 06/26/2020 CDVHC CENTER FOR IMPROVING VALUE IN HEALTH CARE The folio Clan s Eligibility Servicin= and Billing Provider inf ormation Fully insured Employer Plans Self -Insured ERISA and nn-ER!SA based Employer Plans (note: ERISA-based plans are voluntary submitters and are not all represented in the CO APCD) Currently available: Medical Claims AND Pharmacy claims 4-4 Claims Eligibility Servicing and ► illing Provider informati. n Medicare Advantage - data is available with appropriate levels of aggregation Need to discuss appropriate level of aggregation for client request type; would need analyst input Currently available: Medical AND Pharmacy claims from 2012-2020 Claims e Eligibility ® Servicing and Billing Prvider information Health First C lorado (C =1 rad s Medicaid Program) - Data requests must be reviewed by the Colorado Department of Health Care Policy and Financing (HCPF) to ensure alignment with administration of the Medicaid program as required by federal law a Currently available: Medical Claims AND Pharmacy Claims from 2012-2020 Claims Eli ibility Servicing and Billing Provider information ing lines ti sf busin ss, when r :quested, require CRAW Data Release Review Committee review as w II as HCPF review, appr al, and financial suppc:•yrt® Medic re F ee F r S=ervice (FF) - Data requests are only available for research purposes and must be approved and financially supported by HCPF. Currently cvaitzwsble0 Medical Claims AND Pharmacy Claims from 2012-2018 yermS •Y� ® Claims Eligibility S rvicin and filling Provider information edif k Details — Do you need to limit claims to particular health insurance coverage types? Yes If YES, please indicate the specific information you would like to include: o Payer Line . ';f Business Coercial A I ,, Payer ame: Please note Anti-trust guidelines will be followed. (DRRC review maybe also be required) Co APCD ANALYST APPLICATION SUPPLEMENT E ; 2i. V3.2 I Undated 06/26/2020 et:3 Ka 5 + '` fix#OMR u'. h C o Please provide listing of payer names and health plans merci Prosffuct Line(s): ■ PP{..�.r Ho P05 Supplemrntal In r:mnity Other- Please specify o Please provide listing of other product lines Iorads Exch: nge, Cnett for Health C Irado, Pro Ruct Lines: Cc old Silver Br::,, ze ■ CIVHC CENTER FOR € PROVING VALUE IN HEALTH CARE Payment Type - Which elements of total paid amount on each claim do you need to support your project purpose? (Check all that apply) Chat) .ed u! t Ian Paid A,%-:.. ,unt* .mo Me ter Liars itv 1 Le am unt the member is responsible for (check all that ap C=}insurance De€. uctible Ct.pay Total II • t:y ;ed Am unt — (summation of plan paid and member liability) Prepaid Amount — (to be considered for capitated payment plans only) dical Claims - Which types of claims do you need for your project purpose? Check all that apply ,7. ly) InpC! tient (IP) — Related to individuals who receive care in hospital settings Outpatient (OP) — Related to an individual receiving medical treatment in any setting other than a hospital admission (i.e. ambulatory surgery center; doctor's office, imaging center, Emergency Room, home health, etc.) Professional (PR F) — Related to medical procedures within professional settings (e.g. physician office, imaging center, etc.) and clinics Pharmacy Claims - Do you need prescription drug -based claims for your project purpose? Yes No If YES, and you need pharmacy claims limited to specific drug types, please list the 11 -digit NDC codes you would like to receive (®Iii N T INCLUDE DASHES ,fit ,; PROVIDE LEADING ZEFl S) CO APCD ANALYST APPLICATION SUPPLEMENT FY21 V3.2 I Updated 06/26/.2020 CENTER FOR IMPROVING VALUE €N HEALTH -3 CARE , Please provide listing Dente. I CIA_.� s - Do you need dental claims for your project purpose? Yes No Site of Service Detail - Do you need to look at claims that occurred in specific care settings for your project purpose? i.e., do you need to limit services by site of service? Yes No If YES, please indicate the specific information you would like to include: Hospital ambulatory Surgery C nters o Outpatient F ciities Physician offices Specialty offices R:; sme Health Urgent Care Emair enReorn ( kite: cannot differentiate between majority of Free -Standing and 1 • hr ;{spita&mbased ERs) El Other (specify) Please list other site of service details ProAdeHeel ,, et it - Do you need claims limited to specific providers or provider type(s) ie. (Provider IDs, locations, hospitals, medical groups, etc.) for your project purpose? Yes No ® If YES, please indicate the specific provider types you would like to include or provide a list of providers: Facilities (hospitals, ambulatory surgery centers, etc.) ® Please provide listing Professionals Ea Please provide listing Provider Taxi nomy m Specialty Designati ns Please provide listing National Provider Identifier ® Please provide listing Other Please provide listing CO APCD ANALYST APP,l JCA T !ON SUPPLEMENT FY21 V3.. { Updated 06/26/20.20 man non rasa CIVHC CENTER FOR IMPROVING VALUE IN WEALTH CARE Geography- Do you need claims data limited by geography or location for your project purpose? Yes No ■ • If YES, please indicate the geographic groupings you would like to include: Provider location address IM Need full address of all providers in CO Member location address ® Please provide listing Zip 3 • Please provide listing Health Statistic Region http://www.cohid.dphe.state.co.us/brfssdata.html ■ ■ • Please provide listing County (Potential PHI) ■ Please provide listing Zip 5 (PHI) • Please provide listing Other • Please provide listing Age and/or Gender - Do you need claims data limited by age or gender for your project purpose? Yes N o • If YES, please indicate the groupings you would like to include: Age bands/range (in years) requested (i.e. 0-21, 22-39, 40-55, etc.) Please specify specific bands and/or ranges ■ Please specify how you would like age to be calculated (i.e. Patient age at the end of year, at the time of service, etc.) Gender ■ ■ ■ Male Female Unspecified Membermlevel Detail - Do you need claims filtered at the member level for your project purpose? i.e., do you need claims limited to specific members for your project? ■ Yes N o • If YES, please indicate the information you would like to include: ■ De -identified member information CO APCD ANALYST APPLICATION SUPPLEMENT FY21 V3.2 I Updated 06/26/2020 I.- e• ■/MN ICMMO CIVHC VALUE �N CAE6 ❑ Unique member and person ID ❑ Gender O Age: (at time of service) ❑ 3 -digit zip O Protected Health Information (PHI) — Any of the below requires DRRC approval process ❑ Names (first, last, middle) (PHI) O Street Address (PHI) ❑ City (PHI) O 5 Digit Zip (PHI) ❑ DOB -Dates of Birth (PHI) ❑ DOS -Dates of Service (PHI) Diagnosis Detail — Do you need claims limited to a specific diagnosis or multiple diagnoses for your project purpose? O Yes ® No • If YES, please indicate the specific diagnosis code(s) you would like to include (DO NOT USE DECIMAL POINTS AND DO NOT REMOVE LEADING AND TRAILING ZEROS): o Please provide listing Procedure/Revenue Code Detail — Do you need claims limited to specific procedure or revenue code(s) for your project purpose? ❑ Yes ® No • If YES, please indicate the specific procedure/revenue code(s) you would like to include under each type requested: ❑ CPT4 Please provide listing ❑ CDT Please provide listing ❑ Revenue code Please provide listing ❑ APR-DRG Please provide listing ❑ ICD9 or ICD10 (Please indicate whether the codes you provide are ICD 9 or 10 codes) Please provide listing CO APCD ANALYST APPLICATION SUPPLEMENT FY21 V3 2 j Updated 06/26/2020 ---- soma CIVIC Acknowledgement of Review and Approval of the Data Elements Dictionary that Accompanies the Project - Steve Tig6aAy signed by Steve Moreno Moreno Tate: 2021.07.14 Initials: „23:46-06'00' DED filename and/or version number: vl0.4 Additional Requests/Info Not Included Above - Is there any additional information you would like for us to know to fulfill your request? By signing this Agreement, the Receiving Organization agrees to abide by all provisions set out in this Agreement. SIGNATURES: For the CO APCD: For Receiving Organization: Weld County Digitally signed try Steve Moreno Signature: Signature: Steve Moreno Date: 202107.,a,,:z3:59-06'00' Name: Pete Sheehan Name: Steve Moreno Title: VP of Client Solutions & State Initiatives Title: Chair, Board of County Commissioners Date: rj / a _/ Date: 7/14/21 CO APCD ANALYST APPLICATION SUPPLEMENT FY21 V3.2 Updated 06/26/2020 txnit It 1. CHAPTER 3 - Human Resources ARTICLE XV HIPAA Policies and Procedures ARTICLE XV HIPAA Policies and Procedures Sec. 3-15-10. Purpose, authority and applicability. A. On August 14, 2002, the U.S. Department of Health and Human Services (HHS) published final regulations for Standards for Privacy of Individually Identifiable Health Information (the "Privacy Rule"). The Privacy Rule was established to provide national standards for the protection and privacy of Protected Health Information. The purpose of this Article is the establishment of the Health Insurance Portability and Accountability Act Policies and Procedures ("HIPAA Policies and Procedures") for the employees of the Covered Departments of the County (collectively, the "Covered Employees"). B. This Article provides a comprehensive outline of the County's responsibilities for compliance with federal HIPAA Privacy Regulations. Any policies, procedures or forms promulgated by state or federal health grant programs which are equal to or more stringent than the County's policies will take precedence over the County's. The County policies in this Article are the minimum standard for Covered Employees; however, state or federal grant programs may choose or require additional or alternative policies, procedures or forms to accomplish the same HIPAA compliance requirement. In those instances, to ensure that grant requirements are met and to avoid redundant effort, the state or federal grant policies, procedures and forms may be used as long as they meet the minimum standards specified in this Article. Alternative grant policies, procedures and forms must be approved by the HIPAA Privacy Officer. C. The County's policy on confidential information applies in addition to any HIPAA policies on breach of privacy or confidentiality. Any HIPAA policies on personnel discipline for breach of privacy or confidentiality as set forth in this Article apply in addition those cited in the County's Personnel Policies set forth in Chapter 3 of this Code. If there is conflict in any provision of the HIPAA policies concerning personnel discipline and the County's Personnel Policies