Confidentiality Employee and Patient Health Care Information Guidelines

RESOLUTION ESTABLISHING POLICIES AND GUIDELINES FOR PROTECTION OF THE CONFIDENTIALITY AND SECURITY OF PATIENT AND EMPLOYEE HEALTHCARE INFORMATION

 

Resolution No. 011-03

 

WHEREAS, the Board of County Commissioners is the governing body of Johnson County, Kansas, and as such is authorized to adopt policies, rules, regulations, and guidelines governing the administration of Johnson County Government pursuant to K.S.A. 19-101 et seq.; and

 

WHEREAS, certain departments within Johnson County Government (the “Covered Departments”) collect health information of a confidential and sensitive nature during the course of providing healthcare related services to patients, clients, and consumers, and during the course of administration of Johnson County’s healthcare and related employee benefit plans on behalf of County employee dependents; and

 

WHEREAS, the Health Insurance Portability and Accountability Act of 1996 (HIPAA)[1] and the regulations and standards issued thereunder by the United States Department of Health and Human Services (HHS) require the protection of the confidentiality and security of individually identifiable health information that is transmitted or maintained by electronic media or any other form or medium, excluding information in education records and inmate records (hereinafter referred to as Protected Health Information or PHI); and

 

WHEREAS, the Board has determined that it is in the best interest of Johnson County to implement policies and guidelines protecting the confidentiality and security of PHI.

 

NOW, THEREFORE, BE IT RESOLVED by the Board of County Commissioners of Johnson County, Kansas that the following policies and guidelines shall be and hereby are adopted, applicable from and after the adoption of the Resolution, for protection of the confidentiality and security of PHI in compliance with HIPAA and other federal or state requirements.

 

ARTICLE I.

 

It is the purpose of these policies and guidelines to ensure that Johnson County and its boards, commissions, officers, employees and agents, have the necessary health care related and other information to provide or arrange for the provision of quality health related services while at the same time protecting the confidentiality and security of that information so that clients, consumers, patients, employees and employee dependents do not fear to provide information to Johnson County for the purpose of receiving treatment or employee benefits.

 

ARTICLE II.

 

It is the policy of Johnson County that all County personnel, contractors and/or business associates shall preserve the security and confidentiality of Protected Health Information and other sensitive information pertaining to the County’s clients, consumers, patients, employees and employee dependents and comply with all state and federal laws and regulations, including but not limited to regulations and standards issued by the HHS under HIPAA. To that end, the attached Protected Health Information Security Policy is hereby adopted and incorporated by reference herein.

 

ARTICLE III.

 

The County Manager is hereby authorized and directed to designate a Privacy Officer and Information Security Officer (ISO) whose duties it shall be to provide oversight and management of all activities related to the development and implementation of County policies, procedures and standards required for protection of the privacy, confidentiality, and security of PHI as required by HIPAA and the regulations and standards issued by HHS thereunder, and any other state or federal laws, professional ethics, and accreditation standards that protect the confidentiality and privacy of individuals’ health (including financial) information. The ISO is further responsible for the development, implementation and monitoring of policies and procedures to ensure that PHI is secure from unauthorized access, inappropriate alteration, and is physically secure and available to authorized users in a timely fashion.

 

ARTICLE IV.

 

All Johnson County Departments that collect PHI (Covered Departments) are hereby authorized and directed with assistance from the County Privacy and Information Security Officer(s) to develop, implement, and promulgate privacy and/or security policies and procedures that are deemed necessary and advisable to comply with HIPAA and any other applicable federal and state laws or regulatory requirements consistent with the over-arching policy of the Board as adopted by this Resolution. Copies of such policies and procedures shall be filed at the Office of the County Manager where they shall be available for public inspection. Such policies and procedures shall include but not be limited to the following:

  1. The Information Technology Services Department (ITS) shall develop and implement countywide security policies and procedures including but not limited to appropriate procedures pertaining to the use of password security, firewalls, encryption, and installation of anti-virus software necessary to safeguard Johnson County’s e-mail and other information systems against damage, misuse or unauthorized disclosure of PHI.
  2. The Human Resources Department (HR) shall develop and implement appropriate countywide employee conduct and disciplinary policies and procedures proscribing employee conduct that results or could result in the unauthorized disclosure of PHI and providing appropriate sanctions for misconduct.
  3. Each Covered Department shall develop and implement a Notice of Information Practices as required by HIPAA that describes the manner in which PHI may be utilized and disclosed by Johnson County including disclosures for treatment, payment and/or for health operations purposes, procedures by which the client, consumer, patient, employee or dependents may request access to the PHI for inspection and copying, and procedures whereby amendments and/or corrections to PHI may be requested.
  4. Each Covered Department shall develop and conduct adequate employee-training programs to review all countywide and departmental policies and procedures implemented for the purpose of protecting the privacy and security of protected health information as required by HIPAA and the HHS regulations issued thereunder.

