The purpose of this policy is to identify Atlantic County's intent to fully implement the requirements set forth under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In its initial phase HIPAA provided guidelines to insurers for minimum standards of health coverage, the administration of preexisting conditions and guaranteed renewal of health insurance. The second phase of HIPAA provides for safeguards of protected health information (PHI) from disclosure, fraud, and abuse. It gives individuals choices about who can access their personal health information. It also sets standards for how that information is used and shared throughout the entire health care industry. While the County has long been committed to protecting client confidentiality, HIPAA provides an opportunity to improve procedures and coordinate policies for all services.
HIPAA impacts the way Atlantic County provides services in one way or another. Five areas of HIPAA that affect County services are
1. Certification of coverage
A.) Nursing Home as a medical provider
The County's operation of the nursing home (which qualified as a medical provider) and Atlantic County Health Benefits (qualified as a health plan for its self insured PPO) results in the County having business relationships with outside vendors or entities which provide materials and/or administrative type services that aid the County in its role as a provider of medical services. These outside third party entities are referred to under the HIPAA regulations as "Business Associates" (45 CFR § 160.103).
The County is permitted under HIPAA regulations to disclose certain PHI to Business Associates for limited purposes and under limited circumstances. The regulations require that the County have a written agreement, known as a Business Associate Agreement with those business entities to insure that the disclosure of PHI will be limited to only that which is reasonably necessary. (45 CFR § 164.502(e)(1)-(4) et seq.). Atlantic County will enter into Business Associates Agreements with its Business Associates as required by the HIPAA to protect against the unlawful disclosure of Protected Health Information (PHI). Atlantic County will review new programs or changes in programs to determine if HIPAA applies. Atlantic County has determined certain programs have business relationships with outside vendors or entities which provide materials and/or administrative information to assist the County in providing health services. This relationship defines the county as a Business Associate to the vendor who delivers the service and requires Business Associate Agreements between the County and the vendors.
Policies and procedures are required for each covered program to (1) identify staff that is covered by the regulations of the Act and (2) outline how PHI will be safeguarded and shared.
Due to having covered entities, the County is required to identify a privacy officer within each covered entity. Complaints against the covered entity should be addressed to the Privacy Complaint Officer.
I. Privacy Officers. According to Section (45 CFR § 164.530) under the HIPAA regulations, the Privacy Officer is responsible for the development and implementation of the policies and procedures of the covered entity; as well as arrange and document training needs of employees. A copy of each covered entity's Policy and Procedures will be held by the privacy officer and the Privacy Complaint Officer. The County has identified the following privacy officers for each covered program:
A.) Nursing Home - Marietta Stewart
II. Privacy Complaint Officer. According to section (45 CFR § 164.530), The Privacy Complaint Officer will monitor policy and procedures to ensure compliance; be responsible for receiving and responding to complaints and will be able to provide further information about matters covered by the notice of privacy practices. The County Privacy Complaint Officer is.
A.) Department of Administrative Services - Tammi Robbins
III. Business Associate Agreements. All agreements will be forwarded
to the Privacy Complaint Officer to obtain final review and approval
from the Steering Committee.
For more information on the Health Insurance Portability and Accountability Act (HIPAA) follow this link: http://www.dhhs.gov/ocr/hipaa/.