2005-030

HIPAA-AS ADDENDUM TO ADMINISTRATIVE SERVICES AGREEMENT

This addendum ("Addendum") is effective upon execution and amends that Administrative Services Agreement ("Agreement") made as of October 1, 1996 by and among Blue Cross and Blue Shield of Florida, Inc. ("Administrator"); Indian River County ("Employer") and Indian River County Group Health Plan ("GHP").

WHEREAS, Employer has established and maintains GHP as a self-insured employee welfare benefit plan, as described in GHP's Plan Document (referred to in the Agreement as the Group Health Plan); and

WHEREAS, Employer and GHP desire to retain Administrator to provide certain claim processing and administrative services with respect to GHP; and

WHEREAS, Employer, GHP, and Administrator agree to modify the Agreement to incorporate the provisions of this Addendum to address applicable requirements of the implementing regulations, codified at 45 Code of Federal Regulations ("C.F.R.") Parts 160-64, for the Administrative Simplification provisions of Title II, Subtitle F of the Health Insurance Portability and Accountability Act of 1996 (collectively, "HIPAA-AS"), so that GHP may meet its compliance obligations under HIPAA-AS, and to include additional provisions that Employer, GHP, and Administrator desire to have as part of the Agreement;

NOW, THEREFORE, in consideration of the mutual promises contained herein, Employer, GHP, and Administrator hereby agree as follows:

PART 1—DEFINITIONS

I. DEFINITIONS
All capitalized terms in this Addendum that are not defined by this Addendum will have the meaning ascribed to them by 45 C.F.R. Parts 160-64. The following terms have the following meanings when used in this Addendum:

A. "Covered Employee" means the person to whom coverage under GHP has been extended by Employer.

B. "Covered Person" means the Covered Employee and any other persons to whom coverage has been extended under GHP as specified by GHP's Plan Document.

C. "Creditable Coverage Certificate" means a certificate disclosing information relating to an individual's creditable coverage under a health care benefit program for purposes of reducing any preexisting condition limitation or exclusion imposed by any group health plan coverage.

D. "Disclose" and "disclosure" mean, with respect to Protected Health Information, release, transfer, providing access to or divulging to a person or entity not within Administrator.

E. "Electronic Protected Health Information" means Protected Health Information that is (1) transmitted by electronic media or (2) maintained in electronic media.

F. "Protected Health Information" means the Protected Health Information, as that term is defined in 45 C.F.R. § 160.103, that Administrator creates or receives for, on behalf of, or from GHP (or from a GHP Business Associate) in the performance of Administrator's duties under the Agreement and this Addendum. For purposes of this Addendum, Protected Health Information encompasses Electronic Protected Health Information.

HIPAA\BA Amend to ASO Agmt - fini August 12, 2004

G. "Plan Document" means GHP's written documentation that informs Covered Persons of the benefits to which they are entitled from GHP and describes the procedures for (1) establishing and carrying out funding of the benefits to which Covered Persons are entitled under GHP, (2) allocating and delegating responsibility for GHP's operation and administration, and (3) amending the Plan Document. Employer and GHP represent and warrant that GHP's Plan Document provides for the allocation and delegation of the responsibilities assigned to Administrator under the Agreement.

I. "Use" means, with respect to Protected Health Information, utilization, employment, examination, analysis or application within Administrator.

PART 2--ADMINISTRATOR'S RESPONSIBILITIES

II. SERVICES PROVIDED BY ADMINISTRATOR
During the continuance of the Agreement, Administrator will perform the services set forth in the Agreement with respect to the benefits offered to Covered Persons by GHP.

III. PRIVACY AND SECURITY OF PROTECTED HEALTH INFORMATION

A. Preservation of Privacy
Administrator will keep confidential all Protected Health Information that Administrator creates or receives on GHP's behalf or receives from GHP (or another Business Associate of GHP) in the performance of its duties under the Agreement and this Addendum.

B. Prohibition on Non-Permitted Use or Disclosure
Administrator will neither use nor disclose Protected Health Information (including any Protected Health Information that Administrator may receive from a GHP Business Associate) except (1) as permitted or required by this Addendum, (2) as permitted or required in writing by GHP, or (3) as Required by Law.

C. Permitted Uses and Disclosures
Administrator will be permitted to use or disclose Protected Health Information only as follows:

1. Functions and Activities on GHP's Behalf
Administrator will be permitted to use and disclose Protected Health Information for the performance of services set forth in the Agreement, which the parties agree are intended to include, but are not limited to, Payment activities and Health Care Operations, and which shall hereby also include Data Aggregation.

2. Payment Activities and Health Care Operations
Administrator will be permitted to disclose Protected Health Information in accordance with 45 C.F.R. § 164.506(c) for the Payment activities of another Covered Entity or Health Care Provider and for the qualifying Health Care Operations of another Covered Entity.

3.
Covered Person Permission
Administrator will be permitted to use or disclose Protected Health Information in accordance with an authorization or other permission granted by an Individual (or the Individual's Personal Representative) in accordance with 45 C.F.R. § 164.508 or 45 C.F.R. § 164.510, as applicable.

4. Administrator's Own Management and Administration

a. Protected Health Information Use
Administrator will be permitted to use Protected Health Information as necessary for Administrator's proper management and administration or to carry out Administrator's legal responsibilities.

b. Protected Health Information Disclosure
Administrator will be permitted to disclose Protected Health Information as necessary for Administrator's proper management and administration or to carry out Administrator's legal responsibilities only (i) if the disclosure is Required by Law, or (ii) if before the disclosure, Administrator obtains from the entity to which the disclosure is to be made reasonable assurance, evidenced by written contract, that the entity will (1) hold Protected Health Information in confidence, (2) use or further disclose Protected Health Information only for the purposes for which Administrator disclosed it to the entity or as Required by Law; and (3) notify Administrator of any instance of which the entity becomes aware in which the confidentiality of any Protected Health Information was breached.

5. De-Identified Health Information
Administrator may use Protected Health Information to create De-Identified Health Information in conformance with 45 C.F.R. § 164.514(b). Administrator may use and disclose De-Identified Health Information for any purpose, including after any termination of the Agreement and this Addendum.

6. Limited Data Set

a. Creation of Limited Data Set. Administrator may use Protected Health Information to create a Limited Data Set:

i. that contains the minimum amount of Protected Health Information reasonably necessary to accomplish the purposes set out in Paragraph b of this Section III.C.6, below; and

ii. from which have been removed all of the direct identifiers, as specified in 45 C.F.R. § 164.514(e)(2), of the Individuals whose Protected Health Information is included in the Limited Data Set and of the relatives, household members and employers of those Individuals.

b. Administrator's Permitted Uses and Disclosures. Administrator may use and disclose the Limited Data Set for only Health Care Operations permitted by this Addendum.

c. Prohibition on Unauthorized Use or Disclosure.

i. Administrator will neither use nor disclose the Limited Data Set for any purpose other than as permitted by Paragraph b of this Section III.C.6, as otherwise permitted in writing by GHP, or as Required by Law.

ii. Administrator is not authorized to use or disclose the Limited Data Set in a manner that would violate the Privacy Rule, 45 C.F.R. Part 164, Subpart E, if done by GHP.

iii. Administrator will not attempt to identify the information contained in the Limited Data Set or contact any Individual who may be the subject of information contained in the Limited Data Set.

d. Information Safeguards. Administrator will adopt and use appropriate administrative, physical, and technical safeguards to preserve the integrity and confidentiality of the Limited Data Set and to prevent its use or disclosure other than as permitted by this Section III.C.6.

e. Permitted Subcontractors, and Agents. Administrator will require any agent or subcontractor to which it discloses the Limited Data Set, to agree to comply with the same restrictions and conditions that apply to Administrator's use and disclosure of the Limited Data Set pursuant to this Section III.C.6.

f. Breach of Privacy Obligations.
Administrator will report to GHP any use or disclosure of the Limited Data Set that is not permitted by this Section III.C.6 of which Administrator becomes aware.

D. Minimum Necessary
Administrator will, in the performance of its functions and activities on GHP's behalf under the Agreement and this Addendum, make reasonable efforts to use, to disclose, or to request of a Covered Entity only the minimum necessary amount of Protected Health Information to accomplish the intended purpose of the use, the disclosure, or the request, except that Administrator will not be obligated to comply with this minimum necessary limitation with respect to:

1. Disclosures to GHP, as distinguished from disclosures to Employer;

2. Disclosure to or request by a health care provider for Treatment;

3. Use with or disclosure to a Covered Person who is the subject of Protected Health Information, or that Covered Person's Personal Representative;

4. Use or disclosure made pursuant to an authorization compliant with 45 C.F.R. § 164.508 that is signed by an Individual who is the subject of Protected Health Information to be used or disclosed, or by that Individual's Personal Representative, as defined in 45 C.F.R. § 164.502(g);

5. Disclosure to the United States Department of Health and Human Services ("DHHS") in accordance with Section VIII below;

6. Use or disclosure that is Required by Law; or

7. Any other use or disclosure that is excepted from the minimum necessary limitation as specified in 45 C.F.R. § 164.502(b)(2).

E. Disclosure to GHP and GHP's Business Associates
Other than disclosures permitted by Section III.C. above, Administrator will not disclose Protected Health Information to GHP, a GHP Business Associate, or a GHP Vendor, except as directed by GHP in writing.

F.
Disclosure to Administrator's Subcontractors and Agents
Administrator may disclose Protected Health Information to a subcontractor or agent. Administrator will require each subcontractor and agent to which Administrator may disclose Protected Health Information to provide reasonable assurance, evidenced by written contract, that such subcontractor or agent will comply with the same privacy and security obligations with respect to Protected Health Information as this Addendum applies to Administrator.

G. Disclosure to Employer
Administrator will not disclose any Protected Health Information to Employer, except as permitted by and in accordance with PART 3 below.

H. Reporting Non-Permitted Use or Disclosure and Security Incidents

1. Privacy Breach
Administrator will report to GHP any use or disclosure of Protected Health Information not permitted by this Addendum or in writing by GHP of which Administrator becomes aware.

2. Security Incidents
Administrator will report to GHP any incident of which Administrator becomes aware that is (a) a successful unauthorized access, use or disclosure of Electronic Protected Health Information; or (b) a successful major (i) modification or destruction of Electronic Protected Health Information or (ii) interference with system operations in an Information System containing Electronic Protected Health Information. Upon GHP's request, Administrator will report any incident of which Administrator becomes aware that is a successful minor (a) modification or destruction of Electronic Protected Health Information or (b) interference with system operations in an Information System containing Electronic Protected Health Information.

I. Duty to Mitigate
Administrator will mitigate to the extent practicable any harmful effect of which Administrator is aware that is caused by any use or disclosure of Protected Health Information in violation of this Addendum.

J.
Termination of Addendum
GHP will have the right to terminate the Agreement and this Addendum if Administrator has engaged in a pattern of activity or practice that constitutes a material breach or violation of Administrator's obligations regarding Protected Health Information under this Addendum and, on notice of such material breach or violation from GHP, fails to take reasonable steps to cure the breach or end the violation. If Administrator fails to cure the material breach or end the violation within 90 days after receipt of GHP's notice, GHP may terminate the Agreement and this Addendum by providing Administrator written notice of termination, stating the uncured material breach or violation that provides the basis for the termination and specifying the effective date of the termination.

K. Disposition of Protected Health Information

1. Return or Destruction Feasible
Upon termination of the Addendum, Administrator will, if feasible, return to GHP or destroy, all Protected Health Information in Administrator's custody or control (or in the custody or control of any subcontractor or agent to which Administrator disclosed Protected Health Information). Administrator will complete such return or destruction as promptly as practical after termination of the Addendum.

2. Return or Destruction Not Feasible
Administrator will identify for GHP any Protected Health Information that Administrator (or any subcontractor or agent to which Administrator disclosed Protected Health Information) cannot feasibly return to GHP or destroy upon termination of the Addendum and will describe the purposes that make the return to GHP or destruction infeasible. Administrator will limit its (and, by its written contract pursuant to Section III.F. above, any subcontractor's or agent's) further use or disclosure of Protected Health Information after termination of the Addendum to the purposes that make return to GHP or destruction infeasible and to those uses or disclosures Required by Law.

3. Ongoing Privacy and Security Obligations
Administrator's obligations to preserve the privacy and safeguard the security of Protected Health Information as specified in this Addendum will survive termination or other conclusion of the Agreement and this Addendum.

IV. ACCESS, AMENDMENT AND DISCLOSURE ACCOUNTING FOR PROTECTED HEALTH INFORMATION

A. Access
Administrator will, consistent with 45 C.F.R. § 164.524(b)(2), make available to the Covered Person (or the Covered Person's Personal Representative) for inspection and copying any of the Protected Health Information about the Covered Person that qualifies as part of a Designated Record Set that Administrator has in its custody or control, and that is not exempted from access by 45 C.F.R. § 164.524(a), so that GHP can meet its access obligations under 45 C.F.R. § 164.524.

B. Amendment
Administrator will, consistent with 45 C.F.R. § 164.526(b)(2), amend, pursuant to a Covered Person's written request to amend (or a written request to amend by the Covered Person's Personal Representative), any portion of Protected Health Information about the Covered Person that qualifies as part of a Designated Record Set that Administrator has in its custody or control, so that GHP can meet its amendment obligations under 45 C.F.R. § 164.526.

C. Disclosure Accounting
So that GHP may meet its disclosure accounting obligations under 45 C.F.R. § 164.528, Administrator will do the following:

1. Disclosure Tracking
Starting April 14, 2003, Administrator will, consistent with 45 C.F.R. § 164.528(b), record each disclosure of Protected Health Information that is not excepted from disclosure accounting under 45 C.F.R. § 164.528(a) that Administrator makes to GHP or to a third party ("Accountable Disclosures").

2. Disclosure Tracking Time Periods
Administrator will have available for Covered Person the disclosure information for each Accountable Disclosure for at least six (6) years immediately following the date of the Accountable Disclosure (except Administrator will not be required to have disclosure information for disclosures occurring before April 14, 2003).

3. Provision of Disclosure Information
Administrator will, consistent with 45 C.F.R. § 164.528(c)(1), make available to the Covered Person (or the Covered Person's Personal Representative) the disclosure information regarding the Covered Person, so that GHP can meet its disclosure accounting obligations under 45 C.F.R. § 164.528.

D. Restriction Requests
GHP will direct a Covered Person to promptly notify Administrator in the manner designated by Administrator of any request for restriction on the use or disclosure of Protected Health Information about a Covered Person that may affect Administrator. Consistent with 45 C.F.R. § 164.522(a), and on behalf of GHP, Administrator will agree to or deny any such restriction request. Administrator will not be in breach of the Agreement or this Addendum for failure to comply with a restriction request on the use or disclosure of Protected Health Information about a Covered Person unless GHP or the Covered Person (or the Covered Person's Personal Representative) notifies Administrator in the manner designated by Administrator of the terms of the restriction and Administrator agrees to the restriction request in writing.

