HomeMy WebLinkAboutRESOLUTION 2007-9 - DESIGNATE CITY AS A HYBRID ENTITY - IDEN Council/Agency Meeting Held: oZ z D
Deferred/Continued to:
1 .App ve ❑ Conditionally Approved ❑ Denied
C' �Ck)?S'igna
Council Meeting Date: 2-5-07 Department D Number: CA 06-41
CITY OF HUNTINGTON BEACH
REQUEST FOR CITY COUNCIL ACTION
SUBMITTED TO: Honorable Ma nd City Council Members
SUBMITTED BY: Jennifer McGr ity Attorney
PREPARED BY: Jennifer McG ity Attorney
SUBJECT: Adoption of Resolution No. 2007-9 Pertaining to the Health Insurance
Portability and Accountability Act of 1996
Statement of Issue,Funding Source,Recommended Action,Alternative Action(s),Analysis,Environmental Status,Attachment(s)
Statement of Issue: In order to properly protect confidential health care information
pursuant to the Health Insurance Portability and Accountability Act, the City must adopt a
resolution to designate itself as a hybrid entity and identify departments responsible for
receiving confidential health care information.
Funding Source: No funds are required
Recommended Action: Motion to: Adopt Resolution No. 2007-9 A Resolution of
the City Council of the City Of Huntington Beach Pertaining to the Health Insurance
Portability and Accountability Act of 1996, P.L. 104-91 (Hereinafter HIPAA) Providing For
Compliance By The City with HIPAA as a Hybrid Entity
Alternative Action(s): Do not adopt Resolution No. ?nn7-c)
Analysis:
In 1996, Congress enacted the Health Insurance Portability and Accountability Act (Pub. L.
104-191; "HIPAA"). In general, HIPAA is the federal law that establishes standards for the
privacy and security of health information, as well as standards for electronic data
interchange (EDI) of health information. HIPAA regulations are divided into four Standards
or Rules: (1) Privacy (discussed here), (2) Security, (3) Identifiers, and (4) Transactions and
Code Sets.
The Privacy Rule is the most complex of the four, setting standards for how protected health
information (PHI) "in any form or medium" should be controlled. (HIPAA's other rules cover
only electronic information.) Privacy Rule protections extend to every patient whose
information is collected, used or disclosed by covered entities. It. imposes responsibilities on
the entire workforce of a covered entity including all employees and volunteers. 45 CFR
Parts 160 and 164, Subparts A and E.
When a City routinely handles protected health information in any capacity it will (in all
probability) be considered a covered entity and must comply with the Privacy Rule. (See 45
CFR 160.103). Additionally, many cities conduct functions that make them "business
associates" of a covered entity. A "business associate" is a person or organization that
performs certain functions or activities on behalf of, or provides certain services to, a covered
entity that involve the use or disclosure of individually identifiable health information. For
example, a Fire Department may be a business associate of a paramedic service. In order
to lawfully disclose protected health information to a business associate, a covered entity
must enter into an agreement with each of its business associates. This agreement is
required to obtain satisfactory assurances that the business associate will use the
information only for the purposes for which the business associate has been engaged by the
covered entity.
The Privacy Rule contains an exception for certain organizations that use or disclose
protected health information (PHI) for only a part of its business operations. Such an entity, is
known as a "hybrid entity" (164.504(a)-(c)). Hybrid entities must designate in writing "health
care components" of the organization and describe the operations it conducts that constitute
covered functions. After making this designation, most of the requirements of the Privacy
Rule apply only to the health care components. For example, the organization must train
only those members of its workforce who are involved in the health care component of the
operations. However, it must ensure that the health care information is only available to
those members i.e. identify the employees or classes of employees who will have access to
protected health information, restrict access only to such employees and only for health plan
functions; and provide procedures for resolving employee violations of the requirements of
the Privacy Rule.
A covered entity that does not make this designation is subject to the Privacy Rule as to all of
its staff and programs. In order to reduce the burden of the Privacy Rule, the City must
designate itself as a hybrid entity thereby limiting the number of staff that could generate
adverse legal consequences under HIPAA.
