Oakland County, MI
Policy Statements
The County's Responsibilities as a Covered Entity
At all times Oakland County shall have one individual identified and assigned to be the Privacy Officer. The County shall develop the responsibilities and procedures regarding that individual in the Privacy Officer Procedure.1
1 45 CFR 164.530(a).
All members of the County's workforce who need access to PHI shall receive training on these HIPAA policies and procedures as necessary and appropriate for them to carry out their functions. Newly-hired employees shall be trained before they are given access to PHI, or as soon as possible thereafter. Existing workforce members shall periodically receive reminder training to reinforce their responsibilities under these Policies and Procedures. At a minimum, such training shall occur on an annual basis. All training shall be documented as set forth in the Documentation and Record Retention Requirements Procedure.2
2 45 CFR 164.530(b).
The Privacy Rules require the County to have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. The County's policy is to maintain appropriate safeguards as required by the Privacy Rules. The County shall develop procedures for these safeguards as described in the Safeguards Procedure.3
3 45 CFR 164.530(c).
The Privacy Rules require the County to implement a process by which individuals may file complaints about privacy violations. The County's policy is that anyone who believes that the Policies and Procedures or the Privacy Rules have been violated at the County may complain to the Privacy Officer. If the complaint is verbal, the person receiving the complaint shall document the details of the complaint. The County shall develop complaint procedures as can be found in the Complaint Procedure.4
4 45 CFR 164.530(d).
The County employees who violate these policies and procedures are subject to discipline pursuant to the Oakland County Merit Rules.5
5 45 CFR 164.530(e).
The County shall not discipline an employee who is a crime victim and discloses PHI to a law enforcement official, so long as the PHI concerns the suspected perpetrator of the criminal act and the PHI is limited as required by the Privacy Rules (see 45 CFR § 164.502(j)).
The County shall mitigate, to the extent practicable, any harmful effect that is known to the County of a use or disclosure of protected health information in violation of its policies and procedures or the requirements of HIPAA by the County or its business associate.6
6 45 CFR 164.530(f).
Consistent with the Privacy Rules, the County shall not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their privacy rights, filing a complaint, participating in an investigation, or opposing any improper practice under the Privacy Rules.7
7 45 CFR 164.530(g).
Individuals will not be required to waive their rights under the Privacy Rules as a condition of enrollment in the Health Plan, eligibility for benefits, treatment or payment.
Limited Exception for the Health Plan's Eligibility or Enrollment Determinations
The County may condition enrollment in the Health Plan or eligibility for benefits on provision of an authorization requested by the Health Plan prior to an individual's enrollment in the Health Plan if (1) the authorization is sought for the Health Plan's eligibility or enrollment determination relating to the individual or for its underwriting or risk rating determinations; and (2) the authorization is not for a use or disclosure of psychotherapy notes.8
8 45 CFR 164.530(h).
The County shall provide its patients and participants in the Health Plan with a notice describing (1) how the County may use and disclose their PHI; (2) individuals' rights under the Privacy Rules; and (3) the County's legal duties with respect to PHI. The County shall develop a procedure for notice of privacy practices as described in Notice Procedure.9
9 45 CFR 164.520.
Uses and Disclosures of PHI
All members of the County's workforce involved in PHI must comply with these Policies and Procedures.10
10 45 CFR 160.101; 45 CFR 162.100; 45 CFR 164.104; 45 CFR 164.302; 45 CFR 164.400; and 45 CFR 164.500.
It is the County's policy to limit access to PHI to employees with certain job functions ("Authorized Employees"). The County shall develop a procedure to comply with this policy; see Limitations on Access Procedure.11
11 45 CFR 164.502(a).
The Privacy Rules require that, for most purposes, the County limit its uses and disclosures to the minimum necessary to accomplish the purpose of the use or disclosure. The County's policy is to limit the uses and disclosures to the minimum necessary, unless an exception applies. The County shall develop a procedure for the minimum necessary standard; see Minimum Necessary Standard Procedure.
These policies and procedures are for the County's internal uses and disclosures. Uses and disclosures by third party administrators and/or service providers are governed by that party's business associate agreement with the County.12
12 45 CFR 164.502(b).
The County may use and disclose an individual's PHI for treatment purposes and to perform the County's own payment activities, health care or Health Plan operations, and to provide treatment, including but not limited to, the activities described in the Permitted Use and Disclosures Payment Procedure.13
13 45 CFR 164.506.
The Privacy Rules require the County to disclose an individual's PHI when requested by the individual or, under certain circumstances, by HHS. The County's policy is to cooperate with these requests and to disclose the PHI in accordance with the Privacy Rules.
Requests from the Individual14
An individual (or the individual's personal representative) may request a disclosure of his or her own PHI. The County shall respond to such requests by following the procedures under Individual Request Procedure.
Request from HHS
If the County receives a request from an HHS official for disclosure of PHI, the County shall verify the identity and authority of the HHS official using the procedures set forth in the section entitled Verification. The County shall document the disclosure as required under the Documentation and Record Retention Requirements Procedure.
14 45 CFR 164.524.
From time to time, the County may receive requests from courts, parties to litigation, law enforcement officials, public health authorities, or various other government agencies or officials to use or disclose an individual's PHI. The County shall develop a procedure consistent with guidelines set forth in the Privacy Rules; see Permitted Uses and Disclosures Procedure.15
15 45 CFR 164.512.
