STATE OF WASHINGTON
County of Jefferson
In the Matter of Adopting a Policy }
Regarding Privacy of Health }
Information under the Health }
Insurance Portability and }
Accountability Act of 1996 }
("HIPAA") }
RESOLUTION NO. 13-04
WHEREAS, in 1996, Congress adopted the Health Insurance Portability and
Accountability Act (Pub. L. 104-191) (HIPAA) in order to improve the efficiency of the nation's
health care system and protect the security and confidentiality of health information; and
WHEREAS, on August 14, 2002, the United States Department of Health and Human
Services published final regulations implementing requirements relating to privacy of
individually identifiable health information, set out at 45 C.F.R. 160 and 45 C.F.R. subpart E
(collectively the "HIPAA privacy regulations"); and
WHEREAS, Jefferson County must comply with applicable requirements of the HIPAA
privacy regulations; and
WHEREAS, on February 20, 2003, the United States Department of Health and Human
Services published final regulations implementing requirements relating to security of electronic
protected health information, set out at 45 C.F.R. 160 and 45 C.F.R. subpart C (collectively the
"HIPAA security standards"); and
WHEREAS, Jefferson County must comply with applicable requirements of the HIPAA
security standards no later than April 21, 2005; and
WHEREAS, Jefferson County desires to enact provisions necessary to implement the
requirements under the HIPAA privacy regulations and HIPAA security standards;
NOW, THEREFORE, BE IT RESOLVED, by the Jefferson County Board of
Commissioners that the following policy be adopted as ATTACHMENT A to this resolution.
JEFFERSON COUNTY
BOARD OF COMMISSIONERS
SEAL
ATTEST
Julie Matthes, CMC
Deputy Clerk of the Board
Patrick M. Rodgers, Member
ATTACHMENT "A"
POLICY
Health Insurance Portability
And Accountability Act of 1996 (HIPAA)
Section 1 - Subject
Compliance with the Health Insurance Portability And Accountability Act of 1996 (HIPAA)
Section 2 - Purpose
The purpose of this chapter is to ensure compliance with the Health Insurance Portability and
Accountability Act of 1996 (Pub. L. 104-191) and its implementing administrative regulations set forth
in 45 C.F.R. parts 160-164.
Section 3 - Affected Parties
Relating to Privacy of Health information under HIPAA and Adopting Chapter 2.5IA sac - 2
Jefferson County is a hybrid entity. This chapter shall apply to all county programs which perform
health plan or health care provider activities that fall within the definition of a covered function.
Section 4 - References
Health Insurance Portability And Accountability Act of 1996 (HIPAA) (Pub. L. 104-191)
HIPAA privacy regulations - 45 C.F.R. 160 and 45 C.F.R. subpart E
HIPAA security standards - 45 C.F.R. 160 and 45 C.F.R. subpart C
Section 5 - Definitions
The following definitions shall apply to terms used in this policy:
Business associate has the same meaning as that phrase is defined in 45 C.F.R. 160.103.
Covered component has the same meaning as the phrase "health care component" defined in 45 C.F.R.
164.103.
Covered function has the same meaning as that phrase is defined in 45 C.F.R.
164.103.
Electronic protected health information has the same meaning as that phrase is defined in 45 C.F.R.
160.103.
HIPAA means the Health Insurance Portability and Accountability Act of 1996 (Pub. L. 104-191).
HIPAA privacy regulations means those regulations set out at 45 C.F.R. 160 and 45 C.F.R. subpart E.
HIPAA security standards means those regulations set out at 45 C.F.R. 160 and 45 C.F.R. subpart C.
Hybrid entity has the same meaning as that phrase is defined in 45 C.F.R. 164.103.
JEFFERSON COUNTY POLICY Health Insurance Portability And Accountability Act of 1996 (HIPAA)
Protected health information has the same meaning as that phrase is defined in 45 C.F.R. 160.103.
Section 6 - Policies
The rules and requirements set forth in this chapter shall be construed in favor of giving effect to the
HIPAA privacy regulations and HIPAA security standards.
6.1 HIPAA Privacy Officer - Appointment and Responsibility
The Director of Health and Human Services shall be the county-wide HIPAA privacy officer.
The HIPAA privacy officer shall:
(a) Develop, adopt with the approval of the County Administrator and maintain HIPAA privacy
policies and procedures to provide for:
(i) Training of County employees working within covered components, as necessary to carry
out their respective functions, in accordance with 45 C.F.R. 164.530(b), and
documentation of such training;
(ii) Ensuring appropriate administrative, technical and physical safeguards are in place to
protect protected health information from unauthorized use or inadvertent disclosure to
persons other than the intended recipient;
(iii) Assisting in the identification of business associates;
(iv) Limitations on access to protected health information;
(v) Conditions for use and disclosure of protected health information;
(vi) Individual rights regarding protected health information maintained by the County;
(vii) A process for complaints concerning HIPAA policies and procedures, or covered
components' compliance with HIPAA policies and procedures, or other requirements
under the HIPAA privacy regulations;
(viii) Mitigation for any use or disclosure of protected health information that is in violation of
the county's HIPAA privacy policies and procedures;
(ix) Such policies and procedures necessary to comply with amendments or additions to the
HIPAA privacy regulations.