concerning discipline and grievance, the County's Personnel Policies shall take precedence. D. All members of Covered Departments shall be trained regarding HIPAA privacy policies and procedures with respect to PHI, as necessary and appropriate to carry out their duties and responsibilities. (Weld County Code Ordinance 2012-10) Sec. 3-15-20. Definitions. For the purposes of this Article, the following terms, phrases, words and their derivations shall have the meanings given herein: Business associate means a person or entity (not a member of a covered entity's workforce) that helps a covered entity with a function or activity involving the use or disclosure of Individually Identifiable Health Information, or offers service to the covered entity which involves the disclosure of Individually Identifiable Health Information. Covered Departments mean those departments of the County, or any programs under the authority of such departments, which constitute a covered health care component under HIPAA. This includes the following departments: a. The Weld County Department of Public Health and Environment (Health). b. The Weld County Department of Human Resources (HR). Weld County, Colorado, Charter and County Code (Supp. No. 70) Created: 2021-05-03 14:18:57 (EST] Page 1 of 24 c. The Weld County Department of Accounting (Accounting). d. The Weld County Jail (Jail). e. The Area Agency on Aging (Area Agency). De -identified information means health information that does not identify an individual and, with respect to which there is no reasonable basis to believe that the information can be used to identify an individual, is not individually identifiable health information. Health information means any information, whether oral or recorded in any form or medium, that: a. Is created or received by a Covered Department or other covered entity; and b. Relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual. HIPAA means the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d - 1320d8, as amended, and the regulations thereunder, 45 C.F.R. Parts 160 and 164. Individually identifiable health information means a subset of health information collected from an individual that: a. Is created or received by a health care provider, health plan, employer or health care clearinghouse; and b. Relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and c. Identifies the individual; or d. With respect to which there is a reasonable basis to believe the information can be used to identify the individual. Routine health information meeting the above definition will be automatically designated as PHI immediately upon its creation or receipt by the Covered Employees. Payment means the activities undertaken by: a. A health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or b. A health care provider or health plan to obtain or provide reimbursement for the provision of health care. Protected health information (PHI) means individually identifiable information, including demographic information collected from an individual, about a person's past, present or future health care or payment for health care, maintained in any form or medium or transmitted electronically. Psychotherapy notes means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint or family counseling session and that are separated from the rest of the individual's medical record. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests and any summary of the following items: diagnosis, functional status, treatment plan, symptoms, prognosis and progress to date. Treatment means the provision, coordination or management of health care and related services by one (1) or more health care providers, including the coordination or management of health care by a health Created: 2021-05-03 14:18:56 [EST] (Supp. No. 70) Page 2 of 24 care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one (1) health care provider to another. Sec. 3-15-30. Privacy Officer and Privacy Policy. A. The HIPAA Privacy Officer ("Privacy Officer") shall be the Director of Human Resources or in his or her absence, the Human Resources Risk Manager. The Privacy Officer's primary responsibilities include: 1. Development of the HIPAA Privacy Policies and Procedures. This shall include an annual review to ensure compliance with federal and state law. 2. Oversight of the HIPAA Privacy Policies and Procedures implementation. 3. Preparation and oversight of distribution of the HIPAA Privacy Notice. 4. Providing assistance to Covered Departments in determining potential risks and vulnerabilities to the integrity of PHI. 5. Development, coordination and participation in the education and training for the Covered Employees. 6. Development of an atmosphere to encourage staff to report possible noncompliance by the County, health insurance carriers and/or Third Party Administrators (TPA). 7. Acting on matters related to privacy compliance. This includes the design and coordination of internal reviews and any needed corrective action (e.g., revisions to HIPAA Privacy Policies and Procedures, institution of additional training, etc.). 8. Coordination of disciplinary sanctions associated with violations of the HIPAA Privacy Policies and Procedures. 9. Coordination of mitigating efforts in the event of a violation of the Privacy Rules. 10. Review and accommodation, if appropriate, of individual requests for confidential communications of PHI. 11. Review and accommodation, if appropriate, of individual requests for restrictions on use and disclosure of their own PHI. 12. Review and accommodation, if appropriate, of individual requests for amendments to their own PHI. This includes notification of approval or denial of the amendment to the individual and/or any relevant Business Associate, as necessary. 13. Preparation of PHI summaries, upon an individual's request for access to his or her own PHI records, in accordance with Section 3-15-130 of this Article. 14. Periodic revision of the HIPAA Privacy Policies and Procedures as a result of changes of Federal and state law. 15. Receiving complaints against Covered Departments. B. General Privacy Policy. It is the policy of the County to protect the privacy and confidentiality of patients' PHI by following the requirements of federal and state law and the County's policies and procedures. The policy provides the basics of the County's privacy compliance framework. The policy should be provided to each individual as necessary to make informed decisions about his or her own PHI, and shall be generally available from the Privacy Officer. 1. Required disclosures. The County may make disclosures without consent or authorization as required by law, as required for public health purposes, for certain health oversight activities, for certain judicial Created: 2021-05-03 14:18:56 [EST] (Supp. No. 70) Page 3 of 24 and administrative proceedings and for certain law enforcement activities, to coroners or medical examiners. 2. Unique restrictions on disclosures. A patient's request for a particular restriction on the use or disclosure of his or her PHI shall be referred to the Privacy Officer. 3. Potential violations. Any person believing that the County has violated a policy or provision of law related to privacy issues must contact the Privacy Officer immediately. The County will not retaliate against employees who report in good faith. The County will take all reasonable steps to mitigate any damages caused by an improper use or disclosure of PHI. C. Minimum necessary information. Covered Employees shall follow proper procedures to ensure that only the minimum amount of PHI necessary to accomplish the specific purpose of a use or disclosure is actually used or disclosed. D. Covered Employees shall request only the minimum amount of PHI necessary to accomplish the specific purpose of the request. This includes routine and/or recurring requests. 1. This policy does not apply to the following uses or disclosures: a. Disclosure to, or requests by, a provider for treatment. b. Uses or disclosures made to the individual who is the subject of the information. c. Uses or disclosures pursuant to an Authorization. d. Disclosures made to the Covered Departments. e. Uses or disclosures required by law or for compliance with applicable laws and regulations, as determined by the Privacy Officer. 2. All proposed uses or disclosures of PHI shall be reviewed by persons having an understanding of these privacy policies and practices and sufficient expertise to understand and weigh the necessary factors. 3. Covered Department employees shall only use, disclose or request an entire medical record when the entire medical record is specifically justified as being reasonably necessary to accomplish the purpose of the use, disclosure or request. Covered Employees shall document the request and justification for disclosure of the entire medical record, except when the entire medical record is disclosed to a provider for purposes of providing care. 4. Within the Covered Departments, only appropriate personnel shall have access to PHI, as determined by the department director in conjunction with the Privacy Officer. Such individuals shall maintain the appropriate levels of access to PHI on a routine basis to appropriately accomplish their duties and responsibilities. 5. The following criteria shall be used in limiting the amount of PHI requested (disclosed) by the Covered Employees: a. Do the individuals who are requesting or disclosing the PHI have a complete understanding of the purpose for the use or disclosure of the PHI? b. Are all of the individuals identified for whom the requested use or disclosure of the PHI is required? c. A request for an entire medical record requires the requestor to justify disclosure of the entire medical record to be reasonably necessary. 6. Requests for disclosures of PHI shall be reviewed on an individual basis in accordance with criteria listed in the policy. Created: 2021-05-03 14:18:56 [EST] (Supp. No. 70) Page 4 of 24 7. Covered Department employees may reasonably rely on requests by: a. Public health and law enforcement agencies in determining the minimum necessary information for certain disclosures; b. Other Covered Entities in determining the minimum necessary information for certain disclosures; or c. A professional who is a member of its workforce or is a Business Associate of a Covered Department for the purpose of providing professional services to the Covered Department, if the professional represents that the information requested is the minimum necessary for the stated purpose. 