MINUTES - 04152003 - C82

Contra Costa County

TO: BOARD OF SUPERVISORS
FROM: William B. Walker, M.D.
DATE: April 9, 2003
SUBJECT: Health Insurance Portability and Accountability Act (HIPAA)

SPECIFIC REQUEST(S) OR RECOMMENDATION(S) & BACKGROUND AND JUSTIFICATION

RECOMMENDATION:

(1) DESIGNATE Contra Costa County as a hybrid entity for purposes of the Health Insurance Portability and Accountability Act (HIPAA).

(2) DESIGNATE the Health Services Department's HIPAA Privacy Officer as the Contra Costa County HIPAA Privacy Officer for purposes of HIPAA Compliance.

(3) DELEGATE to the Privacy Officer, under the direction of the Health Services Director, the responsibility for:

• Developing privacy policies and procedures consistent with applicable laws, rules, and regulations.
• Administering company-wide privacy training programs and, in conjunction with the Security Officer, a security awareness and training program.
• Ensuring that processes are implemented to maintain compliance with Federal and State laws related to privacy, security, confidentiality, and protection of information resources and health care information. This includes coordination with the Security Officer in evaluating and monitoring operations and systems development for security and privacy requirements.
• Implementing and administering the process to allow individuals to exercise their rights to inspect, amend, and restrict access to protected health information in accordance with applicable State and Federal Laws.
CONTINUED ON ATTACHMENT: X YES
SIGNATURE:
RECOMMENDATION OF COUNTY ADMINISTRATOR
RECOMMENDATION OF BOARD COMMITTEE
APPROVE OTHER
SIGNATURE(S):
ACTION OF BOARD ON April 15, 2003
APPROVE AS RECOMMENDED X OTHER
VOTE OF SUPERVISORS
UNANIMOUS (ABSENT )
AYES: NOES: ABSENT: ABSTAIN:
DISTRICT III SEAT VACANT
I HEREBY CERTIFY THAT THIS IS A TRUE AND CORRECT COPY OF AN ACTION TAKEN AND ENTERED ON THE MINUTES OF THE BOARD OF SUPERVISORS ON THE DATE SHOWN.
ATTESTED April 15, 2003
JOHN SWEETEN, CLERK OF THE BOARD OF SUPERVISORS AND COUNTY ADMINISTRATOR
BY , DEPUTY
CONTACT: Patrick Godley 370-5005
CC: Patrick Godley, HSD
Bud DeCesare, HSD
Health Services, 20 Allen St.
Kelly Flanagan, County Counsel
Sara Hoffman, CAO

• Administering a process for receiving, documenting, tracking, investigating, and taking action on all complaints concerning the organization's privacy policies and procedures.
• Working with Human Resources to develop appropriate sanctions for employees or business partners that fail to comply with the privacy policies and procedures.
• Performing periodic privacy risk assessments to measure the effectiveness, performance, and quality of the privacy program.

BACKGROUND

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets national standards for the protection of health information as applied to three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct certain health care transactions electronically. By the compliance date of April 14, 2003, covered entities must implement standards to protect and guard against the misuse of individually identifiable health information.
Failure to implement these standards may, under certain circumstances, trigger the imposition of civil or criminal penalties.

As a first step in HIPAA compliance, the County must designate which of its functions fall within the scope of HIPAA law. The Health Services Department, County Counsel and the County Administrator's Office have coordinated the effort to determine which County departments, beyond Health Services, handle individually identifiable health information under circumstances covered by HIPAA.

After careful review by the Health Services Department, County Counsel, and the County Administrator's Office, it has been determined that Contra Costa County qualifies as a hybrid entity and has designated the Health Services Department and the Human Resources benefits section as our health care components.

To qualify as a hybrid entity under HIPAA, an organization must satisfy the following elements:

• The organization must be a single legal entity that cannot be further differentiated into units each with their own legal identities.
• The organization must be a covered entity whose business activities include both covered and non-covered functions.
• The hybrid entity must designate the health care components that will be subject to the privacy standards.

It is anticipated that the departments, programs and functions that comprise the HIPAA-covered component of the County hybrid entity may change from time to time. The responsibility for documenting the County's covered component is delegated to the County Privacy Officer under the authority of the Health Services Director.

HIPAA STANDARDS

Implementing rules for HIPAA were written by the Department of Health and Human Services (HHS) and are formally known as the "Standards of Privacy of Individually Identifiable Health Information." These standards represent the first major federal initiative in an area that has been governed primarily by various state laws and a few scattered federal laws.
The Office of Civil Rights has been designated as the department responsible for implementing and enforcing the privacy regulation. This act and the subsequent implementation HIPAA regulations impose a variety of requirements on public and private entities to protect the privacy of individually identifiable health information.

Under HIPAA, patients have the legal right to:

• Be given a written notice from a provider explaining how the provider will use and disclose their information.
• Access medical records, meaning patients can see their record and obtain a copy of their record, with some limitations.
• Request amendments to their medical record.
• Obtain an accounting of the disclosures of their medical information, with limited exceptions.
• Request that certain information be restricted from uses or disclosures that would otherwise be permitted.
• Authorize the release of their information for purposes not related to treatment, payment, or health care operations, with certain exceptions.

In order to comply with HIPAA, health care providers must:

• Provide a written Notice of Privacy Practices to patients, informing them about their privacy rights and how their information will be used.
• Develop policies, procedures, and systems to protect patient privacy.
• Train staff on these procedures.
• Appoint a Privacy Officer to make sure privacy procedures are developed, adopted, and followed.
• Secure patient records that contain individually identifiable health information from those who should not see them.
• Account for specific disclosures of protected health information, with certain exceptions.
• Establish a complaint mechanism for privacy concerns.
• Establish and enforce a system of sanctions for workforce members who violate privacy policies and procedures.

HIPAA IMPLEMENTATION

More than any other department, Health Services will be affected by HIPAA.
As such, they have acted as the lead agency in coordinating HIPAA implementation throughout the County.

To oversee the implementation of HIPAA compliance within the areas affected by HIPAA, the Health Services Department, under the authority of the Health Services Director and under the direction of the Chief Operating Officer, has appointed a Privacy Officer. It is appropriate for the Health Services Privacy Officer to also be designated as the Privacy Officer for Contra Costa County. This will help ensure consistency in our compliance efforts.

To facilitate HIPAA implementation within the Health Services Department, a Divisional HIPAA Committee comprised of representatives from each of the Health Services Divisions affected by HIPAA was convened early in 2001. This committee was given the responsibility of reviewing and assessing existing privacy practices throughout the organization, developing and adopting policies and procedures to ensure that important decisions affecting an individual's privacy rights comply with HIPAA requirements, developing the Contra Costa County Notice of Privacy Practices, and coordinating HIPAA training within their Divisions.

Committee members have also been charged with reviewing existing contracts within their Divisions to determine those contractors with whom we share protected health information. These contractors are considered Business Associates under HIPAA, and a confidentiality agreement, known as a Business Associate contract addendum, has been executed with these contractors to ensure the privacy of shared protected health information.