E.
Confidential Communications
Administrator will provide a process for a Covered Person to request that Administrator communicate with the Covered Person about Protected Health Information about the Covered Person by confidential alternative location, and Covered Person to provide Administrator with the information that Administrator needs to be able to evaluate that request. Consistent with 45 C.F.R. § 164.522(b) and on behalf of GHP, Administrator will agree to or deny any confidential communication request. Furthermore, Administrator will develop policies and procedures consistent with 45 C.F.R. § 164.522(b) to fulfill its obligations under this paragraph. Administrator will provide a process for termination of any requirement to communicate with the Covered Person about Protected Health Information about the Covered Person by confidential alternative location.

F. Complaint Process
Administrator will, consistent with 45 C.F.R. § 164.530(d) and on behalf of GHP, provide a process for Covered Persons (or Covered Person's Personal Representative) to make complaints concerning Administrator's policies and procedures, which policies and procedures GHP hereby adopts as its own so that GHP can meet its compliance obligations under 45 C.F.R. Part 164.

V. GHP'S PRIVACY PRACTICES NOTICE

A. Preparation of GHP's Privacy Practices Notices
Administrator will prepare Privacy Practices Notices appropriate for the benefit plans that Administrator administers for GHP under the Agreement and reflective of the requirements of 45 C.F.R. Part 164 pertaining to use and disclosure of Protected Health Information and Covered Person's rights with respect to Protected Health Information.
The Privacy Practices Notices will address whether GHP discloses or authorizes Administrator to disclose to Employer enrollment data, Summary Health Information that may include Covered Persons' Individually Identifiable Health Information, or Protected Health Information for plan administration functions. Unless otherwise agreed upon by the Parties, GHP hereby adopts Administrator's Privacy Practices Notice attached as EXHIBIT 1, and any future revisions thereof, as its own.

B. Distribution of GHP's Privacy Practices Notice
Administrator will distribute GHP's then effective and appropriate Privacy Practices Notice to each new Covered Employee upon the Covered Employee's enrollment in GHP and to any Covered Employee upon request. Administrator will distribute any GHP revised Privacy Practices Notice to each Covered Employee then enrolled in GHP, and may distribute any GHP revised Privacy Practices Notice to any other Covered Person over the age of 18 then enrolled in GHP, within sixty (60) days after any material change in GHP's Privacy Practices Notice. Administrator will distribute GHP's Privacy Practices Notice to any Covered Person requesting it. Additionally, every three (3) years after April 14, 2003, Administrator will notify each Covered Employee then enrolled in GHP, and may notify any other Covered Person over the age of 18 then enrolled in GHP, of the availability of GHP's Privacy Practices Notice upon request.

C. Administrator to Comply with Notices
Administrator will neither use nor disclose Protected Health Information in any manner inconsistent with the content of GHP's then current Privacy Practices Notice applicable to the benefit plans that Administrator administers for GHP under the Agreement.

VI.
ISSUANCE OF CERTIFICATE OF CREDITABLE COVERAGE
At the written or electronic direction of Employer or GHP, Administrator may use and disclose Protected Health Information to issue to each Covered Person, whose coverage under a benefits plan administered pursuant to the Agreement terminates during the term of the Agreement, a Certificate of Creditable Coverage. The Certificate of Creditable Coverage will be based upon the coverage that the Covered Person had under the benefits plan administered pursuant to the Agreement and the information that Employer or GHP provides to Administrator regarding the Covered Person's coverage eligibility and coverage termination under that benefits plan.

VII. SAFEGUARDING PROTECTED HEALTH INFORMATION

A. Privacy of Protected Health Information
Administrator will maintain reasonable and appropriate administrative, physical, and technical safeguards, consistent with 45 C.F.R. § 164.530(c) and any other implementing regulations issued by DHHS that are applicable to Administrator as GHP's Business Associate, to protect against reasonably anticipated threats or hazards to and to ensure the security and integrity of Protected Health Information, to protect against reasonably anticipated unauthorized use or disclosure of Protected Health Information, and to reasonably safeguard Protected Health Information from any intentional or unintentional use or disclosure in violation of this Addendum.

B. Security of Electronic Protected Health Information
Administrator will develop, implement, maintain, and use administrative, technical, and physical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information that Administrator creates, receives, maintains, or transmits on behalf of GHP consistent with the Security Rule, 45 C.F.R. Part 164, Subpart C.

VIII.
INSPECTION OF INTERNAL PRACTICES BOOKS AND RECORDS
Administrator will make its internal practices, books, and records relating to its use and disclosure of Protected Health Information available to GHP and to DHHS to determine GHP's compliance with 45 C.F.R. Part 164, Subpart E "Privacy of Individually Identifiable Health Information."

PART 3—EMPLOYER'S RESPONSIBILITIES

IX. DATA EXCHANGE BETWEEN EMPLOYER AND ADMINISTRATOR

A. Enrollment Data
Administrator may disclose to Employer the minimum necessary information regarding whether an individual is a Covered Person participating in GHP or enrolled or disenrolled from coverage under the GHP. Employer may electronically exchange data with Administrator regarding the enrollment and disenrollment of Covered Persons as participants in GHP using the Enrollment and Disenrollment in Health Plan Standard Transaction (ASC X12N 834 - Benefit Enrollment and Maintenance) as specified in 45 C.F.R. Part 162, Subpart O.

B. Other Data Exchanges and Notifications
Employer will exchange with Administrator all data not otherwise addressed in this Section IX and any notification by using such forms, tape formats, or electronic formats as Administrator may approve. Employer will furnish all information reasonably required by Administrator to effect such data exchanges or notifications.

X. SUMMARY HEALTH INFORMATION
Upon Employer's written request for the purpose either (A) to obtain premium bids for providing health insurance coverage under GHP, or (B) to modify, amend, or terminate GHP, Administrator will provide Summary Health Information regarding the Covered Persons participating in GHP to Employer.

XI.
EMPLOYER'S CERTIFICATION
Employer hereby makes the certification specified in EXHIBIT 2 so that Employer may request and receive the minimum necessary Protected Health Information from Administrator for those plan administration functions that Employer will perform for GHP. GHP therefore authorizes Administrator to disclose the minimum necessary Protected Health Information to those authorized representatives of Employer as specified in EXHIBIT 3 for the plan administration functions that Employer will perform for GHP as specified in GHP's Plan Document as amended and in EXHIBIT 3. Administrator may rely on Employer's certification and GHP's authorization that Employer has provided the requisite certification and will have no obligation to verify (1) that GHP's Plan Document has been amended to comply with the requirements of 45 C.F.R. § 164.504(f)(2), 45 C.F.R. § 164.314(b)(2), or this Section XI, or (2) that Employer is complying with GHP's Plan Document as amended.

PART 4—MISCELLANEOUS

XII. AUTOMATIC AMENDMENT TO CONFORM TO APPLICABLE LAW
Upon the compliance date of any final regulation or amendment to final regulation with respect to Protected Health Information, Standard Transactions, the security of Health Information, or other aspects of HIPAA-AS applicable to this Addendum or to the Agreement, this Addendum will automatically amend such that the obligations imposed on Employer, GHP, and Administrator remain in compliance with such regulations, unless Administrator elects to terminate the Agreement by providing Employer and GHP notice of termination in accordance with the Agreement at least 90 days before the compliance date of such final regulation or amendment to final regulation.

XIII. CONFLICTS
The provisions of this Addendum will override and control any conflicting provision of the Agreement.
All nonconflicting provisions of the Agreement will remain in full force and effect.

XIV. ADD GHP AS A PARTY TO AGREEMENT
Notwithstanding Section 3.1 of the Agreement, in order to make clear the respective HIPAA-AS compliance obligations of Administrator, GHP, and Employer, as set forth in this Addendum, GHP shall hereby be added as a separate party to the Agreement.

XV. REVISION TO SECTION 3.3
The first sentence of Section 3.3 of the Agreement shall be deleted and replaced as follows: "The Administrator shall provide claims processing services on behalf of the Group Health Plan."

XVI. REVISION TO SECTION 3.6
In order for GHP to be able to comply with its obligations under the HIPAA-AS Privacy and Security Rules and for Employer and Administrator to be able to comply with their obligations hereunder, the terms and conditions of Section 3.6 of the Agreement, and any subsequent amendments made thereto by the parties, shall be made subject to this Addendum.

XVII. REVISION TO SECTION 6.6
Section 6.6 of the Agreement shall be given effect except with respect to the subject matter of this Addendum, in which case Section XIII of this Addendum shall control.

XVIII. COMPLIANCE DATE FOR SECURITY OBLIGATIONS
Administrator's security obligations as set forth in Sections III.F, III.H.2, and VII.B herein shall take effect the later of (A) the last date set forth in PART 5 below or (B) the compliance deadline of the HIPAA-AS Security Rule (which is, as of the date hereof, April 20, 2005 or April 20, 2006 for Small Health Plans).

PART 5—SIGNATURES

ADMINISTRATOR:
Blue Cross And Blue Shield of Florida Inc.
Title:
Date:

GROUP HEALTH PLAN:
Indian River County Group Health Plan
Title: Chairman
Date: January 18, 2005

EMPLOYER:
By:
Title:
Date: Janua

EXHIBIT 1-SAMPLE NOTICE OF PRIVACY PRACTICES

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

If you would like a copy of this notice in Spanish, please contact a customer service representative using the telephone number shown on your member ID card.

Health Insurance Portability and Accountability Act - Administrative Simplification (HIPAA-AS) Notice of Privacy Practices for your group health plan

Sponsored by your employer and for which Blue Cross and Blue Shield of Florida, Health Options, Inc. and/or Florida Combined Life Insurance Company, Inc. provides claim administration and other services.

Our Legal Duty
As your health plan, we are required by applicable federal and state laws to maintain the privacy of your protected health information (PHI). We want you to be aware of our privacy practices, our legal duties, and your rights concerning your PHI. We will follow the privacy practices that are described in this notice while it is in effect. This notice took effect April 14, 2003, and will remain in effect until a revised notice is issued.

We reserve the right to change our privacy practices and the terms of this notice at any time and to make the terms of our notice effective for all PHI that we maintain. Before we make a significant change in our privacy practices, we will change this notice and send the new notice to you.

How we can use or disclose PHI without a specific authorization

To You: We must disclose your PHI to you, as described in the Individual Rights section of this notice.

For Treatment: For example: we may disclose your PHI to a doctor, dentist or a hospital when requested, in order for the treating provider to provide treatment to you.
For Payment: For example: we may use and disclose PHI to pay claims for services provided to you by doctors, dentists or hospitals. We may also disclose your PHI to a health care provider or another health plan so that the provider or plan may obtain payment of a claim or engage in other payment activities.

For Health Care Operations: For example: we may use or disclose PHI to conduct quality assessment and improvement activities, to conduct fraud and abuse investigations, to engage in care coordination or case management or to communicate with you about health related benefits and services or about treatment alternatives that may be of interest to you. We may also disclose PHI to another health plan or a health care provider subject to federal privacy laws, as long as the plan provider has or had a relationship with you and the PHI is disclosed only for certain health care operations of that plan or provider.

For Public Health and Safety: We may use or disclose PHI to the extent necessary to avert a serious and imminent threat to the health or safety of you or others. We may also disclose PHI for public health and government health care oversight activities and to report suspected abuse, neglect or domestic violence to government authorities.

As Required by Law: We may use or disclose PHI when we are required to do so by law.

For Process and Proceedings: We may disclose PHI in response to a court or administrative order, subpoena, discovery request, or other lawful process.

For Law Enforcement: We may disclose PHI to a law enforcement official with regard to crime victims and criminal activities.

Special Government Functions: We may disclose the PHI of military personnel or inmates or other persons in lawful custody under certain circumstances. We may disclose PHI to authorized federal officials for lawful national security activities.
To Plan Sponsors (including employers who act as Plan Sponsors): We may disclose certain PHI to the Sponsor of your group health plan to perform plan administration functions. We may also disclose enrollment and disenrollment information, or summary health information to the Plan Sponsor so that the Plan Sponsor may:
• Obtain premium bids
• Decide whether to amend, modify or terminate your group health plan
For Research, Death, and Organ Donation: We may use or disclose PHI in certain circumstances related to research, death or organ donation.
For Workers Compensation: We may disclose PHI as permitted by workers' compensation and similar laws.

Uses and Disclosures of PHI permitted only after Authorization received

Authorization: You may give us written authorization to use your PHI or to disclose it to anyone for any purpose not otherwise permitted or required by law. If you give us an authorization, you may revoke it in writing at any time. Your revocation will not affect any use or disclosure permitted by your authorization while it was in effect.
To Family and Friends: While the law permits us in certain circumstances to disclose your PHI to family, friends and others, we will do so only with your authorization. In the event you are unable to authorize such disclosure, but emergency or similar circumstances indicate that disclosure would be in your best interest, we may disclose your PHI to family, friends or others to the extent necessary to help with your health care coverage arrangements.

Individual Rights

To exercise any of these rights, please call the customer service number on your ID card.

Access: With limited exceptions, you have the right to review in person, or obtain copies of your PHI. We reserve the right to impose reasonable fees associated with this access request as allowed by law.
Amendment: With limited exceptions, you have the right to request that we amend your PHI that we have on file.
Disclosure Accounting: You have the right to request and receive a list of certain disclosures made of your PHI. If you request this list more than once in a 12-month period, we may charge you a reasonable, cost-based fee to respond to any additional request.
Use/Disclosure Restriction: You have the right to request that we place certain additional restrictions on our use or disclosure of your PHI. We are not required to agree to a requested restriction.
Confidential Communication: You have the right to request that we communicate with you in confidence about your PHI at an alternative address. To receive confidential communications at an alternative address, please ask for a PHI address when you call the customer service number located on your ID card.
Provider Services and Confidential Communications: If you receive services from any health care providers, you are responsible for notifying those providers directly if you would like to request a PHI address from them.
Privacy Notice: You may request a copy of our notice at any time. For more information about our privacy practices, or for additional copies of or questions about this notice, please contact us using the information listed at the end of this notice.

Organizations Covered by this Notice

This Notice applies to the privacy practices of the organizations listed below:

Your group health plan sponsored by your employer and for which Blue Cross and Blue Shield of Florida, Health Options, Inc. or Florida Combined Life Insurance Company, Inc. provides claim administration and other services.

Complaints

If you are concerned that we may have violated your privacy rights, you may complain to us using the contact information listed at the end of this Notice. You also may submit a written complaint to the U.S. Department of Health and Human Services.
We will provide you with the address to file your complaint with the U.S. Department of Health and Human Services upon request.

We support your right to protect the privacy of your PHI. We will not retaliate in any way if you choose to file a complaint with us or with the U.S. Department of Health and Human Services.

