HIPAA Privacy & Security Policy: Training and Compliance Procedures

HIPAA Privacy and Security Training and Compliance Procedures

HIPAA Privacy & Security Policy 2013 Training and Compliance Procedures


Introduction to Training and Compliance Procedures For HIPAA Privacy and Security Policy

The Privacy and Security Rules

The HIPAA Privacy and Security Compliance Policy was amended and adopted by the Mendocino County Board of Supervisors. This document describes the practices and procedures the County of Mendocino Human Resources Benefits Administration will follow to comply with the HIPAA Privacy and Security Compliance Policy. The County of Mendocino administers a Self-Insured Employee Benefits Plan, which is required to comply with the Health Insurance Portability and Accountability Act (HIPAA). Since August 1996 the federal government has had the ability to mandate how healthcare plans, providers and clearinghouses store and transmit individuals’ personal healthcare information. The HIPAA Privacy and Security Rules establish regulations that all healthcare plans, providers and clearinghouses must comply with. HIPAA compliance is made up of two rules: the Standards for Privacy Rule and the Security Standards Rule. The Privacy Rule controls the use and disclosure of what is known as protected health information (PHI) and enables the patient to control the disclosure of their own PHI to certain entities. The Security Rule focuses on requirements for covered entities, such as the County of Mendocino, to protect and safeguard the confidentiality, integrity, and availability of electronic protected health information (EPHI). The Security Rule covers close observation and protection of the organization’s computer network, access to the network, and the method by which the organization stores and handles such data. Many of the Privacy Rules are simple; others are complex and afford the patient greater knowledge of the content of their medical record and how that content (PHI) is used.

The Security Rule is intentionally written in broad terms, to allow entities the flexibility to scale their efforts and to increase each entity’s ability to comply within its own level of technological sophistication. The Security Rule is comprised of three categories of safeguards: administrative, physical and technical. This procedure covers the Mendocino County Self-Insured Employee Benefits Plan as a covered entity that conducts transactions covered by HIPAA Regulations, electronically or manually. It is intended to protect the confidentiality, integrity, and availability of electronic protected health information and protected health information. This policy is in full effect for all aspects of the County of Mendocino’s Self-Insured Employee Benefits Plan, including its administration, any member participation, and all directly related health plan activities. This policy also covers all Business Associates that work with the Mendocino County Self-Insured Employee Benefits Plan. This document defines the procedures to ensure compliance with the HIPAA Regulations.


Contents

I. Privacy Rule .... 5
   Privacy Rule Overview .... 5
   What is Protected Health Information (PHI)? .... 5
   How HIPAA is Applicable to Mendocino County Employees? .... 5
   Plan Sponsor and Plan Certification by Board Approved Policy .... 5
   Who Can Access PHI and EPHI? .... 6
   Protected Health Information Authorized Releases .... 6
   Permitted Uses and Disclosures of PHI and EPHI .... 6
   Minimum Disclosure of Necessary Information .... 12
   Summary Health Information and Permitted Uses and Disclosures .... 13
   Business Associate Agreements .... 13
   Privacy Official - Job Description and Contact Information .... 13
      Responsibilities .... 13
      Contacting the Privacy Official .... 14
   Privacy Complaints .... 15
      Procedures .... 15
   Notice of Privacy Practices and Annual Notice Requirements .... 16
   Sanctions for Violating the Privacy or Security Rule .... 16
      Procedures .... 16
   Mitigation of Harm Due to Improper Uses or Disclosures .... 17
      Procedures .... 17
   No Retaliation or Intimidation Rules .... 17
   Compliance with Breach Guidelines and Notices .... 18
   Annual Risk Analysis Conducted .... 18
   Periodic Review of Privacy Rule Compliance .... 18
   Annual Notice of Privacy Practices and any Updates .... 18
   Privacy and Security Training and Annual Refresher Courses .... 18

II. Security Rules .... 19
   Security Rule Overview .... 19
   Risk Analysis .... 19
   Security Official - Job Description and Contact Information .... 19
      Contacting the Security Official .... 21
   Audit Controls .... 21
   Workforce Clearance Requirements for access to EPHI .... 21
   User Identification and Authentication .... 21
   Automatic Log-Off .... 22
   Transmission Security and Encryption Technology .... 22
   Protection From Malicious (Anti-virus) Software .... 22
   Security Incidents .... 22
   Firewalls .... 22
   Computer Backups .... 23
   Facility Security and Contingency Plans .... 23
   Computer Work Station Use .... 23
   Sanction Provisions .... 24
   Workforce Termination .... 25
   Annual Risk Analysis Conducted .... 25
   Periodic Review of Privacy Rule Compliance .... 25
   Privacy and Security Training and Annual Refresher Courses .... 26

III. Forms .... 27
   County Of Mendocino Notice Of Privacy Practices .... 30
   Business Associate Agreement .... 39
   Workforce Confidentiality Agreement .... 46
   HIPAA Incident and Risk Assessment Form .... 48


I. Privacy Rule

Privacy Rule Overview

The Privacy Rule protects health information that is “individually identifiable” but does not cover all forms of health information. Protected health information includes information created or received by a provider, health plan or employer that relates to the physical or mental health of an individual at any time, past, present or future (and includes payments for services). Also protected is any information from which someone could be individually identified and that is in the possession or control of the County of Mendocino Self-Insured Employee Benefits Plan.

What is Protected Health Information (PHI)?

Protected Health Information (PHI) is defined as individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g, records described at 20 U.S.C. 1232g(a)(4)(B)(iv), and employment records held by a covered entity in its role as employer. Electronic Protected Health Information (EPHI) is any Protected Health Information (PHI) that is transmitted by electronic media or maintained in electronic media. Protected Health Information (PHI) is a subset of Individually Identifiable Health Information (IIHI). IIHI is any health information (including demographic information) that is collected from the patient or created or received by a health care provider or other covered entity or employer that relates to:

- The past, present or future physical or mental health or condition of an individual, or
- The provision of healthcare, or
- The past, present or future payment for the provision of healthcare by the County Plan, AND
- That could potentially identify an individual.

How HIPAA is Applicable to Mendocino County Employees?

The County of Mendocino administers its Self-Insured Employee Benefits Plan, which covers the County Employees, Retirees (while applicable), and their covered spouses and dependents. The County of Mendocino complies with the federal laws related to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Under HIPAA regulations, all PHI and EPHI arising from administration of said Employee Benefits Plan are subject to this procedure and covered under the HIPAA policy.

Plan Sponsor and Plan Certification by Board Approved Policy

The Plan Sponsor of the County of Mendocino Self-Insured Employee Benefit Plan is provided by the County of Mendocino and the County Benefits Office. The Plan Sponsor is responsible for the proper administration of the plan.


Who Can Access PHI and EPHI?

The County of Mendocino Self-Insured Employee Benefit Plan and its authorized employees within the Human Resources department will come into occasional contact with covered members’ Protected Health Information in a variety of methods and formats. Third parties hired by the County of Mendocino to assist in administration of the health benefits will also have access to protected health information in a normal business context. Applicable County staff agree to abide by current HIPAA rules and regulations and to strictly adhere to the County’s policy and procedures defining HIPAA compliance. Third parties or contractors agree to comply with current HIPAA rules and regulations by entering into a binding Business Associate Agreement with each new contract period.

Protected Health Information Authorized Releases

PHI can be accessed by individual members or their authorized representative with proper documentation and identification. If a plan participant wishes to request access to their PHI or EPHI, they can do so by contacting the County of Mendocino Human Resources Department Benefits Division at 501 Low Gap Road, Room #1326, Ukiah, CA 95482. If a plan participant wishes to authorize a representative to access their PHI or EPHI, the plan participant would complete an Authorization Form to Use and Disclose Your Protected Health Information (located in the FORMS section of this document). An authorized representative would bring the participant’s original signed authorization form and photo identification to the County of Mendocino Human Resources Department Benefits Division at 501 Low Gap Road, Room #1326, Ukiah, CA 95482 for approval of the authorization request. The County of Mendocino reserves the right to approve or deny the request, and may require further information to approve the request.

Permitted Uses and Disclosures of PHI and EPHI

The uses and disclosures discussed in the procedures below are permitted without participant or beneficiary permission (written or otherwise), provided the particular requirements of these procedures and the Privacy Rule are met.

1. The following uses and disclosures of Mendocino County Self-Insured Employee Benefit Plan protected health information for “payment” purposes are permitted:
   a. Additional uses and disclosures may also fall within the Privacy Rule’s definition of “payment.” The Human Resources Director/Privacy Official will determine on a case-by-case basis if a particular use or disclosure is a payment activity.
   b. All uses and disclosures of protected health information for payment activities will comply with Mendocino County Self-Insured Employee Benefit Plan Procedures for Minimum Disclosure of Necessary Information.

2. The following uses and disclosures of Mendocino County Self-Insured Employee Benefit Plan protected health information for “health care operations” purposes are permitted:
   a. Additional uses and disclosures may also fall within the Privacy Rule’s definition of “health care operations.” The Human Resources Director/Privacy Official will determine on a case-by-case basis if a particular use or disclosure is a health care operations activity.
   b. All uses and disclosures of protected health information for health care operations activities will comply with Mendocino County Self-Insured Employee Benefit Plan Procedures for Minimum Disclosure of Necessary Information.

3. The additional uses and disclosures of Mendocino County Self-Insured Employee Benefit Plan protected health information are permitted as described in the remainder of these procedures.

4. To Mendocino County Self-Insured Employee Benefit Plan service providers and business associates.

5. For the treatment and payment activities of another covered entity.
   a. Upon request by a health care provider, Mendocino County Self-Insured Employee Benefit Plan will disclose protected health information to a health care provider for that provider’s treatment activities.
   b. Upon request by another covered entity or a health care provider, Mendocino County Self-Insured Employee Benefit Plan will disclose protected health information for purposes of the requestor’s payment activities.
   c. Mendocino County Self-Insured Employee Benefit Plan assumes the information requested by a provider or another covered entity is the minimum necessary.

6. For the following health care operations activities of another covered entity. Upon request by another covered entity, Mendocino County Self-Insured Employee Benefit Plan will disclose protected health information for purposes of the requestor’s health care operations activities if the following conditions are met:
   a. The other entity has or had a relationship with the participant or beneficiary who is the subject of the protected health information.
   b. The health care operation activity is one of the following types of activities:
      i. Quality assessment and improvement
      ii. Population-based activities relating to improving health or reducing health care costs
      iii. Case management
      iv. Conducting training programs
      v. Accreditation, certification, licensing, or credentialing
      vi. Health care fraud and abuse detection or compliance
   c. Mendocino County Self-Insured Employee Benefit Plan assumes that the information requested by a covered entity is the minimum necessary.

7. As required by law.
   a. Mendocino County Self-Insured Employee Benefit Plan will use or disclose protected health information as required by law.
   b. The following common or recurring uses or disclosures of protected health information are permitted as “required by law”:
   c. The Human Resources Director/Privacy Official, in conjunction with the County Counsel Office, will determine on a case-by-case basis whether other uses and disclosures are required by law. If the use or disclosure will be common and recurring, it should be added to the list above.
   d. The Human Resources Director/Privacy Official will ensure that uses or disclosures required by law will be limited to the requirements of the law. The Mendocino County Self-Insured Employee Benefit Plan minimum disclosure of necessary information policy does not apply to uses or disclosures required by law.
   e. The following uses and disclosures required by law have additional requirements, as discussed below in these procedures:
      i. Relating to victims of abuse, neglect, or domestic violence
      ii. Judicial or administrative proceedings
      iii. Disclosures for law enforcement purposes

8. For public health activities. Uses or disclosures of protected health information for public health activities will be rare. See the Human Resources Director/Privacy Official for any uses or disclosures potentially falling within this category.

9. For health oversight activities. Mendocino County Self-Insured Employee Benefit Plan will disclose protected health information for purposes of health oversight activities.
   a. Health oversight activities are those relating to oversight of:
      i. The health care system;
      ii. Government benefit programs for which health information is relevant to beneficiary eligibility;
      iii. Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or
      iv. Entities subject to civil rights laws for which health information is necessary for determining compliance.
   b. The following are some of the health oversight agencies to whom Mendocino County Self-Insured Employee Benefit Plan may make health oversight disclosures:
      - U.S. Department of Labor, Pension and Welfare Benefits Administration
      - Federal offices of inspectors general
      - Occupational Health and Safety Administration
      - Social Security Administration
      - U.S. Food and Drug Administration
      - Medicaid fraud control units
      - EEOC (relating to enforcement of the Americans with Disabilities Act)
      - U.S. Department of Justice
      - Defense Criminal Investigative Services
      - HHS Office for Civil Rights
      - State insurance agencies
   c. Disclosures will be made under the Mendocino County Self-Insured Employee Benefit Plan policy for disclosures for law enforcement purposes if (a) the use or disclosure relates to a particular individual, and (b) the oversight activity is not directly related to the receipt of health care or qualification for public benefits related to health care.
   d. Mendocino County Self-Insured Employee Benefit Plan assumes that information requested by a public official for health oversight activities is the minimum necessary.

10. Related to victims of abuse, neglect, or domestic violence.
   a. If the Human Resources Director/Privacy Official determines, based on protected health information that legitimately came to his or her attention or to the attention of a Mendocino County Self-Insured Employee Benefit Plan workforce member, that a participant or beneficiary is the victim of abuse, neglect, or domestic violence, then this information may be disclosed as follows:
      i. To a government authority authorized by law to receive reports of abuse, neglect, or domestic violence. The Human Resources Director/Privacy Official will consult with the County Counsel Office to determine the appropriate governmental authority.
      ii. The disclosure must be required by another law. The Human Resources Director/Privacy Official will consult with the County Counsel Office to ensure that the disclosure is required by law.
      iii. The Human Resources Director/Privacy Official must notify the participant or beneficiary of the disclosure (unless the Human Resources Director/Privacy Official determines notification would harm the participant or beneficiary, or if the appropriate disclosure would be to a personal representative, and it is the personal representative that is causing the abuse, neglect, or harm).
   b. If the Human Resources Director/Privacy Official or other Mendocino County Self-Insured Employee Benefit Plan workforce member suspects a participant or beneficiary is the victim of abuse, neglect, or domestic violence, and that suspicion is not based on information in the Mendocino County Self-Insured Employee Benefit Plan records, the Privacy Rule and this policy do not apply to any disclosure of those suspicions to the appropriate authorities.

11. For judicial or administrative proceedings.
   a. All legal documents seeking protected health information for judicial or administrative proceedings should immediately be directed to the Human Resources Director/Privacy Official, who will determine the appropriate response based on these procedures, in consultation with the County Counsel Office.
   b. Judicial orders and subpoenas. Mendocino County Self-Insured Employee Benefit Plan protected health information may be disclosed pursuant to a judicial order or subpoena from a court or an administrative tribunal.
      i. The disclosure must be limited to the information expressly authorized in the order or subpoena.
      ii. Mendocino County Self-Insured Employee Benefit Plan Procedures for Minimum Disclosure of Necessary Information do not apply to this type of disclosure.
   c. Discovery requests and non-judicial subpoenas. If Mendocino County Self-Insured Employee Benefit Plan receives a discovery request or subpoena that is not issued by a court or administrative tribunal, then the Human Resources Director/Privacy Official, in consultation with the County Counsel Office, will comply if one of the following conditions is met:
      i. The discovery request or subpoena is accompanied by a written statement showing that: (1) the requestor made a good faith attempt to provide written notice to the individual whose protected health information is requested; (2) the notice included enough information about the litigation such that the individual could raise an objection to the court/administrative tribunal; and (3) the time for the individual to raise an objection has elapsed and no objections were filed or, if filed, have been resolved by the court.
      ii. The discovery request or subpoena is accompanied by a written statement showing that there is either a stipulated or court-issued protective order that prohibits the use or disclosure of the protected health information outside the litigation, and requires that the protected health information be returned to the covered entity or destroyed at the conclusion of the proceeding.
      iii. If the discovery request or subpoena does not meet the requirements of either (i) or (ii) above, then the Human Resources Director/Privacy Official, in consultation with the County Counsel Office, may disclose the requested protected health information by ensuring that the requirements in (i) and (ii) above are met (that is, notify the individual as required or obtain a protective order).

12. For law enforcement purposes. The Human Resources Director/Privacy Official, in consultation with the County Counsel Office as appropriate, may disclose protected health information to a law enforcement official (i.e., someone having authority to investigate potential violations of law, or to prosecute or conduct criminal, civil, or administrative proceedings arising from alleged violations of the law) in the following circumstances:
   a. When the disclosure is required by law.
   b. Pursuant to a court order, warrant, subpoena, or summons issued by a judicial officer (including a grand jury subpoena).
   c. Pursuant to an investigative request from an administrative body, but only if the following additional conditions are met:
      i. The Human Resources Director/Privacy Official determines that the information sought is relevant and material to a legitimate law enforcement inquiry;
      ii. The request is specific and limited in scope in light of the purpose for which the information is sought; and
      iii. De-identified information cannot reasonably be used.
   d. To identify or locate an individual, but only if officially requested. The protected health information from Mendocino County Self-Insured Employee Benefit Plan records that may be disclosed in such circumstances is strictly limited to:
      - Name and address
      - Date and place of birth
      - Social security number
      - ABO blood type and Rh factor
      - Type of injury
      - Date and time of treatment
      - Date and time of death, if applicable
      - A description of distinguishing physical characteristics, including height, gender, race, hair and eye color, presence or absence of facial hair (beard or mustache), scars, and tattoos
      Note: Information in the County of Mendocino’s non-group health plan records is not subject to the Privacy Rule.
   e. About individuals who are suspected to be crime victims, but only if (1) the individual agrees orally or in writing to the disclosure, or (2) the individual is unable to agree because of incapacity, in which case the Human Resources Director/Privacy Official may determine that disclosure is appropriate, but only if the following conditions are met:
      i. The law enforcement official states that he or she needs the information to determine whether another person has violated the law (and the information will not be used against the victim);
      ii. The law enforcement official states that immediate law enforcement activity would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and
      iii. In the Human Resources Director/Privacy Official’s professional judgment, the disclosure is in the potential crime victim’s best interest.
   f. About a crime relating to Mendocino County Self-Insured Employee Benefit Plan.

13. About decedents. Mendocino County Self-Insured Employee Benefit Plan will treat any person authorized to act as the personal representative of a participant or beneficiary that is deceased (e.g., an executor or administrator) as though he or she is the participant or beneficiary.

14. To avert a serious threat to health or safety. The Human Resources Director/Privacy Official will determine when a disclosure of protected health information is necessary to avert a serious threat to health or safety. The following criteria apply to any such disclosure:
   a. It must not conflict with other applicable law and standards of ethical conduct.
   b. It must be based on good faith.
   c. It must be necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
   d. It must be to a person or to people reasonably able to prevent or lessen the threat, including the target of the threat.
   e. It must be limited to the following information:
      - Name and address
      - Date and place of birth
      - Social security number
      - ABO blood type and Rh factor
      - Type of injury
      - Date and time of treatment
      - Date and time of death, if applicable
      - A description of distinguishing physical characteristics, including height, gender, race, hair and eye color, presence or absence of facial hair (beard or mustache), scars, and tattoos

15. Relating to national security and intelligence activities.
   a. The Human Resources Director/Privacy Official will, in consultation with the County Counsel Office, disclose protected health information to authorized federal officials for intelligence and other national security activities.
   b. Disclosures for national security and intelligence activities are not subject to the Privacy Rules.

16. For workers’ compensation. Mendocino County Self-Insured Employee Benefit Plan will disclose protected health information in compliance with applicable state and federal workers’ compensation laws (i.e., any state or federal law that has the effect of providing benefits for work-related injuries or illness without regard to fault).

17. To the personal representative of a participant or beneficiary.
   a. Adult or emancipated minor. Mendocino County Self-Insured Employee Benefit Plan will disclose protected health information to an adult or emancipated minor’s personal representative to the extent the protected health information is relevant to the personal representation.
   b. Unemancipated minor. Mendocino County Self-Insured Employee Benefit Plan will disclose protected health information to the parent, guardian, or other personal representative of an unemancipated minor only to the extent required, permitted, or prohibited by state law currently in effect.
   c. Exceptions: Mendocino County Self-Insured Employee Benefit Plan will not disclose protected health information to the personal representative of a participant or beneficiary if the Human Resources Director/Privacy Official reasonably believes, and documents that belief, that:
      i. The participant or beneficiary has been or may be abused or neglected by the personal representative; or
      ii. The participant or beneficiary will be endangered if the personal representative relationship is recognized.

Minimum Disclosure of Necessary Information

When a disclosure of necessary protected health information is needed for administration of the health plan or a member’s claim adjudication, the County of Mendocino will release only the minimum necessary information to complete the transaction with the appropriate party.


Summary Health Information and Permitted Uses and Disclosures

Summary Health Information (SHI) is information that plan sponsors can use for certain “settlor” functions, such as amending the plan benefits or obtaining bids for health insurance coverage. To qualify as SHI, the health information must be in summary form. This means that it summarizes the claims history, claims expenses, or type of claims experience by individuals in the plan. (45 CFR §164.504(a).)

If Summary Health Information is used by the County of Mendocino Self-Insured Employee Benefit Plan for purposes of modifying, amending, or terminating the plan, or procuring bids from other health plans for health insurance coverage, the group health plan might be relieved of parts of the compliance burden. These uses of Summary Health Information are referred to as “Limited-Use SHI.”

If the County of Mendocino uses Summary Health Information for plan administration functions other than modifying, amending, or terminating the plan, or procuring bids from other health plans for health insurance coverage, the group health plan will be subject to a heavier compliance burden. These uses of Summary Health Information are referred to as “Unlimited-Use SHI.”

Business Associate Agreements

All Third Party Contractors that perform services for the Mendocino County Self-Insured Employee Benefit Plan will be required to enter into a Business Associate Agreement that legally binds compliance with all aspects and regulations of the Privacy and Security Rules as defined in HIPAA regulations. A sample Business Associate Agreement is located in the FORMS section of this document.

Privacy Official - Job Description and Contact Information

The following information describes the duties and responsibilities of the Privacy Official.

Position Title: Privacy Official. The Human Resources Director, or appointee, will serve as the Mendocino County Self-Insured Employee Benefit Plan’s Privacy Official.

General Description: Mendocino County Self-Insured Employee Benefit Plan’s Privacy Official is an employee of The County of Mendocino, and is considered part of the Mendocino County Self-Insured Employee Benefit plan sponsor workforce. The privacy official is responsible for overseeing Mendocino County Self-Insured Employee Benefit Plan’s activities relating to its development and implementation of policies and procedures to ensure the privacy of, and access to, protected health information as set forth in the federal Privacy Rule. The privacy official is also responsible for overseeing the County of Mendocino Self-Insured Employee Benefit Plan’s maintenance of, and adherence to, these policies.

Responsibilities:

• Provide administrative oversight for the formation, implementation, and maintenance of Mendocino County Self-Insured Employee Benefit Plan’s privacy policies and procedures.
• Maintain and ensure proper distribution of Mendocino County Self-Insured Employee Benefit Plan’s privacy notice.
• Approve an annual review of the uses and disclosures of Mendocino County Self-Insured Employee Benefit Plan-related protected health information.
• Coordinate with any county compliance representatives to ensure ongoing compliance with the Privacy Rule and any applicable state privacy laws.
• Direct the delivery of privacy training to the Mendocino County Self-Insured Employee Benefit plan sponsor workforce.
• Process and approve appropriate business associate agreement provisions; assist in identifying business associate service providers; develop appropriate monitoring under the Privacy Rule of business associate arrangements.
• Oversee the administration of participant and beneficiary rights under the Privacy Rule, including the right to access, right to request amendment, right to an accounting, and the right to request privacy protections.
• Track all disclosures of protected health information that must be tracked and accounted for (upon participant or beneficiary request) under the Privacy Rule.
• Administer a system for receiving, documenting, tracking, investigating, and taking action on all complaints concerning Mendocino County Self-Insured Employee Benefit Plan’s privacy policies and procedures or compliance with the Privacy Rule.
• Monitor legal changes and advancements in technology to ensure continued compliance.
• Maintain (or supervise the maintenance of) all documentation required by the Privacy Rule.
• Establish sanctions for failure to comply with the group health plan’s privacy policies and procedures.
• Cooperate with the U.S. Department of Health and Human Services, Office of Civil Rights, other legal entities, and the County of Mendocino’s compliance department in any compliance reviews or investigations.
• Be the key contact and information source for all issues or questions relating to Mendocino County Self-Insured Employee Benefit Plan’s privacy treatment of participant and beneficiary protected health information.

Qualifications:

• Knowledge of the Privacy Rule and applicable state privacy laws.
• Understanding of the Privacy Rule as applied to group health plans.

Contacting the Privacy Official: The Human Resources Director/Privacy Official can be reached by:

• Calling (707) 234-6600
• Faxing (707) 468-3407
• E-mailing [email protected]
• Mailing to Human Resources Director/Privacy Official, 501 Low Gap Road, Room #1326, Ukiah, CA 95482


Privacy Complaints

The Mendocino County Self-Insured Employee Benefits Plan privacy contact, HR Director/Privacy Official, will receive and respond to all complaints about The Mendocino County Self-Insured Employee Benefits Plan privacy policies, its adherence to those policies, or its compliance with the Privacy Rule.

Procedures:

1. The HR Director/Privacy Official has responsibility for implementation of this policy.

2. Upon receiving a complaint regarding The Mendocino County Self-Insured Employee Benefits Plan’s privacy policies, its adherence to those policies, or its compliance with the Privacy Rule, HR Director/Privacy Official will investigate and, with the assistance of County Counsel if necessary, determine if there is any validity to the complaint.

a. If the complaint is not valid, meaning the Health Plan has not violated its policies and procedures or the Privacy Rule, then the HR Director/Privacy Official will send a response to the individual who submitted the complaint.

b. If the HR Director/Privacy Official determines that the complaint is valid, the following steps will be taken:

i. If the complaint is that The Mendocino County Self-Insured Employee Benefits Plan’s privacy notice, as written, does not comply with the Privacy Rule, and the complaint does not allege any improper use or disclosure of protected health information, then HR Director/Privacy Official will determine whether an amendment of the privacy notice (and of the Mendocino County Self-Insured Employee Benefits Plan’s policies and procedures) is necessary to correct the alleged violation.

ii. If the complaint is that Mendocino County Self-Insured Employee Benefits Plan or one of its service providers used or disclosed protected health information in a way that violates the privacy policies and procedures or the Privacy Rule, then HR Director/Privacy Official will:

(1) Send a letter (drafted and/or approved by County Counsel) explaining what steps will be taken to correct any future improper uses or disclosures;

(2) Determine whether there is any harm that should be mitigated, if practicable, under the Mendocino County Self-Insured Employee Benefit Plan’s mitigation of harm policy;

(3) If the use or disclosure was by a County of Mendocino Self-Insured Employee Benefits Plan sponsor workforce member, consider whether sanctions should be imposed under County of Mendocino Self-Insured Employee Benefits Plan’s sanctions policy;

(4) If the use or disclosure was by a service provider, determine whether further investigation or actions are necessary to ensure future violations do not occur;

(5) Consider, in light of the nature of the improper use or disclosure of protected health information, if additional training should occur for one or more employees; and

(6) Consider, in light of the nature of the improper use or disclosure of protected health information, whether any of County of Mendocino Self-Insured Employee Benefits Plan Group’s policies or procedures need to be amended.

3. Documentation. All complaints and their disposition (i.e., response letters) must be documented and retained for 6 years. These documents will be maintained by Human Resources.

Notice of Privacy Practices and Annual Notice Requirements

The Plan is required by law to maintain the privacy of covered members’ protected health information. It is obligated to provide covered members with a copy of this Notice setting forth the Plan’s legal duties and its privacy practices with respect to covered members’ protected health information. The Plan must abide by the terms of The Notice of Privacy Practices (located in the FORMS section of this document). This Notice of Privacy Practices describes how the County of Mendocino Self-Insured Employee Benefits Plan may use and disclose covered members’ protected health information. This Notice will define the Plan’s legal obligations concerning covered members’ protected health information and describe covered members’ rights to access and control their protected health information. This Notice will be drafted in accordance with the HIPAA Privacy Rule, contained in the Code of Federal Regulations at 45 CFR Parts 160 and 164. Terms not defined in this Notice have the same meaning as they have in the HIPAA Privacy Rule.

Sanctions for Violating the Privacy or Security Rule

The County of Mendocino Self-Insured Employee Benefits Plan will sanction any employee that uses or discloses a participant’s or beneficiary’s protected health information in violation of the County of Mendocino Self-Insured Employee Benefits Plan’s privacy policies and procedures or in violation of the Privacy Rule.

Procedures:

1. The HR Director/Privacy Official has responsibility for implementation of this policy.

2. Notification of Privacy Official. All uses and disclosures of protected health information that potentially violate the County of Mendocino Self-Insured Employee Benefits Plan’s privacy practices or procedures should be reported directly to The HR Director/Privacy Official.

3. Identify nature of use or disclosure. The HR Director/Privacy Official should, in the first instance, determine whether the allegedly improper use or disclosure violates the County of Mendocino Self-Insured Employee Benefits Plan’s policies and procedures or the Privacy Rule.

4. If there was a violation, The HR Director/Privacy Official should take the following steps:

a. Determine if the improper use or disclosure was intentional or unintentional;

b. Determine if the improper use or disclosure was a one-time incident or constitutes a pattern or practice;

c. Determine if there are any mitigating factors (such as self-reporting or lack of proper training or supervision); and

d. Based on the results of HR Director/Privacy Official’s investigation, sanction the employee or employees who improperly used or disclosed the protected health information as outlined in current Civil Service Rules and as per current applicable labor agreement.

5. The HR Director/Privacy Official should determine whether the improper use or disclosure could harm the participant or beneficiary whose protected health information was improperly used or disclosed. If harm may occur, the HR Director/Privacy Official should implement the County of Mendocino Self-Insured Employee Benefits Plan’s policy relating to mitigation of harm.

6. The HR Director/Privacy Official should consider, in light of the nature of the improper use or disclosure of protected health information, if additional training should occur for one or more employees.

7. The HR Director/Privacy Official should consider, in light of the nature of the improper use or disclosure of protected health information, whether any of the County of Mendocino Self-Insured Employee Benefits Plan’s policies or procedures need to be amended.

8. Documentation. The HR Director/Privacy Official or his/her designee will maintain records showing the sanctions imposed under this policy for six years following the date the sanctions are imposed. These documents will be maintained by the Human Resources Department.

Mitigation of Harm Due to Improper Uses or Disclosures

The Mendocino County Self-Insured Employee Benefits Plan will mitigate, to the extent practicable, any harm caused by a use or disclosure of a participant’s or beneficiary’s protected health information that is in violation of the Plan’s privacy policies and procedures or in violation of the Privacy Rule.

Procedures:

1. The HR Director/Privacy Official has responsibility for implementation of this policy.

2. Upon learning of an improper use or disclosure by a plan sponsor workforce member or service provider, The HR Director/Privacy Official will take the following steps:

a. Determine whether a participant or beneficiary could be or has been harmed by the improper use or disclosure;

b. Determine whether there are any practicable steps that might have a mitigating effect with regard to the potential harm identified; and

c. If so, implement the mitigating steps.

No Retaliation or Intimidation Rules

The Mendocino County Self-Insured Employee Health Benefits Plan will not retaliate against any participant or beneficiary who chooses to exercise his or her individual privacy rights, including the right to access protected health information, the right to request amendment of protected health information, the right to an accounting of disclosures, and the right to request certain privacy restrictions. The Mendocino County Self-Insured Employee Health Benefits Plan also will not intimidate any participant or beneficiary who seeks to exercise those rights. Further, The Mendocino County Self-Insured Employee Health Benefits Plan will not retaliate against or intimidate any person or organization that files a complaint regarding The Mendocino County Self-Insured Employee Health Benefits Plan’s privacy practices with HHS, that participates in any investigation of its privacy practices, or that opposes any act of The Mendocino County Self-Insured Employee Health Benefits Plan that allegedly violates the Privacy Rule.

Compliance with Breach Guidelines and Notices

The Mendocino County Self-Insured Employee Health Benefits Plan will conduct a complete Risk Assessment and investigation in the event of any type of Breach, whether it is perceived or actual. The assessment will be conducted and appropriate action taken which complies with the regulations under the HIPAA (HITECH) regulations defined in 45 CFR Section 13402. The HIPAA Incident and Risk Assessment Form is located in the FORMS section of this document. Forms will be retained for six years past the event, or for the current legal requirement.

Annual Risk Analysis Conducted

On an annual basis the HR Director/Privacy Officer will direct staff to conduct a Risk Analysis that will audit the practices and procedures of all aspects of the Privacy Rule and Security Rule and comply with HIPAA Requirements.

Periodic Review of Privacy Rule Compliance

On an annual basis the HR Director/Privacy Officer will direct staff to conduct an annual review of compliance with the Privacy Rule regulations that will audit the practices and procedures of all aspects of the Privacy Rule and Security Rule and comply with HIPAA requirements.

Annual Notice of Privacy Practices and any Updates

On an annual basis the Human Resource Department Benefits Division will distribute an annual notice of Privacy Practices to all applicable members as defined in the Privacy Rule requirements. Any annual updates to the Privacy and Security Rules will be provided at that time as well.

Privacy and Security Training and Annual Refresher Courses

On an annual basis the Human Resource Department Benefits Division will provide applicable staff members an annual Privacy and Security Rule Training Course and annual refresher training.


II. Security Rules

Security Rule Overview

The Security Rule establishes requirements regarding the Mendocino County Self-Insured Employee Benefits Plan’s creation, receipt, storage, maintenance and transmission of Electronic Protected Health Information in a secure electronic environment. It applies not only to the transactions under HIPAA, but also to all Electronic Health Information that is maintained or transmitted by the County as a covered entity. The Security Rule does not apply to Protected Health Information that is transmitted in certain forms, including paper via facsimile, or via voice or telephone. A secure electronic environment is an environment that has administrative procedures, physical safeguards and technical security services and mechanisms in place.

Risk Analysis

The Risk Analysis is conducted in order to comply with the HIPAA Security Rule that requires covered entities to conduct a risk analysis to identify any potential vulnerability to the confidentiality, integrity, and availability of EPHI. The annual review using the Security Rule Standard Matrix divides the review areas into three sections described below:

• Administrative Safeguards - Formal documented practices for staff who work with EPHI
• Physical Safeguards - Procedures to protect computer systems & data containing EPHI
• Technical Safeguards - Procedures to protect access to EPHI such as encryption of files

Security Official - Job Description and Contact Information

The following information describes the duties and responsibilities of the Security Official.

Position Title: Security Official. The Human Resources Director, or appointee, will serve as the Mendocino County Self-Insured Employee Benefit Plan’s Security Official.

General Description: The Security Official for the County of Mendocino Self-Insured Employee Benefit Plan oversees all ongoing activities related to the development, implementation, maintenance of, and adherence to the organization’s policies and procedures related to the security of plan participants’ electronic protected health information (EPHI) in compliance with federal and state laws and the organization’s security policies and procedures.

Responsibilities:

• Ensure the confidentiality, integrity, and availability of plan participants’ EPHI.
• Maintain current knowledge of applicable federal and state security laws.
• Oversee, monitor or edit any security policies and ensure that the integrity of any security policies is maintained at all times.
• Report regularly to the organization governing body and officers and/or owners (as applicable) regarding the status of any security policies.
• Work with legal counsel, consultants, management, and committees to ensure that the organization maintains appropriate administrative materials in accordance with legal requirements.
• Establish and administer a process for receiving, documenting, tracking, investigating, and taking action on all complaints concerning the organization’s security policies and procedures in coordination and collaboration with other similar functions, and, when necessary, with legal counsel.
• Oversee, direct, deliver, or ensure the delivery of security training and orientation to all employees, volunteers, medical and professional staff, and other appropriate personnel (organization workforce).
• Monitor attendance at all Security Policies training sessions and evaluate participants’ comprehension of the information provided at training sessions, as well as maintain appropriate documentation of security training.
• Monitor organization compliance with Security Policies, including periodic security risk assessments.
• Monitor and evaluate, on no less than an annual basis, the Security Policies’ success in meeting the organization’s goal for protection of EPHI.
• Coordinate and participate in disciplinary actions related to the failure of organization workforce members to comply with the organization’s Security Policies and/or applicable law.
• Monitor access controls to EPHI. Maintain access to EPHI only by authorized personnel.
• Monitor technological advancements related to electronic protected health information protection and security for consideration of adoption by the organization.
• Coordinate and facilitate the allocation of appropriate resources for the support of and the effective implementation of the Security Policies.
• Initiate, facilitate, and promote activities to foster security information awareness within the organization.
• Cooperate with CMS, other legal entities, and organization officers or owners in any compliance reviews or investigations.
• Review periodic risk assessments and ongoing compliance monitoring activities at each organization location.
• Act as point of contact for the organization’s legal counsel in an ongoing manner and in the event of a reported violation.
• Maintain all business associate contracts and respond appropriately if problems arise.
• Act as the point of contact for receiving, documenting, and tracking all complaints concerning security policies and procedures of the organization.
• Maintain documentation of the organization’s Security Policies and Procedures for a minimum of six years from the date the organization created the policies and procedures or last updated the policies and procedures.
• Monitor the maintenance of the organization’s hardware and software, tracking hardware and software inventory.
• Monitor and oversee the installation and connectivity of computer equipment.
• Monitor daily, weekly, and monthly backup procedures and be responsible for disposal and media re-use.

Skills:

• Able to facilitate change.
• Possess knowledge and understanding of federal and state security laws and of the medical organization’s information technology.

Contacting the Security Official: The Human Resources Director/Security Official can be reached by:

• Calling (707) 234-6600
• Faxing (707) 468-3407
• E-mailing [email protected]
• Mailing to Human Resources Director/Security Official, 501 Low Gap Road, Room #1326, Ukiah, CA 95482

Audit Controls

It is the County of Mendocino Self Insured Employee Benefits Plan’s practice to conduct audit reviews to regularly track the identification and authentication of those accessing the computer system and to maintain records of the activity performed within the computer system. The practice will control access to files and permit access to authorized individuals only. The practice must periodically monitor user activity, including password activity, to include when passwords are changed, who changed them, and when access privileges to software were changed and who changed them. The audit control reports must be kept in a secure location and retained for three years. Any abnormalities must be documented and immediately followed up on. Abnormalities include suspicious log-in attempts, unusually frequent password changes, and computer file changes and/or deletions.
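To make the audit-review criteria above concrete, here is an added Python example (not part of this policy document and not the County’s own tooling) that scans a constructed audit trail for the abnormalities the policy names: suspicious log-in attempts, unusually frequent password changes, file deletions, and changes to access privileges together with who made them. The `timestamp|user|event|detail` line layout, the event names, and the thresholds are assumptions for illustration; the sample log lines are constructed.

```python
"""
Audit-log anomaly review, added here as an illustration of the audit control
practice described in the policy (not the County's own tooling).  Sample log
lines are constructed; the field layout and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail in an assumed "timestamp|user|event|detail" layout.
SAMPLE_AUDIT_LOG = """\
2013-03-04T08:01:10|jsmith|LOGIN_OK|workstation=HR-12
2013-03-04T08:05:42|rlee|LOGIN_FAIL|workstation=HR-07
2013-03-04T08:05:51|rlee|LOGIN_FAIL|workstation=HR-07
2013-03-04T08:06:03|rlee|LOGIN_FAIL|workstation=HR-07
2013-03-04T08:06:15|rlee|LOGIN_FAIL|workstation=HR-07
2013-03-04T08:06:30|rlee|LOGIN_FAIL|workstation=HR-07
2013-03-04T08:06:44|rlee|LOGIN_OK|workstation=HR-07
2013-03-04T09:10:00|jsmith|PASSWORD_CHANGE|target=jsmith
2013-03-04T09:11:20|jsmith|PASSWORD_CHANGE|target=jsmith
2013-03-04T09:12:05|jsmith|PASSWORD_CHANGE|target=jsmith
2013-03-04T10:30:00|admin1|PRIV_CHANGE|target=rlee;from=reader;to=editor
2013-03-04T11:00:00|rlee|FILE_DELETE|path=/benefits/claims/2012-Q4.xlsx
2013-03-04T11:05:00|jsmith|FILE_MODIFY|path=/benefits/claims/2013-Q1.xlsx
"""

# Assumed thresholds; tune them to the environment being reviewed.
FAILED_LOGIN_LIMIT = 4                    # failures per user inside FAILED_LOGIN_WINDOW
FAILED_LOGIN_WINDOW = timedelta(minutes=5)
PASSWORD_CHANGE_LIMIT = 2                 # changes per user inside PASSWORD_CHANGE_WINDOW
PASSWORD_CHANGE_WINDOW = timedelta(hours=24)


def parse_audit_log(text):
    """Parse 'timestamp|user|event|detail' lines into dicts, sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail = line.split("|", 3)
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "event": event, "detail": detail})
    return sorted(records, key=lambda r: r["ts"])


def _burst_users(records, event, limit, window):
    """Users with at least `limit` events of one kind inside a sliding time window."""
    by_user = defaultdict(list)
    for r in records:
        if r["event"] == event:
            by_user[r["user"]].append(r["ts"])
    flagged = set()
    for user, times in by_user.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= limit:
                flagged.add(user)
                break
    return flagged


def review_audit_log(text):
    """
    Apply the policy's review criteria to an audit trail: suspicious log-in
    attempts, unusually frequent password changes, file deletions, and
    privilege changes (recording who made them).  Each finding is a
    (category, user, detail) tuple for documentation and follow-up.
    """
    records = parse_audit_log(text)
    findings = []
    for user in sorted(_burst_users(records, "LOGIN_FAIL",
                                    FAILED_LOGIN_LIMIT, FAILED_LOGIN_WINDOW)):
        findings.append(("suspicious_login_attempts", user,
                         f">={FAILED_LOGIN_LIMIT} failures within {FAILED_LOGIN_WINDOW}"))
    for user in sorted(_burst_users(records, "PASSWORD_CHANGE",
                                    PASSWORD_CHANGE_LIMIT, PASSWORD_CHANGE_WINDOW)):
        findings.append(("frequent_password_changes", user,
                         f">={PASSWORD_CHANGE_LIMIT} changes within {PASSWORD_CHANGE_WINDOW}"))
    for r in records:  # single events that always warrant a documented look
        if r["event"] == "FILE_DELETE":
            findings.append(("file_deletion", r["user"], r["detail"]))
        elif r["event"] == "PRIV_CHANGE":
            findings.append(("privilege_change", r["user"], r["detail"]))
    return findings


if __name__ == "__main__":
    for category, user, detail in review_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{category:26s} {user:8s} {detail}")
```

Run against the constructed sample, the review flags rlee’s burst of failed log-ins, jsmith’s three password changes in a few minutes, admin1’s privilege change on rlee’s account, and rlee’s deletion of a claims file; the ordinary log-ins and the file modification produce no finding. In practice the findings list is what gets written to the retained audit control report, so that the documentation and follow-up the policy requires have a concrete record to attach to.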

Workforce Clearance Requirements for Access to EPHI

The County of Mendocino Self-Insured Employee Benefits Plan, and Privacy/Security Official, will ensure that only designated workforce staff assigned to the benefits division will have access to EPHI. The workforce assigned to work with EPHI will have signed Confidentiality Agreements (located in FORMS) in their personnel files.

User Identification and Authentication

Access is the ability to interact with a computer system (e.g., use, change, or view). Users of the County of Mendocino computer system must have access to certain information in order to adequately perform their assigned duties, pursuant to their individual job description. The County of Mendocino uses user IDs and unique passwords to control access to County computer systems. The County of Mendocino expects organization information to be available when it is needed, to be accurate, and to be safeguarded from access by unauthorized individuals. Mendocino County Information Services has established management controls for granting, changing, and terminating access to the computer system. These controls are essential to the security of the information systems.

Automatic Log-Off

All workforce staff assigned to The County of Mendocino Self-Insured Employee Benefits Plan will utilize the automatic log-off feature that is permanently installed in each County computer and will not override the feature. This feature further protects PHI and reduces access to it.

Transmission Security and Encryption Technology

The County of Mendocino Self-Insured Employee Benefits Plan will utilize the security and encryption technology available to the County of Mendocino for all documents containing any EPHI when that information needs to be delivered electronically.

Protection From Malicious (Anti-virus) Software

The County of Mendocino adheres to currently accepted industry guidelines for protection against malicious software, and the County Information Services Division will keep the software up to date and functioning.

Security Incidents

The County of Mendocino will determine through a variety of security mechanisms, such as User IDs, password protection, anti-virus software, and audit controls, when security incidents have occurred. The County of Mendocino will periodically monitor user activity, including password activity, virus scans, and audit trails to determine if any security incidents have occurred. Following the identification of a security incident, the County’s first priority must be to communicate the details of the incident to the relevant technical staff, such as the Information Services Division, to expeditiously log and begin resolving the issue. Once alerted to the incident, the appropriate staff will access the appropriate part of the computer system as quickly as possible. If more than one incident occurs simultaneously, the most critical issue will be addressed first. The incident(s) will be immediately logged on a security incident log. The County will take necessary and reasonable steps to respond to and address all identified and confirmed security incidents. All responses will be logged into a security incident log. The log will be kept for 6 years.

Firewalls

The County of Mendocino Information Services Division maintains all aspects of firewalls for the County network and computer systems to ensure protection for all systems, including the County of Mendocino Self-Insured Employee Benefits Plan and EPHI.


Computer Backups

It is the practice of the County of Mendocino Information Services to implement backup procedures in order to protect the confidentiality, integrity, and availability of the electronic protected health information (EPHI) of our employees.

Facility Security and Contingency Plans

It is the practice of The County of Mendocino Self-Insured Employee Benefits Plan to establish contingency plans in order to protect the confidentiality, integrity, and accessibility of our electronic protected health information from vulnerability in the event of an emergency. It is the purpose of The County of Mendocino Self-Insured Employee Benefits Plan to enable sustained operation of the information systems in the event of an extraordinary event that causes these systems to fail minimum production requirements. The County of Mendocino will assess the needs and requirements so that it is prepared to respond to the event in order to regain efficient operation of the systems that are damaged.

1. Every member of the County of Mendocino Self-Insured Employee Benefits Plan’s workforce is responsible for the integrity of The County of Mendocino Self-Insured Employee Benefits Plan’s electronic protected health information.

2. The Security Official (or other designated person) will respond to the Facility Security Analysis in order to determine if there are any vulnerabilities to the electronic protected health information of The County of Mendocino Self-Insured Employee Benefits Plan.

3. The Security Official (or other designated person) will respond to any contingency plan steps for The County of Mendocino Self-Insured Employee Benefits Plan.

4. The County of Mendocino Self-Insured Employee Benefits Plan will establish procedures in order to reduce the risk of vulnerability determined by any facility security analysis.

5. Any contingency plan will be an ongoing responsibility and will be reviewed by the Security Official of The County of Mendocino Self-Insured Employee Benefits Plan as necessary, including quarterly and annual reviews.

6. The Security Official (or other designated person) will train the workforce of The County of Mendocino Self-Insured Employee Benefits Plan on the procedures of any contingency plans.

7. Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Computer Work Station Use

All County of Mendocino Self-Insured Employee Benefits Plan Workforce Staff will adhere to County policies regarding County computer use. All County of Mendocino Self-Insured Employee Benefits Plan workforce staff will also adhere to all guidelines to protect PHI.


Sanction Provisions

The County of Mendocino Self-Insured Employee Benefits Plan will sanction any employee that uses or discloses a participant’s or beneficiary’s protected health information in violation of its privacy policies and procedures or in violation of the Privacy Rule.

1. HR Director/Privacy Official has responsibility for implementation of this policy.
2. Notification of Privacy Official. All uses and disclosures of protected health information that potentially violate The County of Mendocino Self-Insured Employee Benefits Plan’s privacy practices or procedures should be reported directly to HR Director/Privacy Official.
3. Identify nature of use or disclosure. HR Director/Privacy Official should, in the first instance, determine whether the allegedly improper use or disclosure violates The County of Mendocino Self-Insured Employee Benefits Plan’s policies and procedures or the Privacy Rule.
4. If there was a violation, HR Director/Privacy Official should take the following steps:
   a. Determine if the improper use or disclosure was intentional or unintentional;
   b. Determine if the improper use or disclosure was a one-time incident or constitutes a pattern or practice;
   c. Determine if there are any mitigating factors (such as self-reporting or lack of proper training or supervision); and
   d. Based on the results of HR Director/Privacy Official’s investigation, sanction the employee or employees who improperly used or disclosed the protected health information as outlined in current Civil Service Rules and as applicable in current labor agreement.
5. The HR Director/Privacy Official should determine whether the improper use or disclosure could harm the participant or beneficiary whose protected health information was improperly used or disclosed. If harm may occur, HR Director/Privacy Official should implement The County of Mendocino Self-Insured Employee Benefits Plan’s policy relating to mitigation of harm.
6. The HR Director/Privacy Official should consider, in light of the nature of the improper use or disclosure of protected health information, if additional training should occur for one or more employees.
7. The HR Director/Privacy Official should consider, in light of the nature of the improper use or disclosure of protected health information, whether any of The County of Mendocino Self-Insured Employee Benefits Plan’s policies or procedures need to be amended.
8. Documentation. The HR Director/Privacy Official or his/her designee will maintain records showing the sanctions imposed under this policy for six years following the date the sanctions are imposed. These documents will be maintained by The County of Mendocino.


Workforce Termination

The Security Official will be responsible for ensuring the following procedures take place immediately upon notification of an individual’s termination from the workforce of The County of Mendocino Self-Insured Employee Benefits Plan. Doing so will revoke an individual’s access to the physical office as well as access to the computer system. Prior to the individual’s departure, the Security Official will:

- Contact a locksmith to change the practice locks, if necessary.
- Secure a full computer backup tape.
- Instruct the individual whether or not to clean out his/her computer hard drive, if appropriate.
- Retrieve the following from the individual prior to departure:
  - Backup tapes
  - Keys: office, safe, desk, filing cabinets
  - Computer system passwords: network passwords, email passwords, additional passwords
- Retrieve and secure practice property, including laptops, personal data assistants (PDAs), and cell phones.
- Have office locks changed, if needed. If the practice utilizes a door lock with a key pad, the key pad numbers must be changed.
- Circulate new keypad code numbers and office keys to pertinent practice employees, if necessary.
- Change or delete (as applicable) passwords to the computer workstation, network, and all email/internet accounts.

Annual Risk Analysis Conducted

On an annual basis the HR Director/Security Officer will direct staff to conduct a Risk Analysis that audits the practices and procedures of all aspects of the Privacy Rule and Security Rule for compliance with HIPAA requirements.

Periodic Review of Privacy Rule Compliance

On an annual basis the HR Director/Security Officer will direct staff to conduct a review of compliance with the Security Rule regulations, auditing the practices and procedures of all aspects of the Privacy Rule and Security Rule for compliance with HIPAA requirements.


Privacy and Security Training and Annual Refresher Courses

On an annual basis the Human Resource Department Benefits Division will provide applicable staff members a Privacy and Security Rule Training Course and refresher training.


III. Forms

The HIPAA forms listed below can be found on the County of Mendocino Human Resources Website.

- Authorization to Disclose PHI Form
- Notice of Privacy Practices Form
- HIPAA Business Associates Agreement Form
- Workforce Confidentiality Form
- HIPAA Incident and Risk Assessment Form


Individual Authorization For Use Or Disclosure Of Protected Health Information

Section 1: I hereby request and authorize the use or disclosure of my (or my child’s) “protected health information” (PHI) as described below.

Patient Name: ________________________________
Patient Date of Birth: _______________________
Patient SS# or Plan ID#: __________________________
Patient Address: ________________________________
City, State & Zip Code: _______________________
Patient Phone #: __________________________
Subscriber/Member name (if different from patient): ____________________________________________
Subscriber/Member ID#: _________________________________________

Section 2: The individual(s) or entity(ies) authorized to disclose the protected health information is/are:
Doctor: ______________________________
Carrier: ___________________________________
Hospital: _____________________________
Lab: _____________________________________
Other: ________________________________

Section 3: The individual(s) or entity(ies) authorized to receive the protected health information is/are:
_______________________________________________________________________________________
_____________________________________________________________
Phone or fax #: __________________

Section 4: The types of protected health information which may be disclosed include: (Check all that apply, and specify “from [date] to [date]” if you wish to limit by dates)
[ ] Name and contact information only
[ ] Name and contact information, diagnosis and treatment. Specific dates or illnesses or injuries: ________________________________________________________________________________
[ ] Complete medical records.
[ ] X-rays and X-ray reports. Dates: ______________________________________________________
[ ] Lab tests & results. Dates: ___________________________________________________________
[ ] Pre- and post-op and surgery records. Specific surgeries or records? __________________________
[ ] Claims records, claims status, and patient management records.
[ ] Other: ___________________________________________________________________________

Note: The protected health information disclosed to the entity you listed in Section 3 may include information on chronic diseases, behavioral health conditions, including alcohol or substance abuse, communicable diseases, including HIV/AIDS, and/or genetic marker information.

Section 5: The purpose for which the disclosure may be made is: (Check only one.)
[ ] At the request of the individual.
[ ] Other(s): __________________________________________________________________________

Section 6: This authorization shall be in force and effect until: (Check one.)
[ ] [Specify Date]: ______________________________________________________________________
[ ] [Specify event, such as “termination of my employment with current employer”]: _____________________
If neither of the above items is checked or completed, this Authorization will expire one year from the date this Authorization is signed. You have the right to revoke this Authorization at any time, by sending written notice to the individual or entity you listed above in Section 2. However, if you revoke this Authorization after protected health information has been disclosed, the disclosing entity will not be able to take back the information previously disclosed.

Section 7: This Authorization and request for disclosure is voluntary. I understand that my eligibility for benefits and payment for services covered by this group health plan will not be affected if I do not sign this form. However, if I do not complete and sign this form, providers (such as hospitals and doctors) and the group health plan cannot release protected health information to the party(ies) I have listed in Section 3. I hereby request and authorize the use or disclosure of my (or my child’s) “protected health information” (PHI) as described above. I understand that if the organization authorized to receive the information is not a health plan or health care provider, the released information may no longer be protected by federal privacy regulations.

Signature of health plan member (or parent or legal representative, if applicable): ________________________________
Print name of plan member or legal representative*: ___________________________________________________
Date: ____________
Relationship to plan member: ___________________________

*If this Authorization is being signed by the legal representative of the individual to whom the protected health information pertains, you must furnish a copy of the power of attorney or other relevant document designating you as the legal representative.

RETURN THE COMPLETED FORM TO:
Plan Administrator
County of Mendocino
County Human Resources Department – Employee Benefits
501 Low Gap Road, Room #1326
Ukiah, CA 95482

OR FAX COMPLETED FORM TO: Plan Administrator (707) 468-3390

PLEASE CALL JUST BEFORE FAXING THIS FORM IF YOU WANT US TO PICK UP YOUR FAX IMMEDIATELY, TO PROTECT THE CONFIDENTIALITY OF THIS INFORMATION. THE PHONE NUMBER TO CALL IS: (707) 234-6603 or (707) 234-6604

THE PERSON SIGNING THIS FORM SHOULD RETAIN A COPY OF IT, OR THE HUMAN RESOURCES DEPARTMENT SHOULD MAKE A COPY IF THE INDIVIDUAL DOES NOT ALREADY HAVE ONE.


County Of Mendocino Notice Of Privacy Practices

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Effective Date of Notice: October 15, 2013

This Notice of Privacy Practices ("Notice") is made in compliance with the Standards for Privacy of Individually Identifiable Health Information (the "Privacy Standards") set forth by the U.S. Department of Health and Human Services ("HHS") pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"). The County of Mendocino (plan sponsor) and Delta Health Systems (third party administrator) (the "Plan") is required by law to take reasonable steps to ensure the privacy of your Protected Health Information ("PHI"), as defined below, and to inform you about:

(1) the Plan's uses and disclosures of PHI;
(2) your privacy rights with respect to your PHI;
(3) the Plan's duties with respect to your PHI;
(4) your right to file a complaint with the Plan and with the Secretary of HHS; and
(5) the person or office to contact for further information about the Plan's privacy practices.

The term "Protected Health Information" (PHI) includes all "Individually Identifiable Health Information" transmitted or maintained by the Plan, regardless of form (oral, written or electronic). The term "Individually Identifiable Health Information" means information that:

- Is created or received by a health care provider, health plan, employer or health care clearinghouse;
- Relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual; and
- Identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Section 1. Notice of PHI Uses and Disclosures

Required PHI Disclosures: Upon your request, the Plan is required to give you access to certain PHI to inspect and copy it and to provide you with an accounting of disclosures of PHI made by the Plan. For further information pertaining to your rights in this regard, see Section 2 of this Notice. The Plan must disclose your PHI when required by the Secretary of HHS to investigate or determine the Plan's compliance with the Privacy Standards.

Permitted uses and disclosures to carry out treatment, payment and health care operations: The Plan, its business associates, and their agents/subcontractors, if any, will use or disclose PHI without your consent, authorization or opportunity to agree or object, to carry out treatment, payment and health care operations. The Plan will disclose PHI to a business associate only if the Plan receives satisfactory assurance that the business associate will appropriately safeguard the information. In addition, the Plan may contact you to provide information about treatment alternatives or other health-related benefits and services that may be of interest to you. The Plan will disclose PHI to the "Plan Sponsor" for purposes related to treatment, payment and health care operations. The Plan Sponsor has amended its plan documents to protect your PHI as required by the Privacy Standards. The Plan Sponsor will obtain an authorization from you if it intends to use or disclose your PHI for purposes unrelated to treatment, payment and health care operations.

Treatment is the provision, coordination or management of health care and related services by one or more health care providers. It also includes, but is not limited to, consultations and referrals between one or more of your providers. For example, the Plan may disclose to a treating orthodontist the name of your treating dentist so that the orthodontist may ask for your dental X-rays from the treating dentist.

Payment means activities undertaken by the Plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the Plan, or to obtain or provide reimbursement for the provision of health care. Payment includes, but is not limited to, actions to make eligibility or coverage determinations, billing, claims management, collection activities, subrogation, reviews for medical necessity and appropriateness of care, utilization review and pre-authorizations. For example, the Plan may tell a doctor whether you are eligible for coverage or what percentage of the bill might be paid by the Plan.

Health care operations means conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, contacting health care providers and patients with information about treatment alternatives, reviewing the competence or qualifications of health care professionals, evaluating health plan performance, underwriting, premium rating and other insurance activities relating to creating, renewing or replacing health insurance contracts or health benefits. It also includes disease management, case management, conducting or arranging for medical review, legal services and auditing functions including fraud and abuse detection and compliance programs, business planning and development, business management and general administrative activities. For example, the Plan may use information about your claims to refer you to a disease management program, project future benefit costs or audit the accuracy of its claims processing functions.

Uses and disclosures that require your written authorization: Your written authorization generally will be obtained before the Plan will use or disclose psychotherapy notes about you from your psychotherapist. Psychotherapy notes are separately filed notes about your conversations with your mental health professional during a counseling session. They do not include summary information about your mental health treatment. The Plan may use and disclose such notes without authorization when needed by the Plan to defend against litigation filed by you.

Disclosures that require that you be given an opportunity to agree or disagree prior to the disclosure: The Plan may disclose to a family member, other relative, close personal friend of yours or any other person identified by you, PHI directly relevant to such person's involvement with your care or payment for your health care when you are present for, or otherwise available prior to, a disclosure and you are able to make health care decisions, if:

- The Plan obtains your agreement;
- The Plan provides you with the opportunity to object to the disclosure and you fail to do so; or
- The Plan infers from the circumstances, based upon professional judgment, that you do not object to the disclosure.

The Plan may obtain your oral agreement or disagreement to a disclosure.

However, if you are not present, or the opportunity to agree or object to the disclosure cannot practicably be provided because of your incapacity or an emergency circumstance, the Plan may, in the exercise of professional judgment, determine whether the disclosure is in your best interests, and, if so, disclose only PHI that is directly relevant to the person's involvement with your health care.

Uses and disclosures for which consent, authorization or opportunity to agree or object is not required: Use and disclosure of your PHI is allowed without your consent, authorization or opportunity to agree or object under the following circumstances:

(a) When required by law, provided that the use or disclosure complies with and is limited to the relevant requirements of such law.

(b) When permitted for purposes of public health activities, including disclosures to (i) a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect and (ii) a person subject to the jurisdiction of the Food and Drug Administration (FDA) regarding an FDA-regulated product or activity when necessary to report product defects, to permit product recalls and to conduct postmarketing surveillance. PHI also may be disclosed to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if authorized by law.

(c) Except for reports of child abuse or neglect permitted by part (b) above, when required or authorized by law, or with your agreement, the Plan may disclose PHI about you to a government authority, including a social service or protective services agency, if the Plan reasonably believes you to be a victim of abuse, neglect, or domestic violence. In such case, the Plan will promptly inform you that such a disclosure has been or will be made unless (i) the Plan believes that informing you would place you at risk of serious harm or (ii) the Plan would be informing your personal representative, and the Plan believes that your personal representative is responsible for the abuse, neglect or other injury, and that informing such person would not be in your best interests. For the purposes of reporting child abuse or neglect, it is not necessary to inform the minor that such a disclosure has been or will be made. Disclosure generally may be made to the minor's parents or other representatives although there may be circumstances under federal or state law when the parents or other representatives may not be given access to the minor's PHI.

(d) The Plan may disclose your PHI to a health oversight agency for oversight activities authorized by law. This includes civil, administrative or criminal investigations; inspections; licensure or disciplinary actions (for example, to investigate complaints against providers); and other activities necessary for appropriate oversight of: (i) the health care system, (ii) government benefit programs for which health information is relevant to beneficiary eligibility, (iii) entities subject to government regulatory programs for which health information is needed to determine compliance with program standards, or (iv) entities subject to civil rights laws for which health information is needed to determine compliance.

(e) The Plan may disclose your PHI in the course of a judicial or administrative proceeding in response to an order of a court or administrative tribunal, provided that the Plan discloses only the PHI expressly authorized by such order, or in response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal if certain conditions are met. One of those conditions is that satisfactory assurances must be given to the Plan that the requesting party has made a good faith attempt to provide written notice to you, and the notice provided sufficient information about the proceeding to permit you to raise an objection, and the time to object has expired and either no objections were raised or any objections were resolved in favor of disclosure by the court or tribunal.

(f) The Plan may disclose your PHI to a law enforcement official when required for law enforcement purposes. The Plan may disclose PHI as required by law, including laws that require the reporting of certain types of wounds. Also, the Plan may disclose PHI in compliance with (i) a court order, court-ordered warrant, or a subpoena or summons issued by a judicial officer, (ii) a grand jury subpoena, or (iii) an administrative request, including an administrative subpoena or summons, a civil or authorized investigative demand, provided certain conditions are satisfied. PHI may be disclosed for law enforcement purposes, including for the purpose of identifying or locating a suspect, fugitive, material witness or missing person. Under certain circumstances, the Plan may disclose your PHI in response to a law enforcement official's request if you are, or are suspected to be, a victim of a crime. Further, the Plan may disclose your PHI if it believes in good faith that the PHI constitutes evidence of criminal conduct that occurred on the Plan's premises.

(g) The Plan may disclose PHI to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death or other duties as authorized by law. Also, disclosure is permitted to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent.

(h) The Plan may use or disclose PHI for research, subject to certain conditions.

(i) When consistent with applicable law and standards of ethical conduct, the Plan may use or disclose PHI if the Plan, in good faith, believes the use or disclosure: (i) is necessary to prevent or lessen a serious and imminent threat to health or safety of a person or the public and is to person(s) able to prevent or lessen the threat, including the target of the threat, or (ii) is needed for law enforcement authorities to identify or apprehend an individual, provided certain requirements are met.

(j) When authorized by and to the extent necessary to comply with workers' compensation or other similar programs established by law.

Except as otherwise indicated in this Notice, uses and disclosures will be made only with your written authorization, subject to your right to revoke such authorization. You may revoke an authorization at any time, provided your revocation is done in writing, except to the extent that the Plan has taken action in reliance upon the authorization, or if the authorization was obtained as a condition of obtaining insurance coverage, other law provides the insurer with the right to contest a claim under the policy or the policy itself.

Section 2: Rights of Individuals

Right to Request Restrictions on PHI Uses and Disclosures: You may request the Plan to restrict uses and disclosures of your PHI to carry out treatment, payment or health care operations, or to restrict disclosures to family members, relatives, friends or other persons identified by you who are involved in your care or payment for your care. However, the Plan is not required to agree to your requested restriction.
If the Plan agrees to a requested restriction, the Plan may not use or disclose PHI in violation of such restriction, except that, if you requested a restriction and later are in need of emergency treatment and the restricted PHI is needed to provide the emergency treatment, the Plan may use the restricted PHI, or it may disclose such information to a health care provider, to provide such treatment to you. If restricted PHI is disclosed to a health care provider for emergency treatment, the Plan must request that such health care provider not further use or disclose the information. A restriction agreed to by the Plan is not effective to prevent uses or disclosures when required by the Secretary of HHS to investigate or determine the Plan's compliance with the Privacy Standards or uses or disclosures that are otherwise required by law. The Plan may terminate its agreement to a restriction, if:

- You agree to or request the termination in writing;
- You orally agree to the termination and the oral agreement is documented; or
- The Plan informs you that it is terminating its agreement to a restriction, except that such termination is only effective with respect to PHI created or received after the Plan has informed you of the termination.

If the Plan agrees to a restriction, it will document the restriction by maintaining a written or electronic record of the restriction. The record of the restriction will be retained for six years from the date of its creation or the date when it last was in effect, whichever is later. You or your personal representative will be required to request restrictions on uses and disclosures of your PHI in writing. Such requests should be addressed to the following individual:

Human Resources Director/Privacy Official
501 Low Gap Road, Room # 1326
Ukiah, CA 95482
707-234-6600

Right to Request Confidential Communications of PHI: You may request to receive communications of PHI from the Plan by alternative means or at alternative locations if you clearly state that the disclosure of all or part of the information to which the request pertains could endanger you. The Plan will accommodate all such reasonable requests. However, the Plan may condition the provision of a reasonable accommodation on:

- When appropriate, information as to how payment, if any, will be handled; and
- Specification by you of an alternative address or other method of contact.

You or your personal representative will be required to request confidential communications of your PHI in writing. Such requests should be addressed to the following individual:

Human Resources Director/Privacy Official
501 Low Gap Road, Room # 1326
Ukiah, CA 95482
707-234-6600

Right to Inspect and Copy PHI: You have a right to inspect and obtain a copy of your PHI contained in a "designated record set," for as long as the Plan maintains PHI in the designated record set. 'Designated Record Set" means a group of records maintained by or for a health plan that is enrollment, payment, claims adjudication and case or medical management record systems maintained by or for a health plan; or used in whole or in part by or for the health plan to make decisions about individuals. Information used for quality control or peer review analyses and not used to make decisions about individuals is not in the designated record set. The Plan will act on a request for access no later than 30 days after receipt of the request. However, if the request for access is for PHI that is not maintained or accessible to the Plan on-site, the Plan must take action no later than 60 days from the receipt of such request. The Plan must take action as follows: if the Plan grants the request, in whole or in part, the Plan must inform you of the acceptance and provide the access requested. However, if the Plan denies the request, in whole or in part, the Plan must provide you with a written denial. If the Plan cannot take action within the required time, the Plan may extend the time for such action by no more than 30 days if the Plan, within the applicable time limit, provides you with a written statement of the reasons for the delay and the date by which it will complete its action on the request. If the Plan provides access to PHI, it will provide the access requested, including inspection or obtaining a 34

HIPAA Privacy and Security Training and Compliance Procedures copy, or both, of your PHI in a designated record set. The Plan will provide you with access to the PHI in the form or format requested if it is readily producible in such form or format; or, if it is not, in a readable hard copy form or such other form or format as agreed to between you and the Plan. The Plan may provide you with a summary of the PHI requested, in lieu of providing access to the PHI or may provide an explanation of the PHI to which access has been provided in certain circumstances. The Plan will arrange with you for a convenient time and place to inspect or obtain a copy of the PHI, or mail a copy of the PHI at your request. If you request a copy of PHI or agree to a summary or explanation of PHI, the Plan may impose a reasonable, cost-based fee. If the Plan denies access to PHI in whole or in part, the Plan will, to the extent possible, give you access to any other PHI requested, after excluding PHI as to which the Plan has grounds to deny access. If access is denied, you or your personal representative will be provided with a written denial setting forth the basis for the denial, if applicable, a statement of your review rights, including a description of how you may exercise those review rights and a description of how you may complain to the Plan or to the Secretary of the HHS. If you request review of a decision to deny access, the Plan will refer the request to a designated licensed health care professional for review. The reviewing official will determine, within a reasonable period of time, whether to deny the access requested. The Plan will promptly provide you with written notice of that determination. If the Plan does not maintain the PHI that is the subject of your request for access, and the Plan knows where the requested information is maintained, the Plan will inform you where to direct the request for access. 
You or your personal representative will be required to request access to your PHI in writing. Such requests should be addressed to the following individual: Human Resources Director/Privacy Official 501 Low Gap Road Room # 1326 Ukiah, CA 95482 707-234-6600.

Right to Amend PHI: You have the right to request the Plan to amend your PHI or a record about you in a designated record set for as long as the PHI is maintained in the designated record set. The Plan may deny your request for amendment if it determines that the PHI or record that is the subject of the request:

• Was not created by the Plan, unless you provide a reasonable basis to believe that the originator of the PHI is no longer available to act on the requested amendment;
• Is not part of the designated record set;
• Would not be available for your inspection under the Privacy Standards; or
• Is accurate and complete.

The Plan has 60 days after the request is made to act on the request. A single 30-day extension is allowed if the Plan is unable to comply within that deadline provided that the Plan, within the original 60-day time period, gives you a written statement of the reasons for the delay and the date by which it will complete its action on the request. If the Plan accepts the requested amendment, the Plan will make the appropriate amendment to the PHI or record that is the subject of the request by, at a minimum, identifying the records in the designated record set that are affected by the amendment and appending or otherwise providing a link to the location of the amendment. The Plan will timely inform you that the amendment is accepted and obtain your identification of and agreement to have the Plan notify the relevant persons with which the amendment needs to be shared as provided in the Privacy Standards.

If the request is denied in whole or part, the Plan must provide you with a written denial that (i) explains the basis for the denial, (ii) sets forth your right to submit a written statement disagreeing with the denial and how to file such a statement, (iii) states that, if you do not submit a statement of disagreement, you may request that the Plan provide your request for amendment and the denial with any future disclosures of the PHI that is the subject of the amendment, and (iv) includes a description of how you may complain to the Plan or to the Secretary of HHS. The Plan may reasonably limit the length of a statement of disagreement. Further, the Plan may prepare a written rebuttal to a statement of disagreement, which will be provided to you. The Plan must, as appropriate, identify the record or PHI in the designated record set that is the subject of the disputed amendment and append or otherwise link your request for an amendment, the Plan's denial of the request, your statement of disagreement, if any, and the Plan's rebuttal, if any, to the designated record set. If a statement of disagreement has been submitted, the Plan will include the above-referenced material, or, at the Plan's election, an accurate summary of such information, with any subsequent disclosure of the PHI to which the disagreement relates. If you do not submit a written statement of disagreement, the Plan must include your request for amendment and its denial, or an accurate summary of such information with any subsequent disclosure of the PHI only if requested by you.

You or your personal representative will be required to request amendment to your PHI in a designated record set in writing. Such requests should be addressed to the following individual: Human Resources Director/Privacy Official 501 Low Gap Road Room # 1326 Ukiah, CA 95482 707-234-6600.

All requests for amendment of PHI must include a reason to support the requested amendment.

Right to Receive an Accounting of PHI Disclosures: At your request, the Plan will provide you with an accounting of disclosures by the Plan of your PHI during the six years prior to the date on which the accounting is requested. However, such accounting need not include PHI disclosures made: (a) to carry out treatment, payment or health care operations; (b) to individuals about their own PHI; (c) to certain persons involved in your care or payment for your care; (d) to notify certain persons of your location, general condition or death; or (e) prior to the compliance date. You may request an accounting of disclosures for a period of time less than six years from the date of the request. The accounting will include disclosures of PHI that occurred during the six years (or such shorter time period, if applicable) prior to the date of the request for an accounting, including disclosures to or by business associates of the Plan. For each disclosure, the accounting will include:

• The date of the disclosure;
• The name of the entity or person who received the PHI and, if known, the address of such entity or person;
• A brief description of the PHI disclosed; and
• A brief statement of the purpose of the disclosure that reasonably informs you of the basis for the disclosure, or, in lieu of such statement, a copy of a written request for disclosure.

If during the period covered by the accounting, the Plan has made multiple disclosures of PHI to the same person or entity for a single purpose, the accounting may, with respect to such multiple disclosures, provide the above-referenced information for the first disclosure; the frequency, periodicity or number of the disclosures made during the accounting period; and the date of the last disclosure.

If the accounting cannot be provided within 60 days after receipt of the request, an additional 30 days is allowed if the individual is given a written statement of the reasons for the delay and the date by which the accounting will be provided. If you request more than one accounting within a 12-month period, the Plan will charge a reasonable, cost-based fee for each subsequent accounting unless you withdraw or modify the request for a subsequent accounting to avoid or reduce the fee.

You or your personal representative will be required to request an accounting of your PHI disclosures in writing. Such requests should be addressed to the following individual: Human Resources Director/Privacy Official 501 Low Gap Road Room # 1326 Ukiah, CA 95482 707-234-6600.

The Right To Receive a Paper Copy of This Notice Upon Request: You have a right to obtain a paper copy of this Notice upon request. To request a paper copy of this Notice, contact the following individual: Human Resources Director/Privacy Official 501 Low Gap Road Room # 1326 Ukiah, CA 95482 707-234-6600.

A Note About Personal Representatives: You may exercise your rights through a personal representative. Your personal representative will be required to produce evidence of his/her authority to act on your behalf before that person will be given access to your PHI or allowed to take any action for you. Proof of such authority may include, but is not limited to, the following: (a) a power of attorney for health care purposes, notarized by a notary public; (b) a court order of appointment of the person as the conservator or guardian of the individual; or (c) an individual who is the parent of a minor child. The Plan retains discretion to deny access to your PHI to a personal representative to provide protection to those vulnerable people who depend on others to exercise their rights under these rules and who may be subject to abuse or neglect. This also applies to personal representatives of minors.

Section 3: The Plan's Duties

Notice

The Plan is required by law to maintain the privacy of PHI and to provide individuals (participants and beneficiaries) with notice of its legal duties and privacy practices with respect to PHI. This Notice is effective beginning on the effective date set forth on Page 1 of this Notice, and the Plan is required to comply with the terms of this Notice. However, the Plan reserves the right to change the terms of this Notice and to make the new revised notice provisions effective for all PHI that it maintains, including any PHI received or maintained by the Plan prior to the date of the revised notice. If a privacy practice is changed, a revised version of this Notice will be provided to all individuals then covered by the Plan. If agreed upon between the Plan and you, the Plan will provide you with a revised Notice electronically. Otherwise, the Plan will mail a paper copy of the revised Notice to your home address.
In addition, the revised Notice will be maintained on any web site maintained by the Plan to provide information about its benefits. Any revised version of this Notice will be distributed within 60 days of the effective date of any material change to the uses or disclosures, the individual's rights, the duties of the Plan or other privacy practices stated in this Notice.

Minimum Necessary Standard

When using or disclosing PHI or when requesting PHI from another covered entity, the Plan will make reasonable efforts not to use, disclose or request more than the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure or request, taking into consideration practical and technological limitations. However, the minimum necessary standard will not apply in the following situations: (a) disclosures to or requests by a health care provider for treatment; (b) uses or disclosures made to the individual; (c) disclosures made to the Secretary of HHS; (d) uses or disclosures that are required by law; (e) uses or disclosures that are required for the Plan's compliance with the Privacy Standards; and (f) uses or disclosures made pursuant to certain authorizations.

This Notice does not apply to information that has been de-identified. De-identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. It is not individually identifiable health information. In addition, the Plan may use or disclose "summary health information" to the Plan Sponsor for obtaining premium bids or modifying, amending or terminating the group health plan. Summary health information summarizes the claims history, claims expenses or type of claims experienced by individuals for whom a plan sponsor has provided health benefits under a group health plan, and from which identifying information has been deleted in accordance with the Privacy Standards.

Section 4: Your Right to File a Complaint With the Plan or the HHS Secretary

If you believe that your privacy rights have been violated, you may complain to the Plan. Any complaint must be in writing and addressed to the following individual: Human Resources Director/Privacy Official 501 Low Gap Road Room # 1326 Ukiah, CA 95482 707-234-6600.

You also may file a complaint with the Secretary of the U.S. Department of Health and Human Services, by writing to him at the following address: The Hubert H. Humphrey Building, 200 Independence Avenue, S.W., Washington, D.C. 20201. The Plan will not retaliate against you for filing a complaint.

Section 5: Whom to Contact at the Plan for More Information

If you have any questions regarding this Notice or the subjects addressed in it, you may contact the following individual: Human Resources Director/Privacy Official 501 Low Gap Road Room # 1326 Ukiah, CA 95482 707-234-6600.

Conclusion: PHI use and disclosure by the Plan is regulated by a federal law known as HIPAA. You may find these rules at 45 Code of Federal Regulations Parts 160 and 164. This Notice attempts to summarize the Privacy Standards. The Privacy Standards will supersede any discrepancy between the information in this Notice and the Privacy Standards.


Business Associate Agreement

This Business Associate Agreement (the Agreement) is entered into and deemed effective as of September 23, 2013 (“Effective Date”) by The County of Mendocino Self-Insured Employee Benefits Plan, as the sponsor (“Sponsor”) of one or more health plans (collectively referred to hereafter as the “Plan”) and INSERT NAME HERE as the (Business Associate).

WHEREAS, the Sponsor has independently contracted with Business Associates to provide services to, for or on behalf of the Plan; and

WHEREAS, Plan wishes to allow the Business Associate to have access to Protected Health Information (PHI) including but not limited to, Electronic Protected Health Information (EPHI) that is either provided to the Business Associate by the Plan or received and created by the Business Associate on behalf of the Plan in the course of providing its services to, for or on behalf of the Plan;

WHEREAS, the Plan is required to comply with HIPAA (including, but not limited to, its Privacy Rule and Security Rule), and other governmental regulations relating to the privacy and security of individuals’ personally identifiable information.

NOW, THEREFORE, for good and valuable consideration, the receipt of which is hereby acknowledged, Plan and Business Associate agree as follows:

DEFINITIONS

Catch-all definition: Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in 45 CFR §§ 160.103 and 164.501.

Specific definitions:

(a) Business Associate. “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to this Agreement, shall mean Keenan & Associates.
(b) Breach shall have the same meaning as the term “breach” in 45 CFR § 164.402.
(c) Covered Entity shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to this Agreement shall mean the health and welfare benefits plans sponsored by the entity that is signatory to this Agreement.
(d) Individual shall have the same meaning as the term “individual” in 45 CFR § 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).
(e) Privacy Rule shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.
(f) Protected Health Information (“PHI”) shall have generally the same meaning as the term “protected health information” in 45 CFR § 164.501, and for this Agreement shall be limited to the information created or received by Business Associate from or on behalf of the Covered Entity.

(h) Secretary shall mean the Secretary of the Department of Health and Human Services or his designee.
(i) Security Rule shall mean the Security Standards for the Protection of Electronic Health Information at 45 CFR Part 160 and Part 164, Subparts A and C.
(j) Electronic PHI (E-PHI) shall have the meaning found in the Security Rule, 45 CFR Section 160.103.
(k) Security Incident shall have the same meaning as the term “security incident” in 45 CFR Parts 160 and 164, Subparts A and C.
(l) HIPAA Rules shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
(m) Designated Record Set shall have the same meaning as the term “designated record set” in 45 CFR 164.501.
(n) Subcontractor shall have the same meaning as the term “subcontractor” in 45 CFR § 160.103.
(o) Unsecured PHI shall have the meaning given the term “unsecured protected health information” in 45 CFR § 164.402.

OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE

Business Associate agrees to:

(a) Business Associate agrees to not request, use, or further disclose PHI other than as permitted or required by the Agreement or as permitted or required by law.

(b) Business Associate agrees that it shall utilize appropriate physical, administrative and technical safeguards to ensure that the PHI is not used or disclosed in any manner inconsistent with this Agreement. Such safeguards shall include, but not be limited to: (1) establishing policies and procedures to prohibit any employee of Business Associate, who does not have a reasonable need for the PHI in order to accomplish an authorized use or disclosure, from accessing such information and to inform all employees of Business Associate whose services may be used to fulfill obligations under this Agreement of the terms of this Agreement; and (2) disclosing to any agent, Subcontractor or other third party, and requesting from Covered Entity, only the minimum PHI necessary to accomplish the intended purpose of the use, disclosure or request. (“Minimum necessary” shall be interpreted in accordance with the HIPAA Rules.) Business Associate shall provide Covered Entity with such information concerning the safeguards as Covered Entity may reasonably request from time to time.

(c) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI, to prevent use or disclosure of PHI other than as provided for by the agreement.

(d) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of this Agreement.

(e) Business Associate agrees to report to Covered Entity, in writing, any use or disclosure by Business Associate of PHI not permitted by this Agreement promptly after Business Associate’s first awareness thereof, including but not limited to, any discovery of any inconsistent use or disclosure by Subcontractor of Business Associate.

(f) Report to Covered Entity any use or disclosure of PHI not provided for by the Agreement of which it becomes aware, including breaches of Unsecured PHI information as required at 45 CFR 164.410 (without unreasonable delay, and, in no case later than 10 calendar days after discovery of a Breach), and any security incident of which it becomes aware.

(g) Business Associate agrees to require that any Subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity, execute a Business Associate Agreement acknowledging its compliance with the HIPAA Rules.

(h) Business Associate agrees to provide access to PHI, at the request of Covered Entity, and in the time and manner reasonably designated by Covered Entity, to Covered Entity, or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR 164.524 (within 30 days after receipt of the request unless there is a 30 day extension).

(i) Business Associate agrees to make any amendment(s) to PHI that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526, and in the time and manner reasonably designated by Covered Entity, in a Designated Record Set, or take other measures as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.526 no later than 60 days after the receipt of the request.

(j) Business Associate agrees to make its internal practices, books and records relating to the use and disclosure of the PHI available to the Secretary or the Secretary’s designee for the purposes of determining Covered Entity’s compliance with the HIPAA Rules. Business Associate shall immediately notify Covered Entity of its receipt of any such request for access, but in no case later than 60 days after the receipt of the request.

(k) Business Associate agrees to document such disclosures of PHI to the extent necessary for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528 no later than 60 days after the receipt of the request.

(l) Maintain and make available the information required to provide an accounting of disclosures to either the Covered Entity, or the Individual, as necessary to satisfy Covered Entity’s obligations under 45 CFR 164.528 within 60 days after receipt of the request.

(m) Business Associate agrees to provide Covered Entity, in the time and manner reasonably designated by Covered Entity, information collected in accordance with Section 2(i) of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR 164.528 no later than 60 days after the receipt of the request.

(n) Business Associate agrees to provide information and documentation concerning Business Associate’s compliance with this Agreement to the extent reasonably requested by Covered Entity as necessary to permit Covered Entity to respond to third parties’ inquiries of and/or claims against Covered Entity relating to use and/or disclosure of PHI and/or for Covered Entity to comply with law(s) relating to its monitoring of compliance with this Agreement. Business Associate shall, upon Covered Entity’s request, certify to Covered Entity that it complies with the terms of this Agreement (no later than 60 days after the receipt of the request).

PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE

(a) Except as otherwise limited in this Agreement, Business Associate may obtain and/or use PHI as necessary to perform its obligation to provide services to, for, or on behalf of the Plans, so long as such access and/or use is either permitted or required by law and, provided further, that Business Associate has met all legal requirements for such access and/or use. This specifically includes, but is not limited to, Business Associate’s access and/or use of PHI as necessary to perform the services set forth in the Service Agreement.

(b) Business Associate may not use or disclose PHI in a manner that would violate the HIPAA Rules. If the Agreement permits the Business Associate to use or disclose PHI for its own management and administration and legal responsibilities, or for data aggregation services, then disclosure is permitted for the specific uses and disclosures set forth below.

i) Business Associate may use PHI for proper management and administration of the Business Associate, or to carry out the legal responsibilities of the Business Associate.

ii) Business Associate may disclose PHI for the proper management and administration of Business Associate or to carry out the legal responsibilities of the Business Associate, provided the disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used, or further disclosed, only as required by law or for the purposes for which it was disclosed to the person, and the person notifies Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

iii) Business Associate may provide data aggregation services relating to the health care operations of the Covered Entity.

OBLIGATIONS OF COVERED ENTITY

(a) Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 CFR § 164.520, as well as any changes to such notice.
(b) Neither Sponsor nor Covered Entity shall request Business Associate to use or disclose PHI in any manner that would not be permitted or required by law if done by Covered Entity.
(c) Covered Entity shall notify Business Associate in writing of any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR § 164.522.

INDEMNIFICATION

(a) Business Associate agrees to indemnify, defend, and hold harmless the Covered Entity, its trustees, officers, directors, employees, agents, or representatives, from any claim or penalty arising out of any improper use and/or disclosure of PHI in violation of the Privacy Regulation, to the extent that such improper use and/or disclosure resulted from Business Associate’s negligence or failure to comply with the terms of this Agreement or the Privacy Regulation.

(b) The Sponsor and Covered Entity agree to indemnify, defend and hold harmless Business Associate and/or all of Business Associate’s officers, directors, employees, agents, or representatives, from any claim or penalty from any improper use and/or disclosure of PHI, to the extent that such improper use and/or disclosure resulted from the Sponsor’s or Covered Entity’s negligence, failure to comply with the terms of this Agreement or the Privacy Regulation, or was based upon the Sponsor’s or Covered Entity’s written direction to use and/or disclose PHI in the manner challenged.

SECURITY

Business Associate agrees to:

i) Implement safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains, or transmits on behalf of the Covered Entity;

ii) Ensure that any Subcontractor, to whom it provides this information agrees to implement reasonable and appropriate safeguards;

iii) Report on a quarterly basis to the Covered Entity, in writing, any Security Incident involving Covered Entity’s data. If, however, a Security Incident results in the unauthorized disclosure of Unsecured PHI, Business Associate shall notify Covered Entity in accordance with the Breach notification provisions below.

iv) Notify Covered Entity no later than ten (10) days after discovery of a Breach of Unsecured PHI.¹

v) Perform the four factor risk assessment of any Breach that is discovered in accordance with the HIPAA Rules to determine if notification is required, and advise Covered Entity of its findings.

vi) Make its policies and procedures, and documentation required by this subpart relating to such safeguards, available to the Secretary for purposes of determining the Covered Entity’s compliance with 45 CFR Parts 162 and 164; and

vii) Authorize termination of the contract by the Covered Entity if the Covered Entity determines that the Business Associate has violated a material term of the contract.

Term and Termination

(a) The Term of this Agreement shall be effective as of the effective date herein and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy PHI, protections are extended to such information, in accordance with the termination provisions in this Section or on the date Covered Entity terminates for cause as authorized in paragraph (b) of this Section, whichever is sooner.

(b) Upon Covered Entity’s knowledge of a material Breach by Business Associate, Covered Entity shall provide an opportunity for Business Associate to cure the breach or end the violation and terminate this Agreement. If the Business Associate does not cure the breach or end the violation within the time specified by Covered Entity, Covered Entity shall have the right to immediately terminate this Agreement. Such termination shall not abrogate any rights which Covered Entity has against Business Associate for violation of this Agreement.

¹ Covered Entity has 60 days from the discovery date of a reportable Breach to report said Breach to the Individual and HHS (if Breach involves 500 or more Individuals).

(c) Upon termination of this Agreement for any reason, Business Associate, with respect to PHI received from Covered Entity, or created, maintained, or received by Business Associate on behalf of Covered Entity, shall:
i) Retain only that PHI which is necessary for Business Associate to continue its proper management and administration or to carry out its legal responsibilities;
ii) Return to Covered Entity (or, if agreed to by Covered Entity, destroy) the remaining PHI that the Business Associate still maintains in any form;
iii) Continue to use appropriate safeguards and comply with the HIPAA Rules regarding the use and disclosure of the PHI, for as long as Business Associate retains the PHI;
iv) Not use or disclose the PHI retained by Business Associate other than for the purposes for which such PHI was retained and subject to the same conditions which applied prior to termination; and
v) Return to Covered Entity (or, if agreed to by Covered Entity, destroy) the PHI retained by Business Associate when it is no longer needed by Business Associate for its proper management and administration or to carry out its legal responsibilities.

Miscellaneous

(a) A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended, and for which compliance is required.
(b) No modification, amendment, or waiver of any provision of this Agreement will be effective unless in writing and signed by the party to be charged. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Business Associate and Covered Entity to comply with the requirements of the HIPAA Rules.
(c) Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits both parties to comply with the HIPAA Rules and/or other applicable law.
(d) Notices: (i) All reports or notices to Covered Entity pursuant to this Agreement shall be sent to the names and addresses listed on the signature page, or to such other individuals and/or addresses as a party may later designate in writing. Unless expressly prohibited under the HIPAA Rules, such notices and reports may also be sent via email. (ii) All such reports or notices shall be sent by First Class Mail or express courier service, and shall be deemed effective when delivered, or if refused, when delivery is attempted.
(e) Nothing expressed or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the Sponsor, Covered Entity, Business Associate, and their respective successors or assigns, any rights, remedies, obligations or liabilities whatsoever.
(f) This Agreement constitutes the complete agreement of the parties relating to the access, use, disclosure and security of PHI and, except as otherwise provided herein, supersedes all prior representations or agreements, whether oral or written, with respect to the confidentiality and security of PHI.

(g) The parties hereby agree and affirm that the subject matter of this Agreement is unique, and that it may be impossible to measure the damages which would result to Covered Entity from violations by Business Associate of the agreements set forth herein. Accordingly, in addition to any other remedies which Covered Entity may have at law or in equity, the parties hereby agree that either party shall have the right to have all obligations and other provisions of this Agreement specifically performed by the other party, as applicable, and that either party shall have the right to seek preliminary and permanent injunctive relief to secure specific performance, and to prevent a breach or contemplated breach, of this Agreement, without, in any case, proof of actual damages.

(h) Governing Law: This Agreement shall be deemed to have been executed in the State of California and shall be governed by and construed in accordance with the laws of the State of California without regard to the internal conflict of laws or rules thereof which might otherwise govern the laws applicable to this Agreement. As evidenced by their signatures, the parties signify their consent to the exclusive jurisdiction of and venue in Mendocino County, California, in the event of any legal action in connection with this Agreement.
(i) Attorney Fees and Costs: If any action at law or in equity is necessary to enforce or interpret the terms of this Contract, the prevailing party shall be entitled to reasonable attorney's fees, costs, and necessary disbursements in addition to any other relief to which such party may be entitled.
(j) Construction: This Agreement shall not be construed against the party preparing it, but shall be construed as if both parties prepared this Agreement and any uncertainty and ambiguity shall not be interpreted against any one party.

IN WITNESS WHEREOF, the parties hereto hereby set their hands as of the date first above written.


HUMAN RESOURCES – MENDOCINO COUNTY

Workforce Confidentiality Agreement

I______________________________________, understand that The County of Mendocino has a legal and ethical responsibility to maintain patient privacy, including obligations to protect the confidentiality of patient information and to safeguard the privacy of patient information. I understand that The County of Mendocino has a legal and ethical responsibility to maintain the confidentiality, integrity, and accessibility of protected health information maintained in hard copy or electronic format. In addition, I understand that during the course of my employment/assignment/affiliation at The County of Mendocino, I may see or hear other confidential information such as financial data and operational information pertaining to the practice that The County of Mendocino is obligated to maintain as confidential. As a condition of my employment/assignment/affiliation with The County of Mendocino, I understand that I must sign and comply with this agreement. By signing this document I understand and agree that:

I will disclose Patient Information and/or confidential information only if such disclosure complies with The County of Mendocino policies and is required for the performance of my job.

My personal access code(s), user ID(s), access key(s), and password(s) used to access computer systems or other equipment are to be kept confidential at all times.

I will not access or view any information other than what is required to do my job. If I have any question about whether access to certain information is required for me to do my job, I will immediately ask my supervisor for clarification.

I will not discuss any information pertaining to the practice or its patients in an area where unauthorized individuals may hear such information (for example, in hallways, on elevators, in the cafeteria, on public transportation, at restaurants, and at social events). I understand that it is not acceptable to discuss any practice information in public areas even if specifics such as a patient's name are not used. I will not make inquiries about any practice information for any individual or party who does not have proper authorization to access such information.

I will not make any unauthorized transmissions, copies, disclosures, inquiries, modifications, or purgings of patient information or confidential information. Such unauthorized transmissions include, but are not limited to, removing and/or transferring patient information or confidential information from The County of Mendocino's computer system to an unauthorized location (for instance, home).

Upon termination of my employment/assignment/affiliation with The County of Mendocino:

I will immediately return all property (e.g. keys, documents, ID badges, etc.) to The County of Mendocino.

I agree that my obligations under this agreement regarding patient information will continue after the termination of my employment/assignment/affiliation with The County of Mendocino.

I understand that violation of this Agreement may result in disciplinary action, up to and including termination of my employment/assignment/affiliation with The County of Mendocino and/or suspension, restriction, or loss of privileges, in accordance with The County of Mendocino's policies, as well as potential personal civil and criminal legal penalties. I understand that any confidential information or patient information that I access or view at The County of Mendocino does not belong to me.

I have read the above agreement and agree to comply with all its terms as a condition of continuing employment.


HUMAN RESOURCES – MENDOCINO COUNTY

HIPAA Incident and Risk Assessment Form

This form is to be used to record and document HIPAA Incidents and record the Risk Assessment process to comply with the provisions under (HITECH) regulations described in 45 CFR Section 13402. Complete this form and retain for six years past the date of the event.

Date informed of the possible Breach: _____________________________________
Date the possible Breach occurred: ________________________________________
How we learned of the event: _____________________________________________
Brief description of what took place: ________________________________________
____________________________________________________________________
____________________________________________________________________
____________________________________________________________________

Risk Assessment

Step 1 (Unsecured PHI)
Question: Was the impermissible use/disclosure of unsecured PHI? (Was the data unprotected, or not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of technology or methodology?)
Yes: Move to next question.
No (meaning data was protected or locked): Notification not required. End of process; document.

Step 2 (Minimum Necessary)
Question: Was more than the minimum necessary for the purpose accessed, used or disclosed?
Yes: Move to next question.
No: May determine low risk and not provide notifications; document.

Steps 3 through 10: Was there a significant risk of harm to the individuals as a result of the impermissible use or disclosure?

Step 3
Question: Was it received and/or used by another entity governed by the HIPAA Privacy & Security Rules, or a Federal Agency obligated to comply with the Privacy Act of 1974 or FISA of 2002?
Yes: May determine low risk and not provide notifications; document.
No: Move to next question.

Step 4
Question: Were immediate steps taken to mitigate the impermissible use/disclosure (e.g. obtaining the recipients' assurances that the information will not be further used/disclosed or will be destroyed)?
Yes: May determine low risk and not provide notifications; document.
No: Move to next question.

Step 5
Question: Was the PHI returned prior to being accessed for an improper purpose (e.g. a laptop is lost/stolen, then recovered, and forensic analysis shows the PHI was not accessed, altered, transferred or otherwise compromised)?
Yes: May determine low risk and not provide notifications; document.
No: Move to next question.

Step 6
Question: What type and amount of PHI was involved in the impermissible use or disclosure? Does it pose a significant risk of financial, reputational, or other harm?
Yes: High risk; should be reported.
No: May determine low risk and not provide notifications; document.

Step 7
Question: Did the improper use/disclosure only include the name and the fact that services were received?
Yes: May determine low risk and not provide notifications; document.
No: Move to the next question.

Step 8
Question: Did the improper use/disclosure include the name and types of services received, were the services from a specialized facility (such as a substance abuse facility), or does the information increase the risk of ID theft (such as SS#, account #, mother's maiden name)?
Yes: High risk; should be reported.
No: Move to the next question.

Step 9
Question: Did the improper use/disclosure not include the 16 limited data set identifiers in 164.541(e)(2) nor the zip codes or dates of birth? Note: take into consideration the risk of re-identification (the higher the risk, the more likely notification should be made).
Yes: High risk; should be reported.
No: May determine low risk and not provide notifications; document.

Step 10
Question: Is the risk of re-identification so small that the improper use/disclosure poses no significant harm to any individual (e.g. a limited data set that included zip codes based on population features does not create a significant risk to an individual that can be identified)?
Yes: May determine low risk and not provide notifications; document.
No: Move to the next question.

Steps 11 through 15: Specific Breach Definition Exclusions

Step 11
Question: Was it an unintentional access/use or disclosure by a workforce member acting under the organization's authority, made in good faith, within his/her scope of authority (the workforce member was acting on the organization's behalf at the time), and did it not result in further use/disclosure (e.g. a billing employee receives an e-mail containing PHI about a patient mistakenly sent by a nurse (co-worker); the billing employee alerts the nurse of the misdirected e-mail and deletes it)?
Yes: May determine low risk and not provide notifications; document.
No: Move to the next question.

Step 12
Question: Was access unrelated to the workforce member's duties (e.g. did a receptionist look through a patient's records to learn of their treatment)?
Yes: High risk; should provide notification.
No: Move to the next question.

Step 13
Question: Was it an inadvertent disclosure by a person authorized to access PHI at a Covered Entity or Business Associate to another person authorized to access PHI at the same organization, and the information was not further used or disclosed (e.g. a workforce member who has the authority to use/disclose PHI in that organization discloses PHI to another individual in that same organization and the PHI is not further used or disclosed)?
Yes: May determine low risk and not provide notifications; document.
No: Move to the next question.

Step 14
Question: Was a disclosure of PHI made, but there is a good faith belief that the unauthorized recipient would not have reasonably been able to retain it (e.g. EOBs were mistakenly sent to wrong individuals and were returned by the post office, unopened, as undeliverable)?
Yes: May determine low risk and not provide notifications; document.
No: Continue to next question. Note: if the EOBs were not returned as undeliverable, these should be treated as breaches.

Step 15
Question: Was a disclosure of PHI made, but there is a good faith belief that the unauthorized recipient would not have reasonably been able to retain it (e.g. a nurse mistakenly hands a patient discharge papers belonging to a different patient, but quickly realizes the mistake and recovers the PHI from the patient, and the nurse reasonably concludes the patient could not have read or otherwise retained the information)?
Yes: May determine low risk and not provide notifications; document.
No: Document findings.

Burden of Proof

Required to document whether the impermissible use or disclosure compromises the security or privacy of the PHI (significant risk of financial, reputational, or other harm to the individual). Document the process after completing the above Risk Assessment.

Corrective Actions

What corrective actions followed this event?
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
Who is responsible for this event and how will it be prevented in the future? What action was taken?
_____________________________________________________________________
_____________________________________________________________________
Will this event require any further follow up or monitoring? If so, who and what is needed?
____________________________________________________________________
____________________________________________________________________
____________________________________________________________________

Breach Notification Requirements

Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities that a breach has occurred.

Individual Notice

Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information. Covered entities must provide this individual notice in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically. If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its web site or by providing the notice in major print or broadcast media where the affected individuals likely reside. If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written, telephone, or other means. These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity. Additionally, for substitute notice provided via web posting or major print or broadcast media, the notification must include a toll-free number for individuals to contact the covered entity to determine if their protected health information was involved in the breach.

Media Notice

Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.

Notice to the Secretary

In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information. Covered entities will notify the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form. If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach. If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches occurred.

Notification by a Business Associate

If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any information required to be provided by the covered entity in its notification to affected individuals.

Document any required notifications as defined above: include a sample and the dates sent.
______________________________________________________________________
______________________________________________________________________

Staff completing this form: __________________________________________________
Reviewed by: ____________________________________________________________
Further Review if Needed by: ____________________________________
