301363

ORANGE COUNTY SHERIFF'S OFFICE GENERAL ORDER Effective Date: January 21, 2011  Amends - GO 4.6.20 (January 30, 2009) Number: 4.6.20 Distribution: All Personnel Review Month: January Reviewing Authority: HRD / Employee Services Subject: Health Insurance Portability And Accountability Act (HIPAA) This order consists of the following: 1. Purpose 2. Policy 3. Definitions 4. Procedures 1. Purpose The purpose of this policy is to educate agency employees on the Health Insurance Portability and Accountability Act’s (HIPAA) privacy and confidentiality provisions and establish proper procedures for using and disclosing Protected Health Information (PHI) within the workplace and to third parties. 2. Policy The agency will use and disclose PHI only as permitted under HIPAA. All members of the agency’s workforce who have access to PHI are required to comply with this privacy policy. For purposes of this policy, the agency’s workforce includes all full and part time employees, volunteers, reserves, c ontract workers, and temporary employees of the agency. 3. Definitions A. Beneflex Plan – the Orange County Sheriff’s Office Beneflex Plan (hereinafter referred to as the “Plan”). B. Health Insurance Portability and Accountability Act (HIPAA) – federal law and implementing regulations that restrict the use and disclosure of protected health information. C. Personal Representative – a person who possesses appropriate documentation, such as a valid power of attorney, authorizing him or her to obtain, use, and discl ose PHI about another person. D. Privacy Contact – individual designated by the Sheriff who serves as the contact person for participants who have questions, concerns, or complaints about the privacy of their PHI. E. Privacy Officer – individual designated by the Sheriff who is responsible for developing and implementing policies and procedures on HIPAA related privacy issues, including but not limited to this privacy policy and the agency’s use and 4.6.20, Page 2 of 5 disclosure procedures. F. Protected Health Information (PHI) – information that is created or received by the Beneflex Plan and relates to the past, present, or future physical or mental health or condition of a participant; the provision of health care to a participant; or the past, present, or future payment for the provision of health care to a participant; and that identifies the participant or which there is a reasonable basis to believe the information can be used to identify the participant. PHI includes information of persons living or deceased. It does not in clude information from fitness -for-duty examinations, driving physicals, or drug tests. 4. Procedures A. “HIPAA,” which stands for “ Health Insurance Portabilit y and Accountability Act , is a federal law governing the confidentiality of certain medical information. The Sheriff of Orange County, Florida, has designated the agency as a hybrid entity for HIPAA purposes. As a hybrid entity, the agency will confirm that its designated “covered components” comply fully with the requirements of 45 C.F.R. Parts 160 and 164, the HIPAA Privacy Regulations. The following sections/units are covered components under the Privacy Rules: 1. Human Resources Risk Management and Benefits Sections. 2. Human Resources Personnel Services Unit , File Room personnel . 3. The Privacy Officer, Privacy Contact, and his or her support staff. 4. Information Technology personnel designated as Network Administrators with access to protected hea lth information (PHI). All other units, sections, and divisions within the agency are non -covered components and are not covered under the Privacy Rules or HIPAA. B. Uses and Disclosures of PHI 1. The agency as a Health Plan Sponsor may receive PHI from employees as needed to enroll participants in a plan or specific benefit. 2. The agency may receive information directly from employees in coordinating the receipt of benefits such as pre -certification or authorization, eligibility, claims issues, treatme nt payments, billing and similar services. a. Minimal Disclosure of PHI Agency members shall only request or disclose PHI to the minimum amount necessary. Agency employees shall verify the extent of information required before providing the information. Similarly, when requesting information from other entities, employees shall limit their request to only the amount of information that is necessary from completing the task at hand. b. Limited Employee Access to PHI To protect PHI from unintentional disclo sure, the Human Resources Division Commander and the D irector of IT will designate employees in their respective division and section who are permitted to handle 4.6.20, Page 3 of 5 such information and, in coordination with the Privacy Officer, shall help to verify through r easonable technical, organizational, and electronic mechanisms that guidelines for handling, uses, and disclosure of information are followed. C. Technical and Physical Safeguards The agency will establish appropriate technical and physical safeguards to prevent the intentional or unintentional use or disclosure of PHI in violation of HIPAA’s requirements. 1. Technical safeguards may include reasonable limits on access to information by creating computer firewalls so only authorized employees have access to PHI. This access is to the minimum amount of PHI necessary for plan administrative functions, and they do not use or disclose PHI in violation of HIPAA’s privacy rules. 2. Physical safeguards include locking doors or filing cabinets, controlling physical access to building or work areas,