Contact Office: The Corporate Compliance Office of Blue Cross and Blue Shield of Florida, administrative service provider for your group health plan.
Telephone: 888-574-2583
Address: P.O. Box 44283, Jacksonville, FL 32203-4283

If you would like a copy of this notice in Spanish, please contact a customer service representative using the telephone number shown on your insurance card.

EXHIBIT 2—EMPLOYER'S CERTIFICATION

PART 1 – Employer to Amend Plan Documents for Privacy provisions

Employer certifies that Employer has amended GHP's Plan Document to incorporate the provisions required by 45 C.F.R. § 164.504(f)(2), as set forth below, and agrees to comply with GHP's Plan Document as amended.

1. Neither use nor further disclose Protected Health Information, except as permitted or required by GHP's Plan Document or as required by law.
2. Neither use nor disclose Protected Health Information for any employment-related action or decision, or in connection with any other benefit or employee benefit plan of Employer.
3. Ensure adequate separation between Employer and GHP by (a) describing those employees or classes of employees or other persons under Employer's control who will be given access to Protected Health Information to perform plan administration functions for GHP, (b) restricting the access to and use of Protected Health Information by such employees or other persons to the plan administration functions that Employer will perform for GHP, and (c) instituting an effective mechanism for resolving any noncompliance with GHP's Plan Document by such employees or other persons.
4. Ensure that any subcontractor or agent to which Employer provides Protected Health Information agrees to the restrictions and conditions of GHP's Plan Document with respect to Protected Health Information.
5. Report to GHP any use or disclosure of Protected Health Information of which Employer becomes aware that is inconsistent with the uses and disclosures allowed by GHP's Plan Document.
6. Make Protected Health Information available to GHP or, at GHP's direction, to the Covered Person who is the subject of Protected Health Information (or the Covered Person's Personal Representative) so that GHP can meet its access obligations under 45 C.F.R. § 164.524.
7. Make Protected Health Information available to GHP for amendment and, on notice from GHP, amend Protected Health Information, so that GHP can meet its amendment obligations under 45 C.F.R. § 164.526.
8. Record Disclosure Information as defined above for each disclosure that Employer makes of Protected Health Information that is not excepted from disclosure accounting and provide that Disclosure Information to GHP on request so that GHP can meet its disclosure accounting obligations under 45 C.F.R. § 164.528.
9. Make its internal practices, books, and records relating to its use and disclosure of Protected Health Information available to GHP and to DHHS to determine GHP's compliance with 45 C.F.R. Part 164, Subpart E "Privacy of Individually Identifiable Health Information."
10. Return to GHP or destroy if feasible all Protected Health Information in whatever form or medium that Employer (and any subcontractor or agent of Employer) received from GHP or Administrator, including all copies thereof and all data, compilations, and other works derived therefrom that allow identification of any present or past Covered Person who is the subject of Protected Health Information, when Employer no longer needs Protected Health Information for the plan administration functions for which the Employer received Protected Health Information. Employer will limit the use or disclosure of any of Protected Health Information that Employer (or any subcontractor or agent of Employer) cannot feasibly return to GHP or destroy to the purposes that make its return to GHP or destruction infeasible.

PART 2 - Employer to Amend Plan Documents for Security provisions

Employer further certifies that Employer has amended GHP's Plan Document to incorporate the provisions required by 45 C.F.R. § 164.314(b)(2), as set forth below, and agrees to comply with GHP's Plan Document as amended.

1. Implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of Electronic Protected Health Information that Employer creates, receives, maintains or transmits on GHP's behalf.
2. Ensure that the adequate separation between Employer and GHP required by 45 C.F.R. § 164.504(f)(2)(iii) (as described in item 3 above) is supported by reasonable and appropriate Security Measures.
3. Ensure that any subcontractor or agent to which Employer provides Electronic Protected Health Information agrees to implement reasonable and appropriate Security Measures to protect the Electronic Protected Health Information.
4. Report to GHP any incident of which Employer becomes aware that is (a) a successful unauthorized access, use or disclosure of Electronic Protected Health Information; or (b) a successful major (i) modification or destruction of Electronic Protected Health Information or (ii) interference with system operations in an Information System containing Electronic Protected Health Information. Upon GHP's request, Employer will report any incident of which Employer becomes aware that is a successful minor (a) modification or destruction of Electronic Protected Health Information or (b) interference with system operations in an Information System containing Electronic Protected Health Information.

EXHIBIT 3— DISCLOSURE OF PROTECTED HEALTH INFORMATION FOR PLAN ADMINISTRATION

Group Health Plan ("GHP") must promptly notify Administrator in writing if any of the information contained in EXHIBIT 3 changes.

PART 1

Name(s) and Title(s) of Employer representatives (i.e.
employees of Employer) authorized to request and receive the minimum necessary Protected Health Information from Administrator:

Joe Baird, County Administrator
Ann Rankin, Benefits / Payroll Administrator
Donna Kaspari, Director of Human Resources
Jason Brown, Budget Director

for the performance of the following plan administration functions for GHP unless otherwise indicated by GHP:
• Actuarial and statistical analysis
• Claims/membership inquiries
• Procurement of reinsurance or stop loss coverage
• Quality assessment and improvement activities
• Performance monitoring
• Other health care operations
• Payment activities

PART 2

Identify the name(s), title(s) and company name(s) of any individual(s) from organizations other than Employer or Group Health Plan ("GHP") (examples of such "GHP Vendor" types of services include, but are not limited to, stop-loss carriers; reinsurers; agents, brokers or consultants; or external auditors) that Employer or GHP hereby authorizes to request and receive the minimum necessary Protected Health Information to perform plan administration functions and/or assist with the procurement of reinsurance or stop-loss coverage:

| Company Name | Type of Service Performed (Example: stop-loss carrier, reinsurer, agent, broker) | Name of Individual Performing Service | Title of Individual Performing Service |
| Crowne Consulting Group | Agent/Broker | Leslie Karp | Director of Acct. Management |
| Crowne Consulting Group | Agent/Broker | Mackie Branham | CEO |
| Crowne Consulting Group | Agent/Broker | Ray Tomlinson | President |
| Safeco Life Insurance Company | Re-insurer | Murphy Head | Regional Group Manager |

EXHIBIT TO THE ADMINISTRATIVE SERVICES AGREEMENT
Between
BLUE CROSS AND BLUE SHIELD OF FLORIDA, INC.
and
INDIAN RIVER COUNTY

CONFIDENTIALITY AND INDEMNITY AGREEMENT

This Agreement, effective October 1, 2004 is entered into between Blue Cross and Blue Shield of Florida, Inc.
(hereinafter "Administrator"), and Indian River County (hereinafter "Employer"), and Crowne Consulting Group (hereinafter "Consultant") and Safeco Life Insurance Company (hereinafter "Reinsurer").

WHEREAS, Employer has established and maintains a self-insured Employee Welfare Benefit Plan pursuant to the Employee Retirement Income Security Act of 1974 to provide certain benefits as its Group Health Plan (hereinafter "Plan") for covered group members and their covered dependents; and

WHEREAS, Administrator and Employer have entered into an agreement for the administration of the Group Health Plan (hereinafter "Administrative Services Agreement"); and

WHEREAS, Employer has directed Administrator to provide Consultant and/or Reinsurer access to certain Confidential Information (hereinafter defined) for cases which meet the criteria set forth in attached Exhibit 1, which Employer has determined is necessary for Consultant and/or Reinsurer to perform the certain services for the Employer; and

WHEREAS, Administrator desires to safeguard the confidentiality of the medical claims and other information acquired with regard to the covered group members and their covered dependents and to safeguard information regarding Administrator's policies and procedures which are regarded as confidential and proprietary; and

WHEREAS, Employer, Consultant, and Reinsurer recognize the legitimate interests of Administrator and the individuals whose health benefits are administered by Administrator in the proprietary, confidential, and private nature of such Confidential Information, and Administrator is willing to provide the Confidential Information only if its use is restricted to the purpose for which it is released and its confidentiality is maintained;

NOW, THEREFORE, for good and valuable consideration, the parties hereby agree as follows:

1. For the purposes of this Agreement, "Confidential Information" means the information listed below in this Paragraph 1, any information that Consultant and/or Reinsurer learns or becomes aware of, directly or indirectly, through the disclosure of Confidential Information, and any and all summaries, distillations, excerpts, work product or other documents utilizing or incorporating same, whether in whole or in part. Medical claim record information concerning individuals covered under the Plan, Administrator's provider contract information, e.g., allowances, fee schedules, etc., and any other information designated by Administrator as confidential, trade secret, or proprietary.

ASA Conf.doc 8-26-04 revised 1-7-2005 dhb

2. Consultant and/or Reinsurer shall only request, use and disclose the minimum amount of Confidential Information necessary for Consultant and/or Reinsurer to perform the services for Employer.

3. Confidential Information shall not include information that (i) is already known to Consultant and/or Reinsurer on effective date of this Agreement; (ii) is or becomes known to the general public other than as a direct or indirect result of any act or omission of Employer, Consultant, Reinsurer, or the affiliates, officers, directors, partners, employees, or agents (collectively, the "Related Parties") of Employer, Consultant or Reinsurer; (iii) is lawfully received by Consultant and/or Reinsurer from a third party that Consultant and/or Reinsurer has verified is free to disclose the information without restriction on disclosure; or (iv) is independently developed by Consultant and/or Reinsurer without use of Confidential Information.

4. Subject to applicable laws, Administrator will release to Consultant and/or Reinsurer certain Confidential Information for purposes of: 1) monitoring designated cases for which reinsurance coverage may be available to Employer; and/or 2) auditing claims payments made by Administrator; provided that Employer is in compliance with all other terms and conditions of this Agreement and the Administrative Services Agreement, and Consultant and Reinsurer are in compliance with all other terms and conditions of this Agreement.

5. Consultant and Reinsurer each acknowledge that Administrator will provide Confidential Information to Consultant and/or Reinsurer in confidence and solely for Consultant's and/or Reinsurer's use in performing the services for Employer. Accordingly, Consultant and Reinsurer each agree (i) to protect any and all Confidential Information Consultant or Reinsurer receives from unauthorized access, use and disclosure; (ii) not to use the Confidential Information for any purpose other than performing the services for Employer; (iii) not to record, copy, or reproduce any Confidential Information in any form, except to the extent necessary to perform the services for Employer; (iv) not to disclose the Confidential Information to, or otherwise permit to access the Confidential Information, any third party, including without limitation Consultant's or Reinsurer's Related Parties, except as expressly provided herein or with Administrator's prior written consent; (v) to limit access to and use of the Confidential Information to those of Consultant's or Reinsurer's employees who have a need to know such information for the purpose of performing the services and have acknowledged, in a writing which will be made available to Administrator upon request, their individual agreement to the terms hereof; and (vi) to take any and all other steps necessary to safeguard Confidential Information against unauthorized access, use, and disclosure to at least the extent Consultant or Reinsurer maintains the confidentiality of its most proprietary and confidential information.

6. Consultant and/or Reinsurer shall ensure that its agents, contractors and vendors to whom it discloses Confidential Information agree to abide by those provisions within this Agreement that govern the use, disclosure, and protection of all Confidential Information obtained from Administrator. This provision shall not be construed to permit any delegation or assignment of Consultant's or Reinsurer's obligations otherwise prohibited by this Agreement.

7. Consultant and/or Reinsurer shall promptly report in writing to Administrator any use or disclosure of Confidential Information not provided for under this Agreement, of which Consultant and/or Reinsurer becomes aware, but in no event later than within five business days of first learning of any such use or disclosure. Consultant and/or Reinsurer shall mitigate, to the extent practicable, any harmful effect that is known to Consultant and/or Reinsurer of a use or disclosure of Confidential Information by Consultant and/or Reinsurer in violation of this Agreement.

8. Consultant and/or Reinsurer may disclose Confidential Information if required to do so under any federal, state, or local law, statute, rule or regulation; provided, however, that (i) Consultant and/or Reinsurer will provide Administrator with immediate written notice of any request that Consultant and/or Reinsurer disclose Confidential Information, so that Administrator may object to the request and/or seek an appropriate protective order or, if such notice is prohibited by law, Consultant and/or Reinsurer shall disclose the minimum amount of Confidential Information required to be disclosed under the applicable legal mandate; and (ii) in no event shall Consultant and/or Reinsurer disclose Confidential Information to a party other than a government agency except under a valid order from a court having jurisdiction requiring the specific disclosure.

9. By disclosing Confidential Information to Consultant and/or Reinsurer under this Agreement (including but not limited to information incorporated in computer software or held in electronic storage media), Administrator grants Consultant and/or Reinsurer no ownership right or interest in the Confidential Information. When Consultant and/or Reinsurer no longer need Confidential Information for the purpose for which it was disclosed but no later than the expiration or termination of this Agreement, Consultant and/or Reinsurer shall collect and return to Administrator or destroy all Confidential Information received from or on behalf of Administrator that Consultant and/or Reinsurer has in its control or custody in any form and shall retain no copies of such information. Consultant and/or Reinsurer shall complete these obligations as promptly as possible. Upon request, an authorized officer of Consultant and/or Reinsurer shall certify on oath to Administrator that all Confidential Information has been returned or destroyed and deliver such certification to Administrator within ten (10) business days of its request.
If return or destruction of any Confidential Information is not feasible, Consultant and/or Reinsurer shall limit further uses and disclosures of such Confidential Information to those purposes making return or destruction infeasible and continue to apply the protections of this Agreement to such Confidential Information for so long as Consultant and/or Reinsurer retains such Confidential Information. Consultant and/or Reinsurer may, subject to its continued adherence to its obligations of confidentiality as defined in this Agreement, retain one copy of documents containing Confidential Information to defend its work product and to comply with applicable insurance record-keeping laws and regulations.

10. In the event that Consultant and/or Reinsurer perform any of the services on Administrator's premises, Consultant and/or Reinsurer agree not to remove from Administrator's premises any Confidential Information that is provided to or obtained by the Consultant and/or Reinsurer on such premises, without the prior written consent of Administrator.

11. In any report or transmittal to Employer by Consultant and/or Reinsurer that contains or pertains to oral or written Confidential Information, no medical information or dates of service will be identifiably attributed to any particular employee, dependent, or provider. Furthermore, any such report or transmittal shall not contain any information designated by Administrator as confidential, trade secret, or proprietary.

12. As the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA-AS) and certain of its implementing regulations (HIPAA-AS Regulations) are now effective, Employer, Consultant, and Reinsurer agree to institute any additional procedures and/or agreements required to ensure the parties' compliance with that law and those regulations.
Employer represents and warrants that Employer (i) has amended each Plan's plan document to permit Employer to perform plan administration for the Plans (including the activity(ies) described in the recital clauses above) in accordance with 45 C.F.R. § 164.504(f) and 45 C.F.R. § 164.314(b) of the HIPAA-AS Regulations ("HIPAA Amendment"); (ii) has delivered to each Plan and Administrator a written statement, certifying its amendment of the Plan's plan document as required by the HIPAA-AS Regulations and its agreement to comply with that amendment; and (iii) has obtained each Plan's permission to receive individually identifiable health information from Administrator for the purposes and subject to the restrictions and protections described in the HIPAA Amendment. Consultant and Reinsurer each agree to be bound, and to cause any agent or subcontractor to be bound, by the same restrictions and protections agreed to by Employer in the HIPAA Amendment with respect to any individually identifiable health information encompassed within the Confidential Information Consultant and/or Reinsurer receives.