The County's general policy is not to use PHI for marketing activities. Any use of PHI for marketing would require approval by the HIPAA Privacy Officer. Before any such marketing use could occur, the County would first have to obtain authorization from each individual whose information was to be sold. A detailed description of the County's procedure with regard to marketing can be found in the Use of PHI for Marketing Procedure.16
16 45 CFR 164.508(a)(3).
The County's policy states it will not sell PHI.
The Privacy Rules provide that unless expressly authorized by the individual who is the subject of the PHI (or the individual's personal representative), any use or disclosure of that individual's PHI is prohibited unless it falls within one of the categories for which disclosure is permitted or required or the individual has been deceased for at least fifty years. An individual may, however, expressly authorize a use or disclosure of PHI for any purpose.
The County shall develop procedures for the use or disclosure of PHI pursuant to an authorization; see Individual's Authorization Procedure.17
17 45 CFR 164.508.
Business Associate Agreements
The County may share PHI with outside service providers; the outside service providers must contractually obligate themselves to protect the PHI. The Privacy Rules call these third parties that provide services to or on behalf of the County "business associates." The County shall maintain a copy of each business associate agreement that it has entered into according to the Documentation and Record Retention Requirements Procedure. The County shall develop a procedure regarding Business Associates; see Business Associate Procedure.18
18 45 CFR 164.504(e).
Generally, the County shall not disclose an individual's PHI to another person (except to service providers and authorized County employees involved in the administration of the plan). The County, however, may disclose an individual's PHI to another person if authorized by the individual or in emergency situations if the Privacy Officer concludes that the disclosure is in the individual's best interest.
Disclosures Subject to Authorizations
The County may provide individuals an authorization form that can be used to designate family members or others who are permitted to access the individual's Health Plan or medical record. The individual can, at any time, revoke his or her designation or authorize additional persons to whom the individual's PHI should be disclosed. These authorization forms and any subsequent revocations shall be kept with the Health Plan records or medical records, as applicable.
Information About Deceased Individuals
If the County receives a request for information from a family member, other relative, or a close personal friend of the individual who was involved in the individual's care or payment for health care prior to the individual's death, the County, at its discretion, may disclose the information relevant to that person's involvement, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the County.
Verification
If the County receives a request for a disclosure from a person claiming to have authorization to access an individual's Health Plan record or medical record, the County shall check the applicable Health Plan or medical records to determine if the individual has signed an authorization giving this person access to the individual's PHI. If the person is not authorized to receive the PHI, the County may not make the disclosure, except that either parent of a minor child may access the minor child's records without an authorization unless the Health Plan has received a copy of a court order prohibiting such access. The County employee receiving the request should verify the validity of the authorization using the procedures under "Uses and Disclosures of PHI with an Individual's Authorization" (see Section III.K., beginning at page 10).
Emergency Disclosure of Information
If the County receives a request for information from a person who has not been identified in an authorization form to receive an individual's PHI (and is not otherwise authorized to receive the PHI for purposes of administering the Health Plan or providing health care), the County shall normally deny the request. In an emergency situation, the Privacy Officer may permit disclosure to a family member or close friend who is involved in the individual's care or payment for the individual's care, if (1) the individual is aware that such disclosure may be made, has had an opportunity to object to the disclosure and does not object; or (2) the County is unable to notify the individual about the proposed disclosure and the Privacy Officer determines that the disclosure is in the individual's best interest.
Under the Privacy Rules, health information from which all individual identifiers have been removed is called de-identified information, and can be used and disclosed without an individual's authorization; see Definition Procedure.
The County shall use and disclose de-identified information only if the Privacy Officer has verified that the information is in fact de-identified. De-identified information is not PHI, so once the information has been approved as de-identified information, the County may freely use and disclose the de-identified information.
The Privacy Rules require that the County verify the identity and authority of persons or entities exercising their individual rights or otherwise seeking access to PHI (if the identity or authority is not known). County employees shall use reasonable verification steps, such as those outlined in the Verification Procedure. If a County employee is unable to verify identity, the County employee shall discuss the request for PHI with the Privacy Officer.19
19 45 CFR 164.514(h).
The Privacy Rules require the County to maintain documentation of its compliance with the Privacy Rules. The County shall maintain records pursuant to the Documentation and Record Retention Requirements Procedure.
The Privacy Rules require that the County minimize as much as possible any harmful effects resulting from an unauthorized use or disclosure of PHI that comes to the County's attention.
When an employee of the County becomes aware of a use or disclosure of PHI that is not in compliance with these Policies and Procedures, the employee must immediately notify the Privacy Officer of the unauthorized use or disclosure. The Privacy Officer shall:
- Determine if there are steps that should be taken immediately to prevent any further potential harm to individuals whose PHI is involved in the unauthorized use, and take reasonable and appropriate action to prevent further potential harm. The Privacy Officer may consult as necessary with the County management and legal counsel.
- Document the known details of the unauthorized use or disclosure for purposes of responding to a request for an accounting of disclosures.
- Follow any other instructions given by the Privacy Officer to minimize any harm resulting from the use or disclosure.
- If appropriate, follow the Breach Notification Policy contained in the County's Security Policies and Procedures.
- Evaluate current policies and procedures to determine whether modifications are appropriate.