In order to designate itself as a hybrid entity, Huntington Beach must adopt a resolution
designating itself as a hybrid entity,thereby avoiding the pitfalls of the entire City being a
Covered Entity. This resolution must identify the City departments that are responsible for
and have access to medical information of the general public as well as City employees. The
resolution must also designate a City Privacy Officer that will be responsible for overseeing
HIPAA related issues. In addition, departments identified as Health Care Components of the
City must designate privacy officers that will coordinate with the Privacy Officer to ensure
compliance with HIPAA rules. Upon adoption of the resolution, departments identified as
Health Care Components must identify employees that will act as Privacy Officers and those
employees must be trained regarding the proper disclosure of medical information.
REQUEST FOR CITY COUNCIL ACTION
MEETING DATE: 2-5-07 DEPARTMENT ID NUMBER: CA 06-41
Environmental Status: Not applicable.
Attachment(s):
City Clerk's
. . - NumberDescription
1. Resolution No. 2007-9 A Resolution of the City Council of the City
of Huntington Beach Pertaining to the Health Insurance Portability and
Accountability Act of 1996, P.L. 104-91 (Hereinafter HIPAA)
Providing for Compliance by the City With HIPPA as a Hybrid Entity
-2- 1/3/2007 10:38 AM
ATTACHMENT NO
. 1
RESOLUTION NO. 2007-9
A RESOLUTION OF THE CITY COUNCIL OF THE CITY OF HUNTINGTON BEACH
PERTAINING TO THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY
ACT OF 1996, P.L. 104-91 (HEREINAFTER HIPAA)PROVIDING FOR COMPLIANCE BY
THE CITY WITH HIPAA AS A HYBRID ENTITY
WHEREAS, the HIPAA Privacy Rule imposes privacy standards and requirements upon
Covered Entities, which are health plans, health care clearing houses, and health care providers
that transmit any health information in electronic form in connection with standard transactions
within the scope of HIPAA, as defined under 45 C.F.R. § 160.103 of the Privacy Rule; and
It is the intent of the City to incorporate by reference the definitions of terms set forth in
the HIPAA Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Part
160 and Part 164, Subparts A and E (the Privacy Rule); and
The City, a municipal corporation under the laws of the State of California, is a single
legal entity which does not function primarily as a Covered Entity; and
The City desires to provide compliance with HIPAA as a Hybrid Entity with designation
of its Health Care Components under the Privacy Rule and providing for amendment of such
designations; and
While most City departments, offices, and agencies do not perform Covered Entity
functions that are covered by the Privacy Rule, there are City departments, offices, and agencies,
divisions thereof, and the City's Group Health Plan that perform such covered functions, and
therefore, the City may fall within the definition of a Covered Entity that is subject to the Privacy
Rule; and
With the designation of City Health Care Components, the City comes within the
definition of Hybrid Entity under the provisions of 45 C.F.R. § 164.105; and
A City Health Care Component that discloses Protected Health Information to a non-City
entity that provides services to or acts on behalf of the Health Care Component must require that
the non-City entity enter into a Business Associate Agreement with the City for its Health Care
Component in compliance with the Privacy Rule; and
When a City Health Care Component discloses Protected Health Information to other
City departments, offices, agencies, or divisions thereof that would be in a Business Associate
capacity if such entities were separate and distinct, such other City departments, offices,
agencies, or divisions thereof, herein designated as City Business Associate Components, must
comply with certain requirements of the Privacy Rule; and
06-397/2996 1
Resolution No. 2007-9
The City desires to: designate a Privacy Officer,providing said Officer with certain duties,
and providing for amendment of such designation; to enter into contracts in furtherance of
compliance with the Privacy Rule to ratify existing contracts, including but not limited to
business associate agreements,that the City has entered into to as required by the Privacy Rule,
NOW, THEREFORE, THE CITY COUNCIL OF THE CITY OF HUNTINGTON
BEACH DOES HEREBY RESOLVE AS FOLLOWS:
I. Definitions. The definitions of terms set forth in the HIPAA Privacy Rule are
adopted and incorporated herein by reference as if fully set forth; unless otherwise defined
herein, the terms used in this resolution shall have the same definitions as those set forth in the in
the HIPAA Privacy Rule.