8. Knowledge of a violation or potential violation of this policy must be reported directly to the Privacy Officer. E. De -identified information shall not be disclosed if those Covered Department employees creating or disclosing the information, or any other employees of the Covered Department, have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information. De -identification requires the removal of names, addresses, birthdates, ages, telephone/fax numbers, social security numbers, account numbers, license numbers, fingerprints, full -face photographs or any other unique identifier. Such de -identified information may be used or disclosed as a limited data set for research, public health or health care operations and may be provided to Business Associates pursuant to a written agreement. F. Covered Departments, with the assistance of the Privacy Officer, shall comply with any other duty required by the Secretary of DHHS. (Weld County Code Ordinance 2012-10 ; Weld County Code Ordinance 2014-12 ) Sec. 3-15-40. Authorization for disclosure of PHI. A. For all uses and disclosures of an individual's PHI, the Covered Department shall obtain a signed authorization from the individual, unless the use or disclosure is required or otherwise permitted without an authorization for treatment, payment or health care operations or as otherwise permitted by 45 C.F.R. Part 164 (the Privacy Rule). The Covered Department shall be permitted, but not required, to obtain consent for disclosure related to treatment, payment or health care operations. B. The Covered Department shall comply with the requirements set forth in 45 C.F.R. § 164.508, to obtain authorization to use or disclose PHI. C. The Covered Department shall not condition treatment, payment or enrollment in the health plan or eligibility for benefits on the provision of an authorization, unless the authorization sought is for the health plan's eligibility or enrollment determinations relating to the individual or for its underwriting or risk rating determinations. D. The Covered Department shall obtain a signed authorization from all individuals before using or disclosing their PHI for purposes other than treatment, payment or health care operations. Additionally, PHI may be disclosed without a signed authorization under certain circumstances, as listed in the Privacy Policy. E. Authorization is required for the disclosure of psychotherapy notes, except to the originator of the notes, for treatment, payment or health care operations. F. The authorization shall be written in plain language and shall allow individuals to request that their PHI be used or disclosed for specific purposes. Created: 2021-05-03 14:18:56 [EST] (Supp. No. 70) Page 5 of 24 G. When the Covered Department initiates an authorization to use or disclose PHI for its own purposes, the Covered Department shall provide individuals with any facts they need to make an informed decision as to whether to allow release of the information. H. The authorization shall not be combined with another document to create a compound authorization unless: 1. The other document is a similar authorization; or 2. If the authorization is for the disclosure of psychotherapy notes, the other document is also an authorization for the disclosure of psychotherapy notes. I. Whenever a Covered Department requests an authorization from an individual, the Covered Department shall use a form which complies with this policy and with HIPAA generally. Nothing in this policy prohibits a Covered Department from jointly using any form with other Covered Departments or other treatment providers in which the Covered Department shares information pursuant to an Organized Health Care Arrangement. The form must be completed in full, including a description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion. J. In the event that the authorization is signed by a personal representative of the individual, the authorization shall contain a description of the representative's authority to act for the individual. K. The Covered Department shall provide the individual with a copy of the signed authorization. L. The Covered Department shall invalidate the authorization if: 1. Any material information in the authorization is known by the Covered Department to be false or revoked; 2. The requirements of the authorization have not been filled out completely; or 3. The expiration date has passed or the expiration event is known by the Covered Department to have occurred. M. The Covered Department shall document and retain the signed authorization for a period of at least six (6) years from the date of its creation or the date when it last was in effect, whichever is later. N. The Covered Department shall not condition an individual's treatment, payment, enrollment or eligibility for benefits on the provision of an authorization to use or disclose PHI. All authorization forms for the use or disclosure of PHI shall include a statement that the individual's treatment and payment for services shall not be conditioned on provision of the authorization except as permitted by law. O. The Covered Department shall allow an individual to revoke an authorization to use or disclose his or her PHI, except in situations where: 1. The Covered Department has taken action in reliance thereon. 2. The authorization was obtained as a condition of obtaining insurance coverage and state law provides the insurer with the right to contest a claim under the policy or the policy itself. P. The Covered Department shall take all necessary steps to honor and comply with an individual revocation of an authorization to use or disclose PHI, unless stated otherwise in this policy. The Covered Department shall not impose a time restriction on when an individual may revoke authorization to use or disclose his or her PHI. The Covered Department shall require individuals to request the revocation of authorization to use or disclose PHI in writing. (Weld County Code Ordinance 2012-10) Created: 2021-05-03 14:18:56 [EST] (Supp. No. 70) Page 6 of 24 Sec. 3-15-50. Disclosure of PHI without authorization or objection of individual. A. The Covered Department may disclose PHI without a valid authorization in limited circumstances if the individual is given the opportunity to object to such disclosure. B. A Covered Department which is a health care provider may, under this Section: 1. Maintain a facility directory including the individual's name, location at the facility, condition (in general terms) and religious affiliation (which is only to be provided to members of clergy). 2. Disclose the individual's specific health information to family, close friends or anyone else identified by the individual to be involved in relevant care, payment or necessary notification. C. The individual must be informed of the opportunity to object, unless impracticable due to emergency circumstances. If the individual is present, PHI may be disclosed if the individual agrees, does not object or it can be reasonably inferred that the individual does not object. If the individual is not present or unable to agree or object, PHI may be disclosed if in the individual's best interests, in the provider's professional judgment. (Weld County Code Ordinance 2012-10) Sec. 3-15-60. Disclosure of PHI required by law. A. Disclosure of PHI should first be made pursuant to an authorization, as described in Section 3-15-40 above. If no authorization exists, disclosure may be made pursuant to this Section. 1. Permitted disclosures. The County may disclose a patient's PHI without the patient's signed authorization to the patient himself or herself, the patient's legally authorized personal representative, those involved with the person's care and treatment, or law enforcement personnel in appropriate situations, for public policy decisions as required by law and for purposes of a patient's treatment, payment for services or the County's health care operations. Disclosure of PHI may also be made to business associates or on the basis of, and in accordance with, a properly executed authorization. 2. Required disclosures. The County may make disclosures without consent or authorization as required by law, as required for public health purposes, for certain health oversight activities, for certain judicial and administrative proceedings and for certain law enforcement activities, to coroners or medical examiners. 3. Unique restrictions on disclosures. If a patient requests a particular restriction on the use or disclosure of his or her PHI, refer the request to the Privacy Officer. 4. Deceased individuals. Covered Departments must protect the PHI of deceased individuals. If an executor, administrator or other person has authority to act on behalf of a deceased patient or that person's estate, that person should be treated as the patient's personal representative. The County may disdose PHI, without specific patient consent or authorization, to a coroner or medical examiner responsible for identification of the person, determination of the cause of death or other duties authorized under state law. The Coroner may also disclose PHI to a funeral director, as permitted by state law. 5. Persons involved in care or treatment. PHI may be disclosed, without the patient's signed authorization, to persons involved in the patient's care, as directly relevant to that care. If the patient is present when PHI is to be disclosed and has the capacity to make health care decisions, PHI can be disclosed to others present if it can reasonably be inferred that the patient would not object. If the patient is not present when PHI is to be disclosed or if the patient is incapacitated, PHI may be Created: 2021-05-03 14:18:56 [EST] (Supp. No. 70) Page 7 of 24 disclosed if, in the exercise of reasonable professional judgment, disclosure is in best interests of the patient and disclosure is limited to PHI directly relevant to the person's involvement with the patient's care. 6. If federal, state and/or local law requires a use or disclosure of PHI, the Covered Department may use or disclose PHI to the extent that the use or disclosure complies with such law and is limited to the requirements of such law. B. In the event that two (2) or more laws or regulations governing the same use or disclosure conflict, the Covered Department shall comply with the more restrictive laws or regulations. C. The Covered Department may use or disclose PHI to the extent that such use or disclosure is required by law, including but not limited to: 1. For public health activities required by law. 2. For disclosures about victims of abuse, neglect or domestic violence. 3. In order to comply with judicial release. 