13. No health insurance records or information, or claims information, shall be disclosed without the prior written authorization of the individual whose records or information would be disclosed; provided, however, that Consultant and Reinsurer may release information provided pursuant to this Agreement to subsidiaries of Consultant and Reinsurer so long as any and all such subsidiaries agree to abide by all terms and conditions of this Agreement.

14. Employer, Consultant and Reinsurer shall comply with all applicable federal, state or local laws, rules, or regulations or any other order of any authorized court, agency, or regulatory commission, and all applicable professional standards and practices, concerning the handling and/or safekeeping of information and/or other records of the nature disclosed by Administrator hereunder and shall use such information only for proper and lawful purposes.

15. Employer, Consultant and Reinsurer shall comply with all state and federal laws regulating the disclosure of patient records or private and medically sensitive information released pursuant to this Agreement, including without limitation, alcohol and drug abuse patient records, information relating to treatment of alcohol or drug dependency, HIV testing results, and psychological or psychiatric evaluation.

16. To the extent permitted by law, Employer agrees to indemnify, defend, and hold Administrator and each of its officers, directors, employees, agents, and other representatives (collectively, "Administrator's Related Parties") harmless from any liability and reasonable attorneys' fees and costs (collectively, "Liability"), that Administrator or Administrator's Related Parties may incur arising out of the disclosure of Confidential Information to Employer including, without limitation, any Liability incurred as a result of a breach by Employer of any applicable law, regulation, or other legal mandate or any provision of this Agreement.

17. Consultant agrees to indemnify, defend, and hold Administrator and Administrator's Related Parties harmless from any actual or threatened legal or administrative action, claim, liability, penalty, fine, assessment, lawsuit, litigation, or other loss, expense, or damage, including without limitation reasonable attorneys' fees and costs (collectively, "Liability"), that Administrator or Administrator's Related Parties may incur arising out of or in connection with any actual or alleged breach by Consultant or any of Consultant's Related Parties of any applicable law, regulation, or other legal mandate or any provision of this Agreement.

18. Reinsurer agrees to indemnify, defend, and hold Administrator and Administrator's Related Parties harmless from any actual or threatened legal or administrative action, claim, liability, penalty, fine, assessment, lawsuit, litigation, or other loss, expense, or damage, including without limitation reasonable attorneys' fees and costs (collectively, "Liability"), that Administrator or Administrator's Related Parties may incur arising out of or in connection with any actual or alleged breach by Reinsurer or any of Reinsurer's Related Parties of any applicable law, regulation, or other legal mandate or any provision of this Agreement.

19. Employer, Consultant, and Reinsurer acknowledge and agree that Administrator operates in a highly regulated and competitive environment and that the unauthorized use or disclosure of Confidential Information will cause irreparable harm and significant injury to Administrator, which will be difficult to measure with certainty or to compensate through money damages. Accordingly, Administrator shall be entitled to seek injunctive or other equitable relief, without bond, and/or specific performance as a remedy for any breach of this Agreement. Such remedy shall not be deemed to be the exclusive remedy for a breach of this Agreement, but shall be in addition to all other remedies available at law or in equity.

20. It is understood and agreed that no failure or delay by Administrator in exercising any right, power or privilege hereunder shall operate as a waiver thereof, nor shall any single or partial exercise thereof preclude any other or further exercise thereof or the exercise of any right, power or privilege hereunder.

21. Upon occurrence of any of the following, this Agreement shall terminate without notice, unless notice is specifically required:
a. Termination of the Administrative Services Agreement.
b. If Administrator determines at its own discretion that the Confidential Information released pursuant to this Agreement is not being adequately protected by either Employer, Consultant or Reinsurer for confidentiality purposes.
c. Upon fifteen (15) days notice to Employer, Consultant or Reinsurer, as appropriate. Such notice shall be given without need for cause.
d. Upon any attempt by Employer, Consultant or Reinsurer (which attempts shall be null and void) to assign this Agreement or the right to receive information, without the prior express consent of Administrator.
e. Upon enactment of or the effective date of, whichever first occurs, any applicable state or federal law or any rule or regulation of any agency having applicable jurisdiction, which law, rule or regulation shall prohibit (in part or in full) Administrator from fulfilling its obligations hereunder. No penalty, liability or damage shall be applicable or claimed by Employer, Consultant or Reinsurer against Administrator in such event.

22. The relationship between the parties is that of independent contractors. Nothing in this Agreement shall be construed to create a partnership or joint venture between the parties and neither party shall have the right to bind the other to any contracts, agreements, or other obligations without the express, written consent of an authorized representative of the other.

23. This Agreement shall be governed and construed by the laws of the State of Florida (irrespective of its choice of law principles). It constitutes the entire Agreement between the parties in reference to all matters expressed in the Agreement. All previous discussions, promises, representations, and understandings between the parties pertaining thereto, if any, being merged herein.

24. This Agreement may not be assigned, nor any obligations delegated, by Employer, Consultant, and/or Reinsurer, without the prior written consent of Administrator, and any such non-permitted assignment or delegation shall be void.

25. In the event any provision of this Agreement is rendered invalid or unenforceable by any valid act of Congress or the Florida Legislature or by any regulation duly promulgated by the officers of the United States or the State of Florida acting in accordance with law, or if declared null and void by any court of competent jurisdiction, the remainder of this Agreement shall remain in full force and effect.

26. Waiver of breach of any provision of this Agreement shall not be deemed a waiver of any other breach of the same or a different provision.

27. The obligation of Employer, Consultant and/or Reinsurer to protect the privacy of Confidential Information as specified in this Agreement shall be continuous and survive the expiration or termination of this Agreement. In addition, the rights and obligations of the parties set forth in Sections 9, 11, 16-20 and of this paragraph 27 of this Agreement shall survive its expiration or termination.

28. This Agreement may be amended by mutual agreement of the parties, but no such amendment shall become effective until it is reduced to writing and signed by duly authorized representatives of each party.

IN WITNESS WHEREOF, the parties have caused this Agreement to be executed by their duly authorized representative as set forth below.

EMPLOYER / ADMINISTRATOR
INDIAN RIVER COUNTY / BLUE CROSS AND BLUE SHIELD OF FLORIDA, INC.
By: a Lowther
Title:
January 18, 2005
Date:

AGENT / REINSURER
CROWNE CONSULTING GROUP / SAFECO LIFE INSURANCE COMPANY
By:    By:
Title:    Title:
Date:    Date:

BLUE CROSS AND BLUE SHIELD OF FLORIDA, INC.

EXHIBIT 1

Administrator shall release confidential information to Consultant and/or Reinsurer for cases which meet the following criteria:

Consultant- Any claims information needed for the purposes of data aggregation, payment activities, financial reporting, or standard transactions and other data interchanges

Reinsurer-

FOR ON-GOING FINANCIAL MANAGEMENT & COST/PRICING EVALUATION
• Monthly Detailed claim reports (which include the data described below) for any claimant in excess of 30% of the specific stop loss deductible

FOR CLAIM ADJUDICATION
System report run on the same basis as the excess loss policy coverage which includes:
• Claimant Name or Identifier (ie: Soc. Sec. No. and Spouse - but not dependent #2)
• Diagnosis Code(s) (ICD9)
• Inclusive Dates: Incurred (from - to) and Paid (from - to)
• Procedure Codes (CPT4)
• Provider Identification (name and/or tax id no.)
• Payment Calculation: Charges, Allowable, Deductible, Co-pay, Discount, Ineligible Amounts, Payment
• Check Number and Paid
Additional reports as needed if claim costs dictate an audit

ELIGIBILITY
Screen Print for the claimant which shows the following as applicable:
• Effective Date
• Termination Date
• Work Status: Active, FMLA, Medical Leave of Absence, etc.
• Last date worked
• Date leave began
• Return to work date
• Dates of FMLA
• COBRA: effective dates - reason - # of months eligible - premium paid through date
• Medicare eligible: effective date - reason
• Copy of the enrollment card if available
• Date and Details of Accident
• Other Insurance Information

NOTE: Reports for the reinsurer, unless otherwise dictated, are to be sent to the consultant for delivery to reinsurer.
Indian River County - Health Insurance Portability and Accountability Act (HIPAA) Privacy Use and Disclosure Policy and Procedures

Table of Contents

Plan's Responsibility as Covered Entity
1. Privacy Official and Contact Person
2. Workforce Training
3. Technical and Physical Safeguards and Firewall
4. Privacy Notice
5. Complaints
6. Sanctions for Violations of Privacy Policy
7. Mitigation of Inadvertent Disclosures of Protected Health Information
8. No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy
9. Plan Document
10. Documentation

Policies on Use and Disclosure of PHI
1. Use and Disclosure Defined
2. Workforce Must Comply With City's Policy and Procedures
3. Access to PHI is Limited to Certain Employees
4. Permitted Uses and Disclosures: Payment and Health Care Operations
5. No Disclosure of PHI for Non-Health Plan Operations
6. Mandatory Disclosures of PHI: To Individuals and DHHS
7. Permissive Disclosures of PHI: For Legal and Public Policy Purposes
8. Disclosures of PHI Pursuant to an Authorization
9. Complying With the "Minimum-Necessary" Standard
10. Disclosures of PHI to Business Associates
11. Disclosures of De-identified Information

Policies on Individual Rights
1. Access to Protected Health Information and Requests for Amendment
2. Accounting
3. Requests for Alternative Communication Means or Locations
4. Requests on Restrictions on Uses and Disclosures of PHI

Use and Disclosure Procedures
1. Procedures for Use and Disclosure of PHI
2. Mandatory Disclosures of PHI: to Individuals and DHHS
3. Permissive Disclosures of PHI: for Legal and Public Policy Purposes
4. Disclosures of PHI Pursuant to an Authorization
5. Disclosures of PHI to Business Associates
6. Requests for Disclosure of PHI from Spouse, Family Member, or Friends
7. Disclosures of De-Identified Information
8. Verification of Identity of Those Requesting PHI
9. Complying With the "Minimum-Necessary" Standard
10. Documentation
11. Mitigation of Inadvertent Disclosures of PHI

Procedures for Complying With Individual Rights
1. Individual's Request for Access
2. Individual's Request for Amendment
3. Processing Requests for an Accounting of Disclosures of PHI
4. Processing Requests for Confidential Communications
5. Processing Requests for Restrictions on Uses and Disclosures of PHI

Procedures to Safeguard PHI

HIPAA Privacy Policy

Introduction

Indian River County (the County) sponsors group health, pharmaceutical, dental, Employee Assistance Program, and flexible spending plans referred to as (the Plan).
Members of the County's workforce may have access to the individually identifiable health information of Plan participants (1) on behalf of the Plan itself; or (2) on behalf of the County, for administrative functions of the Plan. In addition, certain employees of the County may receive or transmit individually identifiable health information in connection with the County's general operations and services.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations restrict the County's ability to use and disclose protected health information (PHI).

Protected Health Information. Protected health information means information that is created or received by the Plan or the County as an employer or health care provider and relates to the past, present, or future physical or mental health or condition of a participant; the provision of health care to a participant; or the past, present, or future payment for the provision of health care to a participant; and that identifies the participant or for which there is a reasonable basis to believe the information can be used to identify the participant. Protected health information includes information of persons living or deceased.

It is the County's policy to comply fully with HIPAA's requirements. To that end, all members of the County's workforce who have access to PHI must comply with this Privacy Policy. For purposes of this Policy, the County's workforce includes individuals who would be considered part of the workforce under HIPAA such as employees, volunteers, trainees, and other persons whose work performance is under the direct control of the County, whether or not they are paid by the County. The term "employee" includes all of these types of workers.

No third party rights (including but not limited to rights of Plan participants, beneficiaries, covered dependents, or business associates) are intended to be created by this Policy.
The County reserves the right to amend or change this Policy at any time (and even retroactively) without notice. To the extent this Policy establishes requirements and obligations above and beyond those required by HIPAA, the Policy shall be aspirational and shall not be binding upon the County. This Policy does not address requirements under other federal laws or under state laws.

Plan's Responsibilities as Covered Entity

1. Privacy Official and Contact Person

The Benefits/Payroll Administrator will be the Privacy Official for the Plan. The Privacy Official will be responsible for the development and implementation of policies and procedures relating to privacy, including but not limited to this Privacy Policy and the County's use and disclosure procedures. The Privacy Official will also serve as the contact person for participants who have questions, concerns, or complaints about the privacy of their PHI. The County's Privacy Official is Ann Rankin, Benefits/Payroll Administrator, Human Resources Department.

All departments and constitutional offices shall have a designated Privacy Coordinator, which will be the individual that accepts PHI from employees within each respective department/constitutional office. All privacy coordinators should meet on an annual basis or as needed with the Privacy Official for training refresher and to monitor ongoing compliance with this privacy policy.

2. Workforce Training

It is the County's policy to train all members of its workforce who have access to PHI on its privacy policies and procedures. The Privacy Official is charged with developing training schedules and programs so that all affected workforce members receive the training necessary and appropriate to permit them to carry out their functions within the Plan.

3.
Technical and Physical Safeguards and Firewall

The County will establish on behalf of the Plan appropriate technical and physical safeguards to prevent PHI from intentionally or unintentionally being used or disclosed in violation of HIPAA's requirements. Technical safeguards include limiting access to information by creating computer firewalls. Physical safeguards include locking doors or filing cabinets.

Firewalls will ensure that only authorized employees will have access to PHI, that they will have access to only the minimum amount of PHI necessary for plan administrative functions, and that they will not further use or disclose PHI in violation of HIPAA's privacy rules.

4. Privacy Notice

The Privacy Official is responsible for developing and maintaining a notice of the Plan's privacy practices that describes:
• the uses and disclosures of PHI that may be made by the Plan;
• the individual's rights; and
• the Plan's legal duties with respect to the PHI.

The privacy notice will inform participants that the County will have access to PHI in connection with its plan administrative functions. The privacy notice will also provide a description of the County's complaint procedures, the name and telephone number of the contact person for further information, and the date of the notice.

The notice of privacy practices will be individually delivered to all participants:
• no later than April 14, 2005
• on an ongoing basis, at the time of an individual's enrollment in the Plan, and
• within 60 days after a material change to the notice

The Plan will also provide notice of availability of the privacy notice at least once every three years.

