Background

Privacy regulations under HIPAA—the Health Insurance Portability and Accountability Act of 1996—require Oakland County, Michigan (the "county") to protect the privacy of individually identifiable health information of participants in the County's health plans and patients in the County's capacity as a health care provider. This information is known as protected health information, or "PHI" for short.

These policies and procedures reflect the County's compliance with the HIPAA privacy regulations ("Privacy Rules"). The County is a hybrid entity, and these policies and procedures apply only to Protected Health Information that the County has in connection with the County's self-insured health plans and those health care components that are subject to HIPAA. References to the "County" are intended to refer to just those components that are subject to HIPAA.

The County's policy is to strive for compliance with the Privacy Rules. All members of the County's workforce who use or have access to PHI must comply with the policies and procedures set forth herein ("Policies and Procedures"). Failure to comply shall result in discipline up to and including employment or contract termination in accordance with the County's normal disciplinary practices. For purposes of these Policies and Procedures, the County's workforce includes employees, contractors, vendors, volunteers, trainees, and other persons whose work performance is under the direct control of the County, whether-or-not they are paid by the County. These policies shall be reviewed on a periodic basis, upon state/federal regulation updates, or significant changes in the County's operating, technological, and legal environment.

The County does not intend to create any third-party rights (including rights of Health Plan and beneficiaries, patients, or outside service providers) by adopting these Policies and Procedures. The County may amend or change these Policies and Procedures at any time, even retroactively, without notice. The County intends that these Policies and Procedures implement HIPAA's Privacy Rules and shall interpret them consistent with the regulations promulgated under HIPAA. To the extent that these Policies and Procedures establish requirements and obligations beyond those required by HIPAA, they are aspirational and not binding upon the County. These Policies and Procedures do not address requirements under other federal, state, or local laws.