4. To comply with law enforcement. 5. For a health release. 6. To avert a serious threat to health or safety. 7. To comply with special government functions or requests. Such requests shall be referred to the Privacy Officer. 8. For purposes of workers' compensation investigations and claims, as permitted or required by law. 9. Uses and disclosures for health oversight activities. 10. Uses and disclosures for cadaveric organ, eye or tissue donation purposes. (Weld County Code Ordinance 2012-10) Sec. 3-15-70. Requests for disclosure of PHI. A. Covered Departments shall verify the identity and authority of individuals requesting PHI. B. Once it is determined that use or disclosure is appropriate, personnel with appropriate clearance shall access the individual's PHI using appropriate procedures. C. The requested PHI shall be delivered to the individual in a secure and confidential manner, such that the information cannot be accessed by employees or other persons who do not have appropriate access clearance to that information. D. The proper personnel shall appropriately document the request and delivery of the PHI. E. In the event that the identity and legal authority of an individual or entity requesting PHI cannot be verified, personnel shall refrain from disclosing the requested information and report the case to the Privacy Officer in a timely manner. F. Knowledge of a violation or potential violation of this policy must be reported directly to the Privacy Officer. (Weld County Code Ordinance 2012-10) Created: 2021-05-03 14:18:56 [EST] (Supp. No. 70) Page 8 of 24 Sec. 3-15-80. Notice of disclosure of PHI. A. The Covered Department shall give adequate notice to individuals regarding the use or disclosure of their PHI, their rights with respect to such use or disclosure and the Covered Department's legal duties pursuant to 45 C.F.R. § 164.520. The Covered Department shall comply with the contents of such notice. B. The content of the notice regarding the use and disclosure of PHI pursuant to 45 C.F.R. § 164.520 shall comply with the policies and procedures that are described herein. The notice shall reserve the right of the Covered Department to amend the notice and any of its privacy policies, procedures and practices. C. Notice given to an individual regarding the use and disclosure of PHI must be written in plain language and contain the statement prominently displayed: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY." D. The Notice must contain descriptions in sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by HIPAA and other applicable laws, including: 1. A description and at least one (1) example of the types of uses and disclosures that the Covered Department is permitted by law to make for each of the following purposes: treatment, payment and health care operations. 2. A description of each of the other purposes for which the Covered Department is permitted or required by the privacy regulations to use or disclose PHI without the individual's written authorization, including those purposes listed in Subsection 3-15-40.E. of this Article. If a use or disclosure described in Subsection 3-15-40.E. is prohibited or materially limited by other laws, the description of the disclosure must reflect the more stringent law. E. The notice must also contain the following statements or information: 1. A statement indicating that the other uses and disclosures shall be made only with the individual's written authorization and that the individual may revoke such authorization as permitted by the individual's rights under HIPAA. 2. A statement of the individual's rights with respect to PHI and a brief description of how the individual may exercise those rights: a. The right to request restrictions on certain uses and disclosures of PHI. A statement that the Covered Department is not required to agree to a requested restriction. b. The individual's right to receive confidential communications of PHI, as applicable. c. A statement and a brief description of how the individual may exercise his or her right to inspect, copy, amend and receive an accounting of disclosure of PHI. d. A statement and a brief description of how the individual may exercise his or her right to obtain a paper copy of the notice from the Covered Department, even if the individual has agreed to receive the notice electronically. 3. A statement that the Covered Department is required by law to maintain the privacy of PHI and to provide individuals with notice of its legal duties and privacy practices with respect to PHI. 4. A statement that the Covered Department is required to abide by the terms of the notice that is currently in effect. Created: 2021-05-03 14:18:56 (EST] (Supp. No. 70) Page 9 of 24 5. A statement indicating that, for PHI that it created or received prior to issuing a revised notice, the Covered Department reserves the right to change the terms of its notice and to make the new notice provisions effective for all PHI that it maintains. 6. A statement that individuals may complain to the Covered Department and to the Covered Department of Health and Human Services if they believe their privacy rights have been violated. A brief description of how an individual may file a complaint with the Covered Department. A statement that the Covered Department shall not retaliate against the individual for filing a complaint. 7. The name or title and telephone number of a person or office within the Covered Department to contact for further information concerning the notice of privacy practices. 8. The date on which the notice is first in effect, which is not to be earlier than the date on which the notice is printed or otherwise published. F. If applicable, the description in the notice of the types of uses and disclosures that the Covered Department is permitted to make for purposes of treatment, payment and health care operations (see procedure D.1) must also include a separate statement indicating that: 1. A group health plan, or a health insurance issuer or HMO with respect to a group health plan, may disclose PHI to the sponsor of the plan. 2. The Covered Department may contact the individual to provide appointment reminders or information about treatment alternatives or other health -related benefits and services that may be of interest to the individual. G. A statement that the Covered Department shall promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the individual's rights, the Covered Department's legal duties or other privacy practices stated in the notice, and how it shall provide individuals with the revised notice. The Covered Department shall not implement a material change to any term of the notice prior to the effective date of the notice in which such material change is reflected, except when required by law. Upon making a change to a notice and policies and procedures due to a change in law, the Covered Department may use the notice revision date as the new effective date. H. For a Covered Department which is a health care provider, such notice shall be provided to the individual on the date services are provided or, in emergency situations, as soon as reasonably practicable thereafter. In emergency situations, an acknowledgement of receipt of such notice shall be obtained if possible. Such notice shall be provided prominently at the location of service and at the Covered Department's web address. I. The Covered Department which is also a correctional facility is not required to provide the notice described in this Section to inmates. J. Such notice shall also be provided to County employees at the time of enrollment in any County -sponsored group health plan, within sixty (60) days of any material revision to the notice and at least once every three (3) years. K. Knowledge of a violation or potential violation of this policy must be reported directly to the Privacy Officer. (Weld County Code Ordinance 2012-10) Sec. 3-15-90. Personal representatives. A. If, under applicable law, a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, the Covered Department shall treat such person as a personal representative with respect to PHI relevant to such personal representation. Created: 2021-05-03 14:18:56 [EST] (Supp. No. 70) Page 10 of 24 B. With respect to unemancipated minors, deceased individuals and others, the Covered Department shall follow these procedures in determining whether to treat a person as a personal representative of an individual. C. The Covered Department shall treat a person as a personal representative of an individual with respect to disclosure of PHI if, under applicable law: 1. A parent, guardian or other person acting in loco parentis (in the place of a parent) has authority to act on behalf of an individual who is an unemancipated minor in making decisions related to health care; or 2. An executor, administrator or other person has authority to act on behalf of a deceased individual or of the individual's estate. D. The Covered Department shall treat a person as a personal representative of a deceased individual with respect to the PHI relevant to such representation if, under applicable law, the person is an executor, administrator or other person with authority to act on behalf of the deceased individual or of the individual's estate. E. The Covered Department shall not treat a person as a personal representative of an unemancipated minor when the minor has authority to act with respect to his or her PHI pertaining to a health care service if: 1. The minor consents to such health care service, no other consent is required by applicable law and the minor has not requested that another person be treated as the personal representative; 2. Applicable law permits the minor to obtain such health care service without the consent of a parent, guardian or other person acting in loco parentis; and the minor, a court or another person authorized by law consents to such health care service; or 3. A parent, guardian or other person acting in loco parentis assents to an agreement of confidentiality between a covered health care provider and the minor with respect to such health care service. F. The Covered Department shall not treat a person as the personal representative of an individual if: 1. The Covered Department has a reasonable belief that the individual has been or may be subjected to domestic violence, abuse or neglect by such person; or treating such person as the personal representative could endanger the individual; and 2. The Covered Department, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual's personal representative. G. The