5. Complaints

Complaints shall be made to the Privacy Official, Ann Rankin, Human Resources Department, 1840 25th Street, Vero Beach, Florida, 32960, Phone: 772.567.8000, Ext 1448 and Fax: 772.770-5004.
The Privacy Official is responsible for creating a process for individuals to lodge complaints about the Plan's privacy procedures and for creating a system for handling such complaints. A copy of the complaint procedure shall be provided to any participant upon request.

6. Sanctions for Violations of Privacy Policy

Sanctions for using or disclosing PHI in violation of this HIPAA Privacy Policy will be imposed in accordance with the County's Disciplinary Procedures as referenced in the Personnel Policy and Procedure Manual, up to and including termination.

7. Mitigation of Inadvertent Disclosures of Protected Health Information

The County shall mitigate, to the extent possible, any harmful effects that become known to it of a use or disclosure of an individual's PHI in violation of the policies and procedures set forth in this Policy. As a result, if an employee becomes aware of a use or disclosure of protected health information, either by an employee of the County or an outside consultant/contractor, that is not in compliance with this Policy, the employee must immediately contact the Privacy Official so that the appropriate steps to mitigate the harm to the participant can be taken.

8. No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy

No employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA. No individual shall be required to waive his or her privacy rights under HIPAA as a condition of treatment, payment, enrollment or eligibility.

9. Plan Document

The Plan document includes provisions describing the permitted and required uses and disclosures of PHI by the County for plan administrative purposes. Specifically,
the Plan document requires the County to:
• not use or further disclose PHI other than as permitted by the Plan documents or as required by law;
• ensure that any agents or subcontractors to whom it provides PHI received from the Plan agree to the same restrictions and conditions that apply to the County;
• not use or disclose PHI for employment-related actions or in connection with any other employee benefit plan;
• report to the Privacy Official any use or disclosure of the information that is inconsistent with the permitted uses or disclosures;
• make PHI available to Plan participants, consider their amendments and, upon request, provide them with an accounting of PHI disclosures as required by
• make the County's internal practices and records relating to the use and disclosure of PHI received from the Plan available to Department of Health and Human Resources (DHHS) upon request; and
• if feasible, return or destroy all PHI received from the Plan that the County still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

The Plan document also requires the County to (1) certify to the Privacy Official that the Plan documents have been amended to include the above restrictions and that the County agrees to those restrictions; and (2) provide adequate safeguards.

10. Documentation

The Plan's and the County's privacy policies and procedures shall be documented and maintained for at least six years. Policies and procedures must be changed as necessary or appropriate to comply with changes in the law, standards, requirements, and implementation specifications (including changes and modifications in regulations). Any changes to policies or procedures must be promptly documented.
If a change in law impacts the privacy notice, the privacy policy must promptly be revised and made available. Such change is effective only with respect to PHI created or received after the effective date of the notice.

The Plan and the County shall document certain events and actions (including authorizations, requests for information, sanctions, and complaints) relating to an individual's privacy rights.

The documentation of any policies and procedures, actions, activities, and designations may be maintained in either written or electronic form. Covered entities must maintain such documentation for at least six years.

Policies on Use and Disclosure of PHI

1. Use and Disclosure Defined

The County and the Plan will use and disclose PHI only as permitted under HIPAA. The terms "use" and "disclosure" are defined as follows:
• Use. The sharing, employment, application, utilization, examination, or analysis of individually identifiable health information by any person working for or within Indian River County, Human Resources Department or other affected County Departments or by a Business Associate. Business Associates of the Plan or the County are as follows:
• Blue Cross Blue Shield of Florida, Merco/Medco, Symetra Life Insurance Company, Crowne Consulting Group, Bradman/UniPsych Companies, The Flex Company of America, UnumProvident, Allstate Workplace Division, Guardian Life Insurance, American Dental Plan, and Assistant County Attorney.
• Disclosure. For information that is protected health information, disclosure means any release, transfer, provision of access to, or divulging in any other manner of individually identifiable health information to persons not employed by or working within Indian River County, Human Resources Department or other affected departments of the County.

2.
Workforce Must Comply With County's Policy and Procedures

All members of the County's workforce (described at the beginning of this Policy and referred to herein as "employees") must comply with this Policy and with the County's use and disclosure procedures, which are set forth in this document.

3. Access to PHI Is Limited to Certain Employees

The following positions will have access to PHI on behalf of the County or its use in Plan Administration and will be limited to information necessary to initiate the function:
• Benefits/Payroll Administrator, Human Resources Administrator, Director of Human Resources, who perform functions directly on behalf of the group health plan, and
• The POCs will have access to PHI on behalf of the County for its use in plan administrative functions, as well as during the scope and course of their job related duties.

The positions named or described in both of these two categories. These employees with access may use and disclose PHI for plan administrative functions, as well as during the scope and course of their job related duties, and they may disclose PHI to other employees with access for plan administrative functions (but the PHI disclosed must be limited to the minimum amount necessary to perform the plan administrative function). Employees with access may not disclose PHI to employees (other than employees with access) unless an authorization is in place or the disclosure otherwise is in compliance with this Policy and the more detailed use and disclosure procedures.

4. Permitted Uses and Disclosures: Payment and Health Care Operations

PHI may be disclosed for the Plan's or the County's own payment purposes, and PHI may be disclosed by a covered entity to a health care provider concerning the treatments of an individual for the payment purposes of that covered entity.

Payment.
Payment includes activities undertaken to obtain Plan contributions or to determine or fulfill the Plan's responsibility for provision of benefits under the Plan, or to obtain or provide reimbursement for health care. Payment also includes:
• eligibility and coverage determinations including coordination of benefits and adjudication (e.g. claim administration) or subrogation of health benefit claims;
• risk adjusting based on enrollee status and demographic characteristics; and
• billing, claims management, collection activities, obtaining payment, under a contract for reinsurance (including stop-loss insurance and excess loss insurance), and related health care data processing.

Health Care Operations. PHI may be disclosed for purposes of the Plan's or the County's own health care operations. PHI may be disclosed to another covered entity for purposes of the other covered entity's quality assessment and improvement, case management, or health care fraud and abuse detection programs, if the other covered entity has (or had) a relationship with the participant and the PHI requested pertains to that relationship.

Health care operations means any of the following activities to the extent that they are related to Plan administration.
• assist plan participants in claim resolution;
• determination of eligibility, coverage and cost sharing amounts (for example, cost sharing of a benefit, plan maximums and co-payments as determined for an individual's claim);
•
coordination of benefits;
• subrogation of health benefit claims;
• population-based activities relating to improving health or reducing health care costs;
• premium rating and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing or placing a contract for reinsurance of risk relating to health care claims (including stop-loss insurance and excess of loss insurance);
• conducting or arranging for medical review, legal services and auditing functions including fraud and abuse detection and compliance programs;
• business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the Plan, including formulary development and administration, development or improvement of payment methods or coverage policies;
• business management and general administrative activities of the Plan, including, but not limited to: (a) management activities relating to the implementation of and compliance with HIPAA's administrative simplification requirements, or (b) customer service, including the provision of data analyses for resolution of internal grievances.

5. No Disclosure of PHI for Non-Health Plan Purposes

PHI may not be used or disclosed for the payment or operations of the County's "non-health" benefits (e.g., disability, workers' compensation, life insurance, etc.), unless the participant has provided an authorization for such use or disclosure (as discussed in "Disclosures Pursuant to an Authorization") or such use or disclosure is required by applicable state law and particular requirements under HIPAA are met.

6.
Mandatory Disclosures of PHI: to Individual and DHHS

A participant's PHI must be disclosed as required by HIPAA in two situations:
• The disclosure is to the individual who is the subject of the information (see the policy for "Access to Protected Information and Request for Amendment" that follows); and
• The disclosure is made to the (DHHS) for purposes of enforcing HIPAA.

7. Permissive Disclosures of PHI: for Legal and Public Policy Purposes

PHI may be disclosed in the following situations without a participant's authorization, when specific requirements are satisfied. The County's use and disclosure procedures describe specific requirements that must be met before these types of disclosures may be made. The requirements may include prior approval of the County's Privacy Official. Permitted disclosures are:
• about victims of abuse;
• neglect or domestic violence;
• for judicial and administrative proceedings;
• for law enforcement purposes;
• for public health activities, for health oversight activities;
• about decedents;
• for cadaveric organ, eye or tissue donation purposes;
• for certain limited research purposes;
• to avert a serious threat to health or safety,
• for specialized government functions, and
• that relate to workers' compensation programs.

8. Disclosures of PHI Pursuant to an Authorization

PHI may be disclosed for any purpose if an authorization that satisfies all of HIPAA's requirements for a valid authorization is provided by the participant. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization.

9. Complying With the "Minimum-Necessary" Standard

HIPAA requires that when PHI is used or disclosed, the amount disclosed generally must be limited to the "minimum necessary" to accomplish the purpose of the use or disclosure.
• For each of the following recurring disclosures: benefit enrollment/changes, audits,
claim resolution, obtaining identification cards, and responding to legal requests, the identifiers will be as follows: social security, medical records, account and health plan beneficiary numbers, names, geographic units, dates, ages over 89, phone/fax numbers, email addresses and any other unique identifiers. The persons who may receive the PHI will be account representatives, claims adjusters, attorneys, nurses, physicians, managers, supervisors, auditors, underwriters, insurance brokers, and the Human Resource designated staff. The conditions will be as follows:
• determination of eligibility, coverage and cost sharing amounts (for example, cost of a benefit, plan maximums and co-payments as determined for an individual's claim);
• coordination of benefits;
• adjudication of health benefit claims (including appeals and other payment disputes),
• subrogation of health benefit claims,
• establishing employee contributions,
• risk adjusting amounts due based on enrollee health status and demographic characteristics
• billing, collection activities and related health care data processing;
• claims management and related health care data processing, including auditing payments, investigating and resolving payment disputes, and responding to participant inquiries about payments;
• obtaining payment under a contract for reinsurance (including stop-loss and excess of loss insurance);
• medical necessity reviews or reviews of appropriateness of care justification of charges,
• utilization review, including pre-certification, preauthorization, concurrent review and retrospective review;
• disclosure to consumer reporting agencies related to the collection of premiums or reimbursement (the following PHI may be disclosed for payment purposes; name and address, date of birth, Social Security number, payment history, account number, and name and address of the provider and/or health plan).
• In emergency situations in order for the Emergency Services Department to perform or assist with emergency medical treatment it will be limited to minimum necessary for the purpose.
• In order to determine eligibility for programs offered through the County's Housing Rehabilitation it will be limited to the minimum necessary for the purpose.

All other disclosures must be reviewed by the Privacy Official on an individual basis to ensure that the amount of information disclosed is the minimum necessary to accomplish the purpose of the disclosure.

Minimum Necessary When the County is Requesting PHI. For making requests for disclosure of PHI the following applies:
• For claim payment, strategic planning with respect to the Plan, COBRA rate or funding level determination, information requested from the third party administrator and/or the Plan should be limited to summary health information or de-identified information to the extent possible. PHI should be requested only to the extent reasonably necessary to carry out these functions.
• To assist with claim and/or physician billing issues, requests for information from the third party administrator, health care providers and/or Plan should be limited to summary health information or de-identified information to the extent possible. PHI should be requested only to the extent reasonably necessary to assist individuals with resolution of their claims and/or physician billing issues.
• For claims audits, requests for information from the third party administrator and/or Plan should be limited to summary health information or de-identified information to the extent possible. PHI should be requested only to the extent reasonably necessary to carry out these functions.
• For Plan marketing, renewal, underwriting and experience evaluation, requests for information from the third party administrator and/or Plan should be limited to summary health information or de-identified information to the extent possible. PHI should be requested only to the extent reasonably necessary to carry out these functions.
• Requests for PHI from physicians and other health care providers for the purposes of providing day care and community services for the elderly and running the County's Early Learning Program shall be limited to the minimum information necessary to operate these programs and to maintain appropriate licensure.
• In emergency situations in order for the Emergency Services Department to perform or assist with emergency medical treatment it will be limited to minimum necessary for the purpose.
• In order to determine eligibility for programs offered through the County's Housing Rehabilitation it will be limited to the minimum necessary for the purpose.

All other requests must be reviewed on an individual basis to ensure that the amount of information requested is the minimum necessary to accomplish the purpose of the disclosure.

The "minimum-necessary" standard does not apply to any of the following:
• uses or disclosures made to the individual;
• uses or disclosures made pursuant to a valid authorization;
• disclosures made to the DOL;
• uses or disclosures required by law; and
• uses or disclosures required to comply with HIPAA.

Minimum Necessary When Disclosing PHI. For making disclosures of PHI to the medical plan, prescription plan, Employee Assistance Plan, dental plan, vision plan, reciprocal benefits plan, auditors, and attorneys for purposes of benefit enrollment/changes, audits, claim resolution, obtaining identification cards, benefit eligibility, hospital reports on suspects/arrestees, and response to legal requests, by only giving information necessary to initiate the function.
All other disclosures must be reviewed on an individual basis with the Privacy Official to ensure that the amount of information disclosed is the minimum necessary to accomplish the purpose of the disclosure.

Minimum Necessary When Requesting PHI. For making requests for disclosure of PHI from the prescription plan, Employee Assistance Plan, dental plan, reciprocal benefits plan, auditors, and attorneys for purposes of benefit enrollment/changes, audits, claim resolution, obtaining identification cards, benefit eligibility, hospital reports on suspects/arrestees, and response to legal requests, by only giving information necessary to initiate the function.

All other requests must be reviewed on an individual basis with the Privacy Official to ensure that the amount of information requested is the minimum necessary to accomplish the purpose of the disclosure.

10. Disclosures of PHI to Business Associates

Employees may disclose PHI to the Plan's or the County's business associates and allow the Plan's or the County's business associates to create or receive PHI on its behalf. However, prior to doing so, the Plan or the County, as applicable, must first obtain assurances from the business associate that it will appropriately safeguard the information. Before sharing PHI with outside consultants or contractors who meet the definition of a "business associate," employees must contact the Privacy Official and verify that a business associate contract is in place.

Business Associate is an entity that:
• performs or assists in performing functions or activities for or on behalf of a covered entity involving the use and disclosure of protected health information (including claims processing or administration, data analysis, underwriting, etc.
); or
• provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation, or financial services, where the performance of such services involves giving the service provider access to PHI.

11. Disclosures of De-Identified Information

The Plan or the County may freely use and disclose de-identified information. De-identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. There are two ways a covered entity can determine that information is de-identified: either by professional statistical analysis, or by removing 18 specific identifiers.

Policies on Individual Rights

1. Access to Protected Health Information and Requests for Amendment

HIPAA gives participants the right to access and obtain copies of their PHI that the Plan or the County, as applicable (or its business associates) maintains in designated record sets. HIPAA also provides that participants may request to have their PHI amended. The Plan will provide access to PHI and it will consider requests for amendment that are submitted in writing by participants.

