The URL can be used to link to this page

Home My WebLink AboutCity Council - 2007-9 RESOLUTION NO. 2007-9 A RESOLUTION OF THE CITY COUNCIL OF THE CITY OF HUNTINGTON BEACH PERTAINING TO THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996, P.L. 104-91 (HEREINAFTER HIPAA)PROVIDING FOR COMPLIANCE BY THE CITY WITH HIPAA AS A HYBRID ENTITY WHEREAS, the HIPAA Privacy Rule imposes privacy standards and requirements upon Covered Entities, which are health plans, health care clearing houses, and health care providers that transmit any health information in electronic form in connection with standard transactions within the scope of HIPAA, as defined under 45 C.F.R. § 160.103 of the Privacy Rule; and It is the intent of the City to incorporate by reference the definitions of terms set forth in the HIPAA Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Part 160 and Part 164, Subparts A and E (the Privacy Rule); and The City, a municipal corporation under the laws of the State of California, is a single legal entity which does not function primarily as a Covered Entity; and The City desires to provide compliance with HIPAA as a Hybrid Entity with designation of its Health Care Components under the Privacy Rule and providing for amendment of such designations; and While most City departments, offices, and agencies do not perform Covered Entity functions that are covered by the Privacy Rule,there are City departments, offices, and agencies, divisions thereof, and the City's Group Health Plan that perform such covered functions, and therefore, the City may fall within the definition of a Covered Entity that is subject to the Privacy Rule; and With the designation of City Health Care Components, the City comes within the definition of Hybrid Entity under the provisions of 45 C.F.R. § 164.105; and A City Health Care Component that discloses Protected Health Information to a non-City entity that provides services to or acts on behalf of the Health Care Component must require that the non-City entity enter into a Business Associate Agreement with the City for its Health Care Component in compliance with the Privacy Rule; and When a City Health Care Component discloses Protected Health Information to other City departments, offices, agencies, or divisions thereof that would be in a Business Associate capacity if such entities were separate and distinct, such other City departments, offices, agencies, or divisions thereof, herein designated as City Business Associate Components, must comply with certain requirements of the Privacy Rule; and 06-397/2996 1 Resolution No. 2007-9 The City desires to: designate a Privacy Officer, providing said Officer with certain duties, and providing for amendment of such designation; to enter into contracts in furtherance of compliance with the Privacy Rule to ratify existing contracts, including but not limited to business associate agreements, that the City has entered into to as required by the Privacy Rule, NOW, THEREFORE, THE CITY COUNCIL OF THE CITY OF HUNTINGTON BEACH DOES HEREBY RESOLVE AS FOLLOWS: 1. Definitions. The definitions of terms set forth in the HIPAA Privacy Rule are adopted and incorporated herein by reference as if fully set forth; unless otherwise defined herein, the terms used in this resolution shall have the same definitions as those set forth in the in the HIPAA Privacy Rule. 2. Health Care Component Designation for Hybrid Entity. A. City departments, agencies, offices, and any divisions thereof, and the City Group Health Plans that perform Covered Entity functions under the Privacy Rule shall be designated as Health Care Components of the City. The following City departments, agencies, offices, divisions thereof, and City Group Health Plans are each hereby designated as a Health Care Component of the City: the Fire Department, including its billing service and ambulance service; the Police Department; and the City Administrator's Office, including City Services Risk Management Division and the City's Group Health Plan. B. The City Council, upon recommendation of the City Attorney, may, by resolution, amend the designation of City Health Care Components by adding or removing City departments, agencies, offices, or divisions thereof, or Group Health. Plans to or from such designation. 3. City Responsibility for Compliance with the Privacy Rule. A. Notwithstanding the designation of the City Health Care Components, the City shall be ultimately responsible for developing policies and procedures to ensure compliance with the Privacy Rule, and shall be ultimately responsible for activities related to compliance with and enforcement of the Privacy Rule. B. Any Protected Health Information and HIPAA-required documentation which is received or maintained by a Health Care Component shall not be disclosed to another Health Care Component and shall not be disclosed to another City department, agency, office, or other component of the City if such disclosure would be prohibited by the Privacy Rule were such other department, agency, office or other component a separate legal entity. 