Covered Department shall follow the requirements and/or permissions of applicable state and other laws in determining whether to provide or deny access to a minor's PHI to a parent, guardian or other person acting in loco parentis. (Weld County Code Ordinance 2012-10) Sec. 3-15-100. Business associates. A. The Covered Department shall ensure contracts or other arrangements between the Covered Department and its business associates comply with the policies and procedures described herein and pursuant to 45 C.F.R. § 164.504(e). B. The Covered Department shall document satisfactory assurances of compliance with the policies and procedures herein through a written contract or other written agreement or arrangement with the business associate that establishes the permitted and required uses and disclosures of PHI. Created: 2021-05-03 14:18:56 [EST] (Supp. No. 70) Page 11 of 24 C. Contracts or agreements between the Covered Department and a business associate shall prohibit a business associate from using or disclosing PHI in a manner that would violate HIPAA privacy regulations. D. If the Covered Department and the business associate are both government entities and the entities comply with the business associate contract provisions by entering into a memorandum of understanding, the Covered Department shall ensure that the memorandum of understanding or other applicable law contains terms that accomplish the objectives of the business associate contract provisions of the HIPAA privacy requirements. E. When a business associate is required by law to perform a function on behalf of the Covered Department and the Covered Department discloses PHI to the business associate to comply with the legal mandate without meeting the requirements of the HIPAA Privacy rule, the Covered Department shall attempt in good faith to obtain satisfactory assurances that the requirements applicable to the business associate accomplish the objectives of the business associate requirements and, if such attempt fails, document the attempt and the reasons that such assurances cannot be obtained; and, before omitting a termination authorization from its other arrangements, the Covered Department shall ensure that the authorization is inconsistent with the statutory obligations of the Covered Department or its business associate. F. The Covered Departments which form a contractual relationship with other businesses or entities and which expect to share protected health information as a result of that contractual relationship shall execute an appropriate Business Associate Contract (BAC) or Business Associate Agreement (BAA) to ensure compliance with this Article and with HIPAA generally. G. Nothing in this policy prohibits the County or a Covered Department from entering into an Organized Health Care Arrangement (OHCA) for the purpose of sharing protected health information between treatment providers, as permitted under HIPAA. H. Knowledge of a violation or potential violation of this policy must be reported directly to the Privacy Officer. (Weld County Code Ordinance 2012-10) Sec. 3-15-110. Confidential communications of PHI. A. The Covered Department, with the assistance of the Privacy Officer, shall take necessary steps to accommodate reasonable requests by individuals to receive confidential communications of PHI. 1. The Covered Department shall provide confidential communications by alternative means or at alternative locations pursuant to the HIPAA Privacy rule. 2. The Covered Department may require individuals to make a request for a confidential communication in writing. 3. The Covered Department shall not require an explanation from the individual as to the basis for the request as a condition of providing communications on a confidential basis. 4. When appropriate, the Covered Department may condition the provision of a reasonable accommodation on information as to how payment, if any, shall be handled and specification of an alternative address or other method of contact. 5. An alternative means or location shall be designated on a case -by -case basis that is satisfactory to both the Covered Department and the individual, before communication of PHI is made. 6. The Privacy Officer, using professional judgment and considering all relevant factors, shall be responsible for deciding the alternative means or location to communicate PHI to an individual and shall otherwise comply with the disclosure requirements of Section 3-15-60 of this Article. B. Knowledge of a violation or potential violation of this policy must be reported directly to the Privacy Officer. Created: 2021-05-03 14:18:56 [EST] (Supp. No. 70) Page 12 of 24 (Weld County Code Ordinance 2012-10) Sec. 3-15-120. Requests for restricted use of PHI. A. The Covered Department shall, with the assistance of the Privacy Officer, allow an individual to request that uses and disclosures of his or her PHI be restricted in accordance with the HIPAA Privacy rule. B. The Privacy Officer, using professional judgment and considering all relevant factors, shall be responsible for approving or denying the requested restriction. The Privacy Officer is not required to agree to a restriction. C. Upon approval of such a restriction, the Covered Department shall not violate such restriction unless as specified within this Article. D. If a restriction is agreed upon, the Covered Department is not required to honor an individual's request when the individual who requested the restriction is in need of emergency treatment and the restricted PHI is needed to provide the emergency treatment. If restricted PHI is disclosed to a health care provider for emergency treatment, the Covered Department shall request that such health care provider not further use or disclose the information. E. If the Covered Department agrees to an individual's requested restriction, the restriction does not apply to the following uses and disclosures: 1. To an individual accessing his or her own PHI. 2. To an individual requesting an accounting of his or her own PHI. 3. Instances for which an authorization or opportunity to agree or object is not required. F. The Covered Department may terminate its agreement to a restriction in the following situations: 1. The individual agrees to or requests the termination in writing. 2. The individual orally agrees to the termination and the oral agreement is documented. 3. The Covered Department informs the individual that it is terminating its agreement to a restriction. Such termination is only effective with respect to PHI created or received after it has so informed the individual. G. The Covered Department shall document and retain the restriction for a period of at least six (6) years from the date of its creation or the date when it last was in effect, whichever is later. H. If the Covered Department does not agree to a request for restriction, it shall notify the individual who requested the restriction and advise him or her that the Covered Department shall not honor the restriction. (Weld County Code Ordinance 2012-10) Sec. 3-15-130. Requests to access, inspect and/or obtain copy of PHI. A. The Covered Department shall take necessary steps to address individual requests to access, inspect and/or obtain a copy of their PHI that is maintained in a designated record set in a timely and professional manner. B. Individuals may request to access, inspect and/or obtain a copy of their PHI that is maintained in a designated record set. In instances where the PHI is in more than one (1) record set or at more than one (1) location, the Covered Department shall produce the PHI only once in response to a request for access. Copy and retrieval fees, including postage, based on actual costs, may be applicable. Created: 2021-05-03 14:18:56 [EST] (Supp. No. 70) Page 13 of 24 C. If the Covered Department does not maintain the PHI that is the subject of the individual's request for access and the Covered Department knows where the requested information is maintained, the Covered Department must inform the individual where to direct the request for access. D. Individuals do not have the right to access the following types of information: 1. Psychotherapy notes. 2. Information compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding. 3. PHI that is: a. Subject to the Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C. § 263a, to the extent the provision of access to the individual would be prohibited by law; or b. Exempt from the Clinical Laboratory Improvements Amendments of 1988, pursuant to 42 C.F.R. § 493.3(a)(2). 4. If the Covered Department is acting under the direction of a correctional institution upon an inmate's request for a copy of the PHI and obtaining a copy would jeopardize the health, safety, security, custody or rehabilitation of the individual or of other inmates or of any officer, employee or other person at the correctional institution or responsible for the transporting of the inmate. Any Covered Department receiving such a request from a current inmate must seek the assurance of the Department Head of the Jail that providing the copy of the inmate's requested PHI will not jeopardize the operations of the jail. 5. The individual's access to PHI that is contained in records that are subject to the Privacy Act, 5 U.S.C. § 552a, may be denied if the denial of access under the Privacy Act would meet the requirements of that law. 6. The individual's access may be denied if the PHI was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information. E. The Covered Department may require individuals to direct requests for access, inspection or a copy of PHI to the Privacy Officer and complete a form request for health information. The individual shall be informed that request for access is required to be in writing. F. An appropriate request from an individual regarding PHI using a request form for health information shall, within a reasonable time period, be reported, along with the form, to records personnel with appropriate access clearance to PHI. G. Upon receipt of a request made, records personnel with appropriate clearance shall act on the request by: (1) informing the individual of the acceptance and providing the access requested; or (2) providing the individual with a written denial. H. Action upon the request must be taken: 1. No later than thirty (30) days after the request is made; or 2. If the request is for PHI that is not maintained or accessible onsite to the Covered Department, no later than sixty (60) days after the request. 