Designated Record Set is a group of records maintained by or for the County that includes:
• the enrollment, payment, and claims adjudication record of an individual maintained by or for the Plan, or
• other PHI used, in whole or in part, by or for the Plan to make coverage decisions about an individual.

2. Accounting

An individual has the right to obtain an accounting of certain disclosures of his or her own PHI. This right to an accounting extends to disclosures made in the last six years,
other than disclosures:
• to carry out treatment, payment, or health care operations;
• to individuals about their own PHI;
• incident to an otherwise permitted use or disclosure;
• pursuant to an authorization;
• for purposes of creation of a facility directory or to persons involved in the patient's care or other notification purposes;
• as part of a limited data set; or
• for other national security or law enforcement purposes.

The Plan or the County shall respond to an accounting request within 60 days. If the Plan or the County is unable to provide the accounting within 60 days, it may extend the period by 30 days, provided that it gives the participant notice (including the reason for the delay and the date the information will be provided) within the original 60-day period.

The accounting must include the date of the disclosure, the name of the receiving party, a brief description of the information disclosed, and a brief statement of the purpose of the disclosure (or a copy of the written request for disclosure, if any).

The first accounting in any 12-month period shall be provided free of charge. The Privacy Official may impose reasonable production and mailing costs for subsequent accountings.

3. Requests for Alternative Communication Means or Locations

Individuals may request to receive communications regarding their PHI by alternative means or at alternative locations. For example, individuals may ask to be called only at work rather than at home. Such requests may be honored if, in the sole discretion of the County, the requests are reasonable. However, the County shall accommodate such a request if the individual clearly provides information that the disclosure of all or part of that information could endanger the individual. The Privacy Official has responsibility for administering requests for confidential communications.

4. Requests for Restrictions on Uses and Disclosures of
Protected Health Information

A participant may request restrictions on the use and disclosure of the participant's PHI. It is the County's policy to attempt to honor such requests if, in the sole discretion of the County, the requests are reasonable. The County's Privacy Official, Ann Rankin, Human Resources Department, 1840 25th Street, Vero Beach, Florida, 32960, Phone: 772.567.8000, Ext 1448 and Fax: 772.770.5004 is charged with responsibility for administering requests for restrictions.

Use and Disclosure Procedures

1. Procedures for Use and Disclosure of PHI

Procedure

Uses and Disclosures for Plan's Own Payment Activities or Health Care Operations. An employee may use and disclose PHI to perform the Plan's or the County's own payment activities or health care operations.
• Disclosures must comply with the "Minimum-Necessary Standard." (Under that procedure, if the disclosure is not recurring, the disclosure must be approved by the Privacy Official.)
• Disclosures must be documented in accordance with the procedure for "Documentation Requirements."

Disclosures for Another Entity's Payment Activities. An employee may disclose a Plan participant's PHI to another covered entity or health care provider to perform the other entity's payment activities. Disclosures may be made under the following procedures:
• Disclosures must comply with the "Minimum-Necessary Standard." (Under that procedure, if the disclosure is not recurring, the disclosure must be approved by the Privacy Official.)
• Disclosures must be documented in accordance with the procedure for "Documentation Requirements."

Disclosures for Certain Health Care Operations of the Receiving Entity.
An employee may disclose PHI for purposes of the other covered entity's quality assessment and improvement, case management, or health care fraud and abuse detection programs, if the other covered entity has (or had) a relationship with the individual and the PHI requested pertains to that relationship. Such disclosures are subject to the following:
• Disclosures must comply with the "Minimum-Necessary Standard."
• Disclosures must be documented in accordance with the procedure for "Documentation Requirements."

Use or Disclosure for Purposes of Non-Health Benefits. Unless an authorization from the individual (as discussed in "Disclosures Pursuant to an Authorization") has been received, an employee may not use a participant's PHI for the payment or operations of the County's "non-health" benefits (e.g., disability, worker's compensation, and life insurance). If an employee requires a participant's PHI for the payment or healthcare operations of non-Plan benefits, follow these steps:
• Obtain an Authorization. First, contact the Privacy Official to determine whether an authorization for this type of use or disclosure is on file. If no form is on file, request an appropriate form from the Privacy Official. Employees shall not attempt to draft authorization forms. All authorizations for use or disclosure for non-Plan purposes must be on a form provided by (or approved by) the Privacy Official.
• Disclosures must comply with the "Minimum-Necessary Standard."
• Disclosures must be documented in accordance with the procedure for "Documentation Requirements."

Questions? Any employee who is unsure as to whether a task he or she is asked to perform qualifies as a payment activity or a health care operation of the Plan should contact the Privacy Official, Ann Rankin, Human Resources Department, 1840 25th Street, Vero Beach, Florida, 32960, Phone: 772.567.8000, Ext 1448 and Fax: 772.770.5004.

2.
Mandatory Disclosures of PHI: to Individuals and DHHS

Procedure
• Request From Individual. Upon receiving a request from an individual (or an individual representative) for disclosure of the individual's own PHI, the employee must follow the procedure for "Disclosures to Individuals Under Right to Access Own PHI."
• Request From DHHS. Upon receiving a request from a DHHS official for disclosure of PHI, the employee must take the following steps:
  • Follow the procedures for verifying the identity of a public official set forth in "Verification of Identity of Those Requesting Protected Health Information."
  • Disclosures must be documented in accordance with the procedure for "Documentation Requirements."

3. Permissive Disclosures of PHI: for Legal and Public Policy Purposes

Procedure
• Disclosures for Legal or Public Policy Purposes. An employee who receives a request for disclosure of an individual's PHI that appears to fall within one of the categories described below under "Legal and Public Policy Disclosures Covered" must contact the Privacy Official. Disclosures may be made under the following procedures:
  • The disclosure must be approved by the Privacy Official.
  • Disclosures must comply with the "Minimum-Necessary Standard."
  • Disclosures must be documented in accordance with the procedure for "Documentation Requirements."

Legal and Public Policy Disclosures Covered

A. Disclosures about victims of abuse, neglect or domestic violence, if the following conditions are met:
• The individual agrees with the disclosure; or
• The disclosure is expressly authorized by statute or regulation and the disclosure prevents harm to the individual (or other victim) or the individual is incapacitated and unable to agree and information will not be used against the individual and is necessary for an imminent enforcement activity.
In this case, the individual must be promptly informed of the disclosure unless this would place the individual at risk or if informing would involve a personal representative who is believed to be responsible for the abuse, neglect or violence.

B. For Judicial and Administrative Proceedings, in response to:
• An order of a court or administrative tribunal (disclosure must be limited to PHI expressly authorized by the order); and
• A subpoena, discovery request or other lawful process, not accompanied by a court order or administrative tribunal, upon receipt of assurances that the individual has been given notice of the request, or that the party seeking the information has made reasonable efforts to receive a qualified protective order.

C. To a Law Enforcement Official for Law Enforcement Purposes, under the following conditions:
• Pursuant to a process and as otherwise required by law, but only if the information sought is relevant and material, the request is specific and limited to amounts reasonably necessary, and it is not possible to use de-identified information.
• Information requested is limited information to identify or locate a suspect, fugitive, material witness or missing person.
• Information about a suspected victim of a crime (1) if the individual agrees to disclosure; or (2) without agreement from the individual, if the information is not to be used against the victim, if need for information is urgent, and if disclosure is in the best interest of the individual.
• Information about a deceased individual upon suspicion that the individual's death resulted from criminal conduct.
• Information that constitutes evidence of criminal conduct that occurred on the County's premises.

D. To Appropriate Public Health Authorities for Public Health Activities.

E. To a Health Oversight Agency for Health Oversight Activities, as authorized by law.

F.
To a Coroner or Medical Examiner About Decedents, for the purpose of identifying a deceased person, determining the cause of death or other duties as authorized by law.

G. For Cadaveric Organ, Eye or Tissue Donation Purposes, to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of organs, eyes or tissue for the purpose of facilitating transplantation.

H. For Certain Limited Research Purposes, provided that a waiver of the authorization required by HIPAA has been approved by an appropriate privacy board.

I. To Avert a Serious Threat to Health or Safety, upon a belief in good faith that the use or disclosure is necessary to prevent a serious and imminent threat to the health or safety of a person or the public.

J. For Specialized Government Functions, including disclosures of an inmate's PHI to correctional institutions and disclosures of an individual's PHI to authorized federal officials for the conduct of national security activities.

K. For Workers' Compensation Programs, only to the extent necessary to comply with laws relating to workers' compensation or other similar programs.

4. Disclosures of PHI Pursuant to an Authorization

Procedure

Disclosure Pursuant to Individual Authorization. Any requested disclosure to a third party (i.e., not the individual to whom the PHI pertains) that does not fall within one of the categories for which disclosure is permitted or required under these Use and Disclosure Procedures may be made pursuant to an individual authorization. If disclosure pursuant to an authorization is requested, the following procedures should be followed:
• Follow the procedures for verifying the identity of the individual (or individual's representative) set forth in "Verification of Identity of Those Requesting Protected Health Information."
• Verify that the authorization form is valid.
Valid authorization forms are those that:
  • Are properly signed and dated by the individual or the individual's representative;
  • Are not expired or revoked. The expiration date of the authorization form must be a specific date (such as July 1, 2003) or a specific time period (e.g., one year from the date of signature), or to such time that employment with the County terminates;
  • Contain a description of the information to be used or disclosed;
  • Contain the name of the entity or person authorized to use or disclose the PHI;
  • Contain the name of the recipient of the PHI;
  • Contain a statement regarding the individual's right to revoke the authorization and the procedures for revoking authorizations; and
  • Contain a statement regarding the possibility for a subsequent re-disclosure of the information;
• All uses and disclosures made pursuant to an authorization must be consistent with the terms and conditions of the authorization;
• Disclosures must be documented in accordance with the procedure for "Documentation Requirements."

5. Disclosure of PHI to Business Associates

Definition of Business Associate

Business Associate is an entity or person who:
• performs or assists in performing a function or activity for or on behalf of a covered entity involving the use and disclosure of PHI (including claims processing or administration in claim review assistance; data analysis, underwriting, including vendor selection processes, etc.); or
• provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation, or financial services, where the performance of such services involves giving the business associate access to PHI.

Procedure

Use and Disclosure of PHI by Business Associate. All uses and disclosures by a "business associate" must be made in accordance with a valid business associate agreement.
Before providing PHI to a business associate, employees must contact the Privacy Official and verify that a business associate contract is in place. The following additional procedures must be satisfied.
• Disclosures must be consistent with the terms of the business associate contract.
• Disclosures must comply with the "Minimum-Necessary Standard." (Under that procedure, each recurring disclosure will be subject to a separate policy to address the minimum-necessary requirement, and each non-recurring disclosure must be approved by the Privacy Official.)
• Disclosures must be documented in accordance with the procedure for "Documentation Requirements."

6. Requests for Disclosure of PHI From Spouse, Family Member or Friend

The Plan and County will not disclose PHI to family and friends of an individual except as required or permitted by HIPAA. Generally, an authorization is required before another party, including spouse, family member or friend will be able to access PHI.
• If an employee receives a request for disclosure of an individual's PHI from a spouse, family member, or personal friend of an individual, and the spouse, family member, or personal friend is either (1) the parent of the individual and the individual is a minor child, or (2) the personal representative of the individual, then follow the procedure for "Verification of Identity of Those Requesting Protected Health Information."
• Once the identity of a parent or personal representative is verified, then follow the procedure for "Individual's Request for Access."
• All other requests from spouses, family members, and friends must be authorized by the individual whose PHI is involved. See the procedures for "Disclosures Pursuant to Individual Authorization."

7.
Disclosures of De-Identified Information

De-identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. There are two ways a covered entity can determine that information is de-identified: either by professional statistical analysis, or by removing 18 specific identifiers as outlined in HIPAA regulations.

The following identifiers must be removed to de-identify information:
• names
• all geographic subdivisions smaller than a state (special rules apply)
• all elements of dates (except year) relating to an individual (special rules apply)
• telephone numbers
• fax numbers
• electronic mail addresses
• Social Security numbers
• medical record numbers
• health plan beneficiary numbers
• account numbers
• certificate/license numbers
• vehicle identification and serial numbers including license plate numbers
• device identifiers and serial numbers (such as pacemaker number)
• web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• biometric identifiers including finger and voice prints
• full face photographic images and any comparable images, and
• any other unique identifying number, characteristic or code (special rules apply).

Procedure
• Obtain approval from Privacy Official for the disclosure. The Privacy Official will verify that the information is de-identified.
• The Plan may freely use and disclose de-identified information. De-identified information is not PHI.

8. Verification of Identity of Those Requesting Protected Health Information

Verifying Identity and Authority of Requesting Party. Employees must take steps to verify the identity of individuals who request access to PHI. They must also verify the authority of any person to have access to PHI, if the identity or authority of such person is not known.
Separate procedures are set forth below for verifying the identity and authority, depending on whether the request is made by the individual, a parent seeking access to the PHI of his or her minor child, a personal representative, or a public official seeking access.

Request Made by Individual. When an individual requests access to his or her own PHI, the following steps should be followed:
• Request a form of identification from the individual. Employees may rely on a valid driver's license, passport or other photo identification issued by a government agency.
• Verify that the identification matches the identity of the individual requesting access to the PHI. If you have any doubts as to the validity or authenticity of the identification provided or the identity of the individual requesting access to the PHI, contact the Privacy Official.
• Make a copy of the identification provided by the individual and file it with the individual's designated record set.
• If the individual requests PHI over the telephone, their social security number will be requested as a means of identification.
• Disclosures must be documented in accordance with the procedure for "Documentation Requirements."

Request Made by Parent Seeking PHI of Minor Child. When a parent requests access to the PHI of the parent's minor child, the following steps should be followed:
• Seek verification of the person's relationship with the child. Such verification may take the form of confirming enrollment of the child in the parent's plan as a dependent. [Insert information about relevant state law, in some circumstances, access by a parent may be denied if state law forbids access.]
• Disclosures must be documented in accordance with the procedure "Documentation Requirements."

Request Made by Personal Representative.
When a personal representative requests access to an individual's PHI, the following steps should be followed:
• Require a copy of appropriate documentation such as a valid power of attorney [or other documentation; requirements may vary state-by-state]. If there are any questions about the validity of this document, seek review by the Privacy Official.
• Make a copy of the documentation provided and file it with the individual's designated record set.
• Disclosures must be documented in accordance with the procedure for "Documentation Requirements."

Request Made by Public Official. If a public official requests access to PHI, and if the request is for one of the purposes set forth above in "Mandatory Disclosures of PHI" or "Permissive Disclosures of PHI" the following steps should be followed to verify the official's identity and authority:
• If the request is made in person, request presentation of an agency identification badge, other official credentials, or other proof of government status. Make a copy of the identification provided and file it with the individual's designated record set.
• If the request is in writing, verify that the request is on the appropriate government letterhead. If the request is by a person purporting to act on behalf of a public official, request a written statement on appropriate government letterhead that the person is acting under the government's authority or other evidence or documentation of agency, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person is acting on behalf of the public official.
• Request a written statement of the legal authority under which the information is requested, or, if a written statement would be impracticable, an oral statement of such legal authority.
If the individual's request is made pursuant to legal process, warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal, contact the Office of the County Attorney. Obtain approval for the disclosure from the Privacy Official.
• Disclosures must be documented in accordance with the procedure for "Documentation Requirements."

