§ 5.30.110. Privacy of Protected Health Information.

This section contains the Plan provisions required by the Standards for Privacy of Individually Identifiable Health Information and for the security of Electronic Protected Health Information 45 CFR § 164.102 et seq., as amended from time to time, and any successor thereto (the "Privacy Rules") promulgated under Title II of the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"), relating to the permitted disclosure of Protected Health Information by the Plan to the County. The provisions of this section shall apply to the Plan for so long as such portion of the Plan constitutes a "health plan" under HIPAA and, as such, is subject to the HIPAA Privacy Rules.

Except as otherwise provided in this section, the provisions of the Plan, including any definitions therein, shall apply to this section; provided, however, that the provisions of this section shall supercede any conflicting or inconsistent provision of the Plan.

A.

Definitions. The following terms, when capitalized, will have the meanings set forth below for purposes of this section, unless otherwise specified herein:

1.

"Covered Person" means any eligible employee or former employee of the County or an eligible spouse or dependent thereof who participates in the Plan.

2.

"Electronic Protected Health Information" means Protected Health Information that is maintained in, or transmitted by, electronic media (as defined in 45 CFR § 160.103).

3.

"Health Information" means any information, whether oral or recorded in any form or medium, that is created or received by the Plan and relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual.

4.

"Individually Identifiable Health Information" means Health Information, including demographic information collected from an individual, that identifies an individual; or with respect to which there is a reasonable basis to believe the information can be used to identify an individual.

5.

"Notice" means the notice of privacy practices for Protected Health Information required to be provided by the Plan to a Covered Person pursuant to the Privacy Rules.

6.

"Plan Administration Functions" means administration functions performed by the County on behalf of the Plan, but excluding functions performed by the County in connection with any other benefit or benefit plan of the County.

7.

"Policies and Procedures" means those Comprehensive Privacy Policies and Procedures with respect to Protected Health Information established and maintained by the Plan pursuant to the Privacy Rules.

8.

"Privacy Official" means that person designated by the County in the Policies and Procedures to implement and enforce the Policies and Procedures.

9.

"Protected Health Information" means Individually Identifiable Health Information that is transmitted by electronic media, maintained in any medium described in the definition of electronic media at 45 CFR § 160.103, or transmitted or maintained in any other form or medium; provided, however, that Protected Health Information does not include Individually Identifiable Health Information in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. § 1232g, records described at 20 U.S.C. § 1232g(a)(4)(B)(iv), and employment records held by a health plan in its role as employer.

10.

"Required by Law" means a mandate contained in law that is enforceable in a court of law and includes, but is not limited to:

a.

Court orders and court-ordered warrants;

b.

Subpoenas or summons issued by a court, grand jury, governmental or tribal inspector general, or administrative body authorized to require the production of information;

c.

Civil or an authorized investigative demand;

d.

Medicare conditions of participation with respect to health care providers participating in the program; and

e.

Statutes or regulations that require the production of information.

11.

"Summary Health Information" means information that may be Individually Identifiable Health Information, and:

a.

That summarizes the claims history, claims expenses or type of claims experienced by individuals for whom the County had provided health benefits under the Plan; and

b.

From which the information described at 45 CFR § 164.514(b)(2)(i) has been deleted, except that the geographic information described in 45 CFR § 164.514(b)(2)(i)(B) need only be aggregated to the level of a five-digit zip code.

B.

Identity of Plan Sponsor.

1.

The County shall be the plan sponsor for purposes of the Privacy Rules when using or disclosing Protected Health Information in accordance with subsection C of this section and when otherwise acting on behalf of the Plan with respect to the Plan's obligations under the Privacy Rules.

2.

The Privacy Official shall act for the plan sponsor, and shall be entitled to delegate its powers and responsibilities in accordance with its usual practices.

3.

Individuals and classes of individuals identified in subsection F of this section shall assist the Privacy Official.

C.

Permitted Uses and Disclosure of Protected Health Information.

1.

Subject to obtaining written certification from the County as described in subsection E of this section, and except as provided in subsection C2 of this section, the Plan may disclose Protected Health Information to the County only for the purpose of performing Plan Administration Functions. Only those individuals identified in subsection F of this section will be permitted to access and use Protected Health Information disclosed under this subsection C1, and may access and use it solely for the purposes of performing Plan Administration Functions, consistent with any conditions or restrictions imposed on, or otherwise agreed to by, the County pursuant to this Section.

2.

In addition, the Plan may disclose to the County information on whether an individual is participating in the Plan and may disclose Summary Health Information to the County, provided the County requests Summary Health Information for the purpose of:

a.

Obtaining premium bids from health plans for providing health insurance coverage under or on behalf of the Plan; or

b.

Modifying, amending or terminating the Plan.

3.