3. If the Covered Department cannot take action on a request for access to PHI within the relevant time periods, the Covered Department may extend the time required by thirty (30) days. Created: 2021-05-03 14:18:56 [EST] (Supp. No. 70) Page 14 of 24 4. In the event that the time period for the action must be extended, then the Covered Department shall provide the individual with a written statement of the reasons for the delay and the date by which the Covered Department shall complete its action on the request. Only one (1) extension is permitted. I. Records personnel with appropriate clearance shall access the individual's PHI using appropriate procedures. J. The individual shall be allowed access, inspection and/or copies of the requested PHI in a secure and confidential manner, such that the information cannot be accessed by employees or other persons who do not have appropriate clearance to that information. K. The Covered Department shall provide the individual with access to the PHI contained in a designated record set in the form or format requested by the individual if it is readily producible in such form or format. L. If the requested format is not readily producible, then the Covered Department shall provide the individual with access to the PHI in a readable hard copy form or such other form as agreed to by the individual. M. If requested by the individual, the Covered Department shall arrange with the individual for a convenient time and place to inspect or obtain a copy of the PHI, or mailing of PHI. The individual may request, in writing, that the PHI be disclosed by reasonable alternative means or in a reasonable alternative location, as permitted in Section 3-15-110 of this Article. Records personnel shall appropriately document the request and delivery of the PHI. N. A summary of the requested PHI shall be provided in lieu of access to the information only when the individual agrees in advance to a summary and to any related fees imposed. 1. An explanation of the requested PHI to which access has been provided shall accompany the access reply only when the individual agrees in advance to a summary and to any related fees imposed. 2. If a summary or explanation of the requested PHI is to be prepared, such summary or explanation shall be completed only by records or other applicable personnel with appropriate access clearance. O. The Covered Department shall document and retain designated record sets that are subject to access by individuals for a period of at least six (6) years from the date of its creation or the date when it last was in effect, whichever is later. P. In denying access in whole or in part, to the extent possible, records personnel shall give the individual access to any other PHI requested, after excluding the PHI that was denied. Q. When denying an individual access to PHI, the denial shall: 1. Be written in plain language. 2. Contain the basis for the denial. 3. Contain the following statement: "THE INDIVIDUAL HAS THE RIGHT TO HAVE THE DENIAL REVIEWED BYA LICENSED HEALTH CARE PROFESSIONAL, DESIGNATED BY [COVERED DEPARTMENT] TO ACT AS A REVIEWING OFFICIAL AND WHO DID NOT PARTICIPATE IN THE ORIGINAL DENIAL DECISION." 4. Contain a description of how the individual may complain to the Privacy Officer. The description of how the individual may complain shall include the name or title and telephone number of the contact person or office designated to receive such complaints. R. All denial reviews shall be conducted by a licensed health care professional who is designated by the Covered Department to act as a reviewing official and who did not participate in the original decision to deny. 1. The designated reviewing official shall be determined on a case -by -case basis by the Privacy Officer. 2. Records personnel shall promptly refer a request for review to the designated reviewing official. Created: 2021-05-03 14:18:56 [EST] (Supp. No. 70) Page 15 of 24 3. The designated reviewing official shall determine, within a reasonable period of time, whether or not to deny the access requested based on the applicable standards. 4. Records personnel shall promptly provide written notice to the individual of the determination of the designated reviewing official and take other action as required to carry out the designated reviewing official's determination. S. Knowledge of a violation or potential violation of this policy must be reported directly to the Privacy Officer. (Weld County Code Ordinance 2012-10) Sec. 3-15-140. Requests to amend PHI. A. The Covered Department shall allow an individual to request an amendment to his or her PHI or a record in a designated record set for as long as the information is maintained in a designated record set. B. Records personnel, with the assistance of the Privacy Officer, shall be responsible for receiving, processing and responding to requests for amendments to PHI. C. All individual requests for amendments to PHI shall be in writing and directed to the Privacy Officer. The Privacy Officer shall inform the individual of the requirement to make requests for amendments in writing. D. Individuals must document the reasons to support the requested amendment. E. The Privacy Officer shall inform the individual, no later than sixty (60) days after receipt of such a request, if the amendment is accepted or denied. The time period for the action by the Covered Department shall be extended by no more than thirty (30) days. If the time period for the action is extended, records personnel shall, within thirty (30) days after receipt of the request, provide the individual with a written statement of the reasons for the delay and the date by which the Covered Department shall complete the action on the request. The time period for action shall not be extended more than once. F. If the requested amendment is accepted, records personnel shall: 1. Make the appropriate amendment; or 2. Arrange to have the necessary health care professional make the amendment. G. Upon accepting and completing a requested amendment, records personnel shall perform the following tasks: 1. Inform the individual, in a timely manner, and obtain the individual's identification of, and agreement to have the Covered Department notify, the relevant persons with which the amendment needs to be shared. 2. Make reasonable efforts to inform and provide the amendment within a reasonable time to persons identified by the individual as needing the amendment. 3. Make reasonable efforts to inform and provide the amendment within a reasonable time to persons, including business associates, that are known to have the affected PHI and that may have relied on or could foreseeably rely on such information to the detriment of the individual. 4. Identify the affected information in the designated record set and append or otherwise provide a link to the location of the amendment. H. In the event that another covered entity notifies the Covered Department of an amendment to an individual's PHI, records shall amend the respective information by, at minimum, identifying the affected information in the designated record set and appending or otherwise providing a link to the location of the amendment. Created: 2021-05-03 14:18:56 [EST] (Supp. No. 70) Page 16 of 24 I. The Covered Department may deny an individual's request for amendment if it determines that the requested PHI or record: 1. Was not created by the Covered Department, unless the individual provides a reasonable basis to believe that the originator of PHI is no longer available to act on the requested amendment; 2. Is not part of a designated record set; 3. Would not be available for inspection under the requirements for individual rights to access PHI; or 4. Is accurate and complete. J. Records personnel, with the assistance of the Privacy Officer, shall be responsible for receiving, processing and responding to requests for amendments to PHI. K. Upon denying an amendment in whole or in part, the Covered Department shall provide the individual with a written denial. The denial shall be written in plain language and shall contain the following: 1. The basis for the denial; 2. The individual's right to submit a written statement disagreeing with the denial; 3. A description of how the individual may file such a statement; 4. A description of how the individual may file a complaint to the Covered Department pursuant to its complaint procedures, including the name or title and telephone number of the contact person or office designated to receive such complaints; 5. A description of how the individual may file a complaint with the Covered Department of Health and Human Services; 6. The following statement: "IF THE INDIVIDUAL DOES NOT SUBMIT A STATEMENT OF DISAGREEMENT, THEN THE INDIVIDUAL MAY REQUEST THE COVERED DEPARTMENT TO PROVIDE THE INDIVIDUAL'S REQUEST FOR AMENDMENT AND THE DENIAL WITH ANY FUTURE DISCLOSURES OF THE PHI THAT IS THE SUBJECT OF THE AMENDMENT." L. If the individual provides a statement of disagreement, the Covered Department may prepare a written rebuttal to the individual's statement of disagreement. The Covered Department shall provide the individual with a copy of the above rebuttal. M. The Covered Department shall append or otherwise link the following to the designated record set or PHI that is the subject of the disputed amendment: 1. The individual's request for an amendment; 2. The denial of the request; 3. The individual's statement of disagreement, if any; and 4. The Covered Department's rebuttal, if any. N. Any subsequent disclosures of the PHI to which an individual's written disagreement relates shall include the following: 1. The material appended as described above; or 2. An accurate summary of any such information. O. If the individual has not submitted a written statement of disagreement, the Covered Department shall include the individual's request for amendment and the Covered Department's denial, or an accurate Created: 2021-05-03 14:18:56 [EST] (Supp. No. 70) Page 17 of 24 summary of such information, with any subsequent disclosure of the PHI only if the individual has requested such action. (Weld County Code Ordinance 2012-10) Sec. 3-15-150. Accountings of disclosures of PHI. A. The Covered Department shall document and maintain an accounting of when patients' PHI has been disclosed for purposes other than treatment, payment or health care operations. The Covered Department shall allow individuals to receive an accounting of all instances where PHI about them is used or disclosed. This requirement does not apply to instances where PHI was disclosed: 1. To carry out treatment, payment and health care operations; 2. Under the authority of a written authorization given by the subject of the PHI; 3. To the individuals about their own PHI; 4. For the facility's directory; 5. To persons involved in the individual's care or other notification purposes; 6. For national security or intelligence purposes; 7. To correctional institutions or law enforcement custodial situations; or 8. As de -identified information in a data set. B. The Covered Department is not required to include in an accounting of disclosures that were made incidental to another use or disclosure that is permissible under 45 C.F.R. Part 164; however, to minimize incidental disclosures, the Covered Department shall: 1. Take precautions to reasonably safeguard PHI as required by 45 C.F.R. § 164.530(c)(1); and 2. Disclose only the minimum amount of PHI necessary to accomplish the intended purpose of the disclosure. C. The Covered Department shall allow an individual to obtain an accounting of instances when his or her PHI has been disclosed by the Covered Department any time up to and including the six (6) years prior to the date on which the accounting is requested. D. The accounting shall be in writing and shall include disclosures made to, or by business associates of, the Covered Department. E. Each accounting of a disclosure shall include the following: 1. The date of disclosure. 