4. Privacy Officers. A. The City Administrator or designee is hereby designated as the City Privacy Officer to implement and coordinate the City's compliance with the Privacy Rule. 06-397/2996 2 Resolution No. 2007-9 B. Each Health Care Component shall have a designated Privacy Officer as follows: the Fire Chief or designee shall serve as the Privacy Officer for the Fire Department; the Police Chief, or designee shall serve as the Privacy Officer for the Police Department; and the Deputy City Administrator or designee shall serve as the Privacy Officer for the City Administrator, and for the City's Group Health Plan. Health Care Component Privacy Officers may appoint employees to assist in the performance of the Privacy Officer's responsibilities set forth herein. C. Each Health Care Component Privacy Officer shall be responsible for the following: 1) Develop written policies and procedures for the Health Care Component as required by the Privacy Rule and in consultation with the City Attorney to assure compliance therewith; 2) Receive, process, and respond to requests for or regarding Protected Health Information received or used by the Health Care Component; 3) Serve as the Complaint Officer for the Health Care Component; and 4) Implement the Privacy Rule policies and procedures of the Health Care Component to assure compliance therewith. 5. Contract Authorization and Ratification. A. Each Health Care Component Privacy Officer, upon approval of the City Attorney, is hereby authorized to enter into agreements necessary to comply with the Privacy Rule, including but not limited to business associate agreements, memorandums of understanding, confidentiality agreements, and trading partner agreements. B. All existing business associate agreements entered into by the City in furtherance of compliance with the Privacy Rule are hereby ratified. 6. City Business Associate Components. A. Any City department, office, agency, or division thereof that receives Protected Health Information from a Health Care Component in providing services or performing activities and functions that would be in the capacity of a Business Associate as defined under 45 C.F.R. § 160.103 of the Privacy Rule if such City department, office, agency, or division thereof were a separate and distinct legal entity, is hereby designated a Business Associate Component of the City's Hybrid Entity. 06-397/2996 3 Resolution No. 2007-9 B. Pursuant to 45 C.F.R. § 164.504(e), each Business Associate Component shall meet the following requirements of the Privacy Rule: 1) Establish permitted uses and disclosure of Protected Health Information received by each Business Associate Component in compliance with the Privacy Rule; 2) Use and apply appropriate safeguards to prevent any use or disclosure of Protected Health Information not permitted by the Health Care Component or under the Privacy Rule; 3) Report to the Health Care Component and the City Privacy Officer any use or disclosure of the Protected Health Information of which it becomes aware that is not permitted by the Health Care Component or under the Privacy Rule; 4) Ensure that any party to whom the Business Associate Component provides Protected Health Information received from, or created or received by the Business Associate Component on behalf of the Health Care Component agrees to the same restrictions and conditions that apply to the Business Associate Component with respect to the Protect Health Information; 5) Make available Protected Health Information in accordance with 45 C.F.R. § 164.524; 6) Make available Protected Health Information for amendment and incorporate any amendments to Protected Health Information in accordance with 45 C.F.R. § 164.526; 7) Make available the information required to provide an accounting of disclosure in accordance with 45 C.F.R. § 164.528; 8) Make its internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created or received by the Business Associate Component on behalf of, the. Health Care Component available to the United States Secretary of Health and Human Services for purposes of determining compliance with the Privacy Rule; and 9) Upon completion of the services to or activities on behalf of the Health Care Component, return or destroy all Protected Health Information received from, or created or received by the Business Associate Component on behalf of, the Health Care Component that is maintained in any form and retain no copies of such 06-397/2996 4 Resolution No. 2007-9 information or, if such return or destruction is not feasible, extend the privacy protections established and as required by the Privacy Rule and limit further uses and disclosure to those purposes that make the return or destruction of the Protected Health Information infeasible. 7. Severability. If any section, subsection, sentence, clause, phrase or portion of this resolution is held to be invalid or unconstitutional, or unlawful for any reason, by any court of competent jurisdiction, such portion shall be deemed and is hereby declared to be a separate, distinct and independent provision of this ordinance, and such holding or holdings shall not affect the validity of the remaining portions of this ordinance. PASSED AND ADOPTED by the City Council of the City of Huntington Beach at a regular meeting thereof held on the 5th day of February , 200 7 REVIEWED AND APPROVED: F Ma Z" ity A inistrator APPROVED AS TO FORM: r Ailty Attorney U1 Z,i 74d INITIATED AND APPROVED: Fire Chief �q o 06-397/2996 5 Res. No. 2007-9 STATE OF CALIFORNIA COUNTY OF ORANGE ) ss: CITY OF HUNTINGTON BEACH ) I, JOAN L. FLYNN the duly elected, qualified City Clerk of the City of Huntington Beach, and ex-officio Clerk of the City Council of said City, do hereby certify that the whole number of members of the City Council of the City of Huntington Beach is seven; that the foregoing resolution was passed and adopted by the affirmative vote of at least a majority of all the members of said City Council at an regular meeting thereof held on the 51th day of February, 2007 by the following vote: AYES: Bohr, Carchio, Cook, Coerper, Green, Hansen, Hardy NOES: None ABSENT: None ABSTAIN: None City lerk and ex-officio &rk of the City Council of the City of Huntington Beach, California