File #: 17-0866    Version: 1
Type: Agenda Item Status: Approved
File created: 7/26/2017 In control: Board of Supervisors
On agenda: 8/29/2017 Final action: 8/29/2017
Title: Chief Administrative Office recommending the Board: 1) Approve revisions to Board of Supervisors Policy L-1, Privacy, General; 2) Repeal the following policies: a) L-2 Privacy: General b) L-3 Privacy: Client Rights c) L-4 Privacy: Use and Disclosure of Protected Health Information d) L-5 Privacy: Minimum Necessary e) L-6 Privacy: Administrative, Technical, and Physical Safeguards f) L-7 Privacy: Research Use And Disclosure g) L-8 Privacy: De-Identified Protected Health Information, Limited Data Sets, Data Use Agreements h) L-9 Privacy: Business Associates i) L-10 Privacy: Sanctions, Penalties, And Whistleblowers j) L-11 Privacy: Group Health Plans; and 3) Adopt the El Dorado County Privacy & Security Policies and Procedures in compliance with the Health Insurance Portability and Accountability Act. (Est. Time: 10 Min.) FUNDING: General Fund.
Attachments: 1. A - Policy L-1 Revised 8-15-17, 2. B - HIPAA PRIVACY RULE Policies and Procedures 8-15-17, 3. C - HIPAA SECURITY RULE Policies and Procedures 8-15-17, 4. D - General Computer and Network Usage Policy 8-15-17, 5. E - Business Associate Deccision Tool DRAFT 8-15-17, 6. F - Notice of Privacy Policy and Acknowledgement 8-15-17, 7. G - HIPAA Privacy Complaint Form 8-15-17, 8. H - Training Acknowledgement Form Draft 8-15-17, 9. I - HIPAA Phase II Assessment for HHSA - Example 8-15-17
Related files: 22-2241, 21-1400, 23-0589, 22-1077

Body

DEPARTMENT RECOMMENDATION

Chief Administrative Office recommending the Board adopt the El Dorado County Privacy & Security Policy in compliance with the Health Insurance Portability and Accountability Act (HIPAA).

 

DISCUSSION / BACKGROUND

The Health Insurance Portability and Accountability Act (“HIPAA”) was enacted in 1996 to create a national standard to protect and enhance the rights of individuals by providing access to their health information and to control and limit the use and disclosure of protected health information (“PHI”). As a covered entity, El Dorado County is required to maintain written documentation of individual rights with respect to PHI.  Updates to the policy are required to ensure compliance with current HIPAA requirements. 

 

El Dorado County is designated as a covered hybrid entity, defined by HIPAA as an organization that uses or discloses protected health information for only a part of its business operations, and is required to comply with 45 CFR § 160-164. Privacy regulations, under 45 CFR § 164.105, require hybrid entities to implement formal written policies and procedures to ensure compliance with the Rule.

 

On January 23, 2007, the Board approved and adopted the El Dorado County Privacy Policies in compliance with HIPAA. A HIPAA Policies/Procedures Workgroup was established to satisfy the current requirements of HIPAA. The workgroup included members from the County's health care components, including the CAO, County Counsel, Auditor-Controller, Treasurer/Tax Collector Revenue Recovery, Information Technologies, Public Health, Mental Health, Human Services, and Risk Management.

 

Attachment A is revised Policy L-1, Protected Health Information (HIPAA), General. Previously this Board Policy was titled "Privacy, General." The change in name reflects the inclusion of the Security policies, which comply with the HIPAA Security Rule. This item also includes the repeal of the remainder of Section L (L-2 through L-11). The detailed policies required for HIPAA compliance have instead been compiled into a two-part policies and procedures manual that covers both the privacy and security aspects of HIPAA. The policy changes were developed in collaboration with subject matter experts from the Health & Human Services Agency, County Counsel, Risk Management and Information Technology, and then shared with all department heads for feedback and input.

 

The Workgroup expects to reconvene following the selection and hire of a Privacy Officer. Revisions or additions to the policy manual may result, and would come to the Board for review and approval.

 

OTHER DEPARTMENT / AGENCY INVOLVEMENT

Health and Human Services Agency

Information Technologies

Risk Management

County Counsel

 

CAO RECOMMENDATION

The Chief Administrative Office recommends the Board approve this item.

 

FINANCIAL IMPACT

The approval of the policies and the HIPAA Privacy and Security Policy Manual will not directly impact funding. However, the policies refer to a Privacy Officer position to be tasked with ensuring that policies are implemented and updated as needed to maintain compliance with HIPAA law. Funding for this position was included in the FY 2016-17 Budget and Human Resources/Risk Management personnel allocation.

 

CLERK OF THE BOARD FOLLOW UP ACTIONS

Post approved policy to the Board of Supervisors policies webpage.

 

CONTACT

Don Ashton, Chief Administrative Officer