ORDER NO. ~8~58
APPOINT COMMITTEE TO INITIATE POLICIES AND PROCEDURES TO COMPLY WITH HIPAA PRIVACY RULE

On this the 28th day of April, 2003, upon motion made by Commissioner Baldwin, seconded by Commissioner Williams, the Court unanimously approved by a vote of 4-0-0, to appoint a HIPAA committee with the representatives as designated by Commissioner Baldwin to review and prepare policies and procedures for presentation to this Court as may be required by the HIPAA privacy rules.

COMMISSIONERS' COURT AGENDA REQUEST

PLEASE FURNISH ONE ORIGINAL AND NINE COPIES OF THIS REQUEST AND DOCUMENTS TO BE REVIEWED BY THE COURT.

MADE BY: Pat Tinley
OFFICE: County Judge
MEETING DATE: April 28, 2003
TIME PREFERRED:
SUBJECT: (PLEASE BE SPECIFIC) Consider and discuss compliance with HIPAA Privacy Rule by adopting policies & procedures regarding Protected Health Information (PHI) and authorize the County Judge to execute agreements of compliance.
EXECUTIVE SESSION REQUESTED: (PLEASE STATE REASON)
NAME OF PERSON ADDRESSING THE COURT: County Judge
ESTIMATED LENGTH OF PRESENTATION:
IF PERSONNEL MATTER - NAME OF EMPLOYEE:

Time for submitting this request for Court to assure that the matter is posted in accordance with Title 5, Chapter 551 and 552, Government Code, is as follows: Meeting scheduled for Mondays: 5:00 P.M. previous Tuesday.

THIS REQUEST RECEIVED BY:
THIS REQUEST RECEIVED ON:

All Agenda Requests will be screened by the County Judge's Office to determine if adequate information has been prepared for the Court's formal consideration and action at time of Court Meetings. Your cooperation will be appreciated and contribute towards your request being addressed at the earliest opportunity. See Agenda Request Rules Adopted by Commissioners' Court.

TEXAS ASSOCIATION OF COUNTIES
1204 San Antonio • Austin, TX 78701
P.O. Box 2131 • Austin, TX 78768-2131
(512)-478-8753 • 1-(800)-456-5974 • FAX (512)-478-0519
Sam D. Seale • Executive Director

MEMORANDUM

TO: County Judges, County Treasurers, County Auditors
FROM: Quincy Quinlan, Assistant General Counsel, TAC Legal Department
DATE: March 25, 2003
SUBJECT: COMPLIANCE WITH HIPAA PRIVACY RULE

This memorandum discusses the rule concerning privacy of protected health information promulgated pursuant to the federal Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The Legal Department of the Texas Association of Counties ("TAC") distributes this memorandum as a public service. This memorandum is not legal advice. It does not take the place of discussions with your county attorney or other competent legal advisors or HIPAA consultants.

As required by HIPAA, the United States Department of Health and Human Services ("HHS") has published a rule regarding the privacy of health information at 45 Code of Federal Regulations Parts 160 and 164 ("Privacy Rule"). You can view a copy of the complete rule at http://www.hhs.gov/ocr/combinedregtext.pdf. Individuals or entities covered by the Privacy Rule must be in compliance with the Privacy Rule by April 14, 2003; small health plans with under $5,000,000.00 in premiums have until April 14, 2004 to comply.

HHS has promulgated a second rule in the area of the transmission of protected health information, specifically governing electronic health care transactions and code sets. Covered Entities must begin testing software and systems by April 16, 2003, and must be in full compliance by October 16, 2003. A third rule governing electronic security measures for covered entities requires the measures to be in place by April 21, 2005; small plans have until April 21, 2006 to comply. This memorandum does not discuss those two additional rules.

WHAT IS THE RULE ABOUT

The Privacy Rule establishes the concept of Protected Health Information ("PHI"). PHI is defined as individually identifiable health information that is transmitted by electronic media, or maintained in electronic media, or transmitted or maintained in any other form or medium. Individually identifiable health information does not include information in employment records or worker's compensation records. The county that is a covered entity can use or disclose PHI only if such use or disclosure is permitted or required by the Privacy Rule.

WHO IS COVERED BY THE RULE

A Covered Entity under the Privacy Rule is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by the Privacy Rule.

A health plan is any individual or group plan that provides, or pays the cost of, medical care. The definition of health plan includes group health plans, a term that encompasses employee welfare benefit plans. It appears that if a county offers health coverage to its employees through the Texas Association of Counties Health and Employee Benefits Pool ("HEBP"), the county does not have a health plan for purposes of the Privacy Rule because HEBP is the health plan in that context. A similar analysis would also apply if a county has purchased health insurance for its employees from an insurance company. A self-insured county would appear to be classified as a health plan under HIPAA, however, and thus the administration of the health plan would need to comply with the Privacy Rule. The determination of whether a county is completely free of HIPAA requirements does not end with the analysis concerning the health plan.
A health care clearinghouse is an entity, including a billing service, repricing company, community health management information system or community health information system, that either: (1) processes or facilitates the processing of health information received from another entity in a non-standard format or containing non-standard data content into standard data elements or a standard transaction; or (2) receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity. This letter will not discuss health care clearinghouses, as we do not believe counties are engaging in these types of activities.

A health care provider means a provider of services as defined in 42 United States Code 1395x(u); a provider of medical or health services as defined in 42 USC 1395x(s); and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business. A provider of services as defined in 42 USC 1395x(u) means a hospital, skilled nursing facility, comprehensive outpatient rehabilitation facility, home health agency, or hospice program.
A provider of medical or health services as defined in 42 USC 1395x(s) includes (please see statute for exhaustive list):

• physicians' services;
• services and supplies furnished as an incident to a physician's professional services;
• hospital services;
• outpatient diagnostic services furnished by a hospital;
• outpatient physical therapy and occupational therapy services;
• rural health clinic services and Federally qualified health center services;
• home dialysis supplies and equipment, and institutional dialysis services and supplies;
• physician assistant services, when performed under the supervision of a physician (but physician does not get paid);
• nurse practitioner or clinical nurse specialist services (where nurse works in collaboration with a physician);
• certified nurse-midwife services;
• qualified psychologist services;
• clinical social worker services;
• x-ray services;
• surgical dressings, and splints, casts and other devices used for reduction of fractures and dislocations;
• durable medical equipment;
• ambulance service where the use of other methods of transportation is contraindicated by the individual's condition, but only to the extent provided in regulations;
• screening mammography, screening pap smear and screening pelvic exam; and
• bone mass measurement.

A county would be considered a healthcare provider for purposes of the HIPAA Privacy Rule to the extent it provides any of the services listed above, or in the referenced statute, or furnishes, bills, or is paid for health care in the normal course of business.

A health care provider has to conduct certain transactions, as listed below, in electronic form in order to be a covered entity under the Privacy Rule. The term "transaction" is defined as the transmission of information between two parties to carry out financial or administrative activities related to health care.
Although the term "electronic form" is not defined in the Privacy Rule, a companion rule issued by HHS defines the term "electronic media" as:

    ... the mode of electronic transmission. It includes the Internet (wide-open), Extranet (using Internet technology to link a business with information only accessible to collaborating parties), leased lines, dial-up lines, private networks, and those transmissions that are physically moved from one location to another using magnetic tape, disk, or compact disk media. 45 CFR 162.103.

HHS has stated that a regular fax (placing a sheet of paper on a fax machine) is not an electronic transmission, but an electronic fax (faxing a document from a computer to another destination) is an electronic transaction.

The transactions covered by the Privacy Rule are:
(1) health care claims or equivalent encounter information;
(2) health care payment and remittance advice;
(3) coordination of benefits;
(4) health care claim status;
(5) enrollment and disenrollment in a health plan;
(6) eligibility for a health plan;
(7) health plan premium payments;
(8) referral certification and authorization;
(9) first report of injury; and
(10) health claims attachments.

HHS has also reserved the right to add additional transactions at a later date. If a county is a health care provider, and it performs any of these ten transactions using the technology listed above, it is a covered entity and needs to comply with the requirements of the Privacy Rule. If the county has health care provider services, but it does not do any of the ten transactions electronically, it does not need to comply with HIPAA for the health care provider services. A county may also want to analyze whether it qualifies as a hybrid entity under the Privacy Rule.
A hybrid entity is a single legal entity that is a covered entity (health plan or health care provider) whose business activities include covered and non-covered functions, and that designates the parts of the organization that engage in the covered activities as health care components. As an example, a county that owns a county hospital could designate itself as a hybrid entity, and designate the hospital as a health care component of the hybrid entity. The advantage of the hybrid entity designation is that the Privacy Rule requirements would apply only to the designated health care component.

WHAT DOES A COVERED ENTITY HAVE TO DO

There are many procedures and policies that must be adopted and implemented if a county is classified as a health plan or a health care provider under the Privacy Rule. Achieving compliance with the Privacy Rule requires an extensive effort. If the county officials who have access to protected health information have not already evaluated the Rule and assessed their operations, they should start immediately. We recommend that any county that believes it may be covered by the Privacy Rule should retain legal counsel or other HIPAA experts to assist in the development of a comprehensive plan that suits the needs of the county. If your office does not have primary responsibility for administering the county employee benefits program or the county's health care provider services (if applicable), you may wish to distribute a copy of this memorandum to the official or employee who has such responsibility.

Because of each county's unique circumstances, and because the Privacy Rule is extremely complex, it is not possible for us to develop a compliance plan for the counties. However, the following steps should probably be taken as part of any compliance plan, if the determination is made that the county is a Covered Entity under the Privacy Rule:

• Obtain a copy of the rule and read it.
  The Privacy Rule is published at 45 CFR Parts 160 and 164. It can also be found on the Internet at http://www.hhs.gov/ocr/combinedregtext.pdf. A copy of this memorandum is also on the TAC website. Instructions on accessing the website are given below. If you download the memorandum in RTF format, you will be able to click on the link in this paragraph that will take you directly to the Privacy Rule.

• The Commissioners Court may wish to appoint a Privacy Official and document the appointment. This person will be in charge of organizing the effort to achieve compliance.

• The Commissioners Court may wish to appoint a contact person who is responsible for receiving complaints about the use or disclosure of PHI. The Commissioners Court should document the appointment.

• The Commissioners Court may wish to appoint a committee to identify compliance issues, formulate a strategy for achieving compliance and establish policies to ensure the county's operations comply with the Rule.

• The HIPAA Committee may wish to identify the county employees that have access to PHI, the persons or entities that send PHI to the county and the persons and entities to whom the county discloses PHI.

• The HIPAA Committee may wish to identify the locations in the various county offices where PHI is stored and develop and implement such policies as are necessary to ensure that access to this information is limited to those employees who need PHI to perform plan administration functions or health care provider treatment and administrative functions.

• The HIPAA Committee may wish to develop a policy (to be ratified by the Commissioners Court and each elected officer) that requires the county, when requesting PHI from another person or entity, to identify the purpose for which the PHI is needed and request only the minimum amount of PHI necessary to accomplish the purpose.
• The HIPAA Committee may wish to develop a policy (to be ratified by the Commissioners Court and each elected officer) that requires the county, when it discloses PHI to another person or entity, to identify the purpose for which the PHI is being disclosed and disclose only the minimum amount of PHI necessary to accomplish the purpose.

• The HIPAA Committee may wish to identify the uses and disclosures of PHI for which the county must obtain an authorization from the individual, and develop and use an authorization form for these occasions.

• Those to whom the county must disclose PHI for the purposes of performing a function pertaining to the county's health plan operations or health care provider operations are the county's Business Associates. The county's Business Associates must enter into Business Associates Agreements with a covered county. The Business Associates Agreements provide, among other things, that the Business Associates agree to use and disclose PHI only in compliance with the Privacy Rule.

• The county that is a Covered Entity under the Privacy Rule must prepare and disseminate to every participant in its health plan a Notice of Privacy Rights that sets forth individuals' rights concerning their PHI.

• If the county is a covered health care provider, and has a direct treatment relationship with individuals, each such person receiving medical services must be given a Notice of Privacy Rights that sets forth the individual's rights concerning their PHI.

• The Commissioners Court and all elected officials should develop and implement such policies as are necessary to ensure that an employee's PHI cannot be considered in making any employment decisions, and that PHI is not discussed openly in any forum for any reason.

• The Commissioners Court and elected officials may wish to develop policies that allow for an individual to access, amend and request restrictions on the use of his or her PHI.
• The Commissioners Court and elected officials may wish to develop a system for documenting non-routine disclosures of PHI and a policy of allowing an individual to obtain an accounting of those disclosures.

• The Commissioners Court and elected officials should train all employees by April 14, 2003 to ensure compliance with the HIPAA policies and the Privacy Rule, and document that training has occurred. If the Commissioners Court designates the county as a hybrid entity (an entity that has covered and non-covered functions), and designates the offices or departments that administer the health plan or the health care provider services as the health care component, then only the employees of the designated health care component would need to receive HIPAA training. Further, the health care component would be the only part of the county that would need to comply with the HIPAA Privacy Rule.

• The Commissioners Court and elected officials may wish to develop and impose appropriate sanctions for violations. Please note that the statute includes civil monetary penalties of up to $25,000 and criminal penalties up to $250,000 and 10 years incarceration.

We have posted the Business Associate Agreement, along with the policies, procedures and other forms that the Texas Association of Counties Health and Employee Benefits Pool will be using in its efforts to comply with the Privacy Rule. These documents can be viewed at TAC's website, http://www.county.org. At the website, go to "Online Resources," then click on HIPAA Policies and Procedures. The documents may be downloaded. Again, these documents are posted for your convenience only, and are not intended to be legal advice to your county.

We hope that this information is helpful as the county determines whether it needs to comply with the Privacy Rule.
ONLINE RESOURCES

HIPAA Policies & Procedures

Overview

This section contains policies and procedures concerning the privacy rule promulgated pursuant to the Health Insurance Portability and Accountability Act ("HIPAA"). These policies and procedures will be presented for adoption by the Board of the Texas Association of Counties Health and Employee Benefits Pool. You may download and modify these documents as you wish. If you wish t[...] a document, please read the memorandum (PDF File) that was sent to all Judges, County Auditors and County Treasurers. A link to the memorandum is located directly below this overview.

Memorandum (PDF File)

Technical Tips

To modify a document on your computer, choose the Rich Text Format option and use the save as command to save it to your computer. If you would like to print the document, choose the Portable Document (PDF) option.

Policies and Procedures (each document offered in RTF and PDF format)

• HIPAA ASO Business Associate Agreement
• De-identified PHI
• Disclosures of PHI to those involved in Individual's Care
• Disclosures of PHI to Plan Sponsor
• Maintaining the Security of PHI in the workplace
• Minimum Necessary Disclosures for PHI
• Minimum Necessary Requests for PHI
• Minimum Necessary Uses of PHI
• Participant Privacy Rights
• Participant Request Confidential Communications
• Privacy of the PHI of Deceased Participants
• Requests for Access to PHI
• Requests for an Accounting of Disclosures of Protected Health Information
• Requests for Restrictions on the Use and Disclosure of PHI
• Requests to Amend Protected Health Information
• Sanctions for Privacy Violations
• Use of Authorizations
• Workforce Privacy Training
• Uses and Disclosures for Which an Authorization or Opportunity to Agree or Object is not required
• Personal Representatives
• Participant Privacy and Marketing
• Required Disclosures of PHI
• Policy and Procedure - Business Associates
• TAC HEBP HIPAA Privacy Notice

http://www.county.org/resources/HIPAA/ 4/15/03
BUSINESS ASSOCIATE AGREEMENT

THIS BUSINESS ASSOCIATE AGREEMENT (the "Agreement") is effective April 14, 2003, by and between ____________ ("County") and ____________ ("Business Associate").

RECITALS

WHEREAS, County has created a self-funded employee health and welfare benefits plan ("Plan") for the benefit of its officials, employees, and their dependents; and

WHEREAS, the Plan is a covered entity for the purposes of the privacy provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Privacy Rule promulgated by the United States Department of Health and Human Services; and

WHEREAS, Business Associate and County have entered into an agreement ("the Service Agreement"), pursuant to which Business Associate performs functions that assist County in the operation of the Plan; and

WHEREAS, it may be necessary for County and Business Associate to disclose protected health information to each other to facilitate performance of the functions performed by Business Associate for County; and

WHEREAS, the Privacy Rule requires that there be an agreement between covered entities and business associates that governs the use and disclosure of protected health information;

NOW THEREFORE, in consideration of the beneficial relationship enjoyed by the parties pursuant to the Service Agreement, the parties agree as follows:

Part I. Definitions

The following definitions apply to this agreement:

1.1 "Designated Record Set" shall mean the set of records used to make decisions about an individual that relate to: 1) medical information or billing records provided by a health care provider; or 2) the enrollment, payment, claims, adjudication, and case or medical management records maintained by or for a health plan. This includes the group of records used or maintained by a health care clearinghouse.
1.2 "Individual" shall have the same meaning as the term "individual" in 45 CFR § 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).

1.3 "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.

1.4 "Protected Health Information" shall have the same meaning as the term "protected health information" in 45 CFR § 164.501, limited to the information created or received by Business Associate from or on behalf of County.

1.5 "Required By Law" shall have the same meaning as the term "required by law" in 45 CFR § 164.501.

1.6 "Secretary" shall mean the Secretary of the Department of Health and Human Services or his designee.

In addition, unless otherwise noted, any term used in this Agreement that is defined in the Privacy Rule shall have the same meaning as those terms have under the Privacy Rule.

Part II. Obligations and Activities of Business Associate

2.1 Business Associate agrees to not use or disclose Protected Health Information other than as permitted or required by the Agreement or as required by law.

2.2 Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement.

2.3 Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate, whether or not such disclosure is in violation of the requirements of this Agreement.

2.4 Business Associate agrees to report to County any use or disclosure of the Protected Health Information not provided for by this Agreement of which it becomes aware.
2.5 Business Associate agrees to ensure that any individual or entity to whom it provides Protected Health Information received from County, or created or received by Business Associate on behalf of County, agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.

2.6 Business Associate agrees to provide an Individual prompt and reasonable access, at the request of County, to Protected Health Information of the Individual in any Designated Record Set in its possession or control, except Protected Health Information excluded from disclosure by 45 CFR §§ 164.524(a)(1)(i),(ii),(iii), to County or, as directed by County, to an Individual in order to meet the requirements under 45 CFR § 164.524.

2.7 Business Associate agrees to make any amendment(s) to Protected Health Information in any Designated Record Set in its possession or control that County directs or agrees to pursuant to 45 CFR § 164.526, at the request of County or an Individual, and further agrees to do so within 30 days.

2.8 Business Associate agrees to make internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, County available to the Secretary, in a time and manner designated by the Secretary, for purposes of the Secretary determining County's compliance with the Privacy Rule.

2.9 Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for County to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528.
2.10 Business Associate agrees to provide within 30 days, to either County or an Individual as directed by County, information collected in accordance with Section 2.9 of this Agreement, to permit County to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528.

2.11 Business Associate agrees to take such other feasible actions as are necessary to allow County to comply with the Privacy Rule as it pertains to the operations governed by the Service Agreement.

Part III. Permitted Uses and Disclosures by Business Associate

3.1 Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, County as set forth in the Service Agreement governing the business relationship between County and Business Associate, provided that such use or disclosure would not violate the Privacy Rule if done by County or the minimum necessary policies and procedures of the County.

3.2 Business Associate may use and disclose Protected Health Information for the management and administration of the Business Associate.

3.3 Business Associate may provide data aggregation services relating to the health care operations of County.

Part IV. Obligations of County

4.1 County shall notify Business Associate of any limitation(s) in its notice of privacy practices of County in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of Protected Health Information.

4.2 County shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate's use or disclosure of Protected Health Information.
4.3 County shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that County has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of Protected Health Information.

Part V. Permissible Requests by County

County shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by the County.

Part VI. Term and Termination

6.1 Term. The Term of this Agreement shall be effective as of April 14, 2003, and shall terminate when all of the Protected Health Information provided by County to Business Associate, or created or received by Business Associate on behalf of County, is destroyed or returned to County.

6.2 Termination for Cause. Upon County's knowledge of a material breach by Business Associate, County shall either:
1) Provide an opportunity for Business Associate to cure the breach and terminate this Agreement and the Service Agreement only if Business Associate does not cure the breach or end the violation within the time specified by County;
2) Immediately terminate this Agreement and the Service Agreement if Business Associate has breached a material term of this Agreement and cure is not possible; or
3) If neither termination nor cure are feasible, County shall report the violation to the Secretary.

6.3 Effect of Termination. Except as provided below, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all Protected Health Information received from County, or created or received by Business Associate on behalf of County. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.
In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to County notification of the conditions that make return or destruction infeasible. If County agrees that return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.

Part VII. Miscellaneous Provisions

7.1 Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended.

7.2 Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for County to comply with the requirements of the Privacy Rule and the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191. However, any amendments must be in writing and signed by both Parties.

7.3 Survival. The respective rights and obligations of Business Associate under Section 6.3 shall survive the termination of this Agreement.

7.4 Interpretation. Any ambiguity in this Agreement shall be resolved to permit County to comply with the Privacy Rule.

IN WITNESS WHEREOF, the parties have executed this Agreement to take effect on the Effective Date.

County
By: ____________________    Date: ____________

Business Associate
By: ____________________    Date: ____________

TEXAS ASSOCIATION OF COUNTIES HEALTH AND EMPLOYEE BENEFITS POOL
HIPAA POLICIES

DE-IDENTIFIED INFORMATION
Effective Date: March 17, 2003

POLICY

HEBP may use protected health information to create information that does not identify an individual, or disclose protected health information to a business associate for such purpose, whether or not the de-identified information is to be used by HEBP.
PROCEDURE

In appropriate circumstances, HEBP will de-identify an individual's PHI. A person with appropriate knowledge and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable will apply such principles and methods as necessary for the person to determine that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient, to identify an individual who is a subject of the information.

• The person de-identifying the information will document the methods used to de-identify the information.

• The following identifiers of the individual or of relatives, employers, or household members of the individual, will be removed in order to create de-identified information:
  • Names;
  • All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code (HEBP may remove all but the first three digits of the zip code under certain circumstances);
  • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death;
  • Telephone numbers;
  • Fax numbers;
  • Electronic mail addresses;
  • Social Security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers, including license plate numbers;
  • Device identifiers and serial numbers;
  • Web Universal Resource Locators;
  • Internet Protocol address numbers;
  • Biometric identifiers, including finger and voice prints;
  • Full face photographic images and any comparable images; and
  • Any other unique identifying number, characteristic, or code.
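The identifier list above lends itself to a mechanical first pass. The Python below is an added example written for this page, not HEBP's or TAC's code; the field names, the sample record and the keep_zip3 switch are assumptions. It drops the listed fields, keeps only the year of the listed dates, optionally truncates the zip code to three digits, scrubs identifiers that leak into free-text notes, and returns the log of methods the procedure asks the de-identifier to document.

```python
import re
from datetime import date

# Field names are constructed for this example; map your own schema onto them.
# Direct identifiers named in the policy: dropped outright.
DROP_FIELDS = {
    "name", "street", "city", "county", "precinct", "phone", "fax", "email",
    "ssn", "medical_record_number", "beneficiary_number", "account_number",
    "certificate_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric", "photo",
}
# Dates directly related to the individual: every element except the year goes.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Identifiers that leak into free text (notes, comments) are scrubbed by pattern.
TEXT_PATTERNS = [
    ("url", re.compile(r"https?://\S+", re.IGNORECASE)),
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)")),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("date", re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b")),
]


def year_only(value):
    """Return the year of a date object or ISO-8601 date string, else None."""
    if isinstance(value, date):
        return str(value.year)
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", str(value))
    return m.group(1) if m else None


def deidentify(record, keep_zip3=False):
    """Strip the policy's identifiers from one record.

    Returns (deidentified_record, methods); methods documents each step taken,
    as the procedure requires. keep_zip3=True retains the first three zip
    digits, which the policy allows only "under certain circumstances", so the
    caller decides (an assumption of this example, not a rule from the policy).
    """
    out, methods = {}, []
    for key, value in record.items():
        if key in DROP_FIELDS:
            methods.append(f"removed {key}")
        elif key in DATE_FIELDS:
            out[f"{key}_year"] = year_only(value)
            methods.append(f"reduced {key} to year only")
        elif key == "zip":
            if keep_zip3:
                out["zip3"] = str(value)[:3]
                methods.append("truncated zip to first three digits")
            else:
                methods.append("removed zip")
        elif isinstance(value, str):
            scrubbed = value
            for label, pattern in TEXT_PATTERNS:
                scrubbed, n = pattern.subn(f"[{label.upper()} REMOVED]", scrubbed)
                if n:
                    methods.append(f"scrubbed {n} {label} token(s) from {key}")
            out[key] = scrubbed
        else:
            out[key] = value
    return out, methods


# Constructed sample claim record; every identifying value here is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "zip": "78701",
    "birth_date": "1960-05-14",
    "admission_date": date(2003, 4, 1),
    "diagnosis_code": "J45.909",
    "notes": "Call 512-555-0147 or jane@example.com; seen 04/01/2003 from 10.0.0.12.",
}

if __name__ == "__main__":
    clean, log = deidentify(SAMPLE_RECORD, keep_zip3=True)
    print(clean)
    for step in log:
        print("-", step)
```

A pattern pass is a floor, not the expert determination the procedure calls for; the returned methods list is what the reviewer signs off on.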
• Health information that does not identify an individual, and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual, will not be treated as PHI.

TEXAS ASSOCIATION OF COUNTIES HEALTH AND EMPLOYEE BENEFITS POOL
HIPAA POLICIES
DISCLOSURES OF PROTECTED HEALTH INFORMATION TO THOSE INVOLVED IN THE INDIVIDUAL'S CARE
Effective Date: March 17, 2003

POLICY
HEBP may disclose to a family member, other relative or a close personal friend of the individual, or any other person identified by the individual, the PHI directly relevant to such person's involvement with the individual's care or payment related to the individual's health care. HEBP may, consistently with the procedures set forth below, also use or disclose PHI to notify, or assist in the notification of, a family member, a personal representative of the individual or another person responsible for the care of the individual of the individual's location, general condition or death.

PROCEDURE
If the individual is present for, or otherwise available prior to, a use or disclosure permitted by this policy and has the capacity to make health care decisions, HEBP will use or disclose the PHI only if HEBP:
• Obtains the individual's agreement;
• Provides the individual with the opportunity to object to the disclosure, and the individual does not express an objection; or
• Reasonably infers from the circumstances, based on the exercise of professional judgment, that the individual does not object to the disclosure.
If the individual is not present, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the individual's incapacity or an emergency circumstance, HEBP may determine whether the disclosure is in the best interests of the individual and, if so, disclose only the PHI that is directly relevant to the person's involvement with the individual's health care.
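As an added illustration of the identifier-removal rules in the DE-IDENTIFIED INFORMATION policy above (example code, not HEBP's or TAC's own), the following Python module strips the listed identifiers from a constructed sample record, reduces dates to the year, keeps at most the first three ZIP digits, scrubs identifiers embedded in free text, and logs the methods applied, as the procedure requires. The field names, the RESTRICTED_ZIP3 set and the sample record are assumptions.

```python
"""Safe-harbor style de-identification per the DE-IDENTIFIED INFORMATION policy.

Added example, not HEBP's or TAC's code. The record layout, field names,
RESTRICTED_ZIP3 and the sample record are assumptions made for illustration.
"""
import re
from datetime import date

# Fields that hold identifiers the policy lists for outright removal.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "precinct", "phone", "fax",
    "email", "ssn", "medical_record_number", "beneficiary_number",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric_id", "photo",
}
# Date fields directly related to the individual: only the year survives.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "date_of_death"}
# Assumption: 3-digit ZIP prefixes the Privacy Official has ruled may NOT be kept
# (the policy allows keeping the first three digits only "under certain circumstances").
RESTRICTED_ZIP3 = {"036", "059", "102"}  # constructed sample values

# Identifiers that may be embedded in free-text fields such as notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "url": re.compile(r"\bhttps?://\S+|\bwww\.\S+", re.IGNORECASE),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def generalize_zip(zip_code, restricted=RESTRICTED_ZIP3):
    """Keep only the first three ZIP digits; drop the ZIP if that prefix is restricted."""
    if not zip_code:
        return None
    prefix = str(zip_code).strip()[:3]
    return None if prefix in restricted else prefix


def year_only(value):
    """Reduce a date object or an ISO 'YYYY-MM-DD' string to its year."""
    if value is None:
        return None
    if isinstance(value, date):
        return value.year
    return int(str(value)[:4])


def scrub_text(text):
    """Replace embedded identifiers with labelled placeholders; return (text, hits).

    Dates in free text are removed outright rather than reduced to a year, the
    conservative choice when the surrounding context cannot be checked.
    """
    hits = []
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text, count = pattern.subn(f"[{label.upper()} REMOVED]", text)
        if count:
            hits.append((label, count))
    return text, hits


def deidentify(record):
    """Return (de-identified copy, log of methods applied) for one record."""
    out, log = {}, []  # the log documents the methods used, as the procedure requires
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            log.append(f"removed {field}")
        elif field == "zip":
            out["zip3"] = generalize_zip(value)
            log.append("zip generalized to 3 digits" if out["zip3"]
                       else "zip removed (restricted prefix)")
        elif field in DATE_FIELDS:
            out[field.replace("date", "year")] = year_only(value)
            log.append(f"{field} reduced to year")
        elif isinstance(value, str):
            cleaned, hits = scrub_text(value)
            out[field] = cleaned
            log.extend(f"{field}: removed {count} {label}" for label, count in hits)
        else:
            out[field] = value
    return out, log


# Constructed sample record; no real person's PHI.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street_address": "123 Example Ln",
    "city": "Sampletown",
    "zip": "78701",
    "birth_date": "1961-07-04",
    "admission_date": date(2003, 4, 14),
    "ssn": "123-45-6789",
    "phone": "(512) 555-0100",
    "diagnosis_code": "E11.9",
    "notes": "Spouse at 512-555-0199, e-mail jq@example.org; follow-up 04/28/2003.",
}
```

Running `deidentify(SAMPLE_RECORD)` leaves only the diagnosis code, the 3-digit ZIP, the years, and the scrubbed note, together with a method log that can be filed with the de-identified data.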
HEBP will use its judgment and experience to make reasonable inferences of the individual's best interest in allowing a person to act on behalf of the individual to pick up filled prescriptions, medical supplies, x-rays, or other similar forms of PHI.

TEXAS ASSOCIATION OF COUNTIES HEALTH AND EMPLOYEE BENEFITS POOL
HIPAA POLICIES
DISCLOSURES OF PROTECTED HEALTH INFORMATION TO THE PLAN SPONSOR
Effective Date: March 17, 2003

POLICY
HEBP will disclose, or permit disclosure of, protected health information ("PHI") to the plan sponsor only to the extent and in the manner allowed by the Privacy Rule.

PROCEDURE
• Before disclosure is made to the plan sponsor, HEBP must ensure that the plan documents restrict uses and disclosures of such information by the plan sponsor consistent with the requirements of the Privacy Rule.
• HEBP may disclose summary health information to the plan sponsor, if the plan sponsor requests the summary health information for the purpose of: 1) obtaining premium bids from health plans for providing health insurance coverage under the group health plan; or 2) modifying, amending, or terminating the Plan.
• HEBP may disclose to the plan sponsor whether an individual is a participant in the HEBP Plan.
• HEBP will, if necessary, amend its plan documents to ensure that they contain provisions to: 1) establish the permitted and required uses and disclosures of such information by the plan sponsor; and 2) provide that the Plan will disclose PHI to the plan sponsor only upon receipt of a certification by the plan sponsor that the Plan Sponsor agrees to:
  • Not use or further disclose the information other than as permitted or required by the plan documents or as required by law;
  • Ensure that any agents to whom it provides PHI received from HEBP agree to the same restrictions that apply to the plan sponsor with respect to such information;
  • Not use or disclose the information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the plan sponsor;
  • Report to HEBP any use or disclosure of PHI that is inconsistent with the uses or disclosures provided for of which it becomes aware;
  • Make available PHI for amendment and incorporate any amendments to PHI agreed to or required by HEBP;
  • Make PHI available to an individual who has a right to access it pursuant to the Privacy Rule;
  • Make available the information required to provide an accounting of disclosures in accordance with the Privacy Rule;
  • Make its internal practices, books, and records relating to the use and disclosure of PHI received from HEBP available to the Secretary for purposes of determining compliance by HEBP with the Privacy Rule; and
  • If feasible, return or destroy all PHI received from HEBP that the sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which the disclosure was made; and
• HEBP will ensure, prior to any disclosure to the plan sponsor, that the plan documents:
  • Describe those persons under the control of the plan sponsor who may be given access to the protected health information to be disclosed;
  • Restrict the access to and use by such employees to the plan administration functions that the plan sponsor performs for the Plan; and
  • Provide an effective mechanism for resolving any issues of noncompliance by such persons.
• HEBP will not disclose, and will not permit a business associate to disclose, PHI for the purpose of an employment-related action or decision or in connection with any other benefit or employee benefit plan of the plan sponsor.

TEXAS ASSOCIATION OF COUNTIES HEALTH AND EMPLOYEE BENEFITS POOL
HIPAA POLICIES
MAINTAINING THE SECURITY OF PHI IN THE WORKPLACE
Effective Date: March 17, 2003

POLICY
In conducting the operations of the HEBP Plan, HEBP will manage protected health information ("PHI") in a manner that prevents unnecessary or inadvertent access to, use of or disclosure of PHI.

PROCEDURE
• As to all PHI received by HEBP, staff will:
  • Identify the source of PHI and identify the employees who may receive it and use it to perform Plan functions;
  • Ensure that the PHI will be stored in a secure environment;
  • Not disclose PHI to any individuals not necessary to perform the function for which the PHI was obtained.
• All physical files pertaining to HEBP operations will be stored in a locked room. Only designated staff will have access to this room.
• If physical records containing PHI are to be destroyed, they will be put in a locked bin that is picked up by a vendor and shredded in a secure manner.
• Security codes, locks and/or key cards will be changed or re-programmed as necessary when an employee terminates.
• When working on a file that contains PHI, the designated personnel will keep those files secured at all times. If these personnel must leave their office, either at the end of the day or otherwise, the file must be locked in the desk, the office door locked, or the file returned to the secure file room. No files, papers, disks, CDs or any other materials containing PHI will be left unsecured at any time.
• Employees with access to computer files containing PHI will utilize password protocols that protect the security of data stored on the network. Computers will not display PHI in a manner or at a time when it would allow for the inadvertent disclosure of PHI, and an employee's computer will never display PHI when the employee is not at the computer.
• Fax machines and printers dedicated for use by HEBP will be located in a secured room accessible only by designated personnel. Printed materials or faxes containing PHI must be physically secured at all times. If copying is required, materials containing PHI must not be left unattended on the copier.
• Any person who erroneously receives a facsimile, e-mail or other correspondence that should have been directed to HEBP will promptly forward the correspondence to designated personnel without reading it, and without disclosing it to anyone else.
• For each routine function that requires HEBP to disclose PHI, ensure that the PHI is transmitted securely to only the intended recipient.

TEXAS ASSOCIATION OF COUNTIES HEALTH AND EMPLOYEE BENEFITS POOL
HIPAA POLICIES
MINIMUM NECESSARY DISCLOSURES OF PROTECTED HEALTH INFORMATION
Effective Date: March 17, 2003

POLICY
The Texas Association of Counties Health & Employee Benefits Pool ("HEBP") Health Plan and its Business Associates will disclose only the minimum amount of Protected Health Information ("PHI") necessary to achieve the purpose of the disclosure.

PROCEDURE
Routine and recurring disclosures of PHI
• HEBP has identified disclosures of PHI it makes on a routine and recurring basis.
• HEBP has determined the minimum amount of PHI that is needed to achieve the purpose of these requests.
Non-routine disclosures of PHI
• HEBP reviews non-routine requests for disclosures of PHI that are subject to the minimum necessary standard on a case-by-case basis.
• The request for disclosure is forwarded to the Privacy Official (or designee) to determine if the amount of PHI requested is the minimum necessary to achieve the purpose of the disclosure according to established criteria.
• HEBP relies on representations that the PHI requested is the minimum amount necessary if the request is for a permitted disclosure from a public official; a Health Care Provider, a Health Plan, or a Health Care Clearinghouse; or a professional providing services to HEBP who is a Business Associate and who represents that the PHI requested is the minimum necessary.
• When necessary or appropriate, the Privacy Official will speak with a representative from the entity making the request to get clarification and/or modifications.
Disclosures of entire medical record
• HEBP does not disclose a participant's entire medical record in fulfillment of any request subject to the minimum necessary standard for any reason unless a specific justification for such a disclosure is documented.

TEXAS ASSOCIATION OF COUNTIES HEALTH AND EMPLOYEE BENEFITS POOL
HIPAA POLICIES
MINIMUM NECESSARY REQUESTS FOR PROTECTED HEALTH INFORMATION
Effective Date: March 17, 2003

POLICY
Texas Association of Counties Health and Employee Benefits Pool (HEBP) requests the minimum amount of Protected Health Information ("PHI") necessary to achieve its purpose from other Covered Entities.

PROCEDURE
Routine and recurring requests for PHI
• HEBP has identified requests for PHI it makes on a routine and recurring basis.
• HEBP has determined the minimum amount of PHI that is needed to achieve the purpose of these requests.
• When HEBP requests PHI, the Covered Entity or Business Associate to whom the request is made may rely on HEBP's determination that the amount of PHI requested is the minimum necessary to achieve the purpose of the request.
Non-routine requests for PHI
• HEBP reviews the non-routine requests it makes for disclosures of PHI on a case-by-case basis.
• The Privacy Official (or designee) reviews non-routine requests made by HEBP for PHI from another Covered Entity to ensure that the amount of PHI requested is the minimum necessary to achieve the purpose of the request according to established criteria.
Requests for entire medical record
• HEBP does not request a participant's entire medical record for any purpose unless a sufficient justification for such a disclosure is documented.

TEXAS ASSOCIATION OF COUNTIES HEALTH AND EMPLOYEE BENEFITS POOL
HIPAA POLICIES
MINIMUM NECESSARY USES OF PROTECTED HEALTH INFORMATION
Effective Date: March 17, 2003

POLICY
Individuals who perform Health Plan functions use the minimum amount of Protected Health Information ("PHI") necessary to perform their duties.

PROCEDURE
• HEBP identifies the individuals who need access to PHI according to the categories of uses for payment or health care operations.
• HEBP identifies the type and minimum amount of PHI needed to administer the plan.
• HEBP determines the manner and circumstances under which individuals who perform plan functions may use PHI.
• All individuals are required to use PHI in accordance with the determination made by HEBP of the minimum amount necessary to effectively administer the plan.
• When an individual performs more than one function of the Health Plan, the types of PHI and conditions for access are dependent on the function that the member is performing.
• Newly hired individuals who will perform plan administration functions are provided with information regarding their access to PHI during their initial training.
• This policy does not apply to:
  • Disclosures to, or requests by, a health care provider for treatment;
  • Uses or disclosures made to an individual requestor;
  • Uses or disclosures made pursuant to an authorization;
  • Disclosures to the United States Department of Health and Human Services;
  • Uses or disclosures required by law;
  • Uses or disclosures required by the Privacy Rule, 45 CFR Parts 160, 164.
TEXAS ASSOCIATION OF COUNTIES HEALTH AND EMPLOYEE BENEFITS POOL
HIPAA POLICIES
PARTICIPANT PRIVACY RIGHTS
Effective Date: March 17, 2003

POLICY
Texas Association of Counties Health and Employee Benefits Pool ("HEBP") acknowledges participants' privacy rights as specified in the Privacy Rule of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, and has implemented policies and procedures to ensure these privacy rights are protected.

PROCEDURE
• Participants in HEBP have the right to:
  • Receive a paper copy of the HEBP Health Plan's Notice of Privacy Practices ("Notice"), even if the participant has agreed previously to receive the Notice electronically;
  • Request restrictions on the uses and disclosures of Protected Health Information ("PHI");
  • Request receipt of confidential communication by an alternative means or at an alternative location if appropriate cause is shown;
  • Access documents in the designated record set for inspection and/or copying;
  • Request to amend documents in the designated record set that are inaccurate or incomplete; and
  • Obtain an accounting of disclosures of their PHI.
• HEBP adheres to policies and procedures that were developed and implemented to ensure participant privacy rights.
• HEBP provides workforce members who perform plan administration functions with training regarding participant rights with respect to their PHI.

TEXAS ASSOCIATION OF COUNTIES HEALTH AND EMPLOYEE BENEFITS POOL
HIPAA POLICIES
PARTICIPANT REQUESTS FOR CONFIDENTIAL COMMUNICATIONS
Effective Date: March 17, 2003

POLICY
Participants in the Health Plan of the Texas Association of Counties Health & Employee Benefits Pool (HEBP) have the right to request restrictions on how and where their Protected Health Information ("PHI") is communicated. HEBP will not discriminate or retaliate against any participant for making such a request.
PROCEDURE
• Participants who desire their PHI to be communicated in a manner or location other than the Health Plan would otherwise use may request a specific alternative location or other method of communication.
• To be entitled to any requested restrictions, a Participant must clearly establish that the restriction is necessary to prevent an unlawful disclosure.
• Even if the participant fails to establish that a failure to grant the request would result in an unlawful disclosure, HEBP will accommodate reasonable requests unless the requests impose an unreasonable administrative burden.
• The participant may request confidential communication at any time.
• The request must be made in writing to TAC HEBP Program Manager, (512) 478-8753, P.O. Box 2131, Austin, Texas 78768.
• Written documentation of the participant's request, if granted, will be placed in the participant's record(s).

TEXAS ASSOCIATION OF COUNTIES HEALTH AND EMPLOYEE BENEFITS POOL
HIPAA POLICIES
PRIVACY OF THE PROTECTED HEALTH INFORMATION OF DECEASED PARTICIPANTS
Effective Date: March 17, 2003

POLICY
Texas Association of Counties Health and Employee Benefits Pool (HEBP) protects the Protected Health Information ("PHI") of deceased Health Plan participants in the same manner and to the same extent as it did prior to the participant's death.

PROCEDURE
• The privacy of a deceased participant's PHI will continue to be protected for as long as HEBP maintains this information.
• A personal representative of the deceased participant (someone with legal authority to act on behalf of the deceased participant or his or her estate) may exercise the deceased participant's rights with respect to PHI.
TEXAS ASSOCIATION OF COUNTIES HEALTH AND EMPLOYEE BENEFITS POOL
HIPAA POLICIES
REQUESTS FOR ACCESS TO PROTECTED HEALTH INFORMATION
Effective Date: March 17, 2003

POLICY
Participants in the Texas Association of Counties Health & Employee Benefits Pool ("HEBP") Health Plan have the right to request to inspect or obtain a copy of their Protected Health Information ("PHI") in a designated record set, except for psychotherapy notes or information compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding.

PROCEDURE
• Requests for access to PHI must be made in writing.
• When a request for access to PHI is received, it will be acted upon according to the following time frames:
  • Within thirty (30) days if the requested information is maintained and accessible on site; or
  • Within sixty (60) days if the requested information is maintained off site.
• If the request is granted, HEBP informs the participant and provides the access requested, within the time frames above.
• The time frames stated above may be extended one time for no more than thirty (30) days. If the extension is necessary, HEBP will provide the participant, within the time frames above, a written statement that specifies the reason(s) for the delay and the date by which the participant may expect to receive a decision on the request to access the PHI for inspection and/or copying.
• HEBP may deny a request without providing for review of the denial if: 1) the PHI consists of psychotherapy notes or information compiled in anticipation of, or for use in, a civil, criminal or administrative action or proceeding; or 2) the PHI was received by HEBP pursuant to a promise of confidentiality.
• HEBP may deny a request, but will provide a review of the denial, if: 1) a licensed health care professional determines, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person; 2) the PHI makes reference to another person and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to the individual or another person; or 3) the request is made by an individual's personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.
• HEBP documents the records that comprise the designated record set that is subject to access requests and maintains such records for a period of six (6) years from the date they were created or were last in effect, whichever is later.
• HEBP maintains the titles of the persons/offices responsible for receiving and processing access requests for a period of six (6) years.
When the Health Plan denies a request for access (in whole or in part):
• The participant is given a statement written in plain language that includes:
  • The reasons for the denial;
  • If applicable, the participant's right to a review of the decision with an explanation of how to exercise this right; and
  • A description of how the participant may file a complaint with the Health Plan and the United States Department of Health and Human Services, including the title and telephone number of a Health Plan contact person.
• To the extent possible, HEBP will grant access to other PHI for which there are no grounds to deny access.
• If the denial is reviewable and the participant requests such a review, HEBP will designate a licensed health care professional, not involved in the original denial decision, to serve as a reviewing official. Upon receipt of a review request, HEBP will promptly refer the denial to the reviewing official for reevaluation. HEBP will provide written notice to the participant of the reviewing official's determination.
• If HEBP denies access because it does not maintain the PHI requested but knows where the requested PHI is maintained, HEBP will inform the participant where to direct the request.
When a request for access is accepted (in whole or in part):
• The participant is notified of the decision and may choose to inspect the PHI, copy it, or both, in the form or format requested.
• In lieu of providing access, HEBP may provide a summary of the requested PHI for an additional charge if the participant agrees to the summary and to the additional fee.
• HEBP and the participant will arrange a mutually convenient time and place for the participant to inspect and/or obtain a copy of the requested PHI.
• HEBP will mail a copy of the requested PHI if the participant prefers this method of obtaining a copy.
Fees charged by TAC HEBP for access to PHI:
• HEBP charges a reasonable, cost-based fee for copying, including labor and supplies (for instance, paper, computer disks).
• HEBP charges the cost of postage when the participant requests that the information be mailed.
• No fee is charged for retrieving or handling the PHI or for processing the participant's access request.
• HEBP may charge a nominal fee for preparing an explanation or summary of the requested PHI if the participant is informed of and agrees to receive a summary of the PHI and is willing to pay the fee.
TEXAS ASSOCIATION OF COUNTIES HEALTH AND EMPLOYEE BENEFITS POOL
HIPAA POLICIES
REQUEST FOR AN ACCOUNTING OF DISCLOSURES OF PROTECTED HEALTH INFORMATION
Effective Date: March 17, 2003

POLICY
Participants have the right to request an accounting of any disclosures of their Protected Health Information ("PHI") that were for purposes other than treatment, payment, health care operations or other exceptions specified in the Privacy Rule.

PROCEDURE
• Effective April 14, 2003, Texas Association of Counties Health and Employee Benefits Pool (HEBP) will provide an accounting of disclosures of a participant's PHI for up to six (6) years prior to the date of the participant's request.
• The Health Plan does not provide an accounting of disclosures made for the following purposes:
  • pursuant to an authorization the individual has signed;
  • that are incidental to another permissible use or disclosure;
  • that are part of a limited data set;
  • made for the purposes of payment or health care operations, including those made to business associates;
  • made to the individual who is the subject of the information;
  • made for national security or intelligence purposes;
  • made to correctional institutions or law enforcement officials; and
  • made prior to April 14, 2003 (the compliance date of the Privacy Rule).
• When a request for an accounting of disclosures of PHI is received, it will be processed within sixty (60) days. If necessary, this time frame may be extended for thirty (30) days. The participant requesting the accounting will be informed in writing, within sixty (60) days of the original request, of the reason(s) for the delay and the date by which action will be taken upon the request.
• A participant may receive an accounting of disclosures once during any twelve (12) month period for no charge.
• If a participant requests more than one accounting within the same twelve (12) month period, a reasonable, cost-based fee may be charged by HEBP.
The participant will be informed of the fee in advance and will be provided the opportunity to modify or withdraw the request in order to avoid or reduce the fee.
• The accounting for each disclosure includes:
  • The date of the disclosure;
  • The name of the entity or person to whom the disclosure was made and their address (if known);
  • A brief description of the PHI disclosed;
  • One of the following:
    • A brief statement of the purpose of the disclosure; or
    • A copy of the written request for the disclosure from the United States Department of Health and Human Services or from the appropriate entity.
• If the accounting includes multiple disclosures to the same person/entity for a single purpose, the accounting will include only the frequency or number of disclosures and the date of the last disclosure made during the accounting period for all disclosures after the first disclosure.
• HEBP maintains the information that is required to be included in an accounting of PHI for six (6) years from the date of its creation or the date when it was last in effect, whichever is later.
• Written accountings provided to individuals in response to a request are maintained for six (6) years from the date of their creation or the date when they were last in effect, whichever is later.
• HEBP maintains the titles of the persons/offices responsible for receiving and processing requests for an accounting for a period of six (6) years.

TEXAS ASSOCIATION OF COUNTIES HEALTH AND EMPLOYEE BENEFITS POOL
HIPAA POLICIES
PARTICIPANT REQUESTS FOR RESTRICTIONS ON THE USE AND/OR DISCLOSURE OF PROTECTED HEALTH INFORMATION
Effective Date: March 17, 2003

POLICY
Participants have the right to request restrictions on how their Protected Health Information ("PHI") is used and/or disclosed when the use or disclosure is for treatment, payment and health care operations, or to communicate with family members and friends.
If HEBP agrees to the restriction, HEBP will not use or disclose protected health information in violation of the restriction unless an emergency situation exists, as discussed below. The restriction may be terminated either by HEBP or the participant. If HEBP terminates the restriction, such termination is effective only for PHI created or received after the termination date.

PROCEDURE
• Participants are informed of their right to request restrictions on the use and disclosure of their PHI in Texas Association of Counties Health and Employee Benefits Pool's ("HEBP") Notice of Privacy Practices ("Notice").
• All requests by participants for restrictions on the use and disclosure of their PHI must be forwarded to the Privacy Official or designee for approval or declination.
• Workforce members or Business Associates who perform plan functions may not grant or deny a participant's request for restrictions without prior authorization from the Privacy Official or designee.
When a request for restriction(s) is accepted:
• The participant will be informed of any potential consequences of the restriction;
• A notation will be made in the participant's record(s);
• HEBP will not use or disclose PHI contrary to the agreed restriction, nor will its Business Associates;
• The participant will be informed that HEBP is not required to comply with the agreed-upon restriction(s) in emergency treatment situations when the restricted PHI is needed for treatment;
• If the agreed-upon restriction hampers treatment, HEBP will ask the participant to modify or revoke the restriction and get written agreement to the modification or revocation or document an oral agreement;
• The use and/or disclosure of PHI will be consistent with the status of the restriction in effect on the date it is used or disclosed; and
• Written documentation of the agreed-to restriction will be maintained for six (6) years from the date of its creation or the date when it was last in effect, whichever is later.
When a request for restriction(s) is denied by TAC HEBP:
• The participant will be given the opportunity to discuss his or her privacy concerns, if desired; and
• Efforts will be made to assist the participant in modifying the request for restrictions to accommodate his or her concerns and obtain acceptance by HEBP.

TEXAS ASSOCIATION OF COUNTIES HEALTH AND EMPLOYEE BENEFITS POOL
HIPAA POLICIES
REQUESTS TO AMEND PROTECTED HEALTH INFORMATION
Effective Date: March 17, 2003

POLICY
Participants have the right to request amendment of incorrect or incomplete Protected Health Information ("PHI") contained in the designated record set.

PROCEDURE
• Requests to amend PHI must be made in writing and must include a reason to amend the PHI.
• If the request for amendment is not received in writing, or if the written request does not include a reason in support of the request, HEBP will not act on the request.
• When a request to amend PHI is received, it will be acted on within sixty (60) days. A request for amendment that would, in fact, make the Participant's PHI more correct or complete will generally be granted.
• If necessary, the time frame for acting on a request may be extended for thirty (30) days. The individual requesting the amendment will be informed in writing of the reason(s) for the delay and the date by which action will be taken on the request. This notice will be provided within sixty (60) days of receipt of the original request.
• HEBP documents the titles of the persons or positions responsible for receiving and processing requests for amendment and retains such documentation for a period of six (6) years.
When a request for amendment is denied:
• The participant is given a notice written in plain language that:
  • Includes a permissible basis for denial;
  • Informs the participant of the right to submit a statement of disagreement, and how to file the statement;
  • States that if the participant does not file a statement of disagreement, the participant may request that HEBP provide the request for amendment and the denial in any future release of the disputed PHI; and
  • Includes a description of the procedure to file a complaint with either HEBP or the U.S. Department of Health and Human Services (DHHS).
• If the individual chooses to write a statement of disagreement with the denial decision:
  • HEBP may write a rebuttal statement and will provide a copy to the participant; and
  • HEBP will include the request for amendment, denial letter, statement of disagreement, and rebuttal (if any) with any future disclosures of the disputed PHI.
• If the participant does not choose to write a statement of disagreement with the denial decision, HEBP is not required to include the request for amendment and denial decision letter with future disclosures of the disputed PHI unless requested by the participant.
When a request for amendment is accepted (in whole or in part):
• HEBP will identify the record(s) that are the subject of the amendment request and will append the amendment to the record(s).
• HEBP will inform the participant that his or her request for amendment has been accepted and request the identification of, and permission to contact, other individuals or health care entities that need to be informed of the amendment(s).
• HEBP will make reasonable efforts to provide the amendment within a reasonable time to the persons/entities identified by the participant, as well as to persons and Business Associates who the Health Plan knows have the disputed PHI and may rely on it to the participant's detriment.
Receipt of notification of amendment from other Covered Entities:
• When HEBP receives notification from another Covered Entity that a participant's PHI has been amended:
  • HEBP will ensure that the amendment is appended to all applicable records of the participant, and HEBP will inform its Business Associates that may use or rely on the participant's PHI of the amendment and require them to make the necessary corrections.

TEXAS ASSOCIATION OF COUNTIES HEALTH AND EMPLOYEE BENEFITS POOL
HIPAA POLICIES
SANCTIONS FOR PRIVACY VIOLATIONS
Effective Date: March 17, 2003

POLICY
An employee who violates the Privacy Rule or the privacy policies developed by HEBP will be sanctioned appropriately.

PROCEDURE
• Individuals who perform Health Plan functions are provided with training and retraining as necessary to ensure they understand the Health Plan's privacy policies and procedures, the requirements of the Privacy Rule and the expectation that they will comply with them.
• Sanctions are applied against any employee who violates HEBP privacy policies and procedures or the Privacy Rule.
• Appropriate sanctions are determined based on the nature of the violation, its severity and whether it was intentional or unintentional.
• Sanctions may include verbal warnings, written warnings, probationary periods or termination.
• Any sanctions applied are documented and retained for a period of six (6) years.
• Sanctions are not applied against employees who lodge a complaint with any entity regarding a privacy violation or who refuse to follow a policy or procedure that they believe, in good faith, violates the Privacy Rule.
TEXAS ASSOCIATION OF COUNTIES HEALTH AND EMPLOYEE BENEFITS POOL
HIPAA POLICIES
USE OF AUTHORIZATIONS
Effective Date: March 17, 2003

POLICY
Unless authorized by an individual Participant, the Texas Association of Counties Health & Employee Benefits Pool ("HEBP") will not use or disclose the Participant's Protected Health Information ("PHI") for purposes other than the permitted uses and disclosures specified in the Privacy Rule.

PROCEDURE
• An authorization from the Participant is not required for HEBP to:
  • Use or disclose PHI for HEBP's payment or health care operations;
  • Disclose PHI to a health care provider for the participant's treatment;
  • Disclose PHI to another covered entity or a health care provider for that entity's payment activities; and
  • Disclose PHI to another covered entity for that entity's health care operations if both entities have or had a relationship with the participant whose PHI is being requested, the PHI pertains to the current or former relationship, and the purpose of the disclosure is for:
    • A health care operations activity for which the Privacy Rule states an authorization is not required; or
    • Detection of health care fraud and abuse or compliance with health care fraud and abuse laws.
  • Use or disclose PHI as specifically permitted by the Privacy Rule pursuant to an exception.

When authorization is needed, no PHI will be used or disclosed until the participant is provided with a copy of the authorization form and has signed it.
• Signing the authorization form is voluntary and the participant may refuse to sign it.
• A copy of the signed authorization is provided to the participant.
• The participant may revoke the authorization, in writing, at any time.

The permissions granted in the authorization are not acted upon if the authorization has been revoked or if it has expired. The authorization is documented and retained for a period of six (6) years after it was created or expired, whichever date is later.
TEXAS ASSOCIATION OF COUNTIES HEALTH AND EMPLOYEE BENEFITS POOL
HIPAA POLICIES
WORKFORCE PRIVACY TRAINING
Effective Date: March 17, 2003

POLICY
Texas Association of Counties Health and Employee Benefits Pool (HEBP), through the Texas Association of Counties, provides privacy training for all employees who perform Health Plan functions and have contact with participants' Protected Health Information ("PHI").

PROCEDURE
• All current employees who perform Health Plan functions received training regarding the requirements of the HIPAA Privacy Rule no later than April 14, 2003.
• All new employees who perform Health Plan functions receive privacy training as part of their initial training.
• All employees who perform Health Plan functions and who change positions will receive new privacy training as appropriate at the time of the change.
• All affected members of the TAC workforce receive retraining within a reasonable time if HEBP materially changes any privacy policy or procedure.
• Documentation of privacy training is maintained by the Privacy Official according to the requirements of the Privacy Rule.
TEXAS ASSOCIATION OF COUNTIES HEALTH AND EMPLOYEE BENEFITS POOL
HIPAA POLICIES
USES AND DISCLOSURES FOR WHICH AN AUTHORIZATION OR OPPORTUNITY TO AGREE OR OBJECT IS NOT REQUIRED
Effective Date: March 17, 2003

POLICY
HEBP may, to the extent permitted by the Privacy Rule, use or disclose PHI without the written authorization of the individual or the opportunity for the individual to agree or object:
1) when the use or disclosure is required by law;
2) for certain public health activities;
3) if the disclosure concerns victims of abuse, neglect or domestic violence;
4) to a public agency as necessary for health oversight activities;
5) in judicial or administrative proceedings;
6) for law enforcement purposes;
7) to a coroner, medical examiner or funeral director;
8) to avert a serious threat to health or safety;
9) for workers' compensation;
10) for treatment, payment and operations;
11) for cadaveric organ donation purposes;
12) for research; or
13) for specialized government functions such as military operations and national security.

PROCEDURE
If the issue of disclosure under this policy arises, HEBP will refer to the appropriate section of 45 CFR Section 164.512 of the Privacy Rule and ascertain the circumstances under which the PHI may lawfully be disclosed without authorization or agreement.
• If it is practicable to contact the individual and obtain his authorization, or to obtain his agreement or give him an opportunity to object, HEBP will do so, even if disclosure would be permitted without such authorization, consent or opportunity to object.
TEXAS ASSOCIATION OF COUNTIES HEALTH AND EMPLOYEE BENEFITS POOL
HIPAA POLICIES
PERSONAL REPRESENTATIVES
Effective Date: March 17, 2003

POLICY
To the extent provided by the Privacy Rule, the Texas Association of Counties Health and Employee Benefits Pool (HEBP) recognizes the rights of a properly-designated personal representative of a participant to be treated the same as the participant for the purposes of the Privacy Rule.

PROCEDURE
Personal Representatives of Adults and Emancipated Minors
• Upon a showing that a person has lawful authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, HEBP will treat such person as a personal representative with respect to protected health information relevant to such personal representation.

Personal Representatives of Unemancipated Minors
• If under applicable law a person acting in loco parentis has authority to act on behalf of an individual who is an unemancipated minor in making decisions related to health care, HEBP will treat such person as a personal representative with respect to protected health information relevant to such personal representation, except that such person may not be a personal representative of an unemancipated minor, and the minor has the authority to act as an individual, with respect to PHI pertaining to a health care service, if:
1. The minor consents to such health care service; no other consent to such health care service is required by law, regardless of whether the consent of another person has also been obtained; and the minor has not requested that such person be treated as the personal representative;
2. The minor may lawfully obtain such health care service without the consent of a parent, guardian or other person acting in loco parentis, and the minor, a court, or another person authorized by law consents to such health care service; or
3. A parent, guardian, or other person acting in loco parentis assents to an agreement of confidentiality between a covered health care provider and the minor with respect to such health care service.

Notwithstanding the provisions of 1 - 3, above:
• If, and to the extent, permitted or required by applicable law, HEBP may disclose, or provide access to PHI about an unemancipated minor to a parent or other person acting in loco parentis;
• If, and to the extent prohibited by applicable law, HEBP may not disclose or provide access to PHI about an unemancipated minor to a parent or other person acting in loco parentis; and
• Where the parent or other person acting in loco parentis is not the personal representative under 1, 2 or 3, above, and where there is no applicable access provision under State or other law, HEBP may provide or deny access to a parent or other person acting in loco parentis if such action is consistent with State or other applicable law. The decision whether to grant or deny access will be made by a licensed health care professional, in the exercise of professional judgment.

Deceased Individuals
If under applicable law an executor, administrator or other person has authority to act on behalf of a deceased individual or of the individual's estate, HEBP will treat such person as a personal representative with respect to PHI relevant to such personal representation.
Abuse, Neglect and Endangerment Situations
• Notwithstanding State law, or any other provisions of the Privacy Rule, HEBP may elect not to treat a person as the personal representative of an individual if:
  • HEBP has a reasonable belief that:
    • the individual has been or may be subjected to domestic violence, abuse, or neglect by such person; or
    • treating such person as the personal representative could endanger the individual; and
  • HEBP, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual's personal representative.

TEXAS ASSOCIATION OF COUNTIES HEALTH AND EMPLOYEE BENEFITS POOL
PARTICIPANT PRIVACY AND MARKETING
Effective Date: March 17, 2003

POLICY
Texas Association of Counties Health and Employee Benefits Pool (HEBP) will protect the privacy of a participant's Protected Health Information ("PHI") during its marketing activities unless the participant authorizes the disclosure of the participant's PHI.

PROCEDURE
• HEBP will obtain a participant's authorization before disclosing PHI to a third party pursuant to an arrangement whereby HEBP receives remuneration, direct or indirect, in exchange for the disclosure of PHI to a third party so that the third party may make a marketing communication to the participant.
• Marketing includes communications that encourage participants to purchase or use a product or service.
• Marketing does not include:
  • HEBP's description of a health-related product or service (or payment for such product or service) that the Health Plan provides or includes in its plan of benefits, including communications about the Health Plan's participating providers or network.
  • HEBP's description of replacement of or enhancements to a Health Plan.
  • HEBP's description of health-related products or services that are only available to Health Plan participants and that are not part of the plan of benefits, but add value to it.
  • Communications for treatment of the participant.
  • Communications for the participant's case management or care coordination, or to direct or recommend treatment alternatives, therapies, Health Care Providers or settings of care.
• All authorizations for marketing disclose whether HEBP receives remuneration from a third party, either direct or indirect.

HEBP does not allow its Business Associates or others to use PHI for their own marketing purposes without obtaining authorizations from the participants who are the subject of the PHI.

TEXAS ASSOCIATION OF COUNTIES HEALTH AND EMPLOYEE BENEFITS POOL
HIPAA POLICIES
REQUIRED DISCLOSURES OF PROTECTED HEALTH INFORMATION
Effective Date: March 17, 2003

POLICY
HEBP will disclose Protected Health Information:
1) to an individual, when requested under, and as required by the Privacy Rule; and
2) when required by the Secretary of the Department of Health & Human Services to investigate or determine HEBP's compliance with the Privacy Rule.

PROCEDURE
• Requests by an individual for disclosure of PHI will be analyzed under 45 CFR Sections 164.524 and 164.528. If disclosure is required by either section, the PHI will be disclosed to the individual in accordance with the Rule.
• Requests by the Secretary for PHI will be honored to the extent required under subpart C of part 160.

TEXAS ASSOCIATION OF COUNTIES HEALTH AND EMPLOYEE BENEFITS POOL
HIPAA POLICIES
BUSINESS ASSOCIATES
Effective Date: March 17, 2003

POLICY
Texas Association of Counties Health and Employee Benefits Pool ("HEBP") requires its Business Associates to provide satisfactory assurances that they will maintain the confidentiality of the Protected Health Information ("PHI") of HEBP's participants and only use and disclose PHI for the purposes for which it was provided.
PROCEDURE
• Existing and new relationships with HEBP's service providers are reviewed to determine if the relationship requires the use and/or disclosure of PHI and thus, whether the entity is a Business Associate.
• Business associates are required to sign a written contract that provides satisfactory assurances that they will adhere to HEBP's privacy practices.

HEBP requires each Business Associate to determine the minimum necessary type and amount of PHI required to perform its function for the Plan and to represent to HEBP that it has requested the minimum necessary PHI for the stated purpose. HEBP relies on the professional judgment of Business Associates to determine the type and amount of PHI necessary for their purposes.

The Privacy Official monitors the return or destruction of PHI used, created or obtained by the Business Associate upon termination of the contract (or the extension of protection if not returned or destroyed).

The Privacy Official ensures that any complaints regarding privacy violations by Business Associates are reviewed. If the Privacy Official is aware of a pattern or practice that is a material violation of the Business Associate's duties with regard to privacy, the Privacy Official takes reasonable steps to end the violation. If such steps are unsuccessful, the Privacy Official determines, in consultation with the HEBP Board of Trustees, whether termination of the agreement is feasible. If not, the Privacy Official reports the violation to DHHS.

TEXAS ASSOCIATION OF COUNTIES HEALTH AND EMPLOYEE BENEFITS POOL
NOTICE OF PRIVACY PRACTICES

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

I. USE AND DISCLOSURE OF HEALTH INFORMATION

The Texas Association of Counties Health and Employee Benefits Pool ("Pool") has created a health plan that provides health coverages for employees (and their dependents) of the counties and county-related entities that are members of the Pool ("the Plan"). The Plan is subject to the requirements of the federal Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Privacy Rule published by the United States Department of Health and Human Services at 45 CFR §§ 160 - 164 ("Privacy Rule"). HIPAA and the Rule regulate the Plan's use of your protected health information. The Plan may use your protected health information for purposes of making or obtaining payment for your care and conducting health care operations. The Plan has established a policy to guard against unnecessary disclosure of your health information.

THE FOLLOWING IS A SUMMARY OF THE CIRCUMSTANCES UNDER WHICH AND PURPOSES FOR WHICH YOUR HEALTH INFORMATION MAY BE USED AND DISCLOSED WITHOUT GETTING AN AUTHORIZATION FROM YOU OR GIVING YOU A CHANCE TO AGREE OR OBJECT TO THE DISCLOSURE:

A. To Make or Obtain Payment. The Plan may use or disclose your health information to make payment to or collect payment from third parties, such as other health plans or providers, for the care you receive. For example, the Plan may provide information regarding your coverage or health care treatment to other health plans to coordinate payment of benefits.

B. To Conduct Health Care Operations. The Plan may use or disclose health information for its own health care operations, to facilitate the administration of the Plan, and as necessary to provide coverage and services to all of the Plan's participants. If the Plan needs to use your information, but does not need to disclose it to third parties, it will be used but will not be disclosed. Health care operations include such activities as:
- Quality assessment and improvement activities.
- Activities designed to improve health or reduce health care costs.
- Clinical guideline and protocol development, case management and care coordination.
- Contacting health care providers and participants with information about treatment alternatives and other related functions.
- Health care professional competence or qualifications review and performance evaluation.
- Accreditation, certification, licensing or similar activities.
- Underwriting, premium rating or related functions to create, renew or replace health insurance or health benefits.
- Review and auditing, including compliance reviews, medical reviews, legal services and compliance programs.
- Business planning and development, including cost management and planning related analyses and formulary development.
- Business management and general administrative activities of the Plan, including customer service and resolution of internal grievances.

For example, the Plan may use your health information to conduct case management reviews, to review and assess the quality of the various components of the Plan and the utilized health care providers, or to engage in customer service and grievance resolution activities.

C. For Treatment Alternatives. The Plan may use and disclose your health information to tell you about or recommend possible treatment options or alternatives that may be of interest to you.

D. For Distribution of Health-Related Benefits and Services. The Plan may use or disclose your health information to provide to you information on health-related benefits and services that may be of interest to you.

E. For Disclosure to the Plan Sponsor. The Plan may disclose your health information to the plan sponsor as necessary for the plan sponsor to perform administration functions on behalf of the Plan. The Plan may provide summary health information to the plan sponsor so that the plan sponsor may solicit premium bids from health insurers or modify, amend or terminate the plan.
The Plan also may disclose to the plan sponsor information on whether you are participating in the health plan.

F. When Legally Required. The Plan will disclose your health information when it is required to do so by any federal, state or local law.

G. To Conduct Health Oversight Activities. The Plan may disclose your health information to a health oversight agency for authorized activities including audits, civil administrative or criminal investigations, inspections, licensure or disciplinary action. The Plan, however, may not disclose your health information if you are the subject of an investigation and the investigation does not arise out of or is not directly related to your receipt of health care or public benefits.

H. In Connection With Judicial and Administrative Proceedings. The Plan may disclose your health information in the course of any judicial or administrative proceeding in response to an order of a court or administrative tribunal as expressly authorized by such order or in response to a subpoena, discovery request or other lawful process, but only when the Plan makes reasonable efforts to either notify you about the request or to obtain an order protecting your health information.

I. For Law Enforcement Purposes. As permitted or required by state law, the Plan may disclose your protected health information to a law enforcement official for certain law enforcement purposes, including, but not limited to, if the Plan has a suspicion that your death was the result of criminal conduct or in an emergency to report a crime.

J. In the Event of a Serious Threat to Health or Safety. The Plan may, consistent with applicable law and ethical standards of conduct, disclose your protected health information if the Plan, in good faith, believes that such disclosure is necessary to prevent or lessen a serious and imminent threat to your health or safety or to the health and safety of the public.

K. For Specialized Government Functions. We may be required to disclose your information to federal authorities. Federal regulations require the Plan to use or disclose your health information to facilitate specified government functions related to the military and veterans, national security and intelligence activities, protective services for the president and others, and correctional institutions and inmates.

L. For Workers' Compensation. The Plan may release your health information to the extent necessary to comply with laws related to workers' compensation or similar programs.

M. Public Health Activities. The Plan may disclose your protected health information to a public health authority authorized by law to collect such information to prevent or control disease, injury, or disability, and to report such information as birth or death, the conduct of public health surveillance and public health investigations. The Plan also may disclose your information to an appropriate government authority authorized to receive reports about child abuse. The Plan also may disclose your information to a person responsible for activities related to the quality, safety and effectiveness of products regulated by the federal Food and Drug Administration. The Plan may disclose your protected health information to a government authority if there is a reasonable belief that you are a victim of abuse, neglect, or domestic violence.

II. AUTHORIZATION TO USE OR DISCLOSE HEALTH INFORMATION

Other than as stated above, the Plan will not disclose your health information unless you give us your written authorization. If you authorize the Plan to use or disclose your health information, you may revoke that authorization in writing at any time, unless the Plan has taken an action based on your authorization.

III. YOUR RIGHTS WITH RESPECT TO YOUR HEALTH INFORMATION

You have the following rights regarding your health information that the Plan maintains:

A. Right to Request Restrictions.
You may request restrictions on certain uses and disclosures of your health information. You have the right to request a limit on the Plan's disclosure of your health information to someone involved in the payment of your care. The Plan is not required to agree to your request, but will certainly consider it. If you wish to make a request for restrictions, please contact TAC HEBP Program Manager at 1-800-456-5974.

B. Right to Receive Confidential Communications. You have the right to request that the Plan communicate with you in a certain way if you feel it is necessary to protect your interests. For example, you may ask that the Plan only communicate with you at a certain telephone number or by e-mail. If you wish to receive confidential communications, please make your request in writing to TAC HEBP Program Manager, P.O. Box 2131, Austin, Texas 78768, Fax 1-512-481-8481. The Plan will honor your reasonable requests for confidential communications.

C. Right to Inspect and Copy Your Health Information. You have the right to inspect and copy your health information. A request to inspect and copy records containing your health information must be made in writing to TAC HEBP Program Manager, P.O. Box 2131, Austin, Texas 78768, Fax 1-512-481-8481. If you request a copy of your health information, the Plan may charge a reasonable fee for copying, assembling costs and postage, if applicable, associated with your request.

D. Right to Amend Your Health Information. If you believe that your health information records are inaccurate or incomplete, you may request that the Plan amend any records in its possession. A request for an amendment of records must be made in writing, must express a reason the records should be amended, and must be sent to TAC HEBP Program Manager, P.O. Box 2131, Austin, Texas 78768, Fax 1-512-481-8481. The Plan may deny the request if it does not include a reason to support the amendment.
The request also may be denied if your health information records were not created by the Plan, if the information requested is not part of a designated record set, if the health information you are requesting to amend is not part of the Plan's records, if the health information you wish to amend falls within an exception to the health information you are permitted to inspect and copy (including psychotherapy notes, and information compiled for or in anticipation of a civil, criminal or administrative proceeding), or if the Plan determines the records containing your health information are accurate and complete.

E. Right to an Accounting. The Privacy Rule requires the Plan to keep a record of certain disclosures of health information, such as disclosures for public purposes authorized by law or disclosures that are not in accordance with the Plan's privacy policies and applicable law. You have the right to request a copy of this record. The request must be made in writing to TAC HEBP Program Manager, P.O. Box 2131, Austin, Texas 78768, Fax 1-512-481-8481. The request should specify the time period for which you are requesting the information, but may not start earlier than April 14, 2003. Accounting requests may not be made for periods of time going back more than six (6) years. The Plan will provide the first accounting you request during any 12-month period without charge. Subsequent accounting requests may be subject to a reasonable cost-based fee. The Plan will inform you in advance of the fee, if applicable.

F. Right to a Paper Copy of this Notice. You have a right to request and receive a paper copy of this Notice at any time, even if you have received this Notice previously or agreed to receive the Notice electronically. To obtain a paper copy, please contact TAC HEBP Program Manager, P.O. Box 2131, Austin, Texas 78768, Fax 1-512-481-8481. You also may view a copy of the current version of the Plan's Privacy Notice at the Web site, http://www.County.Org.
IV. DUTIES OF TAC HEBP HEALTH PLAN

The Plan is required by law to maintain the privacy of your health information as set forth in this Notice and to provide to you this Notice of its duties and privacy practices. The Plan is required to abide by the terms of this Notice, which may be amended from time to time. The Plan reserves the right to change the terms of this Notice and to make the new Notice provisions effective for all health information that it maintains. If the Plan changes its policies and procedures, the Plan will revise the Notice and will provide a copy of the revised Notice to you within 60 days of the change.

You have the right to express complaints to the Plan and to the Secretary of the Department of Health and Human Services if you believe that your privacy rights have been violated. Any complaints to the Plan should be made in writing to TAC HEBP Privacy Official, Jim Jean, P.O. Box 2131, Austin, Texas 78768, Fax: 512-478-1426. The Plan encourages you to express any concerns you may have regarding the privacy of your information. You will not be retaliated against in any way for filing a complaint.

CONTACT PERSON

The Plan has designated Jim Jean, Privacy Official as its contact person for all issues regarding patient privacy and your privacy rights. You may contact him at P.O. Box 2131, Austin, Texas 78768, (512) 478-8753.

EFFECTIVE DATE

This Notice is effective April 14, 2003.

IF YOU HAVE ANY QUESTIONS REGARDING THIS NOTICE, PLEASE CONTACT Jim Jean, TAC HEBP Privacy Official, P.O. Box 2131, Austin, Texas 78768, (512) 478-8753