(b) Establish, with the approval of the County Administrator and publish sanctions for employees
who fail to comply with the county's HIPAA privacy policies and procedures. Sanctions will be
appropriate to the nature of the violation and will not apply to whistleblower activities, nor to
complaints or investigations. Sanctions will be imposed upon County employees in a manner
consistent with any controlling collective bargaining agreement.
(c) Designate the County programs which are covered components using standards set out in the
HIPAA privacy regulations, update the designations as necessary, and document the
designations as provided in 45 C.F.R. 164.530(1).
6.2 No Retaliation
No covered component or County employee may intimidate, threaten, coerce, discriminate against or
take other retaliatory action against any individual for the exercise by the individual of any right under,
or for participation by the individual in any process established by the HIPAA privacy regulations,
including the filing of a complaint or as otherwise prohibited under the HIPAA privacy regulations.
6.3 No Waiver of Rights
No covered component or County employee may require any individual to waive his or her right to file
a complaint with the Secretary of the United States Department of Health and Human Services as a
condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.
6.4 HIPAA Security Officer - Appointment and Responsibility
The Central Services Director shall be the county-wide HIPAA security officer.
(1) The HIPAA security officer must ensure the confidentiality, integrity, and availability of all
electronic protected health information created, received, maintained or transmitted by the
County; protect against any reasonably anticipated threats or hazards to the security or integrity
of such information; protect against any reasonably anticipated uses or disclosures of such
information that are not permitted under the HIPAA privacy regulations; and ensure compliance
by the county's workforce.
(2) To accomplish these responsibilities, the HIPAA security officer shall:
(a) Develop, adopt with the approval of the County Administrator and maintain HIPAA
security policies and procedures:
(i) To prevent, detect, contain, and correct security violations;
(ii) To ensure that all members of the county workforce have appropriate access to
electronic protected health information (including technical procedures);
(iii) To prevent access to electronic protected health information by those workforce
members who do not have authority under the HIPAA privacy regulations
(including technical procedures);
(iv) To address security incidents;
(v) To respond to emergencies or other occurrences (for example, fire, vandalism,
system failure, and natural disaster) that damage systems that contain electronic
protected health information;
(vi) To create and maintain retrievable exact copies of electronic protected health
information and to restore any loss of data;
(vii) To enable continuation of critical business processes for protection of security of
electronic protected health information while operating in emergency mode;
(viii) To limit physical access to its electronic information systems and the facility or
facilities in which they are housed, while ensuring that properly authorized access
is allowed;
(ix) To specify the proper functions to be performed, the manner in which those
functions are to be performed, and the physical attributes of the surroundings of a
specific workstation or class of workstation where electronic protected health
information can be accessed;
(x) To govern the receipt and removal of hardware and electronic media that contain
electronic protected health information into and out of a facility, and the
movement of these items within the facility;
(xi) To address the final disposition of electronic protected health information, and/or
the hardware or electronic media on which it is stored;
(xii) For removal of electronic protected health information from electronic media
before the media are made available for re-use;
(xiii) To protect electronic protected health information from improper alteration or
destruction;
(xiv) To verify that a person or entity seeking access to electronic protected health
information is the one claimed; and
(xv) Such policies and procedures necessary to comply with amendments or additions
to the HIPAA security standards.
(b) Implement a security awareness and training program for all members of the county
workforce (including management);
(c) Perform a periodic technical and nontechnical evaluation, based initially upon the
HIPAA security standards and subsequently, in response to environmental or operational
changes affecting the security of electronic protected health information, that establishes
the extent to which the county's security policies and procedures meet the requirements
of the HIPAA security standards;
(d) Implement all necessary safeguards for all workstations that access electronic protected
health information to restrict access to authorized users only;
(e) Implement hardware, software, and/or procedural mechanisms that record and examine
activity in information systems that contain or use electronic protected health
information;
(f) Implement technical security measures to guard against unauthorized access to electronic
protected health information that is being transmitted over an electronic communications
network; and
(g) Establish, with the approval of the County Administrator, and publish the sanctions for
employees who fail to comply with the county's HIPAA security policies and
procedures. Sanctions will be appropriate to the nature of the violation and will not apply
to whistleblower activities, nor to complaints or investigations. Sanctions will be
imposed upon County employees in a manner consistent with any controlling collective
bargaining agreement.
____ day of ____, 2004.
JEFFERSON COUNTY
BOARD OF COMMISSIONERS
Julie Matthes, CMC
Deputy Clerk of the Board
APPROVED AS TO FORM
Prosecuting Attorney