2. The name of the entity or person who received the PHI and, if known, the address of such entity or person. 3. A brief description of the PHI disclosed. 4. A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such statement: a. A copy of the individual's written authorization to use or disclose the PHI; or b. A copy of a written request for a disclosure required by the DHHS Secretary to investigate or determine the Covered Entity's compliance with applicable laws and regulations. Created: 2021-85-03 14:18:56 [EST] (Supp. No. 70) Page 18 of 24 5. The frequency, periodicity or number of disclosures made during the requested period, if applicable, including the date of the last such disclosure. F. The Covered Department shall act on the individual's request for an accounting not later than sixty (60) days after receipt of the request by: 1. Providing the individual with the accounting requested; or 2. Extending the time to provide the accounting by no more than thirty (30) days. This one-time extension requires a written explanation. G. Any accounting shall be provided to an individual once in any twelve-month period without charge. Subsequent accountings in the same period may be subject to charges as determined by the Privacy Officer. H. The Covered Department shall document and retain the following for a period of at least six (6) years, or from the date of its creation or the date when it last was in effect, whichever is later: 1. The information required to be included in an accounting. 2. The written accounting that is provided to the individual. 3. The title of the person or officer responsible for receiving and processing requests for an accounting by the individual. I. The Covered Department shall temporarily suspend an individual's right to receive an accounting under this Section if a health oversight agency or law enforcement official requests such suspension due to the reasonable likelihood that it will impede an investigation. Such request made orally shall be documented and enforced for no more than thirty (30) days. Such request made in writing shall be enforced for the duration listed in the request. J. Business associates of the Covered Departments shall comply with the requirements of this Section. K. The Privacy Officer is responsible for responding to a request from an individual for an audit trail of instances when his or her PHI has been disclosed for purposes other than treatment, payment or health care operations. (Weld County Code Ordinance 2012-10) Sec. 3-15-160. Complaints regarding policies and procedures. A. As specified in 45 C.F.R. § 164.530(d), the Covered Department shall provide a process for individuals to make complaints concerning the Covered Department's policies and procedures regarding the use or disclosure of PHI, or its compliance with such policies and procedures. B. The Privacy Officer shall be the Covered Department's designated contact for individuals to file complaints pursuant to this policy. The Privacy Officer should be contacted in order to file complaints concerning the Covered Department's policies and procedures required by the HIPAA privacy rule, or its compliance with such policies and procedures. The Privacy Officer shall document all complaints. C. The Covered Department shall not require individuals to waive their rights to file a complaint with the Department of Health and Human Services as a condition of the provision of treatment, payment, enrollment in a health plan or eligibility for benefits. D. The Covered Department shall refer all complaints regarding potential HIPAA privacy violations to the Privacy Officer. The Privacy Officer shall document all complaints received, and their disposition, if any, for a period of at least six (6) years from the date of its creation or the date when it last was in effect, whichever is later. Created: 2021-05-03 14:18:56 [EST] (Supp. No. 70) Page 19 of 24 E. It is the responsibility of all Covered Department employees to report perceived misconduct, including actual or potential violations of the Privacy Rules or these policies and procedures. F. The Covered Department shall maintain an "open-door policy" at all levels of management to encourage employees to report problems and concerns. (Weld County Code Ordinance 2012-10) Sec. 3-15-170. Policy prohibiting retaliation. A. The Covered Department shall follow all necessary procedures to protect against any retaliation toward any employee, individual or other for exercising his or her rights or participating in any process pursuant to internal policies, applicable law and/or regulation. B. Any Covered Employee who commits or condones any form of retaliation shall be subject to discipline up to and including termination. C. The Covered Department shall not retaliate against employees, individuals or others for: 1. Filing a complaint with the Covered Department; 2. Testifying, assisting or participating in an investigation, compliance review, proceeding or hearing; or 3. Opposing in good faith any act or practice made unlawful by the HIPAA privacy rule, provided that the manner of the opposition is reasonable and does not itself violate law. (Weld County Code Ordinance 2012-10) Sec. 3-15-180. Security of PHI. A. The Covered Department shall: 1. Protect individually identifiable health information transmitted or maintained by the Covered Department, regardless of form (e.g., patient name, patient number, address, telephone number, social security number, etc.). 2. Ensure that noncovered departments are restricted from accessing, using or disclosing PHI, as if the noncovered departments were separate legal entities. 3. Protect against reasonably anticipated threats, hazards or impermissible disclosures of PHI. B. The Director of the Covered Department, with the assistance of the Privacy Officer, shall: 1. Have the continuing responsibility to ensure that individual members of the Covered Department's workforce have appropriate access to the minimum amount of PHI necessary to their work duties. 2. Ensure that workforce members receive the necessary training in order to comply with these requirements. 3. Ensure that each individual with access to electronic PHI can be individually tracked with unique user identification. 4. Use hardware, software or procedural mechanisms to document electronic activity related to PHI and protect it from improper transmission, alteration or destruction. (Weld County Code Ordinance 2012-10) Created: 2021-05-03 14:18:56 [EST] (Supp. No. 70) Page 20 of 24 Sec. 3-15-190. Breach of security. A. Breach means the improper acquisition, access, use or disclosure of protected health information which compromises the security or privacy of the protected health information, which poses a significant risk of financial, reputational or other harm to the individual. Breach does not include de -identified information or good faith unintentional or inadvertent use or disclosure of PHI that does not result in further improper use or disclosure. B. The Covered Department, with the assistance of the Privacy Officer, shall: 1. Take all necessary steps to mitigate any harmful effect that is known to the Covered Department of a use or disclosure of PHI in violation of the Covered Department policies and procedures. 2. Establish procedures for responding to an emergency that damages PHI, including a data backup and recovery plan, and continuing to provide critical services. 3. Re-evaluate these procedures periodically to ensure compliance with HIPAA. C. Notice. In the event of a breach, the Covered Department, with the assistance of the Privacy Officer, shall: 1. Mail written notice to all individuals whose PHI has or may have been breached without unreasonable delay and in no case more than sixty (60) days. Such notice shall be written in plain language and include a brief description of what happened, the date, the type of PHI involved, any steps the individual should take to protect himself or herself from further harm, what the Covered Department is doing to investigate, mitigate and protect from further harm and contact procedures for further information. Such notice shall be provided to local media if the breach affects five hundred (500) or more individuals. 2. Notify the DHHS Secretary without unreasonable delay of any breach involving five hundred (500) or more individuals. All other breaches must be documented and submitted to the Secretary annually. 3. If the Covered Department received notice from a law enforcement official that sending the notice, as required by this Subsection, would impede a criminal investigation or cause damage to national security. Sending such notice shall be delayed by thirty (30) days if the request is made orally and for as long as may be requested in writing by such law enforcement official. D. The Covered Department shall utilize the following process to mitigate the effect of an unauthorized release of PHI by an employee: 1. Any unauthorized release of PHI shall be immediately reported to the Privacy Officer upon discovery of the release. 2. The Covered Department shall apply appropriate sanctions against members of its workforce who fail to comply with the Covered Department policies and procedures. 