The Plan shall not disclose Protected Health Information to the County unless the Notice contains the statement required by 45 CFR § 164.520(b)(1)(iii)(C).

4.

Notwithstanding any provisions of the Plan to the contrary, in no event will the County be permitted to use or disclose Protected Health Information in a manner that is inconsistent with 45 CFR § 164.504(f).

5.

The Plan may otherwise use and disclose Protected Health Information in accordance with the Privacy Rules and the Plan's Policies and Procedures.

D.

Protected Health Information Disclosure Conditions. The Plan will disclose Protected Health Information to the County as provided in subsection C1 of this section only if the County furnishes the certification set forth in subsection E of this section, and the County agrees that with respect to any Protected Health Information disclosed to it by the Plan, the County will:

1.

Not use or further disclose the Protected Health Information other than as permitted or required by the Plan or as Required by Law;

2.

Ensure that any agents, including a subcontractor, to whom it provides Protected Health Information received from the Plan agree to the same restrictions and conditions that apply to the County with respect to such Protected Health Information;

3.

Not use or disclose the Protected Health Information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the County, (except to the extent such other benefit plan, program or arrangement is part of an organized health care arrangement of which the Plan also is a part);

4.

Report to the Plan any use or disclosure of the information that is inconsistent with the uses or disclosures provided for of which it becomes aware;

5.

Make Protected Health Information available to an individual who requests access to his or her Health Information in accordance with 45 CFR § 164.524;

6.

Make Protected Health Information available for amendment and incorporate any amendments to Protected Health Information in accordance with 45 CFR § 164.526;

7.

Maintain and make available information required to provide an accounting of disclosures in accordance with 45 CFR § 164.528;

8.

Make its internal practices, books and records relating to the use and disclosure of Protected Health Information received from the Plan available to the Secretary of the Department of Health and Human Services for the purposes of determining compliance by the Plan with Subpart E of 45 CFR § 164;

9.

If feasible, return or destroy all Protected Health Information received from the Plan that the County still maintains in any form, and retain no copies of such information, when no longer needed for the purpose for which the disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible; and

10.

Ensure that the adequate separation between the Plan and the County, required in 45 CFR § 164.504(f)(2)(iii), is established.

E.

County Certification. The Plan will disclose Protected Health Information to the County as provided in subsection C1 of this section only upon the receipt of a certification from the County that the Plan has been amended to incorporate the provisions of 45 CFR § 164.504(f)(2)(ii), and that the County agrees to the conditions set forth in subsection D of this section.

F.

Adequate Separation between the Plan and the County for Plan Administration Functions. Only the following employees or classes of employees or other persons under the County's control will be permitted to access and use Protected Health Information for Plan Administration Functions in accordance with subsection C of this section:

Director of Personnel

Department of Human Resources, Employee Benefits Division—Senior Human Resources Manager and all Human Resources Analysts

Department of Human Resources, Administrative Services

Division, Fiscal Services Section—Senior Human Resources

Manager and all Human Resources Analysts

Office of the County Counsel—Designated Deputies

Chief Administrative Office—Compensation Policy Division—Division Chief,

Assistant Division Chief, all Principal Analysts, CAO

County Privacy Official and Assistant Privacy Official

Protected Health Information disclosed to these individuals under subsection C1 of this section may be accessed and used only for purposes of performing Plan Administration Functions.

G.

Disciplinary Sanctions and Mitigation of Harm. In the event that any employee specified in subsection F of this section does not comply with the provisions set forth in this section, that employee will be subject to disciplinary action by the County (which may include termination) for such non-compliance, as set forth in the Policies and Procedures. In addition, the Plan will take all necessary action to mitigate any harm caused by an employee's failure to comply with these provisions.

H.

Compliance with Health Privacy Laws. To the extent applicable, the Plan will comply with Subpart E of 45 CFR § 164 and any other applicable federal, state and local laws governing the safeguarding of health privacy matters.

I.

Interpretation of HIPAA Privacy Rules. The provisions of this section are meant to comply with (and not expand upon) the requirements of the HIPAA Privacy Rules and shall be interpreted accordingly. In the event that any of the provisions of this section are not applicable, are superceded, or are no longer required under HIPAA, they shall be deemed to be deleted from the Plan and shall have no further force or affect.

J.

Security Standards for Electronic Protected Health Information. Beginning no later than April 20, 2006, in order to safeguard any Electronic Protected Health Information created, received, maintained, or transmitted to or by the County on behalf of the Plan, the County shall:

1.

Implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that it creates, receives, maintains or transmits on behalf of the Plan;

2.

Ensure that the adequate separation between the Plan and the County required by subsection F and 45 CFR § 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures;

3.

Ensure that any agent, including a subcontractor, to whom it provides Electronic Protected Health Information agrees to implement reasonable and appropriate security measures to protect that Information; and

4.

Report to the Plan any security incident of which it becomes aware.