
Confidentiality & HIPAA Privacy Policy & Procedures

Clark County Combined Health District

September 25, 2017

Clark County Combined Health District 1 Confidentiality & HIPAA; Revised 092517

Table of Contents

Record of Change  2
Purpose  3
Scope and Standards  3
    HIPAA  3
    Ohio Revised Code Chapter 3798: Protected Health Information  4
    Ohio Revised Code 3701.17  4
    Additional Ohio Revised Code Standards for Consideration  4
    Clark County Board of Health Resolutions  5
Risk Analysis  5
Implementation  6
    Procedures  6
    Tools/Forms  6
    Plan Maintenance and Accessibility  6
Resources and References  6
Attachments Listed  7


Record of Change:

Date | Revision or Review Described | By Whom

2003 | Created | S. Hiddleson
2017 | Reviewed and revised; changes noted on procedure | C. Conover
9/25/2017 | Revised Board of Health Resolution | S. Hackathorne


Purpose:

The purpose of this Confidentiality and HIPAA Privacy Policy is to summarize the methods and procedures that Clark County Combined Health District (CCCHD) follows to assure compliance with federal laws regarding the protection of our clients' health information.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is the primary basis for the confidentiality policies and procedures of CCCHD. HIPAA is a federal statute; the U.S. Department of Health and Human Services (HHS) is the agency that implements and enforces it. As HIPAA required, HHS issued the Privacy Rule, which sets national standards for the use and disclosure of individuals' protected health information in any form, whether electronic, paper or oral. The companion Security Rule addresses the safeguarding of that information when it is stored, maintained or transmitted electronically. Because CCCHD must abide by the Privacy Rule, this document outlines our use of and adherence to it.

Scope and Standards:

This document applies to the workforce of Clark County Combined Health District, which includes volunteers, employees and contracted employees.

The following sources provide the basis for the policies and procedures:

HIPAA

https://www.hhs.gov/hipaa/for-professionals/index.html

As a provider of health care services that transmits health information in electronic form in connection with the standard transactions, CCCHD is a Covered Entity under HIPAA and must abide by the Privacy Rule requirements. All health district employees and contracted individuals or groups are required to maintain compliance with HIPAA at all times. Business Associates of CCCHD must also be aware of and comply with the Privacy Rule provisions that apply to them; since the Omnibus Rule, Business Associates are directly liable for compliance with the Security Rule and with the Privacy Rule obligations set out in their Business Associate contracts.

Four significant components of HIPAA are:

1) The Privacy Rule, published in December 2000 and modified in August 2002. This Rule set national standards for the protection of individually identifiable health information by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically. Compliance with the Privacy Rule was required as of April 14, 2003 (April 14, 2004 for small health plans).

2) The Security Rule, published in February 2003. This Rule sets national standards for protecting the confidentiality, integrity and availability of electronic protected health information. Compliance with the Security Rule was required as of April 20, 2005 (April 20, 2006 for small health plans).

3) The Enforcement Rule, which provides standards for the enforcement of all the Administrative Simplification Rules.

4) The Omnibus Rule (2013), which implements a number of provisions of the HITECH Act to strengthen the privacy and security protections for health information established under HIPAA and finalizes the Breach Notification Rule.

Other HIPAA Administrative Simplification Rules are administered and enforced by the Centers for Medicare & Medicaid Services and include the Transactions and Code Sets Standards, the Employer Identifier Standard and the National Provider Identifier Standard.

Ohio Revised Code Chapter 3798: Protected Health Information
http://codes.ohio.gov/orc/3798

The General Assembly enacted this chapter to make the Ohio laws governing the use and disclosure of protected health information by covered entities consistent with, but generally not more stringent than, the HIPAA Privacy Rule. The sections are as follows:

3798.01 Definitions.

3798.02 Legislative intent.

3798.03 Duty of covered entities.

3798.04 Prohibited disclosures of protected health information.

3798.06 Conditions for disclosure of information without authorization.

3798.07 Additional conditions for disclosure to health information exchange.

3798.08 Civil or criminal liability.

3798.10 Standard authorization form.

3798.12 Conflicts with other laws.

3798.13 Adoption of rules regarding classification of minors.

3798.14 Standards for approval of health information exchanges.

3798.15 Establishment of processes regarding health information exchanges.

3798.16 Rules regarding content of agreements governing covered entities' participation in approved health information exchanges.

Ohio Revised Code 3701.17
http://codes.ohio.gov/orc/3701.17

ORC 3701.17 addresses the confidentiality of protected health information from the public health perspective and the release of information in summary, statistical or aggregate form.

Additional Ohio Revised Code Standards for Consideration:

3701.201 Rules for reporting bioterrorism, epidemic or pandemic disease, infectious agents, toxins posing risk of human fatality or disability

3701.23 Reporting contagious or infectious diseases, illnesses, health conditions, or unusual infectious agents or biological toxins

3701.232 Reporting significant changes in medication usage that may be caused by bioterrorism, epidemic or pandemic disease

3707.06 Notice to be given of prevalence of infectious diseases

3701.25 Occupational diseases - report by physician to department of health

3701.243 Disclosing of HIV test results or diagnosis.

Clark County Board of Health Resolutions

As noted in the scope and standards, CCCHD is accountable to the federal and state legislation that addresses confidentiality of information. The Clark County Board of Health has acknowledged this in the following resolutions:

On April 17, 2003, the Clark County Board of Health voted to accept the Health Insurance Portability and Accountability Act (HIPAA) policies and procedures as reviewed by the Clark County Prosecutor's office.

On September 21, 2017, the Clark County Board of Health reiterated the basis of the agency's confidentiality procedures in the following resolution:

"In 2003, the Clark County Board of Health voted to accept the revised Health Insurance Portability and Accountability Act (HIPAA) policies and procedures as reviewed by the Clark County Prosecutor's office. This resolution clarifies that the Board of Health declares its policies and the agency's confidentiality procedures will additionally meet the applicable federal, state and local laws, rules and regulations."

Risk Analysis

In HHS's 1998 proposed Security Rule, "risk analysis" was described as a process of selecting cost-effective security/control measures by balancing the costs of those measures against the losses that would be expected if they were not in place. The final Security Rule requires an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (45 C.F.R. 164.308(a)(1)(ii)(A)). Here are three reasons to perform a Risk Analysis or Risk Assessment:

1) The Department of Health and Human Services (HHS) requires entities like CCCHD to perform a risk analysis. Section 262 of HIPAA (42 U.S.C. 1320d-2(d)) and the Privacy Rule's safeguards standard (45 C.F.R. 164.530(c)) require covered entities to maintain reasonable and appropriate administrative, technical and physical safeguards to ensure the integrity and confidentiality of the information, to protect against reasonably anticipated threats or hazards to its security or integrity, and to protect against unauthorized uses or disclosures. CCCHD must understand what constitutes the reasonably anticipated threats to the security and integrity of the information, and this is accomplished through a Risk Analysis.

2) Under the Security Rule, each health care entity that maintains or transmits health information electronically must assess the potential risks and vulnerabilities to the individually identifiable health data it holds in electronic form, and must develop, implement and maintain appropriate security measures to protect it. Such entities must adopt a security management process, and risk analysis is one of the required implementation specifications of that process.

3) Even in the absence of any requirement, it is still necessary to know what threats are present before electronic data can be protected against them. A Risk Analysis has four benefits:

a. It improves awareness.
b. It identifies assets, vulnerabilities and controls.
c. It improves the basis for decisions.
d. It justifies expenditures for security.

The Clark County Combined Health District's Risk Analysis is ongoing: as new programs and systems are adopted at the agency, the risk status will change and new mitigation strategies may need to be employed. See Attachments for the Risk Analysis.


Implementation

Procedures

The Confidentiality/HIPAA implementation begins with procedures and training. The Procedures are included as attachments to this plan.

This plan and the associated procedures are stored and accessible to the employee on the CCCHD Server - Common Shared Drive - _CCCHD Dept. Wide P&P - Confidentiality & HIPAA.

Tools/Forms

The tools and forms used for the procedures are located on the CCCHD Server - Common Shared Drive - Forms - Confidentiality-HIPAA Forms.

Plan Maintenance and Accessibility

The following table details the folders needed to reach the procedures and reference documents.

Drive: Common Shared
Folder: _CCCHD Dept Wide P&P -> Confidentiality and HIPAA
Purpose: Current version for CCCHD personnel to see
Who will want to access: Any CCCHD employee

Drive: Website
Folder: www.clarkhcc.com/45503
Purpose: Web-based version for CCCHD personnel to see
Who will want to access: Any CCCHD employee

Drive: Common Shared
Folder: Confidentiality & HIPAA
Purpose: Working copy of the plan, as well as other "background" documents, such as where training is tracked, annual privacy statements are tracked, etc.
Who will want to access: Persons with responsibilities for implementing the confidentiality procedures

Drive: Common Shared
Folder: Forms -> Confidentiality-HIPAA Forms
Purpose: Easy access to Forms
Who will want to access: Any CCCHD employee

Resources and References

United States Department of Health and Human Services. HIPAA for Professionals. Available at: https://www.hhs.gov/hipaa/for-professionals/index.html

Thacker, Stephen B. (2003). HIPAA Privacy Rule and Public Health: Guidance from CDC and the U.S. Department of Health and Human Services. Centers for Disease Control and Prevention, Morbidity and Mortality Weekly Report, April 11, 2003, 52: 1-12. Available at: https://www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm

United States Department of Health and Human Services, Office for Civil Rights. Summary of the HIPAA Privacy Rule (revised 05/2003). Available at: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf

Tomes, Jonathan P. (2009). HIPAA Documents Resource Center CD, 4th ed. Veterans Press.


Attachments Listed

Type | Attachment | Title (page #) | Forms

Risk Analysis | A | HIPAA Risk Analysis (p. 9) |
Procedure | B1 | The Privacy Official (p. 16) |
Procedure | B2 | Annual Privacy Statement (p. 18) | Annual Privacy Statement
Procedure | B3 | Training on Privacy Policies and Procedures (p. 20) | HIPAA, day 1
Procedure | B4 | Record Retention Periods of HIPAA documents (p. 22) | See Common Shared Drive - Record Retention Information & Forms Folder
Procedure | B5 | Effective Date and Change to Policies (p. 23) |
Procedure | B6 | Definition of Health Information (p. 24) |
Procedure | B7 | De-Identification of Health Information (p. 25) |
Procedure | B8 | Permitted Disclosures for Treatment, Payment, and Healthcare Operations (p. 27) |
Procedure | B9 | Uses and Disclosures of Health Information Based on Authorization (p. 29) | Authorization Form for Release of Health Information
Procedure | B10 | Permitted Disclosures for Law Enforcement Requests and Subpoenas (p. 31) |
Procedure | B11 | Minimum Necessary Rule (p. 34) |
Procedure | B12 | Business Associates Contracts (p. 36) |
Procedure | B13 | Patients' Rights to Notice of Health Information, Privacy Practices and Acknowledgement of Receipt (p. 38) | Notice of Health Information Privacy Policies (English & Spanish); ECD/EHD Acknowledgement of Receipt (English & Spanish)
Procedure | B14 | Patients' Rights to Request Restrictions on the Use or Disclosure of their Health Information (p. 39) | Request for Restrictions on Use & Disclosure of Protected Health Information
Procedure | B15 | Patients' Right of Access to their Health Information (p. 40) | Request for Access to Health Information; Denial of Request for Access to Health Information; Review of Denial of Request for Access to Health Information
Procedure | B16 | Rights of Minors and Incompetent Persons (p. 44) |
Procedure | B17 | Patients' Right to Accounting of Disclosures (p. 50) | Request for Accounting of Disclosures of Health Information
Procedure | B18 | Patients' Right to Request an Amendment to their Health Information (p. 53) | Request for Amendment of Health Information
Procedure | B19 | Patients' Right to File Complaints (p. 55) | See Customer Complaint Form on Common Shared Folder
Procedure | B19A | Reference Agency Customer Complaint Procedure (p. 57) | See Customer Complaint Form on Common Shared Drive
Procedure | B20 | HIPAA Training for Short-Term Students/Volunteers/Observers (p. 62) |
Procedure | B21 | Encrypting Email Correspondence (p. 64) | Encryption for 1st time recipient
Procedure | B22 | Transporting Locked Envelopes (p. 68) |
Procedure | B23 | Response to a Breach (p. 69) |
Procedure | B24 | Perform Risk Analysis (p. 70) |
Procedure | B25 | HIPAA Applied to Deceased Persons (p. 72) |
Procedure | B26 | HIPAA and Student Immunizations (p. 73) |
Procedure | B27 | Red Flag - Identity Theft (p. 74) |

Attachment A Risk Analysis Page 1 of 7 HIPAA Risk Analysis; rev. 09/2017

HIPAA Risk Analysis

I. HIPAA Risk Analysis Team

The HIPAA Risk Analysis Team consists of the Administration team of the Clark County Combined Health District (CCCHD).

Chairperson: The Chairperson of the HIPAA Risk Analysis Team is the HIPAA Privacy and Security Officer, Christina Conover, BSN, RN, of the CCCHD, who is responsible for compiling the findings of the HIPAA Risk Analysis.

Responsibility: All employees of the CCCHD have the duty to contribute to the ongoing identification and analysis of confidentiality risks. These persons are notified of this duty through the annual statement signed by all employees.

Note regarding WIC: While WIC is generally exempt from HIPAA regulations via the Code of Federal Regulations, its position within CCCHD and the additional services that WIC is responsible for require that WIC staff be included in CCCHD policies regarding HIPAA and confidentiality.

Team members include:

Name | Position | Division | Area of Expertise regarding HIPAA

Susan Bayless | Director | Nursing | Patient/Client care
Christina Conover | Emergency Preparedness & Accreditation Coordinator | Administration | Privacy/Security Officer
Micheline Drugmand-Dewitt | Supervisor | Early Childhood | Patient/Client care
Patricia Free | Supervisor | Nursing | Patient/Client care
Lindsey Hardacre | Fiscal Officer | Administration | Financial
Emily Hawke | Supervisor | WIC | Patient/Client care
Rick Holbrook | Information Technology | Administration | Information Technology
Lori Lambert | Director | Early Childhood | Patient/Client care
Rick Miller | Supervisor | Environmental | Non Traditional Client care
Sandy Miller | Supervisor | Nursing | Patient/Client care
Charles Patterson | Health Commissioner | Administration | Agency Head
Larry Shaffer | Director | Environmental | Non Traditional Client care
Gloria Smith | Supervisor | Nursing | Patient/Client care
Dawn Stasak | Supervisor | Early Childhood | Patient/Client care
Jacquie Thornburg | Administrative Assistant to Health Commissioner | Administration | Human Resources/Records Retention
Carolyn Williams | Director | WIC | Patient/Client care
Chris Hagler | Pro-Stratus Contractor | Administration | Information Technology


II. HIPAA Risk Analysis Team Meetings

Date of Meeting | Purpose

February 23, 2016 and February 26, 2016 | In order to identify risks from all areas of the health district, it was decided that the Risk Analysis meetings would be part of a cross-divisional training day, which involved all full-time personnel at CCCHD. Team members were notified of their expected role in the risk analysis by email communication on February 22, 2016.

08/2017 | Electronic interaction with the Administrative Team using Survey Monkey to ascertain degree of harm and probability for the remaining risks.

August through November 2017 | Increased awareness of confidentiality procedures and the Risk Analysis through staff training.

09/19/2017 | Reviewed the Risk Analysis and plan location with the Administrative Team. Will review further at CORE team.

III. Inventory Assets

Type of Information: Inventory all health information that the facility maintains, transmits, or otherwise has control over.

What types of confidential information does CCCHD maintain?

Type of Information | Purpose of Information | Location/Ownership of Information

Birth Records | Case Management | ECD
WIC Info | Referrals | ECD
Medicaid # | Case Management | ECD
Child Protection Services referrals | Referrals | ECD
Name, Address, DOB, SS# | Case Management | WIC
Income information | Eligibility | WIC
Shot records | Client Care | WIC
Health History | Client Care | WIC
Dog bite victim info | Disease Investigation | Environmental
Food/outbreak investigations (nuisance, etc.) | Disease Investigation | Environmental
Lead investigations | Environmental Investigation | Environmental
Sexually Transmitted Disease | Client Care | Nursing
Patient Charts | Client Care | Nursing
HIV | Client Care | Nursing
Test Results | Client Care | Nursing
Doctor orders | Client Care | Nursing
Medications | Client Care | Nursing
X-Rays | Client Care | Nursing
Shot Records | Client Care | Nursing
Labs | Client Care | Nursing
Results | Client Care | Nursing
Reportable diseases | Disease Investigation | Nursing
Referrals | Referrals | Nursing
BCMH | Case Management | Nursing
Lead testing | Case management/Client Screening | Nursing
Emails | Case management/Client Care | Nursing
Stats | Disease Investigation/Epidemiology | Nursing
Employee Medical Records | Human Resources | Administration
Birth Summaries | Part of Birth/Death registration | Administration
Death Cause | Part of Birth/Death Registration | Administration
Fee Slips-Shot Records | Billing for Client Care | Administration

Sensitive Health Information: Sensitive health information maintained/transmitted by the facility is listed below.

Sensitive Health Information at CCCHD

Type of Information | Purpose of Information | Location/Ownership of Information

HIV diagnosis and treatment | Education/Screening | HIV counselor/Nursing
Sexually transmitted disease diagnosis and treatment | Client Care | Clinic/Nursing
Lab results | Disease Reporting/Investigation | Comm Dis/Nursing

Components of data storage system: Identify all the components of the system that the data resides in, because you cannot protect the information within your system unless you also protect the components of that system.

Components of Data Storage System | Location

Computers | All
HIPAA compliant transport bags | ECD
Phones/Voicemail | All
Files (Paper) | All
File Cabinets | All
Desk Area | All
Supervisor's office | All
File room | WIC Office
File cabinets (locked) | ECD/Environmental/Administration
HDIS/Computer (password protected) | Environmental
HDIS | Nursing/Administration
Charts | Nursing/WIC/ECD
X-Ray cabinet | Nursing
CMAX Billing (BLMH) | Nursing
Shred Box | Nursing
Tina's desk | Nursing
Locked Drawer | Administration
Scanned files | Administration

Existing Security Assets: Identify existing security assets, such as physical protection devices, technical security devices (encryption, firewalls, and so forth), policies and procedures, and personnel who could help in the security effort, because it is not cost-effective to procure a security asset you already have.

Existing Security Assets at CCCHD | Location

Locks on HIPAA bags | ECD
Locks on file cabinets | All
Phones password protected | ECD
Encrypted messages | ECD
Releases of information | ECD
Shredder | ECD/Administration
Locked file room | WIC
Locked bag to carry files to Springfield office | WIC
Passwords to get into computer | All
Locked file cabinets | Environmental
Password protection | Environmental
Passwords | All
Screen covers | Nursing
Locked BCMH bags | Nursing
BCMH room | Nursing
Lock Box (keys) | Nursing
Release consent form | Nursing
Keys | Administration
Screen lock after 9 minutes 20 seconds | Administration
HIPAA training | Administration
Privacy Screen (front desk) | Administration
Malwarebytes (antivirus) | IT
Windows Defender (antivirus) | IT
Firewalls: 1) Cisco ASA (internal/internet); 2) Windows built-in firewall | IT
Spam filter: mitigates phishing schemes and viruses arriving through email; helps encrypt if needed | IT
Back-ups | IT
IDS (intrusion detection system) | IT
2012 R2 servers / Windows 2010 | IT

IV. Identify Risks

Once you have identified and inventoried your assets, you must determine the vulnerabilities of your assets.

Probability: VL = Very low, L = Low, M = Moderate, H = High, VH = Very high
Degree of Harm: VL = Very low, L = Low, M = Moderate, H = High, VH = Very high
Threat: AC = Accuracy of data, AV = Availability of data, CF = Confidentiality of data


Remaining Risk | Location | Threat | Probability | Degree of Harm | Security Measure

Improper use of HIPAA bags | ECD | AV/CF | L | L | Training/Assessment
Open cubicles; information on secretary's desk; leaving information unattended; charts not put away; having files at desks when offices are unlocked | ECD/Nursing/WIC | AV/CF | M | M | Training/Assessment
Calendars | ECD/WIC | CF | L | L | Training/Assessment
Not clearing participant information from computer screen; unsupervised computers | WIC/NOS | AV/CF | M | H | Training/Assessment
Computer hackers (x3); viruses | Environmental/Administration | CF | L | H | Information Technology Contract
Locksmiths/brute force | Environmental | AV/CF | VL | M | N/A
Employee error (forgot to lock cabinets, being overheard) | Environmental | CF | L | M | Training/Checklists/Assessment
Unlocked filing cabinets | ECD/Nursing/NOS | CF | L | L | Training/Assessment
Unclaimed faxes | Nursing | AV/CF | M | M | Training/Assessment
Sharing rooms/vaccines | Nursing | CF | L | L | Training/Assessment
Lost keys | Administration | AV/CF | L | L | Training/Assessment
People who leave passwords written next to computer or desk, or give them out | Administration | CF | M | M | Training/Assessment
Computer crash | Administration | AC | L | L | Information Technology Contract
Unsecured desk & in-boxes | Not specified | CF | L | L | Training/Assessment
Sometimes documents can be long and protected information could be missed during hand redaction | Not specified | CF | L | L | Process to have secondary proof-reading
Loud conversation | Not specified | CF | M | M | Training/Assessment
Records waiting for disposal sitting in boxes | ECD/Administration | AV/CF | L | L | Consoles
Daily fee slips | Nursing | CF | VL | VL | Stored in locked location
Postcards? | ECD/Nursing | CF | L | L | (none listed)
Universal locks for breastfeeding charts | Nursing | CF | VL | VL | (none listed)
No in-office shredder or locked shred box | Not specified | CF | L | L | (none listed)
Clients in and out of areas where personal information is sitting out | Not specified | CF | L | M | Process/Training/Assessment
Overhearing public health information of others | Not specified | CF | M | M | Training/Assessment
Discussions around other people ("the outside world") | Not specified | CF | L | M | Training/Assessment
System crashes | IT | AC/AV | L | L | Information Technology Contract
ODH crashes | IT | AC/AV | L | M | N/A

Notes: In order to prioritize the risks, the Administrative Team was asked to rate the degree of harm and the probability of each risk on a scale of 1-5. Answers were averaged.
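The Notes above describe the scoring method (each Administrative Team member rates probability and degree of harm on a 1-5 scale and the answers are averaged) but not how an average becomes one of the VL/L/M/H/VH labels, or how the averaged pair becomes a ranking. The Python script below is an added example and is not part of the CCCHD plan. The band boundaries, the product-of-averages ranking and the rule that flags any risk whose harm is H or VH are assumptions of the example, and the per-member votes are constructed, since the Survey Monkey responses are not in the plan.

```python
"""Risk prioritisation helper for a HIPAA risk analysis (added example)."""
from dataclasses import dataclass
from statistics import mean

# Band boundaries are an assumption; the plan averages 1-5 votes but does not
# say how an average maps onto its VL/L/M/H/VH labels.
_BANDS = ((1.5, "VL"), (2.5, "L"), (3.5, "M"), (4.5, "H"), (float("inf"), "VH"))


def band(avg: float) -> str:
    """Map an averaged 1-5 rating onto the plan's five-point label."""
    for upper, label in _BANDS:
        if avg < upper:
            return label
    raise ValueError(f"average out of range: {avg}")


def _checked(votes) -> list:
    """Reject anything that is not an integer vote between 1 and 5."""
    votes = list(votes)
    if not votes or any(not isinstance(v, int) or not 1 <= v <= 5 for v in votes):
        raise ValueError(f"votes must be integers 1-5: {votes}")
    return votes


@dataclass
class RiskRating:
    risk: str
    location: str
    threat: str          # AC, AV, CF or a combination, as in the plan's legend
    probability: list    # one 1-5 vote per rater
    harm: list           # one 1-5 vote per rater

    def __post_init__(self):
        self.probability = _checked(self.probability)
        self.harm = _checked(self.harm)

    @property
    def avg_probability(self) -> float:
        return mean(self.probability)

    @property
    def avg_harm(self) -> float:
        return mean(self.harm)

    @property
    def score(self) -> float:
        # Ranking by product of the two averages is a design choice of this example.
        return self.avg_probability * self.avg_harm


def prioritize(ratings, harm_floor: str = "H") -> list:
    """Rows sorted by score, highest first. Any risk whose harm band is at or
    above harm_floor is flagged even when its probability is low, because a
    plain product lets a rare-but-severe item sink down the list."""
    order = [label for _, label in _BANDS]
    floor = order.index(harm_floor)
    rows = []
    for r in ratings:
        harm_band = band(r.avg_harm)
        rows.append({
            "risk": r.risk,
            "location": r.location,
            "threat": r.threat,
            "probability": band(r.avg_probability),
            "harm": harm_band,
            "score": round(r.score, 2),
            "flag": order.index(harm_band) >= floor,
        })
    rows.sort(key=lambda row: (-row["score"], row["risk"]))
    return rows


# Constructed votes for four risks taken from the Remaining Risks table;
# five raters each. The real survey answers are not in the plan.
SAMPLE = [
    RiskRating("Not clearing participant information from computer screen",
               "WIC/NOS", "AV/CF", [3, 3, 4, 3, 2], [4, 4, 5, 3, 4]),
    RiskRating("Computer hackers; viruses", "Environmental/Administration",
               "CF", [1, 2, 2, 1, 2], [4, 5, 4, 4, 5]),
    RiskRating("Loud conversation", "Not specified", "CF",
               [3, 3, 3, 3, 3], [3, 3, 3, 3, 3]),
    RiskRating("Daily fee slips", "Nursing", "CF",
               [1, 1, 1, 1, 1], [1, 1, 2, 1, 1]),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        mark = "*" if row["flag"] else " "
        print(f"{mark} {row['score']:5.2f}  P={row['probability']:<2} "
              f"H={row['harm']:<2} {row['risk']} ({row['location']})")
```

Two things are worth noticing. Averaging hides disagreement, so the class keeps the raw votes: a 1-and-5 split among raters is information the Privacy Officer wants, and a bland average of 3 throws it away. And a probability times harm ranking places "Computer hackers; viruses" below "Loud conversation" even though its harm is H; the flag column exists so that low-probability, high-impact items still get a named security measure rather than N/A.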


V. Implement Security Measures

Select reasonable, cost-effective security measures, and plan how to implement them.

Security Measure | Cost | Implement | Who is responsible | Target Date | Comments/Status/Test for Effectiveness

Training/Assessment | Time | Y / N | Privacy Officer | October 2017 |
IT Contractor | | Y / N | Health Commissioner | ongoing |
Fee slips to be locked | | Y / N | Admin Assistant to HC | October 2017 |
Consoles for records to be stored, awaiting discard | 35.00/month | Y / N | Health Commissioner | December 2017 |
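One row in the Remaining Risks table notes that protected information can be missed during hand redaction of long documents, and the chosen measure is a secondary proof-reading. A mechanical second pass catches the structured identifiers that a reader skims past. The Python script below is an added example and is not part of the CCCHD plan or its forms: the regular expressions are assumptions about the formats in CCCHD's records (Social Security numbers, dates, phone numbers and e-mail addresses, plus the client's name supplied by the redactor), and the case note it scans is constructed.

```python
"""Second-pass check for hand-redacted documents (added example)."""
import re

# Formats are assumptions: the plan lists Name, Address, DOB, SS# and
# Medicaid # as held data but does not say how they appear on the page.
PATTERNS = {
    # nine digits with optional separators; skips area 000/666/9xx, group 00, serial 0000
    "ssn": re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}(?!\d)"),
    # mm/dd/yyyy or mm-dd-yyyy with a four-digit year; DOB and service dates are both identifiers
    "date": re.compile(r"(?<!\d)(?:0?[1-9]|1[0-2])[/-](?:0?[1-9]|[12]\d|3[01])[/-](?:19|20)\d{2}(?!\d)"),
    # ten-digit North American phone numbers with or without punctuation
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}


def _checks(names) -> dict:
    """The fixed patterns plus a whole-word, case-insensitive check per supplied name."""
    checks = dict(PATTERNS)
    for name in names:
        checks[f"name:{name}"] = re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE)
    return checks


def scan(text: str, names=()) -> list:
    """Return (line number, kind, text) for every identifier still readable."""
    checks = _checks(names)
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in checks.items():
            for m in rx.finditer(line):
                findings.append((line_no, kind, m.group(0)))
    return findings


def redaction_complete(text: str, names=()) -> bool:
    return not scan(text, names)


def redact(text: str, names=(), marker: str = "[REDACTED]") -> str:
    """Replace everything scan() would flag; a starting point for the human pass."""
    out = text
    for rx in _checks(names).values():
        out = rx.sub(marker, out)
    return out


CLIENT_NAMES = ("Jane", "Doe")

# Constructed case note; no real person or record.
RAW = """Case note (constructed sample)
Client: Jane Q. Doe   DOB: 03/14/1986   SS# 219-09-9999
Phone: (937) 555-0142   Medicaid # on file
Lead screening result received 09/19/2017; referral sent to ECD.
"""

# The same note after a hurried hand redaction: the phone number was
# rewritten without punctuation and the service date was left in.
HAND_REDACTED = """Case note (constructed sample)
Client: [REDACTED]   DOB: [REDACTED]   SS# [REDACTED]
Phone: 937 555 0142   Medicaid # on file
Lead screening result received 09/19/2017; referral sent to ECD.
"""

if __name__ == "__main__":
    for line_no, kind, hit in scan(HAND_REDACTED, CLIENT_NAMES):
        print(f"line {line_no}: {kind} still readable: {hit!r}")
```

Regular expressions only find what has a shape. A relative's name, a street address or a diagnosis written in prose still need the human second reader the plan calls for, so the script is a check on that reading, not a replacement for it. `redact()` uses the same patterns the other way round, to mark the text before the human pass; an unformatted nine-digit number is still caught, which is the kind of thing a reader looking for dashes misses.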

**End**


Clark County Combined Health District (CCCHD) 529 East Home Road Springfield, OH 45503

Divisions: All Divisions of CCCHD

Procedure No. 1: The Privacy Official (45 C.F.R. 164.530)

Purpose: Identify a Privacy Officer and describe expectations

Scope: Clark County Combined Health District

Responsibility: Health Commissioner

References/Related: 45 C.F.R. 164.530

Procedure: The Clark County Combined Health District has a Privacy Official, designated below, who is responsible for overseeing the development and implementation of, and adherence to, the Clark County Combined Health District's policies and procedures covering the privacy of, and access to, patient health information in compliance with federal and state laws and the Clark County Combined Health District's information privacy practices. 45 C.F.R. 164.530(a)(2).

Christina Conover (Name of Privacy Official)

Responsibilities:

• Reports to, and coordinates privacy-related activities with, the Health Commissioner
• Assists with implementation of Policies & Procedures and Forms
• Trains the workforce on these Policies & Procedures and Forms
• Defines Protected Health Information (PHI) for staff needs
• Receives, documents, and responds to complaints about privacy practices
• Ensures that all members of the workforce and volunteers sign an Annual Privacy Statement
• Maintains and updates these Policies & Procedures and Forms
• Assists with determinations under the Minimum Necessary Rule
• Answers patient questions about Acknowledgements and the Notice of Health Information Privacy Practices
• Ensures research protocols and related privacy requirements are followed
• Assesses the need for Business Associate contracts
• Ensures compliance with rules on De-identification of Health Information
• Reviews requests for psychotherapy notes
• Reviews law enforcement requests for Health Information
• Reviews subpoena requests for Health Information
• Assists with patient Requests for an Accounting of Disclosures
• Assists with patient Requests for an Amendment to their Health Information
• Ensures imposition of sanctions for breaches of these Policies & Procedures
• Coordinates with governmental authorities on privacy matters
• Identifies state laws not preempted or superseded by the Privacy Regulation (in conjunction with local counsel)
• Debriefs terminated members of the workforce about Privacy Regulation requirements


Notes:

• The position of Privacy Official is a part-time one. However, training and expertise are required to oversee activities related to these Policies & Procedures. While working knowledge of the Privacy Regulation is necessary, it is equally important that the Privacy Official understands state and other laws relating to confidentiality, privacy, and disclosure of health-related information. In some instances, these laws give the individual greater protection regarding the use and disclosure of their Health Information, in which case the provisions of such state laws must also be followed.

• Note that in some instances the Privacy Official must exercise oversight to ensure that compliance activities occur, rather than perform the particular activity himself or herself (e.g., ensure imposition of sanctions for breaches of the policies and procedures). The Privacy Official will likely find it necessary to assemble an inter-disciplinary team representing the Clark County Combined Health District's various functions and activities (e.g., client services, billing, and other business and administrative functions) to assist him or her in meeting his or her responsibilities under the Privacy Regulation.

Procedure Approval and Maintenance: The HIPAA Privacy Officer is responsible for annual reviews of this procedure.

Date | Description of Review or Change | Reviewed or Changed by
2003 | Created | S. Hiddleson
2008 | Changed Privacy Officer to reflect Christina Conover due to personnel change | C. Conover
03/16/2016 | Revised/Reformatted | C. Conover
08/29/2017 | Reviewed; minor wording changes, without substantial change to content. | C. Conover


Clark County Combined Health District (CCCHD) 529 East Home Road Springfield, OH 45503

Divisions: All Divisions of Clark County Combined Health District

Procedure No. 2: Annual Privacy Statement

Purpose: CCCHD employees will acknowledge their responsibilities for familiarity with federal, state and agency confidentiality policies and procedures.

Scope: Who: Clark County Combined Health District Workforce; When: Orientation and annually

Responsibility: CCCHD workforce including employees, volunteers, students, contract workers

References/Related: 45 Code of Federal Regulations (CFR) Sections 160, 162, 164

Attachment: Annual Privacy Statement

Although the Privacy Regulation does not require workers to sign an Annual Privacy Statement, it is included here to assist affiliates in their compliance efforts. A signed statement provides written documentation that each member of the workforce has received and read the HIPAA Privacy Policies & Procedures and agrees to abide by their terms.

Board of Health Resolution

1.0 Initial Acknowledgement as condition of employment or contracted workforce:

1.1 On date of hire the Administrative Assistant to the Health Commissioner notifies the employee of the confidentiality requirements as an employee of CCCHD. The employee acknowledges understanding in writing.

1.2 Within one week of hire, CCCHD employees will complete the initial CCCHD HIPAA Training and will review and sign the CCCHD Annual Privacy Statement, returning it to the CCCHD Privacy Official.

1.3 The Privacy Statement is reviewed by the CCCHD Privacy Official with signature.

1.4 The Privacy Statement is logged and tracked in the “Confidentiality and HIPAA-CCCHD” folder on the Common Shared Drive at CCCHD.

2.0 Annual Acknowledgement as condition of employment or contracted workforce:

2.1 The Annual Privacy Statement will be reviewed and signed by all CCCHD employees, with return of completed forms to the CCCHD Privacy Official.

2.2 The Privacy Statement is reviewed by the CCCHD Privacy Official with signature.

2.3 The Privacy Statement is logged and tracked in the “Confidentiality and HIPAA-CCCHD” folder on the Common Shared Drive at CCCHD.

3.0 Acknowledgement by Students and Volunteers:

3.1 Within one week of volunteer work or student assignment at CCCHD, the individual will complete the HIPAA Training for Students and Volunteers. At that time the Annual Privacy Statement will be reviewed and signed as part of Attachment B. The CCCHD employee who is providing guidance for the student or volunteer will return the completed form to the CCCHD Privacy Official.

3.2 The Privacy Statement is reviewed and signed by the volunteer/student’s manager or point of contact. The CCCHD Privacy Official may also acknowledge with signature if needed.

3.3 The Privacy Statement is stored/maintained with the HIPAA Privacy Officer in accordance with the Record Retention schedule.

Procedure Approval and Maintenance: The HIPAA Privacy Officer is responsible for annual review of this procedure.


Date | Description of Review or Change | Reviewed or Changed by
2003 | Created | S. Hiddleson
10/06/2016 | Reformatted into new procedure template | C. Conover
08/29/2017 | Reviewed; removed annual training, changed name of folder on Common Shared Drive; added date of hire information. | C. Conover


Clark County Combined Health District (CCCHD) 529 East Home Road Springfield, OH 45503

Divisions: All Divisions of Clark County Combined Health District

Procedure No. 3: Training On Privacy Policies & Procedures

Purpose: Formalize the training for CCCHD employees in Confidentiality and HIPAA

Scope: CCCHD Workforce

Responsibility: All Employees of CCCHD

References/Related: 45 Code of Federal Regulations (CFR) 164.530(b); 45 CFR § 164.308(a)(5)

Excerpts regarding training from HIPAA Requirements: 45 CFR § 164.530(b)(1)

(b) (1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.

(2) Implementation specifications: Training.

(i) A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows:

(A) To each member of the covered entity’s workforce by no later than the compliance date for the covered entity;

(B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce; and

(C) To each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.

(ii) A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section.

HIPAA Security Rule: 45 CFR § 164.308(a)(5)

(a) A covered entity or business associate must, in accordance with § 164.306:

(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations…

(5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).

(ii) Implementation specifications. Implement:

(A) Security reminders (Addressable). Periodic security updates.

(B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.

(C) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.

(D) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.

All employees and contract employees of the CCCHD will be trained with regard to confidentiality of all individually identifiable health information (also known as protected health information) according to HIPAA policies and procedures at orientation and as required by the CFR.


Procedure: Confidentiality/HIPAA Training for new employees and contracted workers:

1) The Administrative Assistant to the Health Commissioner will meet with employee on date of hire. At that time, the employee will sign Attachment C, HIPAA – Day 1. This acknowledgement is kept in the employee’s personnel file.

2) On Day 1 of hire, the employee will receive a checklist of necessary trainings from the Administrative Assistant to the Health Commissioner to complete during the first week. This list includes the Confidentiality/HIPAA Training. The Administrative Assistant has the binder with the materials for orientation training.

a. Step 1: The employee will view the video from Veterans Press, Basic HIPAA Training by J. Tomes.

b. Step 2: Complete the test and submit to Workforce Development either through the division representative or by emailing directly to [email protected].

c. Step 3: Sign the Annual Privacy Statement and submit to the HIPAA Privacy Officer for review and signature.

Confidentiality/HIPAA Training for existing employees and contracted workers:

1) Periodic trainings on HIPAA or confidentiality are conducted by the HIPAA Privacy Officer. Training is tracked in the Workforce Development Database on Common Shared. The 2003-2016 Excel sheet is stored in the “documents” folder, which is located inside CCCHD Workforce Dev Tracking in Common Shared.

Procedure Approval and Maintenance: The HIPAA Privacy Officer is responsible for annual reviews of this procedure.

Date | Description of Review or Change | Reviewed or Changed by
April 2003 | Created | S. Hiddleson
6/15/17 | Training for employees was changed from “annual” to “as required”. Updated and reformatted | B. Dorsey/C. Conover
08/29/2017 | Detailed out steps for training on orientation | C. Conover


Clark County Combined Health District (CCCHD) 529 East Home Road Springfield, OH 45503

Divisions: All of CCCHD

Procedure No. 4: Record Retention Periods (45 C.F.R. 164.530(i))

Purpose: To ensure a seven (7) year retention period for all documentation required or generated by HIPAA policy and procedure.

Scope: All documentation completed in the administration of HIPAA/Confidentiality policy and procedure

Responsibility: All Employees

References/Related: ORC from Record Retention; CCCHD Record Retention Policy; Board of Health Resolution

Procedure:

1) See the Record Retention Policy and Procedure, which indicates that HIPAA Related Records are retained for seven years unless they are scanned, in which case they are retained for one month after scanning to electronic media.

2) HIPAA Related Records include, but are not limited to:

• Annual Privacy Statement
• Notice of Health Information Privacy Practices
• Patient Acknowledgement Of Receipt of Notice Of Health Information Privacy Practices
• Requests For Restrictions On Use And Disclosure Of Protected Health Information
• Authorization Forms
• Requests For Access To Health Information
• Denial of Request For Access To Health Information
• Review Of Denial Of Request For Access To Health Information
• Requests For Accounting Of Disclosures Of Health Information
• Requests For Amendment Of Health Information
• Training materials and attendance sheet
• Business Associate Agreements (retained for 7 years after the business contract is terminated)
• Consents

Procedure Approval and Maintenance: The HIPAA Privacy Officer is responsible for annual reviews of this procedure.

Date | Description of Review or Change | Reviewed or Changed by
2003 | Created | S. Hiddleson
6/15/17 | Updated and Reformatted | B. Dorsey/C. Conover
08/29/2017 | Clarified retention for Business Associates Agreements | C. Conover


Clark County Combined Health District (CCCHD) 529 East Home Road Springfield, OH 45503

Divisions: All Divisions of CCCHD

Procedure No. 5: Effective Date and Changes to These Policies

Purpose: Formalize the effective date for HIPAA implementation and outline process for revising Confidentiality and HIPAA procedures at the Clark County Combined Health District.

Scope: Clark County Combined Health District

Responsibility: Privacy Officer

References/Related: Board of Health Resolution 2003; Board of Health Resolution 2017

Procedure:

1) The Policy and Procedures associated with HIPAA became effective at CCCHD in April 2003.

2) Changes to the Confidentiality and HIPAA procedures that do not materially affect the content of the NOTICE OF HEALTH INFORMATION PRIVACY PRACTICES may occur at any time. The Privacy Official shall be consulted before any changes are made.

3) If a change to these Policies & Procedures materially affects the NOTICE OF HEALTH INFORMATION PRIVACY PRACTICES, then the workforce must be retrained. Additionally, a new ACKNOWLEDGMENT OF RECEIPT OF NOTICE OF HEALTH INFORMATION PRIVACY PRACTICES must be obtained from each patient (see Procedure #13).

Note: A “material change” is a new practice that affects a patient’s right to access or control his/her Health Information, or an operational change that, if implemented by the Clark County Combined Health District, would require the NOTICE OF HEALTH INFORMATION PRIVACY PRACTICES to be amended to accurately reflect the new practice.

Procedure Approval and Maintenance: The HIPAA Privacy Officer is responsible for annual reviews of this procedure.

Date | Description of Review or Change | Reviewed or Changed by
2003 | Created | S. Hiddleson
6/15/17 | Reformatted and updated | B. Dorsey/C. Conover
08/29/2017 | Reformatting; no significant content change | C. Conover


Clark County Combined Health District (CCCHD) 529 East Home Road Springfield, OH 45503

Divisions: All Divisions of CCCHD

Procedure No. 6: Definition of “Health Information”

Purpose: Define and protect all the elements of individually identifiable health information.

Scope: All forms or media (print, verbal, audio, electronic)

Responsibility: Clark County Combined Health District Employees

References/Related: Board of Health Resolution

Protected Health Information. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)." “Individually identifiable health information” is information, including demographic data, that relates to

• the individual’s past, present or future physical or mental health or condition,
• the provision of health care to the individual, or
• the past, present or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number). The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.

Procedure Approval and Maintenance: The HIPAA Privacy Officer is responsible for annual reviews of this procedure.

Date | Description of Review or Change | Reviewed or Changed by
2003 | Created | S. Hiddleson
6/15/17 | Reformatted and Updated | B. Dorsey/C. Conover
08/29/2017 | Reformat | C. Conover


Clark County Combined Health District (CCCHD) 529 East Home Road Springfield, OH 45503

Divisions: All Divisions of CCCHD

Procedure No. 7: De-identification of Health Information

Purpose: Allow use of de-identified health information

Scope: Clark County Combined Health District

Responsibility: CCCHD Epidemiologist and employees

References/Related: Board of Health Resolution

1) There are no restrictions on the use or disclosure of de-identified health information.

2) Definition: De-identified health information neither identifies nor provides a reasonable basis to identify an individual. 45 C.F.R. 164.514(a).

3) Procedure to de-identify information: De-identified information must meet one of the two criteria:

a. Epidemiologist Determination: Formal determination by a qualified statistician, such as the CCCHD Epidemiologist, who is a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not identifiable. This person must apply these principles and methods and determine that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information. This person must document the methods and results of the analysis that justify such determination.

b. Redaction: The removal of specified identifiers of the individual and of the individual’s relatives, household members and employers is required, and is adequate only if the covered entity has no actual knowledge that the remaining information could be used alone or in combination with other information to identify an individual who is a subject of the information. The following identifiers must be removed:

• Names;

• All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:

  • The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and

  • The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

• All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

• Telephone numbers;

• Fax numbers;

• Electronic mail addresses;

• Social security numbers;

• Medical record numbers;

• Health plan beneficiary numbers;

• Account numbers;

• Certificate/license numbers;

• Vehicle identifiers and serial numbers, including license plate numbers;

• Device identifiers and serial numbers;

• Web Universal Resource Locators (URLs);

• Internet Protocol (IP) address numbers;

• Biometric identifiers, including finger and voice prints;

• Full face photographic images and any comparable images; and

• Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section.

4) Re-identification: A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that:

a) Derivation. The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and

b) Security. The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.
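The redaction rules in 3.b (the identifier list, the three-digit zip code generalization with its 20,000-person threshold, and the over-89 age aggregation) and the re-identification code conditions in item 4 are mechanical enough to implement and test. The Python below is an added example written for this edit; it is not CCCHD's code and not part of the procedure. The field names, the sample record and the three-digit zip population table are constructed assumptions; real use would need the current Bureau of the Census data the procedure cites.

```python
"""Safe Harbor de-identification of one record (added illustrative code).

Implements the identifier-removal rules of Procedure No. 7, item 3.b
(45 C.F.R. 164.514(b)(2)) for a dict-based record, and a re-identification
code meeting the derivation and security conditions of item 4
(45 C.F.R. 164.514(c)). Field names, sample record and the zip population
table are constructed for this example, not taken from CCCHD systems.
"""
import re
import secrets
from datetime import date

# Fields the Safe Harbor list requires to be removed outright (constructed
# field names; a real system maps its own schema onto this set).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "precinct", "phone", "fax",
    "email", "ssn", "mrn", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric", "photo",
}

# Dates directly related to the individual: only the year may be kept.
DATE_FIELDS = {"admission_date", "discharge_date", "death_date"}

# Constructed stand-in for the Census population of each three-digit zip
# prefix; real use requires the current publicly available Census data.
ZIP3_POPULATION = {
    "455": 150_000,  # example prefix with more than 20,000 people
    "036": 15_000,   # example prefix with 20,000 or fewer people
}

# Reference date used to compute ages in the example (constructed).
REFERENCE_DATE = date(2017, 9, 25)


def generalize_zip(zip_code, zip3_population=ZIP3_POPULATION):
    """Keep the first three zip digits only if that unit has more than
    20,000 people; otherwise (or if the prefix is unknown) return 000."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None
    prefix = digits[:3]
    return prefix if zip3_population.get(prefix, 0) > 20_000 else "000"


def age_on(birth_date, as_of):
    """Age in completed years on the reference date."""
    years = as_of.year - birth_date.year
    if (as_of.month, as_of.day) < (birth_date.month, birth_date.day):
        years -= 1
    return years


def generalize_age(age_years):
    """Ages over 89 are aggregated into the single category '90 or older'."""
    return "90+" if age_years > 89 else age_years


def deidentify(record, as_of=REFERENCE_DATE, zip3_population=ZIP3_POPULATION):
    """Return a Safe Harbor de-identified copy of `record`.

    Direct identifiers are dropped, the zip code is generalized, dates are
    reduced to their year, and for anyone over 89 the birth year is dropped
    as well, since it is a date element indicative of that age.
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(value, zip3_population)
        elif field == "birth_date":
            age = age_on(value, as_of)
            out["age"] = generalize_age(age)
            out["birth_year"] = None if age > 89 else value.year
        elif field in DATE_FIELDS:
            out[field + "_year"] = value.year
        else:
            out[field] = value  # clinical or demographic data that may remain
    return out


def issue_reid_code(record_id, registry):
    """Assign a re-identification code per item 4: random, so it is neither
    derived from nor translatable into information about the individual,
    and recorded only in a registry the covered entity keeps undisclosed."""
    code = secrets.token_hex(16)
    registry[code] = record_id
    return code


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "street_address": "123 Sample St",
    "city": "Springfield",
    "zip": "45503-1234",
    "ssn": "000-00-0000",
    "birth_date": date(1925, 3, 10),
    "admission_date": date(2017, 8, 29),
    "diagnosis_code": "J10.1",
    "sex": "F",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```

The check a Privacy Official would want from such a routine is the negative one: after de-identification no key from the direct-identifier set survives, and a person over 89 is left with neither an exact age nor a birth year. The re-identification code is drawn from a random source rather than computed from the medical record number or other fields, because a value computed from the individual's own data is "derived from" that data and fails condition 4(a); the registry that maps codes back to records is the mechanism 4(b) requires the covered entity not to disclose.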

Procedure Approval and Maintenance: The HIPAA Privacy Officer is responsible for annual reviews of this procedure.

Date | Description of Review or Change | By Whom
2003 | Created | C. Conover
06/15/2017 | Reformatted | B. Dorsey/C. Conover
08/29/2017 | Added information from CFR regarding the elements of info that must be eliminated. | C. Conover


Clark County Combined Health District (CCCHD) 529 E. Home Road Springfield, OH 45503

Divisions: All Divisions of CCCHD

Procedure No. 8: Permitted Disclosures for Treatment, Payment and Operations

Purpose: Access and use protected health information for treatment, payment and healthcare operations.

Scope: Individually identifiable health information at Clark County Combined Health District

Responsibility: CCCHD Workforce

References: Board of Health Resolution

The HIPAA Privacy Rule permits a covered entity such as CCCHD to use and disclose protected health information, with certain limits and protections, for treatment, payment, and health care operations activities. The core health care activities of “Treatment,” “Payment,” and “Health Care Operations” are defined in the Privacy Rule at 45 CFR 164.501.

1) Disclose for Treatment: “Treatment” is the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.

2) Disclose for Payment: “Payment” encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care.

3) Disclose for Operations: “Health care operations” are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. These activities include:

a. Conducting quality assessment and improvement activities, population based activities relating to improving health or reducing health care costs, and case management and care coordination;

b. Reviewing the competence or qualifications of health care professionals, evaluating provider and health plan performance, training health care and non-health care professionals, accreditation, certification, licensing, or credentialing activities;

c. Underwriting and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to health care claims;

d. Conducting or arranging for medical review, legal, and auditing services, including fraud and abuse detection and compliance programs;

e. Business planning and development, such as conducting cost-management and planning analyses related to managing and operating the entity; and

f. Business management and general administrative activities, including those related to implementing and complying with the Privacy Rule and other Administrative Simplification Rules, customer service, resolution of internal grievances, sale or transfer of assets, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.

A covered entity may disclose protected health information to another covered entity for certain health care operation activities of the entity that receives the information if:

a. Each entity either has or had a relationship with the individual who is the subject of the information, and the protected health information pertains to the relationship; and

b. The disclosure is for a quality-related health care operations activity or for the purpose of health care fraud and abuse detection or compliance.


4) Psychotherapy Notes. Uses and disclosures of psychotherapy notes for treatment, payment, and health care operations require the individual’s authorization.

5) Minimum Necessary. Disclosures of, and requests for, protected health information for payment and health care operations must be limited to the minimum information necessary. (Note: Minimum necessary standards do not apply to disclosures/requests by health care providers for treatment purposes.)

6) Consent. A covered entity may choose, but is not required, to obtain the individual’s consent for it to use and disclose information about him or her for treatment, payment, and health care operations. (Note: a consent is different than an “authorization” which is required in various parts of the Privacy Rule.)

7) Right to Request Privacy Protection. Individuals have the right to request restrictions on how a covered entity will use and disclose protected health information about them for treatment, payment, and health care operations. A covered entity is not required to agree to an individual’s request for a restriction, but is bound by any restrictions to which it agrees. See 45 CFR 164.522(a).

8) Right to Request Confidential Communications. Individuals also may request to receive confidential communications from CCCHD, either at alternative locations or by alternative means. For example, an individual may request that her health care provider or health plan call her at her office, rather than her home. A health care provider must accommodate an individual’s reasonable request for such confidential communications. See 45 CFR 164.522(b).

9) Notice of Privacy Practices. Any use or disclosure of protected health information for treatment, payment, or health care operations must be consistent with CCCHD’s notice of privacy practices. A covered entity is required to provide the individual with adequate notice of its privacy practices, including the uses or disclosures the covered entity may make of the individual’s information and the individual’s rights with respect to that information.

Procedure Maintenance: The HIPAA Privacy Officer is responsible for annual reviews of this procedure.

Date | Revision | By Whom
2003 | Created | S. Hiddleson
06/16/2017 | Reformatted and updated | B. Dorsey/C. Conover
08/30/2017 | Detail added from OCR HIPAA Privacy Memo re: acceptable uses | C. Conover


Clark County Combined Health District (CCCHD) 529 East Home Road Springfield, OH 45503

Divisions: All Divisions of CCCHD

Procedure No. 9: Uses and Disclosures of Health Information Based on an Authorization

Purpose: An individual can provide written authorization for use or disclosure of protected health information that is not already permitted or required by the Privacy Rule.

Scope: Clients of CCCHD services that involve Protected Health Information

Responsibility: Employees of CCCHD

References/Related: Board of Health Resolution

A covered entity must obtain the individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment or healthcare operations and is not otherwise required or permitted by the Privacy Rule.

Conditions:

1) Initiation of Authorization: Authorization may allow use and disclosure of protected health information by either the entity seeking the authorization or by a third party.

2) Health Literacy: Authorizations must be in plain language.

3) Specific Elements: An authorization must specify a number of elements:

a. a description of the protected health information to be used and disclosed
b. the person authorized to make the use or disclosure
c. the person to whom the covered entity may make the disclosure
d. an expiration date
e. in some cases, the purpose for which the information may be used or disclosed.

4) Treatment: With limited exceptions, covered entities may not condition treatment or coverage on the individual providing an authorization.

5) Marketing: The HIPAA Privacy Rule expressly requires an authorization for uses or disclosures of protected health information for ALL marketing communications, except in two circumstances:

a. When the communication occurs in a face-to-face encounter between the covered entity and the individual; or

b. The communication involves a promotional gift of nominal value.

c. Additionally, if the marketing communication involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved.

6) Psychotherapy Notes: An individual’s authorization to use or disclose psychotherapy notes must be obtained, with the following exceptions:

a. A covered entity who initiated the notes may use them for treatment.

b. A covered entity may use or disclose psychotherapy notes:

i. for its own training
ii. to defend itself in legal proceedings brought by the individual
iii. for HHS to investigate or determine the entity’s compliance with Privacy Rules
iv. to avert a serious and imminent threat to public health or safety
v. to a health oversight agency for lawful oversight of the originator of the psychotherapy notes
vi. for lawful activities of a coroner or medical examiner, or as required by law

Forms: The AUTHORIZATION FORM FOR RELEASE OF HEALTH INFORMATION shall be used at CCCHD.

Procedure Approval and Maintenance: The HIPAA Privacy Officer is responsible for annual reviews of this procedure.


Date | Description of Review or Change | Reviewed or Changed by
2003 | Created | C. Conover
6/16/17 | Reformatted and updated | B. Dorsey/C. Conover
08/30/2017 | Added detail from HHS website regarding specific elements included in an authorization | C. Conover


Clark County Combined Health District (CCCHD) 529 East Home Road Springfield, OH 45503

Divisions: All Divisions of CCCHD Procedure No. 10: Permitted Disclosures for Judicial and Law Enforcement Purposes

Background: Allowed Disclosures

Judicial or Administrative Proceeding 1. Judicial or Administrative Proceeding. CCCHD may disclose protected health information in the course of any judicial or

administrative proceeding as follows:

a. In response to an order of a court or administrative tribunal, provided that the CCCHD discloses only the protected health information expressly authorized by such order

b. In response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal, if either of these things have been done:

i. CCCHD receives satisfactory assurance from the party requesting information that reasonable efforts have been made to ensure that the individual who is the subject of the protected health information has been notified of the request. This includes:

• The party requesting information must make a good faith attempt to provide written notice to the individual, or, if the individual's location is unknown, to mail a notice to the individual's last known address

• The notice should include sufficient information about the litigation or proceeding to permit the individual to raise an objection to the court or administrative tribunal

• The time for the individual to raise objections must have elapsed and either no objection was filed or the objections filed have been resolved.

ii. CCCHD receives satisfactory assurance from the party seeking the information that reasonable efforts have been made to secure a qualified protective order. This includes:

• The parties involved in the dispute have agreed to a qualified protective order and have presented it to the court or administrative tribunal or the party seeking the information has requested a qualified protective order from such court or administrative tribunal.

• A qualified protective order prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested; and requires the information to be returned to CCCHD or destroyed at the end of the litigation or proceeding.

c. CCCHD may disclose protected health information in response to lawful process without receiving satisfactory assurance if CCCHD makes reasonable efforts to provide notice to the individual or to seek a qualified protective order.

Law Enforcement

1. CCCHD may disclose protected health information for law enforcement purposes under these conditions:

• As required by law, including laws that require the reporting of certain types of wounds or other physical injuries.

• In compliance with a court order, court-ordered warrant, subpoena or summons issued by a judicial officer, a grand jury subpoena, or an administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand.

• Additionally, disclosure could occur in response to a similar process authorized under law, provided that the information sought is relevant and material to a legitimate law enforcement inquiry, the request is specific and limited in scope, and de-identified information could not reasonably be used.

Purpose: Protected health information may be disclosed in judicial or administrative proceedings as well as law enforcement purposes under certain circumstances.

Scope: Protected Health Information at CCCHD

Responsibility: Employees at CCCHD

References/Related: Board of Health Resolution


2. Except for disclosures required by law, CCCHD may disclose protected health information in response to a law enforcement official's request for such information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, provided that the disclosure includes only the following information:

• Name, address, date of birth, place of birth, social security number, ABO blood type and Rh factor, type of injury, date and time of treatment, date and time of death (if applicable), and distinguishing physical characteristics.

• CCCHD may not disclose protected health information related to the individual's DNA or DNA analysis, dental records, or typing, samples or analysis of body fluids or tissue.

3. Victims of a crime. Except for disclosures required by law, CCCHD may disclose protected health information in response to a law enforcement official's request for such information about an individual who is or is suspected to be a victim of a crime if the individual agrees to the disclosure; or CCCHD is unable to obtain the individual's agreement because of incapacity or other emergency circumstance.

• If agreement is unable to be obtained, the law enforcement official represents that such information is needed to determine whether a violation of law by a person other than the victim has occurred, that immediate law enforcement activity would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and in his/her professional judgement, disclosure is in the best interests of the individual as determined by CCCHD.

4. Decedents. CCCHD may disclose protected health information about an individual who has died to a law enforcement official for the purpose of alerting law enforcement of the death of the individual if the covered entity has a suspicion that such death may have resulted from criminal conduct.

5. Crime on premises. CCCHD may disclose to a law enforcement official protected health information that the agency believes in good faith constitutes evidence of criminal conduct that occurred on CCCHD premises.

6. Reporting crime in emergencies. A health care provider may disclose protected health information to a law enforcement official if such disclosure appears necessary to alert law enforcement regarding the commission, nature and location of a crime, as well as a description of the perpetrator.

Procedure to Respond to Order of the Court or Administrative Tribunal:

1. The order should be routed to the CCCHD Records Custodian.

2. CCCHD staff comply with requests of the Records Custodian in gathering only the protected health information authorized by the order.

3. The Records Custodian is responsible for responding to the court order by sending the requested records to the requesting court.

4. The Records Custodian will log the nature of the request and the requestor on the CCCHD Server, in the Administration Drive - Public Records File - Invoice Number Logs Document, and the log should be retained according to the CCCHD Records Retention Policy.

Procedure to Respond to Subpoena or Other Request for Disclosure by Law Enforcement

1. When CCCHD receives a request or subpoena from a law enforcement official for any Health Information, forward the request or subpoena to the Records Custodian and notify the Privacy Official.

2. The Records Custodian and the Privacy Official shall review state and federal laws that govern the disclosure of Health Information to law enforcement officials.


3. The Records Custodian shall contact the County Prosecutor to verify that the request satisfies all legal standards.

4. If an attorney issued the subpoena, the Privacy Officer or the Records Custodian, under advisement of the County Prosecutor, will contact that attorney and inform him/her that it is the policy of CCCHD not to release Health Information unless and until satisfactory assurances are provided in writing to CCCHD demonstrating that:

• The requesting party has made a good faith attempt to provide written notice to the patient whose information is requested;

• The notice to the patient includes sufficient information about the litigation or proceeding to permit the patient to raise objections to the court or administrative tribunal; and

• The time for the individual to raise objections has lapsed and no objections were filed, OR the court or administrative tribunal has resolved all objections.

It is the responsibility of the Privacy Officer to review and confirm that satisfactory assurances have been met.

5. The Records Custodian will contact the patient to inform him/her that the Affiliate has received a subpoena or request for his/her Health Information. The contact will include the following elements:

• Offer to send, or arrange for the patient to pick up, a copy of the request or subpoena.

• Tell the patient the names of the parties to the litigation or matter, the name of the party requesting the Health Information, the particular Health Information requested or subpoenaed, and the date by which such Information must be produced.

• Tell the patient that it is his/her obligation to object to the subpoena.

6. If, after repeated attempts, CCCHD cannot contact the patient, the Records Custodian will document the efforts made to contact the patient.

7. If the decision is made to disclose Health Information, the Records Custodian will oversee the process of gathering records and sending the response to the subpoena or request.

• Only the Minimum Necessary Health Information (Procedure 11) should be provided. This may require redacting a copy of the medical record so that only the particular information responsive to the subpoena is disclosed.

• The Records Custodian or the Privacy Official may consult with the Medical Director to determine that only the minimally required information is released. It is the responsibility of the Privacy Officer to review the contents of the disclosure.

8. The Records Custodian will log the nature of the request and the requestor on the CCCHD Server - the Administration Drive - Public Records File - Invoice Number Logs Document. These records should be retained according to the CCCHD Record Retention Policy.

Procedure Approval and Maintenance: The HIPAA Privacy Officer is responsible for annual reviews of this procedure.

Date Description of Review or Change Reviewed or Changed by

2003 Created S. Hiddleson

6/16/17 Reformatted and updated B. Dorsey/C. Conover

08/31/2017 Detailed responsibilities C. Conover


Divisions: All Divisions of CCCHD Procedure No. 11: Minimum Necessary Rule

1) The Clark County Combined Health District must make reasonable efforts to use, disclose or request only the minimum amount of protected health information needed to accomplish the intended purpose of such use, request or disclosure. As a general matter, the entire medical record or file shall not be used or disclosed unless it is exempted from this rule (as set forth below) or there is documented justification as to the necessity for the entire record.

2) Exemptions from the minimum necessary rule: The following uses and disclosures are exempted from the Minimum Necessary Rule and, if there are no other prohibitions (e.g., a patient request for restrictions on use and disclosure; see Procedure 14), the entire record containing Health Information may be disclosed:

a. Disclosures to or a request by another provider for treatment
b. Disclosures to the patient or the patient’s representative
c. Disclosures pursuant to an authorization by the patient
d. Disclosures to HHS for compliance or enforcement action
e. Uses or disclosures required by other laws
f. Uses or disclosures for compliance with the HIPAA Transactions Rule or HIPAA Administrative Simplification Rule

3) Access to Protected Health Information (created, maintained or received) by CCCHD involves the following classes of persons. As a general principle, each position/class should only access client-specific Protected Health Information and/or files that are necessary to complete their assigned duties.

Purpose for Access | Position or Class | Notes Regarding Access

Treatment | Medical Director | Shall have permission to access the Medical Records from the Nursing Division. Files from other departments will be available on an as-needed basis for purposes of disease surveillance, consultation and quality assurance.

Treatment | Nurse Practitioners | Shall have permission to access the Medical Records from the Nursing Division.

Treatment/Payment | Nurses | Will have access to all files within those areas for the purposes of treatment, consultation, coordination of services and billing.

Treatment/Payment | Home Visitors | Will have access to all files within those areas for the purposes of treatment, consultation, coordination of services and billing.

Treatment/Payment/Healthcare Operations | Clerical Staff in Early Childhood, Nursing | Will have access to all files within those areas for the purposes of treatment, consultation, coordination of services and billing.

Treatment/Payment | All personnel in WIC | Will have access to all files within those areas for the purposes of treatment, consultation, coordination of services and billing.

Treatment/Payment/Healthcare Operations | Health Commissioner | Shall have access to all files for purposes of disease surveillance, quality assurance and legal matters relating to the Agency's legal jurisdiction.

Treatment | Epidemiologist | Shall have access to all files within the Clark County Combined Health District for purposes of disease surveillance and statistical assessment and analysis.

Payment/Healthcare Operations | Fiscal Officer | Engaged in billing, payment, audit or insurance matters.

Payment/Healthcare Operations | Finance Staff | Engaged in billing, payment, audit or insurance matters.

Healthcare Operations | Records Custodian | Engaged in billing, payment, audit or insurance matters, records requests.

Healthcare Operations | Vital Statistics Staff | Death review, statistical information derived from the confidential section of Birth Records.

Healthcare Operations/Payment/Treatment | Front Desk Staff | Client assistance, billing, payment.

Healthcare Operations/Payment/Treatment | Volunteers/Students | Clinical experiences, assistance to agency operations.

Healthcare Operations | Information Technology | Electronic Medical Records maintenance and support.

Other | Sanitarians, Sanitarians in Training | Medical history, diagnoses as part of nuisance investigation, mitigation.

Other | Clerical Staff in Environmental Health | Medical history, diagnoses as part of nuisance investigation, mitigation.

Healthcare Operations | Other Administration Division Staff | Audits, administration of HIPAA, surge support for other Health District programs.

Healthcare Operations/Payment/Treatment | All CCCHD Staff | Assigned duties during an emergency response.

Purpose: Limit the use or disclosure of any Health Information to the minimum information necessary to accomplish the intended purpose of the use or disclosure.

Scope: Uses and Disclosures within the Clark County Combined Health District

Responsibility: Employees of CCCHD

References/Related: Board of Health Resolution

4) The Privacy Official shall review all non-routine disclosures of Health Information (those not occurring on a routine basis) and assist in determining the minimum amount of information necessary to achieve the purpose of the disclosure.

5) CCCHD will need to rely upon the representations accompanying certain requests for disclosure, where permitted by the Privacy Rule, that the amount of requested information is the minimum necessary. CCCHD, in the interest of protecting the individual’s privacy, must question broad requests for Health Information from officials and set appropriate limits on such disclosures (see Procedure #10).

Procedure Approval and Maintenance: The HIPAA Privacy Officer is responsible for annual reviews of this procedure.

Date Description of Review or Change Reviewed or Changed by

2003 Created S. Hiddleson

6/16/17 Reformatted and updated B. Dorsey/C. Conover

08/31/2017 Expanded classes of employees and identified uses of Protected Health Information C. Conover


Divisions: All Divisions of CCCHD Procedure No. 12: Business Associate Contracts

1. When CCCHD uses a contractor or other non-workforce member to perform “business associate” services or activities, CCCHD must include certain protections for the information in a business associate agreement.

2. Business Associates include any entity or person (other than a member of the Clark County Combined Health District’s workforce) that:

a. performs a function or activity on behalf of the Clark County Combined Health District, or
b. provides legal, actuarial, accounting, consulting, data aggregation, management, accreditation, administrative, or financial services for the Clark County Combined Health District.

3. As a matter of principle, if, during the course of performing any services, Health Information will be disclosed to someone who is not part of CCCHD’s workforce, then it is likely that a business associate relationship is created and a Business Associate Contract will be required.

a. Most disclosures of Health Information do not create a business associate relationship.

4. CCCHD Business Agreements are maintained on the CCCHD management drive.

Specific Examples of When a Business Associate Relationship Is Not Created:

• A disclosure of Health Information to a member of the Clark County Combined Health District’s workforce.

• A disclosure for Treatment purposes. For example, exchanges of information with a hospital or other provider to which the Clark County Combined Health District has referred a patient.

• A disclosure for Payment purposes usually does not trigger a business associate relationship. For example, the Clark County Combined Health District may transfer Health Information to a health plan for purposes of payment. However, if the Clark County Combined Health District sends Health Information to a clearinghouse (an organization that translates the data into a standard format to assist with payment (45 C.F.R. 160.103)), it will trigger the need for a Business Associate Contract even though the clearinghouse is a Covered Entity.

• Sending Health Information via the mail or other carrier does not trigger a Business Associate relationship, as there is no intent to disclose Health Information to the carrier.

• Cleaning services/construction contractors and the like do not trigger a business associate relationship even though the cleaners or painters could inadvertently access Health Information. This is because the scope of work does not call for use or disclosure of Health Information. As a practical matter, however, to prevent any inadvertent disclosures, it is advisable to always insert a provision in the contractor's agreement advising them that protected Health Information is on the premises and their employees and agents are prohibited from viewing or accessing any Health Information.

• If a state licensing entity asks for Health Information, this does not give rise to a business associate relationship because such entities are considered health oversight agencies exempt from the need for a Business Associate Contract.

Purpose: Any entity or person (other than CCCHD workforce) that performs a function on behalf of CCCHD or provides a service for CCCHD involving the use or disclosure of Protected Health Information must agree to conditions regarding the maintenance of confidentiality.

Scope: Business Associates of CCCHD

Responsibility: Administrative Team of CCCHD

References/Related: Board of Health Resolution


Specific Examples of when a Business Associate Relationship is Created

• If a contractor is hired to update the computer system and it requires access to any Health Information, even if only to validate their work, then a business associate relationship will arise.

• When an accreditation organization visits and Health Information will be accessed, then a business associate relationship will arise.

5. If a Business Associate Contract is required, use the example language found in the Confidentiality/HIPAA forms. Note that the Contract can be a stand-alone agreement or incorporated into an existing contract or agreement.

6. Note that the Minimum Necessary Rule applies to disclosures to Business Associates.

Procedure Approval and Maintenance: The HIPAA Privacy Officer is responsible for annual reviews of this procedure.

Date Description of Review or Change Reviewed or Changed by

2003 Created S. Hiddleson

6/16/17 Reformatted and updated B. Dorsey/C. Conover

08/31/2017 Reformat, reword C. Conover


Divisions: All Divisions of CCCHD Procedure No. 13: Patients’ Right to Notice of Health Information Privacy Practices and Acknowledgement of Receipt

1. All patients must be informed of the Health Information privacy practices of CCCHD at the time of service delivery.

2. The NOTICE OF HEALTH INFORMATION PRIVACY PRACTICES (See Forms) shall be used for this purpose at CCCHD.

3. CCCHD shall also obtain from the patient a written acknowledgement of receipt of the agency’s NOTICE OF HEALTH INFORMATION PRIVACY PRACTICES.

• In the Nursing and Environmental Divisions, the signed acknowledgement of receipt is scanned and maintained in the Nursing Drive of the CCCHD Server. There is also a place in the electronic medical record (EMR) to indicate that the acknowledgement of receipt was signed. The most recent date of signature is logged in the EMR.

• In the Early Childhood Division, the signed acknowledgement is kept with the client folder.

• In the WIC Division, the signed acknowledgement of confidentiality is an integrated part of the patient chart.

4. The Notice of Health Information Privacy Practices is provided to the patient with every visit. An exception to this is when the visit is a follow-up to a previous visit which occurred within the calendar year.

5. A patient’s refusal to sign an acknowledgement of receipt shall not affect the provision of services by CCCHD, providing that a good faith attempt has been made to obtain such Acknowledgment, and that such effort and the reasons for failing to obtain a signed Acknowledgment are documented and placed in the patient’s file.

Procedure Approval and Maintenance: The HIPAA Privacy Officer is responsible for annual reviews of this procedure.

Date Description of Review or Change Reviewed or Changed by

2003 Created S. Hiddleson

6/16/17 Reformatted and updated B. Dorsey/C. Conover

08/31/2017 Clarified process for acknowledgement of receipt at CCCHD C. Conover

Purpose: All patients must be informed of the Health Information privacy practices of the Clark County Combined Health District at the time of service delivery.

Scope: Clients of CCCHD who are receiving a healthcare service

Responsibility: CCCHD employees providing healthcare services

References/Related: Board of Health Resolution


Divisions: All Divisions of CCCHD Procedure No. 14: Patient’s Right to Request Restrictions on the Use or Disclosure of their Health Information

Procedure:

1) Patients have the right to request restrictions on the use or disclosure of Health Information generated, maintained or received by CCCHD.

2) A patient who requests such restrictions shall complete the REQUEST FOR RESTRICTIONS ON USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION (See Forms).

3) The Clark County Combined Health District must consider, but is not required to agree to the requested restrictions.

4) After the patient completes the REQUEST FOR RESTRICTIONS ON USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION, immediately take it to the Privacy Official or a supervisor. Unless an emergency exists, do not provide healthcare services to the patient until approval of the requested restrictions is obtained from one of these individuals.

5) If the request is not approved, the patient should be informed that she will not be treated unless her request for restrictions is withdrawn. If the patient refuses to withdraw her request, then inform her that a written notice will be sent within the next thirty days explaining the reason(s) for denial of her request.

Procedure Approval and Maintenance: The HIPAA Privacy Officer is responsible for annual reviews of this procedure.

Date Description of Review or Change Reviewed or Changed by

2003 Created S. Hiddleson

6/16/17 Reformatted and updated B. Dorsey/C. Conover

08/31/2017 Reformat, reword C. Conover

Purpose: Patients may request restrictions on the use or disclosure of health Information generated, maintained or received by the Clark County Combined Health District.

Scope: Patients of CCCHD

Responsibility: CCCHD Employees

References/Related: Board of Health Resolution


Divisions: All Divisions of CCCHD

Procedure No. 15: Patients’ Right of Access to their Health Information (45 C.F.R.164.524)

Purpose: Provide a process for Patients to Request Access to their Health Information held at CCCHD.

Scope: Requests for Patients’ Right of access to their health information that extend beyond providing copies of records pertaining to a particular visit or test result.

Responsibility: All CCCHD Employees involved in maintaining or creating Health Information.

References/Related: 45 C.F.R. 164.524; CCCHD Record Retention Policy; Board of Health Resolution

Background:

Rights:

1. Patients shall have the right of access to inspect and copy their Health Information, and CCCHD shall provide each patient with access to his/her Health Information.

• Records are maintained according to the CCCHD record retention schedule.

• The patient’s right to access is subject to certain exceptions and limitations within the Privacy Rule.

• Verification of the authority and identity of the person requesting access to Health Information is required.

2. The Privacy Regulation gives individuals the right to request amendment of their Health Information.

Who:

1. The rights noted in #1 and #2 rest with: 1) the individual, or 2) the ‘personal representative’ of that individual.

• A ‘personal representative’ of a minor child under the Privacy Regulation is generally the parent.

• A ‘personal representative’ of a person who is incompetent to make their own health care decisions will include a guardian who has been authorized to make health care decisions for the client.

• CCCHD’s Confidentiality Policy and Procedure #16 describes exceptions (such as when sensitive services are provided) which allow CCCHD to continue to guarantee confidentiality to minors and clients who are incompetent as described above.

Procedure to Request Access:

1. Patients requesting access to their Health Information should complete the REQUEST FOR ACCESS TO HEALTH INFORMATION form (See Forms).

2. The authority and identity of the person requesting access must be verified by a CCCHD employee.

3. CCCHD shall act on a request for access no later than 30 days after receipt of the request.

4. CCCHD shall arrange with the individual a convenient time and place to inspect or obtain a copy of his/her Health Information, or shall mail a copy of the Health Information to the individual at his/her request.

5. At this time, CCCHD has chosen not to impose any fee.

6. Under certain circumstances access to a patient’s medical records may be limited or denied.


Grounds for denying access to Health Information:

1. An individual may be denied access to her Health Information in the following circumstances, and the provider has no obligation to provide a right of appeal (review) to the individual:

• Information Was Compiled for a Legal Proceeding: When the Health Information was compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

• Psychotherapy Notes: When the requested information meets the definition of “psychotherapy notes” under the Privacy Regulation.

o The Privacy Rule defines psychotherapy notes as notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session and that are separate from the rest of the patient’s medical record. Psychotherapy notes do not include any information about medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, or results of clinical tests; nor do they include summaries of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date. Psychotherapy notes also do not include any information that is maintained in a patient’s medical record. See 45 CFR 164.501. Psychotherapy notes are treated differently from other mental health information both because they contain particularly sensitive information and because they are the personal notes of the therapist that typically are not required or useful for treatment, payment, or health care operations purposes, other than by the mental health professional who created the notes.

• Relates to an Inmate: When the request is from an inmate of a correctional institution, and where CCCHD believes that providing a copy of the information would jeopardize the health, safety, security, custody, or rehabilitation of the inmate or of other inmates, or the safety of any officer, employee, or other person at the correctional institution or responsible for the transporting of the inmate.

• Relates to A Research Study: When the patient has agreed to be denied access to his or her Health Information for the duration of a research study when consenting to participate in a research conducted by or at CCCHD that includes treatment. See 45 C.F.R. 164.524 (a)(2)(iii).

• Obtained with Promise of Confidentiality: When the information was obtained from someone other than a healthcare provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.

• Subject to CLIA: When the information maintained is subject to the Clinical Laboratory Improvements Amendments of 1988 (CLIA), and law prohibits provision of access.

• Records Subject to the Privacy Act, 5 U.S.C. 552a: The Privacy Act of 1974, 5 U.S.C. § 552a, establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies. A system of records is a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifier assigned to the individual. The Privacy Act requires that agencies give the public notice of their systems of records by publication in the Federal Register. The Privacy Act prohibits the disclosure of a record about an individual from a system of records absent the written consent of the individual, unless the disclosure is pursuant to one of twelve statutory exceptions. The Act also provides individuals with a means by which to seek access to and amendment of their records, and sets forth various agency record-keeping requirements.


• Denial, but with reviewable grounds for denial: A covered entity may deny an individual access, provided that the individual is given a right to have such denials reviewed, as required by paragraph (a)(4) of this section, in the following circumstances:

o A licensed health care professional, (the CCCHD Medical Director along with any Nurse Practitioners involved in the assessment and treatment of the client), has determined in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person;

o The protected health information makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person; or

o The request for access is made by the individual's personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.

o Note: the requirement for review and consideration of substantial harm does not apply when the decision is made not to treat a parent or guardian as the individual’s personal representative because of the threat of abuse, neglect, endangerment or domestic violence, or for some other reason. In that case no explanation is required. The requestor may simply be informed that, pursuant to federal law, access to the Health Information is limited to the individual who is the subject of the Information.

What are the procedures governing denial of access?

1. If access is denied for one of the reasons for which the patient is not entitled to review, give the patient a copy of the DENIAL OF REQUEST FOR ACCESS TO HEALTH INFORMATION form (See forms), indicating the applicable reason. Retain a copy of the Denial of Request for Access to Health Information form in the patient’s medical record.

2. If access is denied for one of the reasons for which the patient or his/her personal representative is entitled to review, determine if portions of the record or a summary of the medical record can be made available to the individual.

• If so, give the individual a copy of the DENIAL OF REQUEST FOR ACCESS TO HEALTH INFORMATION form indicating the basis for denial of access and offer the patient either a summary of the record or access to portions thereof.

• If providing a summary or access to limited portions of the record is not possible, or if the patient refuses a summary or access to limited portions of the record, return a copy of the DENIAL OF REQUEST FOR ACCESS TO HEALTH INFORMATION form indicating the reason for denial of access and the individual’s right to have the decision reviewed by another licensed health care professional within the affiliate.

3. If the patient requests, and he/she is entitled to, a review of the denial of access, have him/her complete a REVIEW OF DENIAL OF REQUEST FOR ACCESS TO HEALTH INFORMATION form (See Forms).

• Give a copy of that form and the PATIENT REQUEST FOR ACCESS TO HEALTH INFORMATION form to the CCCHD Medical Director. This reviewer will make a final determination.

• Upon review and determination, send a response to the patient indicating the result of the review and the process the patient may use to file a complaint with the Secretary of Health and Human Services (“HHS”).

• File a copy of all forms and other documentation received from the patient in the patient’s medical record.

• In circumstances where a health care professional believes that revealing information will cause substantial harm to the individual or a third person, extreme care should be exercised in stating the reason for a denial so as not to trigger the harm sought to be avoided.


Procedure Approval and Maintenance: The HIPAA Privacy Officer is responsible for annual reviews of this procedure.

Date | Description of Review or Change | Reviewed or Changed by
2003 | Created | S. Hiddleson
06/25/2016 | Revised/Reformatted; expanded definition of psychotherapy notes and the Privacy Act, 5 U.S.C. 552a; revised/reformatted Attachments F, G, H | C. Conover
6/16/17 | Reformatted and updated | B. Dorsey/C. Conover
08/31/2017 | Reformatted | C. Conover


Procedure No. 16: Rights of Minors; Role of Personal Representatives

Purpose: CCCHD is aware of rights of minors and persons needing personal representation as outlined by the Privacy Rule and the Ohio Revised Code.

Scope: Clark County Combined Health District practices

Responsibility: Administrative Team

References/Related: 45 C.F.R. 164.530; 45 C.F.R. 164.502(g); Ohio Revised Code 3701.242; Board of Health Resolution

Personal Representatives

The HIPAA Privacy Rule recognizes that there may be times when individuals are legally or otherwise incapable of exercising their rights, or choose to designate another to act on their behalf with respect to these rights. A person authorized (under State or other applicable law, e.g., tribal or military law) to act on behalf of the individual in making health care related decisions is the individual’s “personal representative.” Subject to certain exceptions, the Privacy Rule at 45 CFR 164.502(g) requires covered entities to treat an individual’s personal representative as the individual with respect to uses and disclosures of the individual’s protected health information, as well as the individual’s rights under the Rule. This includes:

• CCCHD must provide the individual’s personal representative with an accounting of disclosures in accordance with 45 CFR 164.528;

• CCCHD must provide the personal representative access to the individual’s protected health information in accordance with 45 CFR 164.524 to the extent such information is relevant to such representation;

• A personal representative may also authorize disclosures of the individual’s protected health information.

Scope of Personal Representatives: In general, the scope of the personal representative’s authority to act for the individual under the Privacy Rule derives from his or her authority under applicable law to make health care decisions for the individual.

• Where the person has broad authority to act on the behalf of a living individual in making decisions related to health care, such as is usually the case with a parent with respect to a minor child or a legal guardian of a mentally incompetent adult, the covered entity must treat the personal representative as the individual for all purposes under the Rule, unless an exception (abuse, neglect, endangerment) applies.

• Where the authority to act for the individual is limited or specific to particular health care decisions, the personal representative is to be treated as the individual only with respect to protected health information that is relevant to the representation. For example, a person with an individual’s limited health care power of attorney regarding only a specific treatment, such as use of artificial life support, is that individual’s personal representative only with respect to protected health information that relates to that health care decision. The covered entity should not treat that person as the individual for other purposes, such as to sign an authorization for the disclosure of protected health information for marketing purposes.

• Where the person has authority to act on the behalf of a deceased individual or his estate, which does not have to include the authority to make decisions related to health care, the covered entity must treat the personal representative as the individual with respect to protected health information relevant to such personal representation (e.g., an executor of an estate has the right to access all of the protected health information of the decedent relevant to these responsibilities).


Who Must Be Recognized as the Individual’s Personal Representative? The following chart displays who must be recognized as the personal representative for a category of individuals:


Parents and Unemancipated Minors.

In most cases under the Rule, a parent, guardian, or other person acting in loco parentis (collectively, “parent”) is the personal representative of the minor child and can exercise the minor’s rights with respect to protected health information, because the parent usually has the authority to make health care decisions about his or her minor child. However, the Privacy Rule specifies three circumstances in which the parent is not the “personal representative” with respect to certain health information about his or her minor child. These exceptions generally track the ability of certain minors to obtain specified health care without parental consent under State or other laws, or standards of professional practice. In these situations, the parent does not control the minor’s health care decisions, and thus under the Rule, does not control the protected health information related to that care. The three exceptional circumstances when a parent is not the minor’s personal representative are:

• When State or other law does not require the consent of a parent or other person before a minor can obtain a particular health care service, and the minor consents to the health care service;

• When someone other than the parent is authorized by law to consent to the provision of a particular health service to a minor and provides such consent;

• When a parent agrees to a confidential relationship between the minor and a health care provider.

State Laws Addressing Minors and Parents.

Regardless of whether a parent is the personal representative of a minor child, the Privacy Rule defers to State or other applicable laws that expressly address the ability of the parent to obtain health information about the minor child. In doing so, the Privacy Rule permits a covered entity to disclose to a parent, or provide the parent with access to, a minor child’s protected health information when and to the extent it is permitted or required by State or other laws (including relevant case law). Likewise, the Privacy Rule prohibits a covered entity from disclosing a minor child’s protected health information to a parent, or providing a parent with access to such information, when and to the extent it is prohibited under State or other laws (including relevant case law).

Abuse, Neglect, and Endangerment Situations.

When a physician or other covered entity reasonably believes that an individual, including an unemancipated minor, has been or may be subjected to domestic violence, abuse, or neglect by the personal representative, or that treating a person as an individual’s personal representative could endanger the individual, the covered entity may choose not to treat that person as the individual’s personal representative, if in the exercise of professional judgment, doing so would not be in the best interests of the individual. For example, if a physician reasonably believes that providing the personal representative of an incompetent elderly individual with access to the individual’s health information would endanger that individual, the Privacy Rule permits the physician to decline to provide such access.

Personal Representative for

Ohio Revised Code (State Law) Addressing Rights of Minors and Adults with Developmental Disabilities

3701.242 Informed consent to HIV test required.

(A) An HIV test may be performed by or on the order of a health care provider who, in the exercise of the provider's professional judgment, determines the test to be necessary for providing diagnosis and treatment to the individual to be tested, if the individual or the individual's parent or guardian has given consent to the provider for medical or other health care treatment. The health care provider shall inform the individual of the individual's right under division (D) of this section to an anonymous test.

(B) A minor may consent to be given an HIV test. The consent is not subject to disaffirmance because of minority. The parents or guardian of a minor giving consent under this division are not liable for payment and shall not be charged for an HIV test given to the minor without the consent of a parent or the guardian.


3709.241 Minor may give consent for diagnosis or treatment of venereal disease.

Notwithstanding any other provision of law, a minor may give consent for the diagnosis or treatment of any venereal disease by a licensed physician. Such consent is not subject to disaffirmance because of minority. The consent of the parent, parents, or guardian of a minor is not required for such diagnosis or treatment. The parent, parents, or guardian of a minor giving consent under this section are not liable for payment for any diagnostic or treatment services provided under this section without their consent.

3719.012 Minor may give consent to diagnosis or treatment of condition caused by drug or alcohol abuse.

(A) Notwithstanding any other provision of law, a minor may give consent for the diagnosis or treatment by a physician licensed to practice in this state of any condition which it is reasonable to believe is caused by a drug of abuse, beer, or intoxicating liquor. Such consent shall not be subject to disaffirmance because of minority.

(B) A physician licensed to practice in this state, or any person acting at his direction, who in good faith renders medical or surgical services to a minor giving consent under division (A) of this section, shall not be subject to any civil or criminal liability for assault, battery, or assault and battery.

(C) The parent or legal guardian of a minor giving consent under division (A) of this section is not liable for the payment of any charges made for medical or surgical services rendered such minor, unless the parent or legal guardian has also given consent for the diagnosis or treatment.

5120.172 Consent to medical treatment of minor prosecuted as adult.

A minor whose case is transferred for criminal prosecution pursuant to section 2152.12 of the Revised Code, who is prosecuted as an adult and is convicted of or pleads guilty to one or more offenses in that case, and who is sentenced to a prison term or term of imprisonment in a state correctional institution for one or more of those offenses shall be considered emancipated for the purpose of consenting to medical treatment while confined in the state correctional institution.

2907.29 Hospital emergency services for victims of sexual offenses.

Every hospital of this state that offers organized emergency services shall provide that a physician, a physician assistant, a clinical nurse specialist, a certified nurse practitioner, or a certified nurse-midwife is available on call twenty-four hours each day for the examination of persons reported to any law enforcement agency to be victims of sexual offenses cognizable as violations of any provision of sections 2907.02 to 2907.06 of the Revised Code. The physician, physician assistant, clinical nurse specialist, certified nurse practitioner, or certified nurse-midwife, upon the request of any peace officer or prosecuting attorney and with the consent of the reported victim or upon the request of the reported victim, shall examine the person for the purposes of gathering physical evidence and shall complete any written documentation of the physical examination. The director of health shall establish procedures for gathering evidence under this section. Each reported victim shall be informed of available venereal disease, pregnancy, medical, and psychiatric services. Notwithstanding any other provision of law, a minor may consent to examination under this section. The consent is not subject to disaffirmance because of minority, and consent of the parent, parents, or guardian of the minor is not required for an examination under this section. However, the hospital shall give written notice to the parent, parents, or guardian of a minor that an examination under this section has taken place. The parent, parents, or guardian of a minor giving consent under this section are not liable for payment for any services provided under this section without their consent.


5122.04 Outpatient services for minors without knowledge or consent of parent or guardian.

(A) Upon the request of a minor fourteen years of age or older, a mental health professional may provide outpatient mental health services, excluding the use of medication, without the consent or knowledge of the minor's parent or guardian. Except as otherwise provided in this section, the minor's parent or guardian shall not be informed of the services without the minor's consent unless the mental health professional treating the minor determines that there is a compelling need for disclosure based on a substantial probability of harm to the minor or to other persons, and if the minor is notified of the mental health professional's intent to inform the minor's parent, or guardian.

(B) Services provided to a minor pursuant to this section shall be limited to not more than six sessions or thirty days of services whichever occurs sooner. After the sixth session or thirty days of services the mental health professional shall terminate the services or, with the consent of the minor, notify the parent, or guardian, to obtain consent to provide further outpatient services.

(C) The minor's parent or guardian shall not be liable for the costs of services which are received by a minor under division (A).

(D) Nothing in this section relieves a mental health professional from the obligations of section 2151.421 of the Revised Code.

(E) As used in this section, "mental health professional" has the same meaning as in section 340.02 of the Revised Code.

5126.043 Decisions by individuals with mental retardation or other developmental disability; authorization for decision by adult; decisions by guardian.

(A) Unless a guardian has been appointed for the individual, when a decision regarding receipt of a service or participation in a program provided for or funded under this chapter or Chapter 5123. or 5124. of the Revised Code by an individual with mental retardation or other developmental disability must be made, the individual shall be permitted to make the decision. The individual may obtain support and guidance from an adult family member or other person, but doing so does not affect the right of the individual to make the decision.

(B) An individual with mental retardation or other developmental disability may authorize an adult to make a decision described in division (A) of this section on the individual's behalf, as long as the adult does not have a financial interest in the decision. The authorization shall be made in writing.

(C) If a guardian has been appointed for an individual with mental retardation or other developmental disability, the guardian shall make any decision described in division (A) of this section on behalf of the individual. This section does not require appointment of a guardian.

(D) Individuals with mental retardation and other developmental disabilities, including those who have been adjudicated incompetent pursuant to Chapter 2111. of the Revised Code, have the right to participate in decisions that affect their lives and to have their needs, desires, and preferences considered. An adult or guardian who makes a decision pursuant to division (B) or (C) of this section shall make a decision that is in the best interests of the individual on whose behalf the decision is made and that is consistent with the needs, desires, and preferences of that individual.


Procedure Approval and Maintenance: The HIPAA Privacy Officer is responsible for annual reviews of this procedure.

Date | Description of Review or Change | Reviewed or Changed by
2003 | Created | S. Hiddleson
03/16/2016 | Revised to allow persons other than Privacy Official to be point of contact for complaint and investigation; moved repository of documented breaches and logged complaints to Management Drive rather than the Common Shared folders where it was stored previously; revised to allow an internal memo to serve as documentation of client complaint rather than requiring client to submit complaint in writing | C. Conover
06/26/2016 | Added detail | C. Conover
6/16/17 | Reformatted and updated | B. Dorsey/C. Conover
08/31/2017 | Changed content to reflect information at HHS | C. Conover


Procedure No. 17: Patient’s Right to Accounting of Disclosures

The Clark County Combined Health District shall grant patient requests for an accounting of disclosures of their Health Information in accordance with the provisions of this Procedure.

1) Role: The Privacy Official is responsible for ensuring compliance with requests for an accounting of disclosures of Health Information.

2) Request Form: Patients requesting an accounting of disclosures must complete the REQUEST FOR ACCOUNTING OF DISCLOSURES OF HEALTH INFORMATION (See Forms).

3) An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures:

a. To carry out treatment, payment and health care operations as provided in § 164.506;
b. To individuals of protected health information about them as provided in § 164.502;
c. Incident to a use or disclosure otherwise permitted or required by this subpart, as provided in § 164.502;
d. Pursuant to an authorization as provided in § 164.508;
e. For the facility's directory or to persons involved in the individual's care or other notification purposes as provided in § 164.510;
f. For national security or intelligence purposes as provided in § 164.512(k)(2);
g. To correctional institutions or law enforcement officials as provided in § 164.512(k)(5);
h. As part of a limited data set in accordance with § 164.514(e);
i. (Not applicable) That occurred prior to the compliance date for the covered entity.

4) An individual may request an accounting of disclosures for a period of time less than six years from the date of the request.

5) CCCHD must temporarily suspend an individual's right to receive an accounting of disclosures to a health oversight agency or law enforcement official, if such agency or official provides the covered entity with a written statement that such an accounting to the individual would be reasonably likely to impede the agency's activities. The statement must specify the length of time for the suspension. If this statement by an oversight agency or official is made orally, CCCHD must:

a. Document the statement, including the identity of the agency or official making the statement;
b. Temporarily suspend the individual's right to an accounting of disclosures subject to the statement; and
c. Limit the temporary suspension to no longer than 30 days from the date of the oral statement, unless a written statement of this section is submitted during that time.

Purpose: A patient may receive an accounting of disclosures of his/her Protected Health Information (PHI) upon request.

Scope: Clients of the CCCHD who are receiving healthcare services or services that support healthcare, such as case management.

Responsibility: CCCHD employees

References/Related: Board of Health Resolution; 45 CFR 164.528


6) Disclosure Content: The covered entity must provide the individual with a written accounting that meets the following requirements.

a. The accounting must include disclosures of protected health information that occurred during the six years prior to the request date (or such shorter time period at the request of the individual), including disclosures to or by business associates of the covered entity.

b. The accounting must include for each disclosure:
• The date of the disclosure;
• The name of the entity or person who received the protected health information;
• If known, the address of such entity or person;
• A brief description of the protected health information disclosed;
• A brief statement of the purpose of the disclosure.

c. Repeated Disclosures: If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the same person or entity for a single purpose, the accounting may, with respect to such multiple disclosures, provide:
• The information required above;
• The frequency, periodicity, or number of the disclosures made during the accounting period;
• The date of the last such disclosure during the accounting period.

d. Research Disclosures: If, during the period covered by the accounting, the covered entity has made disclosures of protected health information for a particular research purpose for 50 or more individuals, the accounting may, with respect to such disclosures for which the protected health information about the individual may have been included, provide:
• The name of the protocol or other research activity;
• A description, in plain language, of the research protocol or other research activity, including the purpose of the research and the criteria for selecting particular records;
• A brief description of the type of protected health information that was disclosed;
• The date or period of time during which such disclosures occurred, or may have occurred, including the date of the last such disclosure during the accounting period;
• The name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed; and
• A statement that the protected health information of the individual may or may not have been disclosed for a particular protocol or other research activity.
• If the covered entity provides an accounting for research disclosures, and if it is likely that the protected health information of the individual was disclosed for a research protocol or activity, the covered entity shall, at the request of the individual, assist in contacting the entity that sponsored the research and the researcher.

7) Providing the accounting:

a. The covered entity must act on the individual's request for an accounting no later than 60 days after receipt of such a request.
• If the covered entity is unable to provide the accounting within the time required, the covered entity may have a one-time 30-day extension, provided that the covered entity, within the time limit, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will provide the accounting.
• CCCHD does not charge for the accounting.
• CCCHD documents the content of the accounting and the titles of the persons or offices responsible for receiving and processing requests for an accounting by individuals.


Procedure Approval and Maintenance: The HIPAA Privacy Officer is responsible for annual reviews of this procedure.

Date | Description of Review or Change | Reviewed or Changed by
2003 | Created | S. Hiddleson
6/16/17 | Reformatted and updated | B. Dorsey/C. Conover
09/01/2017 | Added detail from CFR | C. Conover


Procedure No. 18: Patient’s Right to Request an Amendment to their Health Information

1) Patients shall have the right to request amendment of their Health Information.

2) Patients should use the REQUEST FOR AMENDMENT OF HEALTH INFORMATION form (See forms) to request an amendment. The form should be sent to the Privacy Official, who should oversee all requests for amendment.

3) The Privacy Official must then take the REQUEST FOR AMENDMENT OF HEALTH INFORMATION form to the healthcare professional who treated the patient or to a supervisory healthcare professional to review.

4) Accepting the amendment. If the healthcare professional accepts the patient’s amendment, he/she should:

a. Amend: make the appropriate amendment to the protected health information or record.

b. Sign: sign and date the REQUEST FOR AMENDMENT OF HEALTH INFORMATION as amended and make a note at this site in the record to which the amendment applies.

c. The healthcare professional may also add a comment to the REQUEST FOR AMENDMENT OF HEALTH INFORMATION.

d. Informing the individual. CCCHD must inform the individual that the amendment is accepted and obtain the individual's identification of and permission to notify the relevant persons with which the amendment needs to be shared.

e. Informing others. The CCCHD must make reasonable efforts to inform and provide the amendment within a reasonable time to persons identified as having received protected health information about the individual and needing the amendment; and persons, including business associates, that the covered entity knows have the protected health information that is the subject of the amendment and that may have relied, or could foreseeably rely, on such information to the detriment of the individual.

f. A copy of the REQUEST FOR AMENDMENT OF HEALTH INFORMATION indicating acceptance should then be filed in the patient’s medical record and a copy sent to the patient. The Privacy Official should retain the original copy of the REQUEST FOR AMENDMENT OF HEALTH INFORMATION.

5) Justification for denying the amendment.

a. Requests for amendment of Health Information shall be denied if:
• The Clark County Combined Health District did not create the information;
• The information is not part of the medical record;
• The information is not available for patient access and inspection (such as under 164.524);
• The information is accurate and complete.

6) Process for denying the amendment. If the CCCHD denies the requested amendment, in whole or in part, the covered entity must comply with the following requirements:

a. Written denial. CCCHD must provide the individual with a timely, written denial. The denial must use plain language and contain:
• The basis for the denial;
• The individual's right and procedure to submit a written statement disagreeing with the denial;
• A statement that if the individual does not submit a statement of disagreement, the individual may request that on any future disclosures of protected health information that was the subject of the amendment, CCCHD also provide the individual's request for amendment and the denial documentation;
• A description of how the individual may complain to CCCHD pursuant to the agency’s complaint procedures or to the Secretary (Health and Human Services) pursuant to the procedures established in §160.306. The description must include the name, or title, and telephone number of the contact person or office designated to receive complaints.

Purpose: Patients have the right to request amendment of their Health Information.

Scope: Patients of CCCHD

Responsibility: CCCHD Employees

References/Related: Board of Health Resolution


b. Statement of disagreement. CCCHD must permit the individual to submit a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such disagreement.

c. Rebuttal statement. CCCHD may prepare a written rebuttal to the individual's statement of disagreement. Whenever such a rebuttal is prepared, CCCHD must provide a copy to the individual who submitted the statement of disagreement.

d. Recordkeeping. CCCHD must, as appropriate, identify the record or protected health information in the designated record set that is the subject of the disputed amendment and append or otherwise link the individual's request for an amendment, the agency’s denial of the request, the individual's statement of disagreement, if any, and the agency’s rebuttal, if any, to the designated record set.

7) Future disclosures.

a. If a statement of disagreement has been submitted by the individual, the CCCHD must include the material appended or, at the election of CCCHD, an accurate summary of any such information, with any subsequent disclosure of the protected health information to which the disagreement relates.

b. If the individual has not submitted a written statement of disagreement, CCCHD must include the individual's request for amendment and its denial, or an accurate summary of such information, with any subsequent disclosure of the protected health information only if the individual has requested such action.

8) Actions on notices of amendment. A covered entity that is informed by CCCHD of an amendment to an individual's protected health information must amend the protected health information in designated record sets.

9) Documentation. CCCHD must document the titles of the persons or offices responsible for receiving and processing requests for amendments by individuals and retain the documentation according to the CCCHD Record Retention Policy.

10) Timeframe: CCCHD must act on the individual's request for an amendment no later than 60 days after receipt of such a request. CCCHD may take a one-time extension of 30 days if it provides the individual with a written statement of the reasons for the delay and the date by which the CCCHD will complete its action on the request.

Procedure Approval and Maintenance: The HIPAA Privacy Officer is responsible for annual reviews of this procedure.

Date | Description of Review or Change | Section or Pages Affected | Reviewed or Changed by
2003 | Created | All | C. Conover
6/16/17 | Reformatted and updated | All | B. Dorsey/C. Conover
09/01/2017 | Added text closer mirroring the CFR language | All | C. Conover


Clark County Combined Health District (CCCHD) 529 East Home Road Springfield, OH 45503

Divisions: All Divisions of CCCHD Procedure No. 19: Patients’ Right to File Complaints (45 C.F.R. 164.530(d)(1))

Purpose: Sustain a process by which a client can submit a complaint about a perceived breach of confidentiality.

Scope: Clark County Combined Health District

Responsibility: Administrative Team

References/Related: 45 C.F.R. 164.530; Board of Health Resolution; CCCHD’s (Agency Level) Complaint Procedure

The Clark County Combined Health District shall provide a process for individuals to submit complaints regarding its privacy practices and shall document the receipt and disposition of all such complaints.

1. Procedure:

1.1. A member of the Clark County Combined Health District’s Administrative Team, or the Privacy Officer shall be the point of contact for complaints.

1.2. The point of contact shall document all such complaints using an Internal Memo to the file or shall retain a client’s submitted written complaint.

1.3. The point of contact shall then evaluate, and if necessary, further investigate, the complaint.

1.4. Upon completion of this evaluation/investigation, the Privacy Official, working with senior management as necessary and appropriate, shall document the disposition of the written complaint.

1.5. Where appropriate, sanctions should be imposed on any CCCHD workforce (volunteers or employees) found to have violated the Clark County Combined Health District’s privacy practices as set out in these Policies & Procedures.

1.6. When appropriate, the Privacy Officer or a member of CCCHD’s Administrative Team will respond to the client regarding the concerns raised, the investigation process and its status, and the corrective measures taken to re-establish confidentiality of the affected Health Information.

1.6.1. The client should be informed of his/her right to submit a complaint to the Secretary of Health and Human Services as per 45 C.F.R. 160.306 (Complaints to the Secretary).

1.6.1.1. Right to file a complaint. A person who believes a covered entity or business associate is not complying with the administrative simplification provisions may file a complaint with the Secretary.

1.6.1.2. Requirements for filing complaints. Complaints under this section must meet the following requirements:

(1) A complaint must be filed in writing, either on paper or electronically.

(2) A complaint must name the person that is the subject of the complaint and describe the acts or omissions believed to be in violation of the applicable administrative simplification provision(s).

(3) A complaint must be filed within 180 days of when the complainant knew or should have known that the act or omission complained of occurred, unless this time limit is waived by the Secretary for good cause shown.

(4) The Secretary may prescribe additional procedures for the filing of complaints, as well as the place and manner of filing, by notice in the Federal Register.


More information, including links for filing a complaint, is available here: http://www.hhs.gov/hipaa/filing-a-complaint/index.html

1.7. The point of contact shall also advise the Health Commissioner and the Privacy Officer of the status of all complaints received and their disposition.

1.8. The following items shall be filed in the HIPAA Complaint Repository folder in Management Drive of the CCCHD Servers:
1) Written record (by client or by staff) of complaint of confidentiality breach
2) Investigative actions performed by CCCHD point of contact
3) Disposition/findings of investigation
4) General information about sanctions imposed as necessary
5) Whether or not client was given information to further pursue complaint with Health and Human Services, as indicated on the client’s Notice of Health Information.
6) Notice of Health Commissioner and Privacy Officer made aware of complaint and follow-up

Procedure Approval and Maintenance: The HIPAA Privacy Officer is responsible for annual reviews of this procedure.

Date | Description of Review or Change | Section or Pages Affected | Reviewed or Changed by
2003 | Created | All | S. Hiddleson
03/16/2016 | • Revised to allow persons other than Privacy Official to be point of contact for complaint and investigation. • Moved Repository of documented breaches and logged complaints to Management Drive rather than as stored previously on Common Shared folders. • Revised to allow an Internal memo to serve as documentation of client complaint rather than requiring client to submit complaint in writing. | 1 | C. Conover
06/26/2016 | Added detail and link to file complaint with HHS | 1-2 | C. Conover
6/19/17 | Reformatted and updated | 2 | B. Dorsey/C. Conover


Clark County Combined Health District (CCCHD) 529 East Home Road Springfield, OH 45503

Divisions: Agency Wide

Customer Complaint Procedure

Purpose: To accept, document and process customer complaints regarding CCCHD

Scope: Customers of CCCHD and residents of Clark County

Responsibility: CCCHD staff

References/Related: Title VI; Title VII; Americans with Disabilities Act; Culturally and Linguistically Appropriate Services (CLAS) Plan; Health Insurance Portability and Accountability Act (HIPAA) Policy and Procedure

Procedure:

*Please note the flow chart that is part of this procedure is the primary tool for processing a customer complaint.

1) Notification of Client Rights: Clients are notified of their client rights in the following ways:
a. Posted in lobby of CCCHD East Home Road office.
b. Posted in lobby of CCCHD High Street office.
c. Distributed to clients of Early Childhood Division (ECD).
d. Distributed to clients of the Women Infant and Children (WIC) Division.

2) Awareness of Complaint Process: Clients are notified of the option to utilize the CCCHD Complaint Process:
a. Posted in lobby of CCCHD East Home Road office.
b. Posted in lobby of CCCHD High Street office.
c. Posted in New Carlisle Office.
d. Distributed to clients of Early Childhood Division (ECD).
e. Distributed to clients of the Women Infant and Children (WIC) Division.
f. Distributed to clients receiving services which fall under the scope of HIPAA.

3) Receive Complaint: Client complaints are received in writing, verbally, or electronically. Anonymous complaints are accepted.

4) Document Complaint: The CCCHD representative documents information about the complaint using the Customer Complaint form.

5) Notifications: Depending on the nature of the complaint (discrimination, confidentiality or other), notify the appropriate parties as per the flow chart.

6) Legal: Consult legal counsel as needed.

7) Mitigation and Resolution: Resolve through the initial conversation or through follow-up or investigation. Mitigation and/or resolution may involve employee discipline or further interventions for a specific client's care. Details of these items should be documented in the client or employee record.

Procedure Approval and Maintenance: This procedure will be maintained by the CCCHD Core Team and will be reviewed annually for necessary revisions.

Date | Description of Review or Change | Section or Pages Affected | Reviewed or Changed by
05/17/2017 | Created | All | C. Conover


Flow Chart for Complaint Process, Clark County Combined Health District (first page of the chart, rendered here as text)

Clients aware of Complaint Process:
• Displayed in lobby of Home Road Office (E)
• Displayed in lobby of High Street Office
• Displayed in New Carlisle Office
• Early Childhood Division Programs: written material
• WIC Division: written material
• Services necessitating HIPAA: written notice re: complaints about confidentiality

Client brings a complaint or grievance:
1) Written (letter, completed complaint form)
2) Verbal (phone, face to face)
3) Electronically (email, private message through social media, customer satisfaction survey)
4) Anonymous complaints will be accepted

CCCHD representative receiving the complaint gathers information on the Complaint form.
1) Form found: Common Shared Folders‐ _CCCHD Dept Wide P&P

Forward complaint to Division Director.

Is the complaint related to something other than confidentiality or discrimination? If YES, see next page.

Is the complaint related to confidentiality or HIPAA? If YES: consult the HIPAA Privacy/Security Officer and the Health Commissioner, and follow CCCHD Policy & Procedure No. 19: Patients’ Right To File Complaints (45 C.F.R. 164.530(d)(1)).

Was the complaint related to discrimination or civil rights? If YES: consult the Health Commissioner/Admin Assistant. Applicable standards include:
• Title VI
• Title VII
• Section 504/Americans with Disabilities Act
Division Directors are responsible for additional actions as specified by grants/programs. Consult legal counsel and follow mandatory processes.

Title VI Civil Rights Act Complaint Procedure
Step 1: The person suffering the alleged discrimination shall report the alleged discriminatory activity to the designated agency staff person.
Step 2: If it cannot be resolved, a written complaint form shall be completed and forwarded by the designated person to his/her Director within five (5) working days.
Step 3: If satisfaction is not achieved at step 2, the complaint form shall be forwarded by the Director to the Director of the Agency (Health Commissioner) within five (5) working days.
Step 4: If satisfaction is not achieved at step 3, the Director/Health Commissioner shall bring the complaint before the Board of Health within a period of ten (10) working days.
Step 5: If satisfaction is not achieved by the complainant in step 4, the complaint form and a summary of all actions taken locally shall be referred to the appropriate funding source within fifteen (15) working days.


Flow Chart for Complaint Process, Clark County Combined Health District (second page of the chart, rendered here as text)

Complaint is related to something other than confidentiality or discrimination:
• Resolved through initial conversation (note on Part 1 of Complaint Form)
• Unresolved after initial conversation

If Complaint Unresolved: Investigate/Follow Up and Mitigation
• Use Part 2 of the complaint form to document investigation/follow-up activities, including mitigation efforts.
• Depending on the nature of the complaint, it may be necessary to inform the customer of options to report to oversight agencies of CCCHD’s programs.
• Division Directors are responsible for additional actions as specified by grants/programs.
• Details of mitigation activities that may include client-specific interventions involving personal information should be mentioned briefly (without identifiers). Necessary detailed documentation should be reserved for follow up in the client chart.

When Complaint is Resolved, file chart:
• Division Director may choose to keep a copy at the Division level.
• Copy to be scanned to Management drive for oversight by Health Commissioner. Location is: M:\Complaints‐ Customers
• Records to be kept for two (2) years per record retention.

If Complaint Results in Employee Discipline, follow the process of the CCCHD Personnel Policy. Discipline can be briefly referenced in the investigation (without identifiers), but detailed documentation should occur through the discipline procedure and be kept separate from the complaint documentation.

**End**


Clark County Combined Health District

Customer Complaint Form (Part 1: Documenting Initial Complaint)
Form Created 051717/CC

Initial Response to this Complaint: ____ Notes: ____

Processing the Complaint
Select Situation | Notify
This incident is regarding a breach of confidentiality. | Supervisor and/or Director; HIPAA Privacy/Security Officer
This incident is regarding discrimination or civil rights. | Supervisor and/or Director; Admin Assistant to the Health Commissioner
This incident is regarding service other than discrimination, civil rights or confidentiality. | Supervisor and/or Director

Is this matter resolved? (Yes / No)
If no, assign a case number using the 6-digit date the report was made (mmddyy) and a division acronym (ADM, ECD, EHD, ND, WIC), i.e. mmddyyADM.

Complaint Information
Date Complaint Received: ____ Time Complaint Received: ____
Complaint Taken by: ____ Division/Title: ____

Complainant Information (anonymous complaints accepted)
Name: ____
Mailing Address: ____
Phone Number: ____
Email: ____

Information about Occurrence
Date of Occurrence: ____ Time of Occurrence: ____
Location: ____ Division or Staff Member Involved: ____
Narrative of Event: (field expands)


Clark County Combined Health District

Customer Complaint Form (Part 2: Investigation or Follow-Up of Complaint)
Form Created 051717/CC

Case Number: ____ (see initial complaint)

Is this complaint related to any of these areas? [ ] Confidentiality [ ] Discrimination or Civil Rights [ ] Other

Documentation of Investigation or Follow-Up
Please include information regarding quality assurance checks, procedure review, data collection from CCCHD workforce, contacts (after initial) to seek more information from the complainant, etc. Disciplinary activity related to this occurrence should be documented according to the CCCHD discipline procedure and details of that activity should be avoided in this documentation.
Date/Time | Investigation or Follow-Up Activities | By Whom

Resolution
A complaint is considered active until declared “Resolved” or filed as “Unresolved”. Select one:
[ ] Yes, this case has been investigated and is now resolved.
[ ] This case will be filed as “Unresolved” for the reasons noted in documentation above.
Date | By Whom (Signature) | Print Name/Title


Clark County Combined Health District (CCCHD) 529 East Home Road Springfield, OH 45503

Divisions: All Divisions of CCCHD Procedure No. 20: HIPAA Training for Short-Term Students/Volunteers/Observers

Procedure:

1. Background:
a. Students, volunteers, and observers can be part of the workforce of CCCHD.
b. During their time at CCCHD, they may be exposed to information that is considered Protected Health Information.
c. Confidentiality of such information is an expectation of all workforce, including students, volunteers and observers.
d. There is a short training required for these individuals who are temporarily part of the CCCHD workforce.

2. The CCCHD point of contact is responsible for arranging a time for the student/volunteer/observer to receive the Student HIPAA Training Binder kept within each CCCHD division.

3. In each Student HIPAA Training Binder, there should be blank copies of the worksheet, HIPAA for Students and Volunteers.

a. This document is also found at: P:\HIPAA & ROI\HIPAA for students&volunteers\HIPAA for Students & Volunteers- CCCHD.doc.

4. Step 1 of the worksheet can be completed by the student/volunteer/observer, using either option (the link to the video or time to review the binder).

5. Step 2 of the worksheet is used to demonstrate understanding.

6. Step 3 must be completed to indicate commitment and understanding.

7. The completed worksheet should be reviewed and signed by the CCCHD employee who is facilitating the student experience and forwarded to the HIPAA Privacy Officer.

Purpose: Provide Health Insurance Portability and Accountability Act (HIPAA) training for Students/Volunteers or other short-term associates of Clark County Combined Health District.

Scope: Students, volunteers, and observers who will only be doing or observing the business of the Health District for a short time and who will not be asked to complete the full one-hour video with test orientation to HIPAA that is commonly used by CCCHD.

Responsibility: Point of contact for the student/volunteer or observer should facilitate the completion of the training.

References/Related:
• 45 C.F.R. §160.103; 45 C.F.R. § 164.530(b)
• HIPAA for Students and Volunteers
• Board of Health Resolution


Procedure Approval and Maintenance: The HIPAA Privacy Officer is responsible for annual reviews of this procedure.

Date | Change | By Whom
04/10/15 | Created | C. Conover
02/03/2017 | CCCHD employee reviews and signs the form after completion by student. | C. Conover
6/19/17 | Reformatted and updated | B. Dorsey/C. Conover


Clark County Combined Health District (CCCHD) 529 East Home Road Springfield, OH 45503

Divisions: All Divisions of CCCHD Procedure No. 21: Encrypting Email Correspondence

Policy: HIPAA Policy

Procedure:

1) If an outgoing email message meets both of these conditions, the message must be encrypted:
• It contains Protected Health Information in the subject line, the body of the email or an attachment to the email, and
• It is going to an address outside of the CCCHD email domain (for example, it is being sent to an email address with a suffix other than “@ccchd.com”).

Please note: email sent within the CCCHD email domain does not need to be encrypted. All CCCHD personnel are responsible for maintaining the confidentiality of protected health information.

2) In the subject line, include the word “encrypted”. It is not case sensitive, but correct spelling of the word “encrypted” is important. Formulate the rest of the message content as necessary and send.

3) If the recipient may be unfamiliar with encryption, it is recommended that he/she be contacted before or after the encrypted message has been sent to verify that the transmission of sensitive information was successful.

Example text: “You have recently been sent an email from Clark County Combined Health District that has been encrypted. By following the steps in that email, you will be able to retrieve the necessary protected information. Please contact me by phone, (937) 390-5600, if you are unsuccessful in retrieving the message.”
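The two conditions in step 1 and the subject-line keyword rule in step 2 can be applied as a pre-send check. The following is an added example, not part of the CCCHD procedure: the PHI flag is supplied by the sender or an upstream classifier, and the sample drafts and every address outside the @ccchd.com domain are constructed for illustration.

```python
"""Pre-send check modelled on CCCHD Procedure No. 21 (added example).

A draft must carry the word "encrypted" in its subject when it holds PHI and
any recipient is outside the CCCHD domain. The PHI flag comes from the sender
or an upstream classifier; sample data below is constructed.
"""
from dataclasses import dataclass, field
from email.utils import getaddresses
import re

INTERNAL_DOMAIN = "ccchd.com"   # the procedure's "@ccchd.com" suffix
# Whole word, any case: "ENCRYPTED:" counts, "unencrypted" and "encrpyted" do not.
KEYWORD = re.compile(r"\bencrypted\b", re.IGNORECASE)


@dataclass
class Draft:
    subject: str
    to: list
    cc: list = field(default_factory=list)
    contains_phi: bool = False   # PHI in subject, body or attachment (step 1)


def external_recipients(draft: Draft) -> list:
    """Recipients whose domain is not exactly the CCCHD domain.

    getaddresses() strips display names ("Jane <jane@x.org>"); comparing the
    whole domain keeps look-alikes such as "ccchd.com.example.net" external.
    """
    external = []
    for _name, addr in getaddresses(draft.to + draft.cc):
        domain = addr.rpartition("@")[2].strip().lower()
        if domain != INTERNAL_DOMAIN:
            external.append(addr)
    return external


def has_keyword(subject: str) -> bool:
    """Step 2: the subject must contain the correctly spelled word."""
    return KEYWORD.search(subject) is not None


def check(draft: Draft) -> str:
    """NOT_REQUIRED (internal only or no PHI), OK (keyword present), BLOCK."""
    if not draft.contains_phi or not external_recipients(draft):
        return "NOT_REQUIRED"
    return "OK" if has_keyword(draft.subject) else "BLOCK"


# Constructed drafts (not CCCHD messages) walked through the check.
SAMPLES = [
    Draft("Lab results for client 4471", ["dr.smith@hospital.example"], contains_phi=True),
    Draft("ENCRYPTED: lab results", ["dr.smith@hospital.example"], contains_phi=True),
    Draft("Lab results", ["Jane Doe <Jane@CCCHD.COM>"], contains_phi=True),
    Draft("unencrypted export", ["nurse@ccchd.com"], cc=["x@ccchd.com.evil.example"],
          contains_phi=True),
    Draft("Staff meeting agenda", ["vendor@example.org"]),
]

if __name__ == "__main__":
    for d in SAMPLES:
        print(f"{check(d):13} {d.subject!r} -> {d.to + d.cc}")
```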

Purpose: To direct a CCCHD employee through the process of encrypting an email message containing protected health information.

Scope: This procedure pertains to any email correspondence sent outside of the CCCHD email domain which contains personal or protected health information in the subject line, the body of the email or the attachment to the email.

Responsibility: All CCCHD employees who have access to protected health information

References/Related: Health Insurance Portability and Accountability Act (HIPAA) Policies of CCCHD.


Figure 1. CCCHD employee sends an encrypted message.

Figure 2. Recipient of message receives notification of an encrypted message from a CCCHD email address and must click on the link.

Callouts from the figures:
• Email is going to an email address outside of the CCCHD domain.
• Subject line includes the word “encrypted”.
• The password created by the email recipient will be used to open this encrypted message, in addition to any other encrypted messages from CCCHD personnel in the future. It is recommended that the recipient store the password in case future encrypted messages are necessary.


Figure 3. Recipient of encrypted email clicks on the link as directed above and creates a password.

Figure 4. Message becomes available to recipient.

Callout: Select to read message.


Figure 5. Recipient views full message.

Procedure Approval and Maintenance: The HIPAA Privacy Officer is responsible for annual reviews of this procedure.

Date | Description of Review or Change | Section or Pages Affected | Reviewed or Changed by
5/14/15 | Created | All | C. Conover
5/18/15 | Updated/Revised | All | C. Conover
5/18/15 | Approved/Reviewed | All | C. Conover
6/19/17 | Updated and Reformatted | All | B. Dorsey/C. Conover


Clark County Combined Health District (CCCHD) 529 East Home Road Springfield, OH 45503

Divisions: All Divisions of CCCHD Procedure No. 22: Transporting Locked Envelopes

Procedure:

1) Put all records with PHI inside a CCCHD supplied locked bag for transport.

2) Lock the bag and carry the key on your person or in a bag such as a purse.

3) When at destination, use key to unlock bag and retrieve only the records pertaining to the client being seen. If other client records are in the bag, re-lock bag until ready to return all records to bag.

4) If transporting charts between offices, charts may be removed at destination and stored using the secured method for that particular office.

5) If an incident occurs during transport and the CCCHD employee responsible for the transport of records is incapacitated or otherwise unable to recover records, it is the responsibility of the employee’s division director or his/her designee to retrieve records, complete immediate mitigation efforts and report any breaches to the CCCHD HIPAA Officer.

Procedure Approval and Maintenance: The HIPAA Privacy Officer is responsible for annual reviews of this procedure.

Date | Description of Review or Change | Reviewed or Changed by
3/16/16 | Created | CC
6/19/17 | Updated and Reformatted | B. Dorsey/C. Conover

Purpose: To prevent confidentiality breach while transporting protected health information between offices or between an office and a location of client visit/interaction.

Scope: Protected Health Information (PHI), or individually identifiable health information is information, including demographic data, that relates to any of these:

• the individual’s past, present or future physical or mental health
• the provision of health care to the individual
• payment for the provision of health care

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.

Responsibility: All CCCHD employees who have access to protected health information

References/Related: Health Insurance Portability and Accountability Act


Clark County Combined Health District (CCCHD) 529 East Home Road Springfield, OH 45503

Divisions: All Divisions of CCCHD Procedure No. 23: Response to a Breach

Procedure:

1) Identify the clients who have had their information breached.

2) Investigate the breach and speak with the individual who had access to the information. Notify them of the duty to destroy copies of the information, such as a photo of a computer screen.

3) Notify the customers whose personal information was breached.

4) Report each breach per Health and Human Services requirements.

5) Modify procedures and workforce training to increase protection against future breaches.

6) If clients want reimbursement, make it available for up to $120.00 for credit monitoring and identity theft resolution through Experian (http://www.experian.com/consumer-products/compare-identity-theft-products.html).

7) Offer a toll-free number as required in the Privacy Act.

Procedure Approval and Maintenance: The HIPAA Privacy Officer is responsible for annual reviews of this procedure.

Date | Description of Review or Change | Section or Pages Affected | Reviewed or Changed by
6/19/17 | Created | All | B. Dorsey/C. Conover
6/19/17 | Updated and Reformatted | All | B. Dorsey/C. Conover

Purpose: To respond to a confidentiality breach.

Scope: Protected Health Information (PHI), or individually identifiable health information, is information, including demographic data, that relates to any of these:

• the individual’s past, present or future physical or mental health
• the provision of health care to the individual
• payment for the provision of health care

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.

Responsibility: All CCCHD employees who have access to protected health information

References/Related: Health Insurance Portability and Accountability Act; Board of Health Resolution


Clark County Combined Health District (CCCHD) 529 East Home Road Springfield, OH 45503

Divisions: All Divisions of CCCHD Procedure No. 24: Perform Risk Analysis

Procedure:

Perform Risk Analysis no less than every two (2) years. Maintain and revise as needed.

1) Hold Risk Analysis Team Meetings. Team members should be informed of the following:
• Explanation of the purpose of the meeting
• Explanation of the need for risk analysis
• Definition of risk analysis
• Explanation of the process that the team will follow to perform risk analysis

2) Inventory Assets.

• Inventory all health information that the facility maintains, transmits, or otherwise has control over. Do not limit the inventory to just medical records. Rather, inventory all health information in all departments whether authorized or unauthorized and whether patient is identifiable or not.

• Identify all sensitive health information maintained/transmitted by the facility, such as AIDS/HIV, other sexually transmitted diseases, mental health and alcohol and drug abuse information. Such information may be in multiple locations. Identify from each location.

• Identify all the components of the system that the data resides in because you cannot protect the information within your system unless you also protect the components of that system. Include not only hardware, but also software, documentation, and so forth. Identify assets involving paper records, as well, such as storage cabinets and fax machines. Include all portable devices, such as laptops, palm pilots, and so forth. It may be helpful to identify these components by department. Briefly describe the purpose of the asset and indicate its location(s) within the department(s).

• Identify existing security assets, such as physical protection devices, technical security devices (encryption, firewalls, and so forth), policies & procedures, and personnel who could help in the security effort because it is not cost-effective to procure a security asset you already have. Detail the effectiveness of the security asset.

3) Identify Risks. Once you have identified and inventoried your assets, you must determine the vulnerabilities of those assets. You should evaluate risks/threats in the following areas:

• Threats to patient information. When evaluating patient information, remember that not all threats involve improper use, abuse or improper disclosure. Threats also exist in the use of patient information, such as proper use of a laboratory test report that is inaccurate or an authorized disclosure of health information that the recipient then improperly discloses.

• Electronic Threats. Electronic threats include threats to hardware, such as power surges and fire or water damage, threats to software, such as viruses, and threats to data, such as data garbled in transmission.

• System Threats. Because providers are becoming more and more networked with other sub elements of their entity and with other entities, you must evaluate the threats that exist when sharing data with others.

Purpose: To identify and prioritize risks and interventions

Scope: Employees of CCCHD

Responsibility: HIPAA Privacy & Security Officer and Administrative Team References/Related: Section 262 of the Health Insurance Portability and Accountability Act


Clark County Combined Health District (CCCHD) 529 East Home Road Springfield, OH 45503


• Combined risk of the above threats. Potential threats to patient information include threats in three (3) major areas:
o threats to the confidentiality of the data
o threats to the integrity of the data
o threats to the availability of the data

These threats could exist in both authorized and unauthorized uses or disclosures of the data, garbled data, incomplete data, theft of data, and breach of confidentiality. After considering these threats individually, you should consider the combined threats of the risks identified.

4) Quantify Risks. Because risk analysis is the process of selecting cost-effective security measures by balancing the cost of those measures against the harm that would occur if the security measures were not in place, you must identify the harm that would result from the risks you have identified. This step has two (2) parts:

• Determine the probability that a risk will occur. To quantify the probability of the threat occurring, use the categories VL (very low), L (low), M (moderate), H (high) or VH (very high).

• After determining the probability that a risk will occur, you must consider the degree of harm if it does occur. To quantify the damage, you can use the same categories VL, L, M, H, or VH. If possible, try to set a dollar figure for the harm.

5) Identify and Select Security Measures and Costs.
• List all possible security measures and their costs to help decide which security measures are medically, practically, and economically viable.
• From the possible security measures identified above, select reasonable, cost-effective security measures, and plan how to implement them.

6) Implement Selected Security Measures. This process involves acquiring security measures, such as new anti-virus software, installing and testing security measures, and writing/revising policies and procedures for adoption by management.

7) Test and Revise Security Measures. Select security measures to test, perform the test, document the test and its results, and take necessary action to remedy deficiencies identified by the test.
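As an added illustration of steps 4 and 5 above (not CCCHD's own tooling), the following worksheet ranks identified risks by expected annual loss using the procedure's VL/L/M/H/VH scale and tests whether a candidate security measure costs less than the harm it avoids. The page defines only the category labels; the numeric likelihoods, default dollar harms, sample risks and measure costs are constructed assumptions.

```python
"""Worked risk quantification for Procedure No. 24, steps 4 and 5.

Added example, not CCCHD tooling. The page defines only the VL/L/M/H/VH
categories; the numeric likelihoods, default dollar harms, sample risks and
measure costs below are constructed assumptions for illustration.
"""

# Assumed expected number of occurrences per year for each probability category.
LIKELIHOOD_PER_YEAR = {"VL": 0.05, "L": 0.2, "M": 0.5, "H": 1.0, "VH": 3.0}
# Assumed dollar harm per harm category, used only when no dollar figure is known.
DEFAULT_HARM_DOLLARS = {"VL": 1_000, "L": 10_000, "M": 50_000, "H": 250_000, "VH": 1_000_000}


def expected_annual_loss(probability, harm, harm_dollars=None):
    """Step 4: probability category times dollar harm (an explicit figure is preferred)."""
    dollars = DEFAULT_HARM_DOLLARS[harm] if harm_dollars is None else harm_dollars
    return LIKELIHOOD_PER_YEAR[probability] * dollars


def rank_risks(risks):
    """Order identified risks by expected annual loss, highest first."""
    scored = [(expected_annual_loss(r["probability"], r["harm"], r.get("harm_dollars")), r["name"])
              for r in risks]
    return sorted(scored, reverse=True)


def net_benefit(measure, risks):
    """Step 5: loss avoided by a measure minus its annual cost; positive means cost-effective."""
    by_name = {r["name"]: r for r in risks}
    avoided = 0.0
    for risk_name, reduction in measure["reduction"].items():
        r = by_name[risk_name]
        avoided += reduction * expected_annual_loss(r["probability"], r["harm"], r.get("harm_dollars"))
    return avoided - measure["annual_cost"]


# Constructed sample risks, rated on the page's probability and harm scale.
SAMPLE_RISKS = [
    {"name": "laptop with PHI lost or stolen", "probability": "M", "harm": "H"},
    {"name": "fax misdirected to wrong recipient", "probability": "H", "harm": "L"},
    {"name": "power surge damages server", "probability": "L", "harm": "M", "harm_dollars": 40_000},
    {"name": "lab result garbled in transmission", "probability": "VL", "harm": "VH"},
]

# Constructed candidate measures: annual cost and the fraction of each risk they remove.
SAMPLE_MEASURES = [
    {"name": "full-disk encryption on laptops", "annual_cost": 6_000,
     "reduction": {"laptop with PHI lost or stolen": 0.9}},
    {"name": "redundant leased line", "annual_cost": 60_000,
     "reduction": {"lab result garbled in transmission": 0.5}},
]

if __name__ == "__main__":
    for loss, name in rank_risks(SAMPLE_RISKS):
        print(f"${loss:>10,.0f}/yr  {name}")
    for m in SAMPLE_MEASURES:
        net = net_benefit(m, SAMPLE_RISKS)
        print(f"{'adopt' if net > 0 else 'reject':6} {m['name']} (net ${net:,.0f}/yr)")
```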

Procedure Approval and Maintenance: The HIPAA Privacy Officer is responsible for annual reviews of this procedure.

Date | Description of Review or Change | Reviewed or Changed by
8/29/2017 | Created | S. Hackathorne/C. Conover


Divisions: All Divisions of CCCHD Procedure No. 25: HIPAA Applied to Deceased Persons

Procedure:

The Privacy Rule protects the identifiable health information of a deceased individual for 50 years after date of death. The protection occurs to the same extent the Rule protects the health information of a living individual.

1) Record Retention: The Privacy Rule does not include medical record retention requirements, and CCCHD may destroy such records at the time permitted by State or other applicable law, regardless of whether the individual is deceased.

2) Disclosure to Family Members: The Privacy Rule permits a covered entity to disclose protected health information about a decedent to a family member, or other person who was involved in the individual’s health care or payment for care prior to the individual’s death.

a. This may include, depending on the circumstances, disclosures to spouses, parents, children, domestic partners, other relatives, or friends of the decedent, provided the information disclosed is limited to that which is relevant to the person’s involvement in the decedent’s care or payment for care. See 45 CFR 164.510(b)(5).

b. Exception: If doing so is inconsistent with any prior expressed preference of the deceased individual that is known to the covered entity. For example, a covered health care provider could describe the circumstances that led to an individual’s death with the decedent’s sister who is asking about her sibling’s death.

c. In addition, a covered health care provider or pharmacy could disclose billing information or records to a family member of a decedent who is assisting with closing a decedent’s estate.

d. A provider generally should not share information about past, unrelated medical problems.

Procedure Approval and Maintenance: The HIPAA Privacy Officer is responsible for annual reviews of this procedure.

Date | Description of Review or Change | Reviewed or Changed by
09/01/2017 | Created | C. Conover

Purpose: Protection of identifiable health information of the deceased individual.
Scope: Employees of CCCHD
Responsibility: HIPAA Privacy & Security Officer and Administrative Team
References/Related: Health Insurance Portability and Accountability Act


Divisions: All Divisions of CCCHD Procedure No. 26: HIPAA and Student Immunizations

If a school is required by law to have proof of immunizations in order to admit the child, the immunization record can be provided to the school without authorization, but with agreement.

1) In the case of an unemancipated minor, a parent, guardian, or other person acting in loco parentis must agree to the disclosure.

2) If the individual who is a student or prospective student is an adult or emancipated minor, the provider may make the disclosure with the agreement of the student.

3) In either case, the agreement may be obtained orally or in writing, but must be documented (e.g., by placing in the medical record a copy of a written request, or notation of an oral request, from a parent for the provider to disclose the proof of immunization to the school).

Procedure Approval and Maintenance: The HIPAA Privacy Officer is responsible for annual reviews of this procedure.

Date | Description of Review or Change | Reviewed or Changed by
09/01/2017 | Created | C. Conover

Purpose: HIPAA and Student Immunizations
Scope: Clients who are students of schools that are required by law to have proof of immunizations.
Responsibility: CCCHD Staff
References/Related:
• Board of Health Resolution
• 45 CFR 164.512(b)(1)(vi)


Divisions: All Divisions of CCCHD Procedure No. 27 Red Flag – Identity Theft

Introduction

CCCHD has adopted this Red Flag Policy in general to comply with our duties under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Department of Health and Human Services (“DHHS”) security and privacy regulations, as well as our duty to protect the confidentiality and integrity of confidential medical information as required by law and professional ethics. Specifically, CCCHD has adopted this policy to comply with the requirement to have a Theft Prevention Program (“Program”) pursuant to the Federal Trade Commission’s (“FTC”) Red Flag Rule, which implements Section 114 of the Fair and Accurate Credit Transaction Act of 2003 (see 16 C.F.R. § 681.2). All personnel of CCCHD must comply with this policy. Familiarity with this policy and demonstrated competence in the requirements of the policy are an important part of every employee’s responsibilities.

Assumptions

1. “Identity Theft” means “fraud committed using the identifying information of another person.”

2. “Covered account” means the following:

• An account that a creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions.

• Any other account that the creditor offers or maintains for which a reasonably foreseeable risk exists to customers or to the safety and soundness of the creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.

3. “Credit” means the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer payments or to purchase items or services and defer payment therefor.

4. “Creditor” means the following:
• Any person who regularly extends, renews, or continues credit.
• Any person who regularly arranges for the extension, renewal, or continuation of credit.
• Any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.

5. “Identifying information” means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including the following:

o Name.
o Address.
o Telephone number.
o Social Security number.
o Date of birth.
o Government-issued driver’s license or identification number.
o Alien registration number.
o Government passport number.
o Employer or taxpayer identification number.
o Unique electronic identification number.
o Computer internet protocol (“IP”) address.
o Routing code.

6. “Red Flag” means a pattern, practice, or specific activity that indicates the possible existence of identity theft.

Purpose: Describe practices which help to identify identity theft.
Scope: CCCHD Programs
Responsibility: CCCHD Staff
References/Related:
• Board of Health Resolution
• 45 CFR 164.512(b)(1)(vi)
• Content excerpted from HIPAA Documents Resource Center. Tomes, Jonathan P., Veterans Press, Inc., and EMR Legal, Inc.


7. Individually identifiable health information is sensitive and confidential. Such information is protected from improper use and disclosure by HIPAA, its implementing regulations, other state and federal laws, professional ethics, and accreditation requirements.

8. Loss or breach of confidentiality of such data may cause severe harm to the subject of the information, to CCCHD and to its Board and Employees.

9. Most breaches of confidentiality result from poor personnel security. Hence, CCCHD must ensure that access is limited so as to minimize this risk.

10. HIPAA, its implementing regulations, other state and federal laws, professional ethics, and accreditation requirements specify that only those individuals with a need to access and use individually identifiable health information should have access to such information.

11. Limiting access to those with a need to know and giving them no more access than necessary for performance of their duties will help CCCHD comply with the privacy regulation’s “minimum necessary” rule.

12. Those people authorized access should have no more access than needed for the performance of their responsibilities.

13. HIPAA, its implementing regulations, and good practice require screening of all personnel with access.

Implementation

1. In order to identify a Red Flag, CCCHD will consider the types of Accounts that it offers and maintains, the methods that it provides to open its Accounts, the methods that it provides to access its Accounts, the relationship of the component with others who may be providing billing information to CCCHD, and the component’s previous experiences of any known occurrences of identity theft.

2. The following are recognized as potential Red Flags, some of which may not be applicable to the agency’s operations at this time. At this time we have chosen to include relevant and non-relevant aspects to increase awareness and vigilance on and off the job:

o Red Flags for documents:
  - Documents provided for identification that appear to be forged or altered.
  - Documentation on which a person’s photograph or physical description is not consistent with the person presenting the documentation.
  - Documentation with information that is not consistent with existing customer information.
  - Application for service that appears to have been altered or forged.

o Red Flags for personal identifying information:
  - Person’s identifying information is inconsistent with other information that the customer provides.
  - Person’s identifying information is the same as shown on other applications found to be fraudulent.
  - Person’s identifying information is consistent with fraudulent activity.
  - Person’s Social Security number (“SSN”) is the same as another patient/customer’s SSN.
  - Person’s address or phone number is the same as that of another person.
  - Person fails to provide complete personal identifying information on an application when asked to do so.
  - Person’s identifying information is not consistent with the information that is on file for the patient/customer.

o Red Flags for activity related to a patient account:
  - Change of address for an account followed by a request to change the account holder’s name.
  - Account being used in a way that is not consistent with prior use.
  - Mail sent to the account holder is repeatedly returned as undeliverable.
  - CCCHD receives notice that a customer is not receiving paper statements.
  - CCCHD receives notice that an account has unauthorized activity.
  - CCCHD receives notice that an account has activity that is inconsistent with a patient/consumer’s usual pattern or activity.
  - CCCHD receives a complaint from a patient/consumer based on the patient/consumer’s receipt of:
    • Bill for another individual.
    • Bill for a product or service that the consumer denies receiving.


    • Bill from a health care provider that the consumer never patronized.
    • Notice of insurance benefits (or explanation of benefits) for health care services never received.
  - Records showing medical treatment that is inconsistent with a physical examination or with medical history as reported by the patient.
  - Complaint or question from a patient/consumer about the receipt of a collection notice.
  - Patient/Consumer or health insurer report that coverage for items or services is denied because insurance benefits have been depleted or a lifetime cap has been reached.
  - Dispute about a bill by a consumer who claims to be the victim of identity theft.
  - Patient who has an insurance number but never produces an insurance card or other documentation of insurance.

o Notice regarding possible identity theft:
  - CCCHD receives notice that a CCCHD maintained account is being used by a person engaged in identity theft.

3. CCCHD complies with federal regulations that require that each component of the agency be diligent in detecting any of the Red Flags identified above in connection with the opening of a new account and to take the following steps, as appropriate, to obtain and verify the identity of the person opening a new account:
o Verify an individual’s identity by reviewing and, if necessary, copying a driver’s license or other identification card.
o Review documentation showing the existence of a business entity.
o Require, as applicable, the name, date of birth, residential or business address, principal place of business for an entity, and Social Security number, tax identification number, driver’s license information, or other identification.

4. In order to detect any of the Red Flags identified above for an existing account, CCCHD’s component personnel should be trained to take the following steps to monitor transactions involving such accounts:
o Verify identification of a patient/customer requesting information that could lead to identity theft.
o Verify the validity of a request to change a billing address.
o Verify changes in banking information given for billing or payment purposes.

5. In order to prevent and mitigate identity theft, if CCCHD’s component personnel detect any identified Red Flags, such personnel shall take appropriate action, which may include the following, among other things:
o Notify Supervisor and the HIPAA Privacy Officer for determination of the appropriate action to take.
o Monitor the account for evidence of identity theft.
o Investigate the situation.
o If the Red Flag involves protected health information (“PHI”), covered under the HIPAA Security and Privacy Standards, CCCHD will also apply existing HIPAA security and privacy policies to the response.
o Not open a new account.
o Close an existing account.
o Notify law enforcement.
o Determine that no response is warranted under the circumstances.

6. If the activity is determined to be fraudulent, CCCHD should take immediate action, such as the following possible actions:
o Contact the patient/consumer.
o Notify law enforcement.
o Notify the affected patient if not the patient/consumer.
o Notify any affected clinicians.
o Assess effect on CCCHD.
o Review the patient/consumer’s medical record to confirm whether documentation in the record is inaccurate as a result of the identity theft. If inaccuracies exist, take necessary steps to properly correct the record and annotate as inaccurate because of identity theft.
o Notify others who hold records on the patient/consumer that their records may also contain inaccurate information because of identity theft.

7. Service provider arrangements: If CCCHD engages a third-party service provider to perform an activity in connection with one or more accounts, CCCHD will ensure that the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft, including requiring the service providers to have Identity Theft policies and procedures in place.
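As an added example (not CCCHD's own tooling) of how several of the Red Flags listed under item 2 and the monitoring steps in items 4 and 5 can be screened for automatically, the script below runs four of the page's indicators over constructed account records: an SSN shared with another patient/customer, an address or phone shared with another person, a change of address followed by a name change request, and mail repeatedly returned undeliverable. The Account class, event kinds and all sample values are constructed assumptions.

```python
"""Screening for a subset of the Procedure No. 27 Red Flags over account records.

Added example, not CCCHD's own tooling. Account, the event kinds and all
sample data are constructed here; the rules implemented are the page's
"same SSN as another patient/customer", "same address or phone as another
person", "address change followed by a name change request" and "mail
repeatedly returned undeliverable" indicators.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: str
    name: str
    ssn: str          # constructed placeholder values, not real SSNs
    address: str
    phone: str
    events: list = field(default_factory=list)  # (iso_date, kind) pairs


def check_red_flags(accounts):
    """Return {account_id: sorted rule names} for every account that trips a rule."""
    hits = defaultdict(set)

    def flag_shared(attr, rule):
        # The same identifying value under different names suggests a misused identity;
        # a duplicate registration of one person is not treated as a Red Flag here.
        groups = defaultdict(list)
        for a in accounts:
            groups[getattr(a, attr).strip().lower()].append(a)
        for group in groups.values():
            if len({a.name.strip().lower() for a in group}) > 1:
                for a in group:
                    hits[a.account_id].add(rule)

    flag_shared("ssn", "ssn_shared")
    flag_shared("address", "address_shared")
    flag_shared("phone", "phone_shared")

    for a in accounts:
        kinds = [kind for _, kind in sorted(a.events)]  # chronological order
        if "address_change" in kinds:
            after = kinds[kinds.index("address_change") + 1:]
            if "name_change_request" in after:
                hits[a.account_id].add("address_then_name_change")
        if kinds.count("mail_returned") >= 2:
            hits[a.account_id].add("mail_repeatedly_returned")
    return {acct: sorted(rules) for acct, rules in hits.items()}


# Constructed sample data: A001/A002 share an SSN, A001/A003 share an address,
# A002 changed address then asked to change the name, A003 has returned mail twice.
SAMPLE_ACCOUNTS = [
    Account("A001", "Jane Doe", "000-00-0001", "1 Main St", "555-0100"),
    Account("A002", "John Roe", "000-00-0001", "2 Oak Ave", "555-0101",
            [("2017-08-01", "address_change"), ("2017-08-10", "name_change_request")]),
    Account("A003", "Mary Poe", "000-00-0003", "1 main st ", "555-0102",
            [("2017-07-02", "mail_returned"), ("2017-07-20", "mail_returned")]),
    Account("A004", "Sam Loe", "000-00-0004", "3 Elm Rd", "555-0103",
            [("2017-07-05", "mail_returned")]),
]

if __name__ == "__main__":
    # Item 5 of the procedure: findings go to the supervisor and HIPAA Privacy Officer.
    for acct, rules in check_red_flags(SAMPLE_ACCOUNTS).items():
        print(f"{acct}: refer to supervisor / HIPAA Privacy Officer ({', '.join(rules)})")
```

A single returned mailing (A004) is deliberately not flagged, matching the page's wording of "repeatedly returned".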


Procedure Approval and Maintenance: The HIPAA Privacy Officer is responsible for annual reviews of this procedure.

Date | Description of Review or Change | Reviewed or Changed by
09/01/2017 | Created | C. Conover
