Policy # RM - 2, Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security policy
Deschutes County Administrative Policy No. RM-2
Effective Date: April 15, 2012
Health Insurance Portability and Accountability Act (HIPAA) Privacy and
Security Policy
STATEMENT OF PRIVACY AND SECURITY POLICY
It is the policy of Deschutes County to have an established process to comply with HIPAA for the
use, disclosure and security of Protected Health Information (PHI).
Goals for this policy are:
To ensure the confidentiality, integrity, and availability of all protected health and
electronic protected health information the County creates, receives, maintains, or
transmits.
To protect against any reasonably anticipated threats or hazards to the security or
integrity of all PHI.
To reasonably prevent any possible uses or disclosures of all PHI that are not permitted
by law.
DEFINITIONS
“Health Insurance Portability and Accountability Act” (HIPAA) Security Rule regulations
require the county to comply with standards to protect the confidentiality, integrity, and
availability of electronic protected health information.
“Protected Health Information (PHI)” refers to individually identifiable health information
(information about the past, present or future physical or mental health or condition, or provision
of health care), including demographic data (but excluding data maintained by an employer in its
role as employer), that can identify an individual. PHI may be held on paper (manual), or
maintained or transmitted using electronic media (electronic). Information conveyed by voice or
telephone (voice) is not considered to be electronic in nature.
APPLICABILITY
This policy applies to all county employees.
County Departments likely to have access to PHI include:
Clerk’s Office
Community Justice
Health Services
Legal Counsel
Personnel
Risk Management
Sheriff’s Office
9-1-1 County Service District
This policy is intended to cover the minimum guidelines under HIPAA privacy and security
standards. Exhibit A provides guidelines for directors and managers that work in departments
with PHI to design, implement, monitor and comply with these privacy and security standards.
Department procedures may be more extensive but shall incorporate these basic procedures.
EMPLOYEE OR VOLUNTEER RESPONSIBILITIES
All employees are required to be aware of their responsibilities under Deschutes County’s
Privacy Notice Document (Exhibit B) and Confidentiality Agreement (Exhibit C). Employees will
fully comply with all policies related to the protection of patient medical information.
Violations related to the use and disclosure of personal patient medical information are serious
and egregious acts. Under HIPAA, employees of Deschutes County will be subject to
sanctions and legal action should they violate the privacy and confidentiality rights of patients as
described in Federal, State, County and/or Departmental policy. Employees who knowingly and
willfully violate State or Federal law regarding the improper use and disclosure of a patient’s
health information may also be subject to criminal investigation, prosecution, or civil monetary
penalties.
Employees are responsible for following established policies and procedures and for alerting their
department head of privacy or security breaches.
1. All employees with access to PHI are required to receive a minimal level of awareness
training of their responsibilities under Deschutes County’s privacy and security policy,
provided by the Risk Management Department. Departments with additional training
requirements may opt out of the Risk Management HIPAA training if the department
provides alternative training and documents such sessions.
2. Employees shall take responsibility for safeguarding PHI in paper, electronic, and verbal form
at all times. Physical and electronic access safeguards include but are not limited to:
a. Locating facsimile machines in non-public areas.
b. Positioning computer monitors to minimize public viewing.
c. Covering computer monitors with privacy screens.
d. Logging off the workstation when leaving it.
e. Using password-protected screensavers.
f. Locking office door to prevent unauthorized access by others when not at their
workstation.
g. Storing PHI in locked file cabinets.
h. Sending confidential electronic information in an encrypted format.
Approved by the Board of County Commissioners April 11, 2012.
_____________________________
Erik Kropp
Interim County Administrator
EXHIBIT A: Management Guidelines
COUNTY RESPONSIBILITIES:
1. The County Administrator will designate a County Privacy Coordinator. The County
Privacy Coordinator will ensure compliance with the HIPAA Privacy and Security Rule
through the implementation, management and monitoring of county and department
security policies.
a. The County Privacy Coordinator will maintain a log of all privacy and security incident
reports, their investigation, and the outcome or disposition.
b. The County Privacy Coordinator will periodically review the effectiveness of
departmental policies and procedures for HIPAA.
2. Through Deschutes County Administrative Policy No. IT 1, the County has established
an Information Security Program that complies with HIPAA Security and Privacy
regulations, State privacy regulations and State DHS policies.
3. The County, through the Information Technology Department, is responsible for
implementing and maintaining technical safeguards. Technical safeguards are security
controls (i.e., safeguards and countermeasures) applied to an information system that are
primarily implemented and executed by the information system through mechanisms
contained in the hardware, software, or firmware components of the system.
DEPARTMENT RESPONSIBILITIES:
County departments with PHI will obtain from employees and volunteers that have access to PHI
an acknowledgement that they have reviewed Policy RM-2, HIPAA Privacy and Security Policy.
1. Assigned Security Responsibility
a. Departments with specific HIPAA responsibilities will determine departmental
data sensitivity and classification levels and should have an active role in
designing access controls for their systems. Classification levels grant varying
access to protected information based on the business need and job duties of the
specific position. Employees shall have the minimum level of access to protected
information necessary to carry out their job functions.
b. Department staff shall not disclose protected health information to non-covered
entities except as permitted by this policy and department policies and
procedures.
2. Training
a. Departments with PHI shall be responsible for sending employees with access to
PHI to the general Risk Management training on the topic or establishing training
protocols for ensuring compliance with HIPAA privacy and security
requirements.
b. Departments with PHI shall establish policies and procedures for the
identification and reporting of security incidents. Security incidents may
include, but are not limited to:
i. Loss of a password
ii. Data loss or corruption that does not allow restoration
iii. Data theft or misuse
iv. Failure to implement or enforce access controls
v. Failure to exercise due care with data
vi. Unencrypted e-mail containing PHI
3. Incident Reporting Standards
Departments shall determine internal reporting procedures within their departments, but
in all cases, reports shall immediately be provided to the County Privacy Coordinator.
4. Business Associate Agreements
A Business Associate Agreement is a contract or agreement listing responsibilities and
protocols associated with the sharing of PHI. Department contract representatives will
implement a Business Associate Agreement, when PHI is shared with a business partner
or contractor.
5. Physical Safeguards
Departments and IT shall implement processes to minimize the possibility of unauthorized
physical access to, tampering with, and theft of PHI.
6. Security Safeguards
a. Deschutes County Administrative Policy No. HR-3 describes the use of
background checks as an administrative control to mitigate security risks.
b. IT requires passwords to include a combination of alphabetic, numeric and special
characters, in both upper and lower case.
c. IT maintains an asset inventory to track the movement and disposition of devices.
d. Networks are protected by firewalls, network access controls and content filters,
intrusion detection and other security devices.
e. Encryption technologies are employed to protect data both at rest and in transit.
f. Any suspected security breach will be reported to the Departmental Privacy
Coordinator. If a department does not have an internal privacy coordinator,
reports will be made to the County Privacy Coordinator.
g. Examples of suspected breaches include suspected hacking, a virus on a county
computer system, spam e-mail being sent from a county employee e-mail address, or a
stolen laptop.
h. IT is responsible for backing up and restoring software applications and the data
associated with them.
7. Documentation Retention
Deschutes County will maintain all documentation (e.g. policies, procedures) required by
the HIPAA Security Rule for a period of six years from the date of its creation or the date
when it last was in effect, whichever is later.
8. Disclosure and Authorization Forms
a. PHI disclosure can occur through written, verbal or electronic means.
b. PHI will be provided in the requested format, if reasonable and secure.
c. Disclosure of PHI must be for a specific purpose. Only the minimum necessary
health information related to the authorized request will be disclosed.
d. Each department that generates PHI shall obtain a specific written authorization
to disclose PHI to any other department or entity.
e. Authorization Forms will be processed by an authorized records manager or
designee.
f. Special Use/Authorization will be coordinated with the Departmental Privacy
Coordinator. A complete list of “Special Use” disclosure situations is detailed in
the County’s Privacy Notice.
g. Some departments with specially protected health information, such as alcohol
and drug treatment or STD records, will have further requirements for releasing
information outlined in their departmental policies and procedures.
h. Every disclosure must be logged in a retrievable system in accordance with
HIPAA regulations.
9. Privacy Notice
a. The County’s Privacy Notice informs affected individuals that Deschutes County
will use and/or disclose PHI for treatment, billing/payment for services, or
County operations without an authorization.
b. For departments with PHI, Privacy Notices shall be posted in public areas
including: lobbies, bulletin boards, health benefit plan documents, and on the
County Internet and Intranet.
c. Each employee, and/or client will be provided a Privacy Notice prior to receiving
county services.
10. Individual’s Rights
a. The County’s Privacy Notice lists specific rights an affected individual may
exercise. A request to exercise a right regarding PHI must be made in writing
and may include the following requests:
i. Right to Inspect and Copy
ii. Right to Amend
iii. Access to Records
iv. Right of an Accounting of Disclosures
v. Right to Request Restrictions/Right to Request Confidential
Communications
b. All requests will receive a written or verbal response within state and federal
mandated timelines.
11. Complaint or Grievance Rights
a. Each affected individual will have the right to lodge a complaint or grievance.
Common complaints or grievances include situations where an affected
individual’s request to exercise rights is not resolved to their satisfaction or they
believe their PHI was mishandled or inappropriately used or disclosed.
b. Complaints and grievances must be submitted in writing and include the name of the
affected individual, date of birth, current contact information and the nature of the
privacy rule believed to have been violated. The County’s written response will be made
in accordance with HIPAA regulations.
c. Appeals will be directed to Deschutes County’s Privacy Coordinator.
12. Law Enforcement and Juvenile Justice staff dealing with in custody or incarcerated
individuals have additional compliance regulations outlined in departmental policy.
EXHIBIT B: Privacy Notice Document
DESCHUTES COUNTY PRIVACY NOTICE SUMMARY
The following information describes the type of medical information we gather about you, with
whom that information may be shared and the safeguards we have in place to protect it. You have
the right to the confidentiality of your medical information and the right to approve or refuse the
release of specific information except when the release is required by law. If the practices
described in this notice meet your expectations, there is nothing you need to do. If you prefer that
we not share information we may honor your written request in certain circumstances described
below. If you have any questions about this notice, please contact our Privacy Coordinator at the
address below.
Who Will Follow This Notice
This notice describes Deschutes County's practices regarding the use of your medical information
and that of:
Any health care professional authorized to enter information into your medical record.
Any member of a volunteer group Deschutes County allows to help you while you are
receiving medical treatment from Deschutes County.
All employees, staff and other personnel who may need access to your information.
All departments and divisions of Deschutes County follow the terms of this notice. In
addition, County departments and divisions may share medical information with each
other for treatment, payment or health care purposes described in this notice.
Our Pledge Regarding Medical Information
We understand that medical information about you and your health is personal. Protecting
medical information about you is important. We create a record of the care and services you
receive. We need this record to provide you with quality care and to comply with certain legal
requirements. This notice applies to all of the records of your care generated by Deschutes
County, whether made by health care professionals or other personnel.
This notice will tell you about the ways in which we may use and disclose medical information
about you. We also describe your rights and certain obligations we have regarding the use and
disclosure of medical information.
We are required by law to keep medical information that identifies you private; give you this
notice of our legal duties and privacy practices with respect to medical information about you;
and follow the terms of the notice that is currently in effect.
How We May Use and Disclose Medical Information About You
The following categories describe different ways that we may use and disclose medical
information. For each category of uses or disclosures we will try to give some examples. Not
every use or disclosure in a category will be listed.
For Treatment. We may use medical information about you to provide you with medical
treatment or services. We may disclose medical information about you to doctors, nurses,
technicians, training doctors, or other health care professionals who are involved in taking care of
you. We also may disclose medical information about you to non-County entities that may be
involved in your medical care or that provide services that are part of your care.
For Payment. We may use and disclose medical information about you so that the treatment and
services you receive may be billed to and payment may be collected from you, an insurance
company or a third party. We may also use and disclose medical information about you to obtain
prior approval or to determine whether your insurance will cover treatment.
For Health Care Purposes. We may use and disclose medical information about you for health
care purposes. This is necessary to make sure that all of our clients and patients receive quality
care. For example, we may use medical information to review our treatment and services and to
evaluate the performance of our staff in caring for you. We may also disclose information to
doctors, nurses, technicians, training doctors, medical students, and other medical service
personnel for review and learning purposes. We may remove information that identifies you from
this set of medical information so others may use it to study health care and health care delivery
without learning who the specific patients are.
Appointment Reminders. We may use and disclose medical information to contact you as a
reminder that you have an appointment for treatment or medical care. We may leave appointment
reminders on voice-mail or answering machines.
Treatment Alternatives. We may use and disclose medical information to tell you about or
recommend possible treatment options or alternatives that may be of interest to you.
Health-Related Benefits and Services. We may use and disclose medical information to tell you
about health-related benefits or services that may be of interest to you.
Individuals Involved in Your Care or Payment for Your Care. We may release medical
information about you to a friend or family member who is involved in your medical care. We
may also give information to someone who helps pay for your care. In addition, we may disclose
medical information about you to an entity assisting in a disaster relief effort so that your family
can be notified about your condition, status and location.
Research. Under certain circumstances, we may use and disclose medical information about you
for research purposes. For example, a research project may involve comparing the health and
recovery of all patients who received one medication to those who received another, for the same
condition. All research projects, however, are subject to a special approval process.
As Required By Law. We will disclose medical information about you when required to do so
by federal, state or local law.
To Avert a Serious Threat to Health or Safety. We may use and disclose medical information
about you when necessary to prevent a serious threat to your health and safety or the health and
safety of the public or another person. Any disclosure, however, would only be to someone able
to help prevent the threat.
Special Situations
Organ and Tissue Donation. If you are an organ donor, we may release medical information to
organizations that handle organ procurement or organ, eye or tissue transplantation or to an organ
donation bank, as necessary to facilitate organ or tissue donation and transplantation.
Military and Veterans. If you are a member of the armed forces, we may release medical
information about you as required by military command authorities.
Workers' Compensation. We may release medical information about you for workers'
compensation or similar programs. These programs provide benefits for work-related injuries or
illness.
Public Health Risks. We may disclose medical information about you for public health
activities. These activities generally include the following:
to prevent or control disease, injury or disability;
to report births and deaths;
to report child abuse or neglect;
to report reactions to medications or problems with products;
to notify people of recalls of products they may be using;
to notify a person who may have been exposed to a disease or may be at risk for
contracting or spreading a disease or condition;
to notify the appropriate government authority if we believe a patient has been the victim
of abuse, neglect or domestic violence.
Health Oversight Activities. We may disclose medical information to a health oversight agency
for activities authorized by law. These oversight activities include, for example, audits,
investigations, inspections, and licensure. These activities are necessary for the government to
monitor the health care system, government programs, and compliance with civil rights laws.
Lawsuits and Disputes. We may disclose medical information about you in response to a
subpoena, discovery request, or other lawful order from a court.
Law Enforcement. We may release medical information if asked to do so by a law enforcement
official as part of law enforcement activities; in investigations of criminal conduct or of victims
of crime; in response to court orders; in emergency circumstances; or when required to do so by
law.
Coroners, Medical Examiners and Funeral Directors. We may release medical information to
a coroner or medical examiner. This may be necessary for example, to identify a deceased person
or cause of death.
Protective Services for the President, National Security and Intelligence Activities. We may
release medical information about you to authorized federal officials so they may provide
protection to the President, other authorized persons or foreign heads of state or conduct special
investigations, or for intelligence, counterintelligence, and other national security activities
authorized by law.
Inmates. If you are an inmate of a correctional institution or under the custody of a law
enforcement official, we may release medical information about you to the correctional institution
or law enforcement official. This release would be necessary (1) for the institution to provide you
with health care; (2) to protect your health and safety or the health and safety of others; or (3) for
the safety and security of the correctional institution.
Your Rights Regarding Medical Information About You
You have the following rights regarding medical information we maintain about you:
Right to Inspect and Copy. You have the right to inspect and copy medical information that
may be used to make decisions about your care. Usually, this includes medical and billing
records, but does not include psychotherapy notes.
To inspect and copy medical information that may be used to make decisions about you, you
must submit your request in writing to our Privacy Coordinator at the address below. If you
request a copy of the information, we may charge a fee for the costs of copying, mailing or other
supplies associated with your request.
We may deny your request to inspect and copy in certain very limited circumstances. If you are
denied access to medical information, you may request that the denial be reviewed by Deschutes
County's Privacy Coordinator.
Right to Amend. If you feel that medical information we have about you is incorrect or
incomplete, you may ask us to amend the information. You have the right to request an
amendment for as long as the information is kept.
To request an amendment your request must be made in writing and submitted to our Privacy
Coordinator. In addition, you must provide a reason that supports your request.
We may deny your request for an amendment if it is not in writing or does not include a reason to
support the request. In addition, we may deny your request if you ask us to amend information
that:
Was not created by us, unless the person or entity that created the information is no
longer available to make the amendment;
Is not part of the medical information kept by Deschutes County;
Is not part of the information which you would be permitted to inspect and copy; or
Is accurate and complete.
Right to an Accounting of Disclosures. You have the right to request an "accounting of
disclosures." This is a list of the disclosures we made of medical information about you. To
request this list or accounting of disclosures, you must submit your request in writing to our
Privacy Coordinator. Your request must state a time period that may not be longer than six years
and may not include dates before April 14, 2003. Your request should indicate in what form you
want the list (for example, on paper or electronically). The first list you request within a 12-month
period will be free. For additional lists, we may charge you for the costs of providing the list. We
will notify you of the cost involved and you may choose to withdraw or modify your request at
that time before any costs are incurred.
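Exhibit A (item 8.h) requires every disclosure to be logged in a retrievable system, and the accounting request described above puts two limits on what may be requested: a period no longer than six years, with no dates before April 14, 2003. The following Python is an added example written for this page, not County code and not a schema the policy prescribes: the Disclosure fields, the sample entries and the recipient names are constructed for illustration; only the two window limits are taken from the notice.

```python
from dataclasses import dataclass
from datetime import date

# Limits stated in the County Privacy Notice for an accounting of disclosures.
ACCOUNTING_FLOOR = date(2003, 4, 14)   # no dates before April 14, 2003
ACCOUNTING_MAX_YEARS = 6               # requested period may not exceed six years


@dataclass(frozen=True)
class Disclosure:
    """One release of PHI. The field set is assumed; the policy fixes no schema."""
    disclosed_on: date
    patient_id: str     # internal record identifier (constructed)
    recipient: str      # who received the information
    purpose: str        # the specific purpose the release was made for
    description: str    # what was released: the minimum necessary for that purpose


def _add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February with no counterpart in the target year
        return d.replace(year=d.year + years, day=28)


def window_problems(start_iso, end_iso):
    """Return the reasons a requested period is not acceptable (empty if it is)."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    problems = []
    if start > end:
        problems.append("start date is after end date")
    if start < ACCOUNTING_FLOOR:
        problems.append(f"period includes dates before {ACCOUNTING_FLOOR.isoformat()}")
    if end > _add_years(start, ACCOUNTING_MAX_YEARS):
        problems.append(f"period is longer than {ACCOUNTING_MAX_YEARS} years")
    return problems


class DisclosureLog:
    """Append-only log: entries are immutable and nothing here deletes them."""

    def __init__(self):
        self._entries = []

    def record(self, entry):
        # Refuse incomplete entries; an accounting must be able to say who, why and what.
        for name in ("patient_id", "recipient", "purpose", "description"):
            if not getattr(entry, name).strip():
                raise ValueError(f"disclosure entry is missing '{name}'")
        self._entries.append(entry)

    def accounting(self, patient_id, start_iso, end_iso):
        """Disclosures of one patient's PHI within the requested period, oldest first."""
        problems = window_problems(start_iso, end_iso)
        if problems:
            raise ValueError("; ".join(problems))
        start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
        return sorted(
            (e for e in self._entries
             if e.patient_id == patient_id and start <= e.disclosed_on <= end),
            key=lambda e: e.disclosed_on,
        )


def sample_log():
    """Constructed entries for demonstration only; not County data."""
    log = DisclosureLog()
    log.record(Disclosure(date(2011, 3, 2), "P-1001", "state public health authority",
                          "public health reporting", "communicable disease report"))
    log.record(Disclosure(date(2012, 1, 15), "P-1001", "circuit court",
                          "response to court order", "visit dates, June to September 2011"))
    log.record(Disclosure(date(2012, 2, 1), "P-2002", "workers' compensation carrier",
                          "workers' compensation claim", "treatment notes for the claimed injury"))
    return log


if __name__ == "__main__":
    for e in sample_log().accounting("P-1001", "2011-01-01", "2012-04-15"):
        print(e.disclosed_on, e.recipient, e.purpose, e.description, sep=" | ")
```

The request is validated before any records are read, so a request outside the permitted window is refused with the reason rather than silently truncated. Note that this returns every logged entry in the period; the HIPAA accounting rule (45 CFR 164.528) exempts certain disclosures, such as those made for treatment, payment and health care operations, so a production log would need a field marking exempt entries and a filter at this point.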
Right to Request Restrictions. You have the right to request a restriction or limitation on the
medical information we use or disclose about you for treatment, payment or health care
operations. You also have the right to request a limit on the medical information we disclose
about you to someone who is involved in your care or the payment for your care, like a family
member or friend.
We are not required to agree to your request. If we do agree, we will comply with your request
unless the information is needed to provide you emergency treatment.
To request restrictions, you must make your request in writing to our Privacy Coordinator at the
address below. In your request, you must tell us (1) what information you want to limit; (2)
whether you want to limit our use, disclosure or both; and (3) to whom you want the limits to
apply.
Right to Request Confidential Communications. You have the right to request that we
communicate with you about medical matters in a certain way or at a certain location. For
example, you can ask that we only contact you at work or by mail.
To request confidential communications, you must make your request in writing to our Privacy
Coordinator. We will not ask you the reason for your request. We will accommodate all
reasonable requests. Your request must specify how or where you wish to be contacted.
Right to a Paper Copy of This Notice. You have the right to a paper copy of this notice at any
time. Even if you have agreed to receive this notice electronically, you are still entitled to a paper
copy of this notice.
To obtain a paper copy of this notice, please request one in writing from our Privacy Coordinator
at the address below.
Changes To This Notice
We reserve the right to change this notice. We reserve the right to make the revised or changed
notice effective for medical information we already have about you as well as any information we
receive in the future. We will post a copy of the current notice. The notice will contain on the first
page, in the top right-hand corner, the effective date.
Complaints
If you believe your privacy rights have been violated, you may file a complaint with Deschutes
County's Privacy Coordinator or with the Secretary of the Department of Health and Human
Services. To file a complaint with Deschutes County, contact our Privacy Coordinator at the
address and phone number below. All complaints must be submitted in writing. You will not be
penalized for filing a complaint.
Other Uses of Medical Information
Other uses and disclosures of medical information not covered by this notice or the laws that
apply to us will be made only with your written permission. If you provide us permission to use
or disclose medical information about you, you may revoke that permission, in writing, at any
time. If you revoke your permission thereafter, we will no longer use or disclose medical
information about you for the reasons covered by your written authorization. You understand that
we are unable to take back any disclosures we have already made with your permission and that
we are required to retain our records of the care that we provided to you.
Privacy Officer:
Erik Kropp
Deschutes County Risk Management
1300 NW Wall St. Suite 200
Bend, OR. 97701
EXHIBIT C: Confidentiality Agreement
CONFIDENTIALITY AGREEMENT
DESCHUTES COUNTY EMPLOYEE OR VOLUNTEER
Deschutes County employees and volunteers have an obligation to safeguard confidential
information and records to which they have access or become aware of during the performance of
their job duties. Confidential information is information which is private or which the law
prohibits disclosure of to unauthorized persons. For example, medical records, mental health
records, personal information and financial records of individuals and businesses are confidential.
It is important that you understand your obligation to maintain the confidentiality of information
and records you may access or become aware of while working for Deschutes County. Improper
disclosure or release of confidential information or records can be damaging or embarrassing and
can result in personal legal liability or criminal penalties. Also, any employee or volunteer who
improperly uses, discloses or releases confidential information or records will be subject to
disciplinary action, up to and including termination of employment or volunteer status with
Deschutes County. Except as is necessary to perform official work for Deschutes County, no
employee or volunteer of Deschutes County is authorized to use, disclose or release any
information or records to which the employee or volunteer has access or becomes aware of during
his or her work for Deschutes County without the express approval of the employee's or
volunteer's supervisor or Department Head.
As an employee of or volunteer with Deschutes County, you need to agree to abide by the laws
and policies governing confidentiality by signing this Confidentiality Agreement. If, at any time,
you have any questions regarding confidentiality laws or policies or regarding your obligation to
maintain the confidentiality of any information or records, you are to contact your supervisor,
Department Head or Deschutes County Legal Counsel.
BY SIGNING BELOW, I CERTIFY THAT I HAVE READ AND UNDERSTAND THIS
AGREEMENT, THAT, AS AN EMPLOYEE OF OR VOLUNTEER WITH DESCHUTES
COUNTY, I HAVE A DUTY TO ABIDE BY THE LAWS AND POLICIES REGARDING
CONFIDENTIAL INFORMATION AND RECORDS, AND THAT I WILL ABIDE BY THOSE
LAWS AND POLICIES. I FURTHER UNDERSTAND AND AGREE THAT, IF I
IMPROPERLY USE, DISCLOSE OR RELEASE CONFIDENTIAL INFORMATION OR
RECORDS, I WILL BE SUBJECT TO DISCIPLINARY ACTION, UP TO AND INCLUDING
TERMINATION OF MY EMPLOYMENT OR VOLUNTEER STATUS WITH DESCHUTES
COUNTY.
_______________________________________________
Employee or Volunteer (Print)
_______________________________________________ __________________
Signature Date