2. Health Care Component Designation for Hybrid Entity.
A. City departments, agencies, offices, and any divisions thereof, and the City
Group Health Plans that perform Covered Entity functions under the Privacy Rule shall be
designated as Health Care Components of the City. The following City departments, agencies,
offices, divisions thereof, and City Group Health Plans are each hereby designated as a Health
Care Component of the City: the Fire Department, including its billing service and ambulance
service; the Police Department; and the City Administrator's Office, including City Services Risk
Management Division and the City's Group Health Plan.
B. The,City Council, upon recommendation of the City Attorney, may, by
resolution, amend the designation of City Health Care Components by adding or removing City
departments, agencies, offices, or divisions thereof, or Group Health Plans to or from such
designation.
3. City Responsibility for Compliance with the Privacy Rule.
A. Notwithstanding the designation of the City Health Care Components, the
City shall be ultimately responsible for developing policies and procedures to ensure compliance
with the Privacy Rule, and shall be ultimately responsible for activities related to compliance
with and enforcement of the Privacy Rule.
B. Any Protected Health Information and HIPAA-required documentation
which is received or maintained by a Health Care Component shall not be disclosed to another
Health Care Component and shall not be disclosed to another City department, agency, office, or
other component of the City if such disclosure would be prohibited by the Privacy Rule were
such other department, agency, office or other component a separate legal entity.
4. Privacy Officers.
A. The City Administrator or designee is hereby designated as the City
Privacy Officer to implement and coordinate the City's compliance with the Privacy Rule.
06-397/2996 2
Resolution No. 2007-9
B. Each Health Care Component shall have a designated Privacy Officer as
follows: the Fire Chief or designee shall serve as the Privacy Officer for the Fire Department; the
Police Chief, or designee shall serve as the Privacy Officer for the Police Department; and the
Deputy City Administrator or designee shall serve as the Privacy Officer for the City
Administrator, and for the City's Group Health Plan. Health Care Component Privacy Officers
may appoint employees to assist in the performance of the Privacy Officer's responsibilities set
forth herein.
C. Each Health Care Component Privacy Officer shall be responsible for the
following:
1) Develop written policies and procedures for the Health Care
Component as required by the Privacy Rule and in consultation
with the City Attorney to assure compliance therewith;
2) Receive, process, and respond to requests for or regarding
Protected Health Information received or used by the Health Care
Component;
3) Serve as the Complaint Officer for the Health Care Component;
and
4) Implement the Privacy Rule policies and procedures of the Health
Care Component to assure compliance therewith.
5. Contract Authorization and Ratification.
A. Each Health Care Component Privacy Officer, upon approval of the City
Attorney, is hereby authorized to enter into agreements necessary to comply with the Privacy
Rule, including but not limited to business associate agreements, memorandums of
understanding, confidentiality agreements, and trading partner agreements.
B. All existing business associate agreements entered into by the City in
furtherance of compliance with the Privacy Rule are hereby ratified.
6. City Business Associate Components.
A. Any City department, office, agency, or division thereof that receives
Protected Health Information from a Health Care Component in providing services or performing
activities and functions that would be in the capacity of a Business Associate as defined under 45
C.F.R. § 160.103 of the Privacy Rule if such City department, office, agency, or division thereof
were a separate and distinct legal entity, is hereby designated a Business Associate Component of
the City's Hybrid Entity.