9. Complying With the "Minimum-Necessary" Standard

Procedures for Disclosures of PHI
• The standards for disclosures will be in accordance with policies on use of disclosure as referenced in Indian River County HIPAA Privacy Disclosure Policy and Procedures.
• The amount of information requested will be the minimum amount to initiate the function.
• For all other requests for disclosures of PHI, contact the Privacy Official, who will ensure that the amount of information disclosed is the minimum necessary to accomplish the purpose of the disclosure.

Procedures for Requests of PHI
• Recurring requests such as benefit enrollment/changes, audits, claim resolutions, obtaining identification cards, benefit eligibility and response to legal requests will follow as:

Telephone Requests — Steps to Follow
• Determine if Requestor is "known."
• If unknown, tell Requestor to send written request on letterhead.
• Enter request into Disclosure of PHI logbook.
• If not for treatment, payment or health care operations (TPO), determine if there is a patient/client authorization.

Fax or Mail Requests — Steps to Follow
• Determine origin of request — check for seal or logo.
• If known, follow the same steps as for Telephone Request.
• If unknown, give the request to the Privacy Official to handle.

Requests Made in Person — Steps to Follow
• Verify the identity of the requestor with picture ID.
• If you are not certain give to the Privacy Official to handle.
• If requestor/request are verified, then follow the steps for Fax or Mail Requests.
• Each request will be limited to the minimum amount to initiate the function.
• For all other requests for PHI, contact the Privacy Official, who will ensure that the amount of information requested is the minimum necessary to accomplish the purpose of the disclosure.

Exceptions

The "minimum-necessary" standard does not apply to any of the following:
• Uses or disclosures made to the individual;
• Uses or disclosures made pursuant to an individual authorization;
• Disclosures made to DHHS;
• Uses or disclosures required by law; and
• Uses or disclosures required to comply with HIPAA.

10. Documentation

Procedure

Documentation. Employees shall maintain copies of all of the following items for a period of at least six years from the date the documents were created or were last in effect, whichever is later:
• "Notices of Privacy Practices" that are issued to participants,
• When a disclosure of PHI is made,
  • the date of the disclosure;
  • the name of the entity or person who received the PHI and, if known, the address of such entity or person;
  • a brief description of the PHI disclosed;
  • a brief statement of the purpose of the disclosure; and
  • any other documentation required under these Use and Disclosure Procedures.
• Individual authorizations.

11. Mitigation of Inadvertent Disclosures of PHI

Mitigation: Reporting Required. HIPAA requires that a covered entity mitigate, to the extent possible, any harmful effects that become known to us of a use or disclosure of an individual's PHI in violation of the policies and procedures set forth in this manual. As a result, if you become aware of a disclosure of PHI, either by an employee of Plan or an outside consultant/contractor, that is not in compliance with the policies and procedures set forth in this manual, immediately contact the Privacy Official so that the appropriate steps to mitigate any potential harm to the individual can be taken.
Procedures for Complying With Individual Rights

1. Individual's Request for Access

"Designated Record Set" Defined

Designated Record Set is a group of records maintained by or for the County that includes:
• the enrollment, payment, and claims adjudication record of an individual maintained by or for the Plan; or
• other protected health information used, in whole or in part, by or for the Plan to make coverage decisions about an individual.

Procedure

Request From Individual, Parent of Minor Child, or Personal Representative. Upon receiving a written request from an individual (or from a minor's parent or an individual's personal representative) for disclosure of an individual's PHI, the employee must take the following steps.
• Follow the procedures for verifying the identity of the individual (or parent or personal representative) set forth in "Verification of Identity of Those Requesting Protected Health Information."
• Review the disclosure request to determine whether the PHI requested is held in the individual's designated record set. See the Privacy Official if it appears that the requested information is not held in the individual's designated record set. No request for access may be denied without approval from the Privacy Official.
• Review the disclosure request to determine whether an exception to the disclosure requirement might exist; for example, disclosure may be denied for requests to access psychotherapy notes, documents compiled for a legal proceeding, certain requests by inmates, information compiled during research when the individual has agreed to denial of access, information obtained under a promise of confidentiality, and other disclosures that are determined by a health care professional to be likely to cause harm. See the Privacy Official if there is any question about whether one of these exceptions applies. No request for access may be denied without approval from the Privacy Official.
• Respond to the request by providing the information or denying the request within 30 days (60 days if the information is maintained off-site). If the requested PHI cannot be accessed within the 30-day (or 60-day) period, the deadline may be extended for 30 days by providing written notice to the individual within the original 30- or 60-day period of the reasons for the extension and the date by which the County will respond.
• A Denial Notice must contain (1) the basis for the denial, (2) a statement of the individual's right to request a review of the denial, if applicable, and (3) a statement of how the individual may file a complaint concerning the denial. All notices of denial must be prepared or approved by the Privacy Official.
• Provide the information requested in the form or format requested by the individual, if readily producible in such form. Otherwise, provide the information in a readable hard copy or such other form as is agreed to by the individual.
• Individuals have the right to receive a copy by mail or by e-mail or can come in and pick up a copy. Individuals also have the right to come in and inspect the information.
• If the individual has requested a summary and explanation of the requested information in lieu of, or in addition to, the full information, prepare such summary and explanation of the information requested and make it available to the individual in the form or format requested by the individual.
• Disclosures must be documented in accordance with the procedure "Documentation Requirements."

2. Individual's Request for Amendment

Procedure

Request From Individual, Parent of Minor Child, or Personal Representative. Upon receiving a written request from an individual (or a minor's parent or an individual's personal representative) for amendment of an individual's PHI held in a designated record set, the employee must take the following steps.
• Follow the procedures for verifying the identity of the individual (or parent or personal representative) set forth in "Verification of Identity of Those Requesting Protected Health Information."
• Review the disclosure request to determine whether the PHI at issue is held in the individual's designated record set. See the Privacy Official if it appears that the requested information is not held in the individual's designated record set. No request for amendment may be denied without approval from the Privacy Official.
• Review the request for amendment to determine whether the information would be accessible under HIPAA's right to access (see the access procedures above on PAGE 28). See the Privacy Official if there is any question about whether one of these exceptions applies. No request for amendment may be denied without approval from the Privacy Official.
• Review the request for amendment to determine whether the amendment is appropriate, that is, determine whether the information in the designated record set is accurate and complete without the amendment.
• Respond to the request within 60 days by informing the individual in writing that the amendment will be made or that the request is denied. If the determination cannot be made within the 60-day period, the deadline may be extended for 30 days by providing written notice to the individual within the original 60-day period of the reasons for the extension and the date by which the County will respond.
• When an amendment is accepted, make the change in the designated record set, and provide appropriate notice to the individual and all persons or entities listed on the individual's amendment request form, if any, and also provide notice of the amendment to any persons/entities who are known to have the particular record and who may rely on the uncorrected information to the detriment of the individual.
• When an amendment request is denied, the following procedures apply:
  • All notices of denial must be prepared or approved by the Privacy Official. A Denial Notice must contain (1) the basis for the denial; (2) information about the individual's right to submit a written statement disagreeing with the denial and how to file such a statement; (3) an explanation that the individual may (if he or she does not file a statement of disagreement) request that the request for amendment and its denial be included in future disclosures of the information; and (4) a statement of how the individual may file a complaint concerning the denial.
  • If, following the denial, the individual files a statement of disagreement, include the individual's request for an amendment; the denial notice of the request; the individual's statement of disagreement, if any; and the County's rebuttal/response to such statement of disagreement, if any, with any subsequent disclosure of the record to which the request for amendment relates. If the individual has not submitted a written statement of disagreement, include the individual's request for amendment and its denial with any subsequent disclosure of the protected health information only if the individual has requested such action.

3. Processing Requests for an Accounting of Disclosures of PHI

Procedure

Request From Individual, Parent of Minor Child, or Personal Representative. Upon receiving a request from an individual (or a minor's parent or an individual's personal representative) for an accounting of disclosures, the employee must take the following steps:
• Follow the procedures for verifying the identity of the individual (or parent or personal representative) set forth in "Verification of Identity of Those Requesting Protected Health Information."
• If the individual requesting the accounting has already received one accounting within the 12 month period immediately preceding the date of receipt of the current request, a written notice will be sent to the individual informing him or her that a fee for processing will be charged which will provide the individual with a chance to withdraw the request. The fee for processing will be as follows: Fifteen (15) cents per page. Also if extensive clerical or supervisory assistance by personnel of Indian River County is involved; or both, Indian River County may charge in addition to the actual cost of duplication, a special service charge, which shall be reasonable and shall be based on the cost incurred.
• Respond to the request within 60 days by providing the accounting (as described in more detail below), or informing the individual that there have been no disclosures that must be included in an accounting (see the list of exceptions to the accounting requirement below). If the accounting cannot be provided within the 60-day period, the deadline may be extended for 30 days by providing written notice to the individual within the original 60-day period of the reasons for the extension and the date by which the County will respond.
• The accounting must include disclosures (but not uses) of the requesting individual's PHI made by Plan and any of its business associates during the period requested by the individual up to six years prior to the request. (Note, however, that the plan is not required to account for any disclosures made prior to April 14, 2003.) The accounting does not have to include disclosures made:
  • to carry out treatment, payment and health care operations;
  • to the individual about his or her own PHI;
  • incident to an otherwise permitted use or disclosure;
  • pursuant to an individual authorization;
  • for specific national security or intelligence purposes;
  • to correctional institutions or law enforcement when the disclosure was permitted without an authorization; and
  • as part of a limited data set.
• If any business associate of the Plan has the authority to disclose the individual's PHI, then in order to obtain an accounting of the business associate's disclosures, the Privacy Officer for the plan will provide to the individual upon request the business associate's primary contact's name and telephone numbers.
• The accounting must include the following information for each reportable disclosure of the individual's PHI:
  • the date of disclosure,
  • the name (and if known, the address) of the entity or person to whom the information was disclosed;
  • a brief description of the PHI disclosed; and
  • a brief statement explaining the purpose for the disclosure. (The statement of purpose may be accomplished by providing a copy of the written request for disclosure, when applicable.)
• If the Plan has received a temporary suspension statement from a health oversight agency or a law enforcement official indicating that notice to the individual of disclosures of PHI would be reasonably likely to impede the agency's activities, disclosure may not be required. If an employee receives such a statement, either orally or in writing, the employee must contact the Privacy Official for more guidance.
• Accountings must be documented in accordance with the procedure for "Documentation Requirements."

4. Processing Requests for Confidential Communications

Request From Individual, Parent of Minor Child, or Personal Representative.
Upon receiving a written request from an individual (or a minor's parent or an individual's personal representative) to receive communications of PHI by alternative means or at alternative locations, the employee must take the following steps:
• Follow the procedures for verifying the identity of the individual (or parent or personal representative) set forth in "Verification of Identity of Those Requesting Protected Health Information."
• Determine whether the request contains a statement that disclosure of all or part of the information to which the request pertains could endanger the individual.
• If a request will not be accommodated, the employee must contact the individual in person, in writing, or by telephone to explain why the request cannot be accommodated.
• All confidential communication requests that are approved must be recorded in a written log that is maintained by the designated Privacy Official.
• Requests and their dispositions must be documented in accordance with the procedure for "Documentation Requirements."

5. Processing Requests for Restrictions on Uses and Disclosures of PHI

Request From Individual, Parent of Minor Child, or Personal Representative. Upon receiving a written request from an individual (or a minor's parent or an individual's personal representative) to restrict access to an individual's PHI, the employee must take the following steps.
• Follow the procedures for verifying the identity of the individual (or parent or personal representative) set forth in "Verification of Identity of Those Requesting Protected Health Information."
• The employee should take steps to honor requests if disclosure could endanger the individual.
• If a request will not be accommodated, the employee must contact the individual in person, in writing, or by telephone to explain why the request cannot be accommodated.
• All requests for limitations on use or disclosure of PHI that are approved must be recorded in a written log that is maintained by the designated Privacy Official.
• All business associates that may have access to the individual's PHI must be notified of any agreed-to restrictions which will be provided via written correspondence from the Privacy Official.
• Requests and their dispositions must be documented in accordance with the procedure for "Documentation Requirements."

Procedures to Safeguard PHI

Physical Security. Physical security of PHI will be maintained through various means as follows:
• PHI is to be maintained in separate file area of the office or enclosed room where access is limited to those County employees who have access according to the terms of the Privacy Policy. File cabinets should have locks. To the extent feasible, file cabinets should be kept locked.
• If PHI is stored in a desk, the desk should have a lock. Desks containing PHI should be locked when unattended. PHI is not to be left unattended on desktops, countertops or worktables.
• Departments that maintain PHI should ensure that visitors to the office are escorted to their contact person and not left unattended.
• Incoming mail should be delivered unopened to the person to whom it is addressed.
• If an employee receives PHI and the employee is not designated as being permitted to have access to PHI, the employee should redirect the PHI as soon as possible to an appropriate person who does have access to PHI.
• Fax machines should be kept in an enclosed area or room to limit access to incoming communications that may contain PHI. Employees should exercise reasonable care to keep incoming fax messages secure and limit access by other County employees.
• Address outgoing mail and fax communications only to the specific person at the organization who the organization has confirmed has access to PHI.
Send PHI to a secure fax number verified by the intended receiver. Mark outgoing mail containing PHI "Personal & Confidential."

Verbal Security.
• Employees shall take reasonable steps in verbally discussing PHI to ensure that PHI is not discussed with any employee, individual or third party who does not have access to PHI pursuant to the terms of the County's Privacy Policy.
• PHI should not be discussed on speakerphone, unless necessary. If a speakerphone is used while discussing PHI, the door to the employee's office should be kept closed.
• When discussing PHI by telephone, employees should take reasonable care that the party to whom they are speaking is permitted to have access to PHI.
• Employees should not discuss PHI in public areas such as elevators and lunch rooms or at social gatherings.

Supervisors should monitor physical and verbal security and access to PHI. Employees must report any violations of security to the Privacy Official as soon as possible.

Destruction of PHI.
• Discarded PHI should be left completely inaccessible.
• Do not use ordinary trash to discard PHI in any form (hard copy, diskette, CD, etc.)
• Paper documents containing PHI should be shredded whenever possible.

Electronic Security. Procedures for electronic security shall be determined on or before the HIPAA Security effective date of April 21, 2005.