3. The type of sanction applied shall vary depending on the severity of the violation, whether the violation was intentional or unintentional, whether the violation indicates a pattern or practice of improper access, use or disclosure of health information and similar factors. E. Employees, agents and other contractors should be aware that violations of a severe nature may result in notification to law enforcement officials, as well as regulatory, accreditation and/or licensure organizations. F. The sanction policy and procedures contained herein do not apply specifically when members of the Covered Department's workforce: 1. Oppose any act made unlawful by the HIPAA privacy rule, provided that the individual or person has a good faith belief that the act opposed is unlawful and the manner of the opposition is reasonable and does not involve a disclosure of PHI in violation of the HIPAA privacy rule; Created: 2021-05-03 14:18:57 [EST] (Supp. No. 70) Page 21 of 24 2. Disclose PHI as a whistleblower and the disclosure is to a health oversight agency, public health authority or attorney retained by the individual for purposes of determining the individual's legal options with regard to the whistleblower activity; or 3. Is an employee who is a victim of a crime and discloses PHI to a law enforcement official, provided that the PHI is about a suspected perpetrator of the criminal act. G. Failure by any Covered Employee to comply with these policies or procedures shall subject such Covered Employee to disciplinary action, up to and including termination. (Weld County Code Ordinance 2012-10) Sec. 3-15-200. Destruction and disposal of PHI. The Covered Department shall make reasonable efforts to dispose of PHI in a manner that protects the confidentiality of the information. A. Destruction of PHI. 1. Destruction of paper copies and original documents (day-to-day disposal). a. Printed material (e.g., faxes, printed emails, etc.) containing PHI must not be discarded in trash bins, unsecured recycle bags or other publicly accessible locations. Instead, this information must be shredded, placed in a secured recycling bag or destroyed by cutting, tearing or burning. b. The user may elect to use either shredding, secure recycle bags or other options for the destruction of these documents, as long as the destruction is in accordance with this Article. It is the individual's responsibility to ensure that the document has been secured or destroyed, and it is the supervisor's responsibility to ensure that his or her employees are adhering to the policy. c. Microfilm or microfiche must be cut into pieces or chemically destroyed. d. After documents have reached their retention period, all PHI must be securely destroyed using the Covered Department record retention process governing destruction of records. 2. Destruction of electronic media. a. Secure methods shall be used to dispose of electronic data and output. The Information Services (IS) Covered Department is responsible for the destruction of electronic copies containing PHI, including any media that may be reused. However, employees may dispose of the electronic data themselves using the following methods: b. Deleting on-line data using the appropriate utilities. c. "Degaussing" computer tapes to prevent recovery of data. d. Removing PHI from mainframe disk drives being sold or replaced, using the appropriate initialization utilities. e. Erasing diskettes to be reused using a special utility to prevent recovery of data; or destroying discarded diskettes. 3. Hardcopy (bulk disposal). a. Secure methods shall be used to dispose of hardcopy data and output. Created: 2021-05-03 14:18:57 [EST] (Supp. No. 70) Page 22 of 24 b. PHI printed material shall be shredded and recycled by a firm specializing in the disposal of confidential records or be shredded by an employee of the Covered Department authorized to handle and personally shred the PHI. c. If hardcopy PHI (paper, microfilm, microfiche, etc.) cannot be shredded, it must be incinerated. B. Documentation of PHI disposal. 1. To ensure that it is in fact performed, employees or a bonded destruction service must carry out the destruction of PHI. 2. If the Covered Department personnel undertake the destruction of the records, the employee must use the records destruction form provided by designated personnel if the record is found on the record retention schedule for the Covered Department destroying the record. 3. If a bonded destruction company undertakes the destruction, the bonded destruction company must provide the Covered Department with the document of destruction that contains the following information: a. Date of destruction; b. Method of destruction; c. Description of the disposed records; d. Inclusive dates covered; e. A statement that the records have been destroyed in the normal course of business; and f. The signatures of the individuals supervising and witnessing the destruction. C. Enforcement. All supervisors are responsible for enforcing this policy. Individuals who violate this Section shall be subject to the disciplinary process as outlined in the disciplinary and sanctions policy. D. The Covered Department shall protect individually identifiable health information transmitted or maintained. The Covered Department is committed to safeguarding PHI in order to operate in a manner that is consistent with applicable federal and state laws and regulations. E. If there is need to destroy any information, it must be done either by shredder or placed in a confidential/secured trash bin. PHI must never be discarded in nonsecured trashcans. F. Knowledge of a violation or potential violation of this policy must be reported directly to the Privacy Officer. Sec. 3-15-210. Transmittal of PHI. A. Transmittal of PHI by fax. 1. PHI should be hand -delivered or mailed whenever possible. Faxing of protected health information internally to authorized employees is allowable at any time to facilitate treatment, payment and health care operations, provided that the guidelines outlined in this policy are adhered to. 2. Faxing of PHI outside of the facility is allowable in situations when health information is needed immediately for patient care purposes, continuing care placement or payment, or when mail or courier delivery will not meet a necessary timeframe. 3. Faxing of sensitive health information, such as that dealing with mental health, chemical dependency, sexually transmitted diseases, HIV or other highly personal information, is prohibited unless the requirements above are met. Created: 2021-05-03 14:18:57 [EST] (Supp. No. 70) Page 23 of 24 4. Each Covered Department must designate a fax machine in its area that will be utilized to send and/or receive PHI. This fax machine must not be accessible to the public and should only be accessible to staff directly involved in patient care or those authorized to handle faxed information. 5. The faxed information must be accompanied by a special fax cover sheet specifically designated for faxing of PHI. Each page of the intended fax should be stamped or marked "confidential." In the event of a misdirected fax, the recipient should be directed to immediately destroy the fax. 6. Covered Employees authorized to fax PHI must take reasonable steps to confirm the accuracy of the fax numbers and security of recipient machines. 7. When possible, a fax confirmation slip should be printed from the fax machine or e -fax for each outgoing transmission and machine operators must also verify that the intended destination matches the number on the confirmation. The confirmation should be attached to the document that was transmitted and kept as part of the individual's record. If the confirmation slip cannot be obtained from the fax machine, the sender must attempt to verify the recipient. 8. Knowledge of a violation or potential violation of this policy must be reported directly to the Privacy Officer. B. Receiving PHI by fax. 1. When expecting the arrival of a fax containing PHI, the designated employee shall schedule with the sender whenever possible to ensure that the faxed documents can be promptly removed from the fax machine. 2. Each Covered Department must designate employees who are authorized to handle PHI who will be responsible to check fax trays at scheduled intervals and disseminate their contents to the appropriate responsible parties. 3. Staff responsible for routing PHI must be sure that they leave it in a secure and confidential location. 4. If there is need to destroy any information, it must be done either by shredder or placed in a confidential and secured trash bin. PHI must never be discarded in nonsecured trashcans. 5. Knowledge of a violation or potential violation of this policy must be reported directly to the Privacy Officer. (Weld County Code Ordinance 2012-10) Created: 2021-05-03 14:18:57 [EST] (Supp. No. 70) Page 24 of 24 Exhibit 3. Omo w.� 6.14.41.0 Contract Form New Contract Request Entity Information Entity Name* CENTER FOR IMPROVING VALUE IN HEALTH CARE ID* 40981 New Entity? Contract Name* Contract ID CIVHC ALL PAYER CLAIMS DATABASE DATA USE AGREEMENT 5023 Contract Status CTB REVIEW Contract Lead* BMANRIQUEZ Contract Lead Email bmanriquez weldgov.com Parent Contract ID Requires Rnard Approval YES Department Project act Description* ALL PAYER CLAIMS DATABASE DATA USE AGREEMENT WITH THE CENTER FOR IMPROVING VALUE IN HEALTH CARE (CIVHC) TO BE USED FOR HEALTH ASSESSMENT FY21-23 Contract Description 2 Contract Type AGREEMENT Amount* $9,450.00 Renewable* NO Automatic Renewal NO Grant NO IGA NO Department HEALTH ent Email CM-Healthc.weldgov.c©m Department Head Email CM-Health- DeptHead e weldgov.com County Attorney GENERAL COUNTY Al I ORNEY EMAIL County Attorney Email CM- COUNTYA I I ORNEYILWELDG OV.COM Requested BOCC Agenda Date* 0714'2021 Due Date 07;10,2021 Will a work session with BOCC be require NO Does Contract require Purchasing Dept. to be included? If this is a renewal enter previous Contract ID If this is part of a MSA enter MSA Contract ID Note: the Previous Contract Number and Master Services Agreement Number should be left blank if those contracts are not in OnBase Contract Dates Effective fate Review Date* Renewal Date 03 01 '2023 Termination Notice Period Committed Delivery Date Expiration Date • ©6`30/2023 Contact Information Contact Name PUrcha si t Approval Proces Department Head TANYA GEISER OH Approved Date 07/09/2021 i al Appr o t BOCC Approved BOCC Signed Date BOCC Agenda Date 07?14,/2021 Originator R NRIQUEZ Contact Type Finance Approver CHRIS D'OV1DIO Contact Phone i Contact Phone 2 Purchasing Approved Date Finance Approved Date 07/ 091 2021 Tyler Ref # AG 071421 Legal Counsel CARE KALOUSEK Legal Counsel Approved Date 07/09/2021 Hello