06-397/2996 3
Resolution No. 2007-9
B. Pursuant to 45 C.F.R. § 164.504(e), each Business Associate Component
shall meet the following requirements of the Privacy Rule:
1) Establish permitted uses and disclosure of Protected Health
Information received by each Business Associate Component in
compliance with the Privacy Rule;
2) Use and apply appropriate safeguards to prevent any use or
disclosure of Protected Health Information not permitted by the
Health Care Component or under the Privacy Rule;
3) Report to the Health Care Component and the City Privacy Officer
any use or disclosure of the Protected Health Information of which
it becomes aware that is not permitted by the Health Care
Component or under the Privacy Rule;
4) Ensure that any party to whom the Business Associate Component
provides Protected Health Information received from, or created or
received by the Business Associate Component on behalf of the
Health Care Component agrees to the same restrictions and
conditions that apply to the Business Associate Component with
respect to the Protect Health Information;
5) Make available Protected Health Information in accordance with
45 C.F.R. § 164.524;
6) Make available Protected Health Information for amendment and
incorporate any amendments to Protected Health Information in
accordance with 45 C.F.R. § 164.526;
7) Make available the information required to provide an accounting
of disclosure in accordance with 45 C.F.R. § 164.528;
8) Make its internal practices, books and records relating to the use
and disclosure of Protected Health Information received from, or
created or received by the Business Associate Component on
behalf of, the Health Care Component available to the United
States Secretary of Health and Human Services for purposes of
determining compliance with the Privacy Rule; and
9) Upon completion of the services to or activities on behalf of the
Health Care Component, return or destroy all Protected Health
Information received from, or created or received by the Business
Associate Component on behalf of, the Health Care Component
that is maintained in any form and retain no copies of such
06-397/2996 4
Resolution No. 2007-9
information or, if such return or destruction is not feasible, extend
the privacy protections established and as required by the Privacy
Rule and limit further uses and disclosure to those purposes that
make the return or destruction of the Protected Health Information
infeasible.
7. Severability. If any section, subsection, sentence, clause, phrase or portion of this
resolution is held to be invalid or unconstitutional, or unlawful for any reason, by any court of
competent jurisdiction, such portion shall be deemed and is hereby declared to be a separate,
distinct and independent provision of this ordinance, and such holding or holdings shall not
affect the validity of the remaining portions of this ordinance.
PASSED AND ADOPTED by the City Council of the City of Huntington Beach at a
regular meeting thereof held on the 5th day of February 7200 7
REVIEWED AND APPROVED: Ma
ity A inistrator APPROVED AS TO FORM:
Aity Attorney III 1
INITIATED AND APPROVED:
Fire Chief t ►q ��
06-397/2996 5
Res. No. 2007-9
STATE OF CALIFORNIA
COUNTY OF ORANGE ) ss:
CITY OF HUNTINGTON BEACH )
I, JOAN L. FLYNN the duly elected, qualified City Clerk of the City of
Huntington Beach, and ex-officio Clerk of the City Council of said City, do hereby
certify that the whole number of members of the City Council of the City of
Huntington Beach is seven; that the foregoing resolution was passed and adopted
by the affirmative vote of at least a majority of all the members of said City Council
at an regular meeting thereof held on the 5th day of February, 2007 by the
following vote:
AYES: Bohr, Carchio, Cook, Coerper, Green, Hansen, Hardy
NOES: None
ABSENT: None
ABSTAIN: None
City Jerk and ex-officio CUrk of the
City Council of the City of
Huntington Beach, California
RCA ROUTING SHEET
INITIATING DEPARTMENT: City Attorney
SUBJECT: Adoption of Resolution No. Pertaining to
Health Insurance Ility
COUNCIL MEETING DATE: February 5, 2007
RCA ATTACHMENTS STATUS
Ordinance (w/exhibits & legislative draft if applicable) Attached ❑
Not Applicable ❑
Resolution (w/exhibits & legislative draft if applicable) Attached
Not Applicable ❑
Tract Map, Location Map and/or other Exhibits Attached ❑
Not Ap licable ❑
Contract/Agreement (w/exhibits if applicable) Attached ❑
Signed in full by the City Attorney) Not Applicable ❑
Subleases, Third Party Agreements, etc. Attached
El
Approved as to form by City Attorney) Not Applicable ❑
Certificates of Insurance (Approved by the City Attorney) Attached ❑
Not Applicable ❑
Fiscal Impact Statement (Unbudgeted, over$5,000) Attached
Not Ap licable ❑
Bonds (If applicable) Attached ❑
Not Applicable ❑
Staff Report (If applicable) Attached ❑
Not Applicable ❑
Commission, Board or Committee Report (If applicable) Attached
Not Ap licable ❑
Findings/Conditions for Approval and/or Denial Attached ❑
Not Ap licable ❑
EXPLANATION FOR MISSING ATTACHMENTS
REVIEWED RETURNED FORWARDED
Administrative Staff
Deputy City Administrator Initial
City Administrator Initial
City Clerk
EXPLANATION FOR RETURN OF ITEM:
Only)(Below Space For City Clerk's Use
RCA Author: 06-397/6290 my