INDIAN RIVER COUNTY
INDIVIDUAL AUTHORIZATION FORM
AUTHORIZATION FOR RELEASE OF HEALTH INFORMATION

I hereby authorize the use or disclosure of my health information as described in this authorization.

________ (Specific person/organization) is authorized to provide the information.

________ (Specific person/organization) is authorized to receive and use the information.

The specific description of the information is: ________

Right to revoke: I understand that I have the right to revoke this authorization at any time by notifying the Indian River County's Health Benefits Administrator (Ann Rankin, 567.8000) in writing at the Human Resources Department, Fax 772.770.5004, Address 1840 25th Street Vero Beach, Fl 32960. I understand that the revocation is only effective after it is received and logged by the Benefit/Payroll Administrator. I understand that any use or disclosure made prior to the revocation under this authorization will not be affected by a revocation.

I understand that after this information is disclosed, federal law might not protect it and the recipient might re-disclose it.

I understand that I am entitled to receive a copy of this authorization.

I understand that this authorization will expire when my employment with Indian River County terminates and for all others such as retirees on this date: ________ (M/D/Y)

Signature of Employee: ________ Date: ________

Personal Representatives section
If a Personal Representative executes this form, the Representative warrants that he or she has authority to sign this form on the basis of: ________

INDIAN RIVER COUNTY
INDIVIDUAL RIGHTS FORM
INDIVIDUAL REQUEST TO INSPECT HEALTH INFORMATION

I request to review health information held about me in the Indian River County Employee Health Care Plan group health plan's "designated record set" in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). A "designated record set" includes information such as medical records; billing records; enrollment, payment, claims adjudication and health plan case or medical management record systems; or records used to make decisions about individuals.

I understand that the group health plan has 30 days to respond to this request, and that if someone else holds the information or it is off-site, the response time is 60 days.

I request that the information be provided in the following format: (circle one) Paper / Electronic

Optional: I agree that the group health plan may provide a summary of the health information instead of allowing me to review the information.
I agree to pay any fees for copying or summarizing my health information. Fees will be reasonable and cost-based, and include only the cost of copying, postage, and preparation of a summary (if I agree to a summary).

I understand that this request does not apply to certain health information, including: (1) information that is not held in the designated record set; (2) psychotherapy notes; (3) information compiled in reasonable anticipation of or for litigation; and (4) other information not subject to the right to access information under HIPAA.

Signature: ________ Date: ________

INDIAN RIVER COUNTY
INDIVIDUAL RIGHTS FORMS
GROUP HEALTH PLAN'S RESPONSE TO INSPECTION REQUEST

Grant
Your request to access your health information has been granted. Access will be provided by ________.

Need for Extension of Time
The group health plan received your request to access health information on ________. The group health plan has evaluated your request to access health information. A delay in providing the information is necessary for the following reason: ________
The group health plan will respond to your request within 60 days from the date of your request.

Denial of Access
The group health plan received your request to access health information and was denied for the following reason: ________
You may file a complaint regarding this decision with the group health plan or the U.S. Department of Health and Human Services. If you file a complaint with the group health plan, please file it in writing with the following person: Benefits/Payroll Administrator, Ann Rankin, Fax 772.770.5004, Address 1840 25th Street, Vero Beach, Fl, 32960.
In certain cases you are entitled to appeal the denial of access. You are entitled to an appeal if access was denied because in the opinion of a licensed health care professional, granting access is likely to endanger the life or physical safety of you or another person.
If you appeal, your appeal will be reviewed by a licensed health care professional designated by the plan that did not participate in the original decision. The appeal and notice of the appeal decision will be conducted promptly.

Signature of Plan Representative: ________ Date: ________

INDIAN RIVER COUNTY
INDIVIDUAL RIGHTS FORMS
INDIVIDUAL REQUEST TO CORRECT OR AMEND A RECORD

I request the group health plan to amend the protected health information in its designated record set.

Specific Statement of Amendment Request: ________

Specific Reason for Amendment Request: ________

I understand that if the protected health information was not created by the group health plan, the group health plan is not required to honor my request. For example, if the information I wish to amend is in a medical report created by my physician, I must ask the physician — not the plan — to amend the report. I also understand that if the information is not available for my inspection, is not part of the plan's designated record set or is already accurate and complete, I cannot amend the information.

I understand that the group health plan will respond to my request within 60 days.

Signature: ________ Date: ________

INDIAN RIVER COUNTY
INDIVIDUAL RIGHTS FORMS
GROUP HEALTH PLAN'S RESPONSE TO AMENDMENT OR CORRECTION REQUEST

Grant
Your request to amend or correct your health information has been granted. The Plan will make an appropriate amendment to the designated record set. You must provide the Plan with the names and addresses of any persons to which you wish to provide the amended information. The Plan then will make reasonable efforts to inform these individuals — and persons that the Plan knows may have relied or could rely on the information — of the amendment within a reasonable time.

Need for Extension of Time
The group health plan received your request to amend your health information on ________. The group health plan has evaluated your request to amend health information.
A delay in action is necessary for the following reason: ________
The group health plan will respond to your request within 60 days of your request.

Denial of Access
The group health plan received your request to amend health information on ________. Your request is denied for the following reason: ________

Statement of Disagreement
You have the right to file a written statement disagreeing with denial of amendment. The statement of disagreement must be limited to two single-sided 8 1/2 x 11 pages. The statement of disagreement should be filed within 60 days of this notice with the Benefits/Payroll Administrator, Ann Rankin, Address 1840 25th Street, Vero Beach, Fl 32960. The Plan has the right to prepare a rebuttal statement to your statement of disagreement. If it does so, you will receive a copy.

If you do not submit a statement of disagreement, you may request that the Plan provide your request for amendment and this denial of amendment with any future disclosures of protected health information that is the subject of this request.

You may file a complaint regarding this decision with the group health plan or the U.S. Department of Health and Human Services. If you file a complaint with the group health plan, please file it in writing with the following person: Benefits/Payroll Administrator, Ann Rankin.

INDIAN RIVER COUNTY
INDIVIDUAL RIGHTS FORMS
INDIVIDUAL REQUEST NOT TO USE OR DISCLOSE HEALTH INFORMATION

I understand that Indian River County group health plan may use and disclose protected health information about me for purposes of health care treatment, payment and health care operations without my consent. I request to restrict use and disclosure of protected health information concerning health care treatment, payment or health care operations about me by the Indian River County group health plan in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Group Health Plan Not Required To Agree
I understand that the group health plan is not required to agree to this restriction.

Termination of Restriction
I understand that if the group health plan agrees to this restriction, either the Plan or I may terminate this restriction at any time. The termination of the restriction is only effective for future uses and disclosures.

Emergency Treatment Exception
I understand that if protected health information must be used or disclosed to provide emergency treatment for me, then this restriction is void.

Questionnaire
Requestor: Please complete all of the following questions. If the question is not applicable, mark N/A on the answer line.
1) I request the following information be restricted: ________
2) I request that use and disclosure of the above-described information be restricted in the following manner: ________
3) I request that my protected health information not be disclosed to the following individuals or entities: ________

I understand that if a restriction is not specifically listed above and agreed to in writing by the group health plan, it will not be effective.

Signature of Employee: ________ Date: ________

INDIAN RIVER COUNTY
INDIVIDUAL RIGHTS FORMS
GROUP HEALTH PLAN'S RESPONSE TO INSPECTION REQUEST

Grant
Your request to access your health information has been granted. Access will be provided by ________.

Need for Extension of Time
The group health plan received your request to access health information on ________. The group health plan has evaluated your request to access health information. A delay in providing the information is necessary for the following reason: ________
The group health plan will respond to your request within 60 days from the date of your request.

Denial of Access
The group health plan received your request to access health information and was denied for the following reason: ________
You may file a complaint regarding this decision with the group health plan or the U.S. Department of Health and Human Services.
If you file a complaint with the group health plan, please file it in writing with the following person: Health Benefits Administrator, Ann Rankin, Fax 772.770.5004, Address 1840 25th Street, Vero Beach, Fl, 32960.
In certain cases you are entitled to appeal the denial of access. You are entitled to an appeal if access was denied because in the opinion of a licensed health care professional, granting access is likely to endanger the life or physical safety of you or another person. If you appeal, your appeal will be reviewed by a licensed health care professional designated by the plan that did not participate in the original decision. The appeal and notice of the appeal decision will be conducted promptly.

Signature of Plan Representative: ________ Date: ________

INDIAN RIVER COUNTY
INDIVIDUAL RIGHTS FORM
INDIVIDUAL REQUEST TO INSPECT HEALTH INFORMATION

I request to review health information held about me in the Indian River County Employee Health Care Plan group health plan's "designated record set" in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). A "designated record set" includes information such as medical records; billing records; enrollment, payment, claims adjudication and health plan case or medical management record systems; or records used to make decisions about individuals.

I understand that the group health plan has 30 days to respond to this request, and that if someone else holds the information or it is off-site, the response time is 60 days.

I request that the information be provided in the following format: (circle one) Paper / Electronic

Optional: I agree that the group health plan may provide a summary of the health information instead of allowing me to review the information.

I agree to pay any fees for copying or summarizing my health information. Fees will be reasonable and cost-based, and include only the cost of copying, postage, and preparation of a summary (if I agree to a summary).
I understand that this request does not apply to certain health information, including: (1) information that is not held in the designated record set; (2) psychotherapy notes; (3) information compiled in reasonable anticipation of or for litigation; and (4) other information not subject to the right to access information under HIPAA.

Signature: ________ Date: ________

INDIAN RIVER COUNTY
INDIVIDUAL RIGHTS FORMS
INDIVIDUAL REQUEST TO CORRECT OR AMEND A RECORD

I request the group health plan to amend the protected health information in its designated record set.

Specific Statement of Amendment Request: ________

Specific Reason for Amendment Request: ________

I understand that if the protected health information was not created by the group health plan, the group health plan is not required to honor my request. For example, if the information I wish to amend is in a medical report created by my physician, I must ask the physician — not the plan — to amend the report. I also understand that if the information is not available for my inspection, is not part of the plan's designated record set or is already accurate and complete, I cannot amend the information.

I understand that the group health plan will respond to my request within 60 days.

Signature: ________ Date: ________

INDIAN RIVER COUNTY
INDIVIDUAL RIGHTS FORMS
INDIVIDUAL REQUEST NOT TO USE OR DISCLOSE HEALTH INFORMATION

I understand that Indian River County group health plan may use and disclose protected health information about me for purposes of health care treatment, payment and health care operations without my consent. I request to restrict use and disclosure of protected health information concerning health care treatment, payment or health care operations about me by the Indian River County group health plan in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Group Health Plan Not Required To Agree
I understand that the group health plan is not required to agree to this restriction.
Termination of Restriction
I understand that if the group health plan agrees to this restriction, either the Plan or I may terminate this restriction at any time. The termination of the restriction is only effective for future uses and disclosures.

Emergency Treatment Exception
I understand that if protected health information must be used or disclosed to provide emergency treatment for me, then this restriction is void.

Questionnaire
Requestor: Please complete all of the following questions. If the question is not applicable, mark N/A on the answer line.
1) I request the following information be restricted: ________
2) I request that use and disclosure of the above-described information be restricted in the following manner: ________
3) I request that my protected health information not be disclosed to the following individuals or entities: ________

I understand that if a restriction is not specifically listed above and agreed to in writing by the group health plan, it will not be effective.

Signature of Employee: ________ Date: ________

INDIAN RIVER COUNTY
INDIVIDUAL AUTHORIZATION FORM
AUTHORIZATION FOR RELEASE OF HEALTH INFORMATION

I hereby authorize the use or disclosure of my health information as described in this authorization.

________ (Specific person/organization) is authorized to provide the information.

________ (Specific person/organization) is authorized to receive and use the information.

The specific description of the information is: ________

Right to revoke: I understand that I have the right to revoke this authorization at any time by notifying the Indian River County's Health Benefits Administrator (Ann Rankin, 567.8000) in writing at the Human Resources Department, Fax 772.770.5004, Address 1840 25th Street Vero Beach, Fl 32960. I understand that the revocation is only effective after it is received and logged by the Health Benefit's Administrator. I understand that any use or disclosure made prior to the revocation under this authorization will not be affected by a revocation.
I understand that after this information is disclosed, federal law might not protect it and the recipient might re-disclose it.

I understand that I am entitled to receive a copy of this authorization.

I understand that this authorization will expire when my employment with Indian River County terminates and for all others such as retirees on this date: ________ (M/D/Y)

Signature of Employee: ________ Date: ________

Personal Representatives section
If a Personal Representative executes this form, the Representative warrants that he or she has authority to sign this form on the basis of: ________

INDIAN RIVER COUNTY
INDIVIDUAL RIGHTS FORMS
GROUP HEALTH PLAN'S RESPONSE TO AMENDMENT OR CORRECTION REQUEST

Grant
Your request to amend or correct your health information has been granted. The Plan will make an appropriate amendment to the designated record set. You must provide the Plan with the names and addresses of any persons to which you wish to provide the amended information. The Plan then will make reasonable efforts to inform these individuals — and persons that the Plan knows may have relied or could rely on the information — of the amendment within a reasonable time.

Need for Extension of Time
The group health plan received your request to amend your health information on ________. The group health plan has evaluated your request to amend health information. A delay in action is necessary for the following reason: ________
The group health plan will respond to your request within 60 days of your request.

Denial of Access
The group health plan received your request to amend health information on ________. Your request is denied for the following reason: ________

Statement of Disagreement
You have the right to file a written statement disagreeing with denial of amendment. The statement of disagreement must be limited to two single-sided 8 1/2 x 11 pages. The statement of disagreement should be filed within 60 days of this notice with the Health Benefits Administrator, Ann Rankin, Address 1840 25th Street, Vero Beach, Fl 32960. The Plan has the right to prepare a rebuttal statement to your statement of disagreement. If it does so, you will receive a copy.

If you do not submit a statement of disagreement, you may request that the Plan provide your request for amendment and this denial of amendment with any future disclosures of protected health information that is the subject of this request.

You may file a complaint regarding this decision with the group health plan or the U.S. Department of Health and Human Services. If you file a complaint with the group health plan, please file it in writing with the following person: Health Benefits Administrator, Ann Rankin.

Kimberly Massung

From: Ann Rankin
Sent: Thursday, March 17, 2005 3:41 PM
To: 'Ikarp@crowneinc.com'; Mackie Branham (E-mail)
Cc: Donna Kaspari; Kimberly Massung
Subject: HIPAA Addendum and Confidentiality & Indemnity Agreements

Leslie or Mackie,

Blue Cross Blue Shield sent Addendum Agreement and the HIPAA Policy and Procedure, but we did not receive the original C & I agreement. Can you assist me with locating this agreement.

Thanks,
Ann Rankin
Benefits/Payroll Administrator
Indian River County Board of County Commissioners
Phone: (772) 567-8000 ext. 1448
Fax: (772) 770-5004
Email: arankin aircgov.com

3/18/2005