 

BOARD OF COUNTY COMMISSIONERS

OF JOHNSON COUNTY, KANSAS

(filed March 20, 2003)

 

SEAL

ATTEST:

John A. Bartolac, County Clerk

 

APPROVED AS TO FORM:

Roger L. Tarbutton, Assistant County Counselor

 

Protected Health Information Security Policy

 

  1. GENERAL: It is the policy of Johnson County, Kansas, that all personnel must preserve the integrity and the confidentiality of health care related and other sensitive information pertaining to patients, clients, consumers, employees and employee dependents. The purpose of this policy is to ensure that Johnson County, Kansas, and its boards, commissions, officers, employees, and agents (hereinafter collectively referred to as “Johnson County”) have the necessary health care related and other information to provide or arrange for quality health care related services while protecting the confidentiality of that information so that clients, consumers, employees and employee dependents do not fear to provide information to Johnson County for purposes of treatment or for the purpose of providing employee benefits. To that end, Johnson County will –
  2. Collect and use individually identifiable health care related information only for the purposes of providing or arranging for health care related services and for supporting the delivery, payment, integrity, and quality of those services or for the purpose of providing employee benefits. Johnson County will not use or supply individual health care related information for non-health care uses, such as direct marketing, employment, or credit evaluation purposes other than as authorized by the Health and Human Services Privacy Regulations (“HHS”) (“privacy regulations”).
  3. Collect and use individual health care related information only –
  4. To provide or assist with proper evaluations, diagnosis or treatment or other health related services.
  5. To arrange for health-related services, financial assistance or auxiliary aids.
  6. With the individual’s knowledge and consent/authorization.
  7. To receive reimbursement for services provided.
  8. For research and similar purposes designed to improve the quality and to reduce the cost of health care.
  9. As a basis for required reporting of health information.
  10. For the purpose of providing employee benefits.

 

  1. Recognize that individually identifiable health care related information collected about patients, clients, consumers and employees and employee dependents must be accurate, timely, complete and available when needed and Johnson County will –
  2. Use its best effort to ensure the accuracy, timeliness, and completeness of data and to ensure that authorized personnel can access it when needed.
  3. Complete and authenticate health care related records in accordance with the law, medical ethics, and accreditation standards.
  4. Maintain health care related records for the retention periods required by law and professional standards.
  5. Not alter or destroy an entry in a record, but rather designate it as an error while leaving the original entry intact and create and maintain a new entry showing the correct data.
  6. Implement reasonable measures to protect the integrity of all data maintained about consumers, clients and employees and their dependents.
  7. Recognize that patients, clients, consumers, employees and employee dependents have a right of privacy. Johnson County will respect individuals’ dignity at all times. Johnson County will respect the privacy of patients, clients, consumers, employees and employee dependents to the extent consistent with providing the highest quality health related care possible and with the efficient administration of the facility or program.
  8. Act as responsible information stewards and treat all individual health care related record data and related financial, demographic, and lifestyle information as sensitive and confidential. Consequently, Johnson County will:
  9. Treat all individually identifiable health care related record data (“protected health information”) as confidential in accordance with the HHS privacy regulations, state and federal laws providing more stringent regulations or requirements, other legal requirements, professional ethics, and accreditation standards.
  10. Only use or disclose the minimum necessary health information to accomplish the particular task for which the information is used or disclosed.
  11. Not divulge health care related record data unless the patient, client, consumer, employee, employee dependents (or his or her authorized representative) has properly consented to the release or the release is otherwise authorized by the privacy regulations and/or other law, such as communicable disease reporting, child abuse reporting, and the like.
  12. When releasing individually identifiable health care related record data, take appropriate steps to prevent unauthorized disclosures, such as specifying that the recipient may not further disclose the information without consumer, client or employee and their dependent consent or as authorized by law.
  13. Implement reasonable measures to protect the confidentiality of health care related and other information maintained about patients, clients, consumers, employees, and employee dependents.
  14. Remove patient, client, consumer, employee and employee dependent identifiers when appropriate, such as in statistical reporting and in medical research studies.
  15. Not disclose financial or other patient, client, consumer, employee and dependent information except as necessary for billing or other authorized purposes as authorized by the privacy regulations, other laws, and professional standards.
  16. Recognize that some individually identifiable health care related information is particularly sensitive, such as HIV/AIDS information, mental health and developmental disability information, alcohol and drug abuse information, and other information about sexually transmitted or communicable diseases and that disclosure of such information could severely harm patients, clients, consumers, employees and employee dependents, such as by causing loss of employment opportunities and insurance coverage, as well as the pain of social stigma. Consequently, Johnson County will treat such information with additional confidentiality protections as required by law, professional ethics, and accreditation requirements.
  17. Recognize that, although Johnson County “owns” the health care related record, the patient, client, consumer, employee, and employee dependent has a right of access to information contained in the record. Johnson County will –

a.) Permit patients, clients, consumers, employees and employee dependents to access and copy their protected health information in accordance with the requirements of the privacy regulations.

b.) Provide patients, clients, consumers, employees and employee dependents an opportunity to request correction of inaccurate data in their records in accordance with the requirements of the privacy regulations.

c.) Provide patients, clients, consumers, employees and employee dependents an accounting of uses and disclosures other than those for treatment, payment, and healthcare operations in accordance with the requirements of the privacy regulations.

 

  1. Compliance: All boards, officers, commissions, agents, and employees of Johnson County must adhere to this policy. Johnson County will not tolerate violations of this policy. Violation of this policy is grounds for disciplinary action, up to and including termination of employment and criminal or professional sanctions in accordance with Johnson County’s health care related information sanction policy and personnel rules and regulations. Violations committed by licensed professionals will be subject to reporting to the appropriate licensing body.

 

[1] Public Law 104-191, 110 Stat. 1396 (1996).