HR

PURPOSE:  Larimer County is a hybrid entity that has designated certain covered functions and health care plans as health care components under the Health Insurance Portability and Accountability Act (HIPAA) (reference A).  This procedure is intended to ensure that Larimer County’s designated health care components comply with HIPAA, its regulations and applicable law(s) (reference G); to provide a process for safeguarding protected health information (PHI); to provide a process for reviewing complaints about this issue and to provide for the training of existing and new personnel who handle protected health information (reference P).

SCOPE:  This procedure applies to all of Larimer County’s designated health care components covered under HIPAA, its regulations and other applicable law.

RESPONSIBILITY:  Larimer County employees are responsible for ensuring the designated health care components comply with applicable law and regulations as outlined in this procedure (reference P).  Human Resources is responsible for assisting such employees in complying with this procedure.

REVISION LOCATOR:

A.    References H through P

 

PROCEDURE:

I.   General Policy:

It is the policy of Larimer County that its designated health care components comply with HIPAA, its regulations and relevant state and federal law (reference G).  Larimer County intends to accomplish this responsibility through ongoing efforts to implement reasonable policies and procedures, to require and provide appropriate training and to reasonably monitor these compliance efforts.

 

II.   Definitions:

A.   Health Information: Any information, whether oral or recorded in any form or medium, that:

1.   is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university or health care clearinghouse; and

2.   relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual.

B.   Health Care: Care, services, or supplies related to the health of an individual.

C.   Individually Identifiable Health Information: Any health information, including demographic information, that can or could be used to identify an individual.

D.   Protected Health Information (PHI): Individually identifiable information, whether it is in electronic, paper or oral form, that is created or received by or on behalf of an entity covered by HIPAA or its health care component.  Generally does not include employment records.

E.   Covered Entity: Generally, a health plan, health care provider or health care clearinghouse.

F.   Health Care Component: A designated component of a covered entity that performs functions of a health plan, a health care provider and/or a health care clearing house.

G.   Use: The sharing, employment, application, utilization, examination or analysis of information of PHI within the entity that maintains the information.

H.   Disclosure: The release, transfer, provision of access to or divulging in any other manner of information outside the entity holding the information.

I.   Business Associate: An entity that is not a member of a covered entity's workforce that helps a covered entity with a function or activity involving the use or disclosure of individually identifiable health information.

J.   Minimum Necessary Standard: A covered entity or its health care component must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose when using or disclosing PHI or requesting PHI from another covered entity.

K.   Designated Record Set: Information maintained by a covered entity, to include medical records, billing records, enrollment, payment or other records used by or for the covered entity to make certain decisions about individuals.

L.   Treatment: The provision, coordination or management of health care and related services by a provider.

M.   Health Care Operations: A covered entity's activities related to covered functions such as treatment, payment and other related operations.

N.   Employment Records: Records held by an employer in its capacity as an employer, rather than as a plan sponsor or health care provider.

O.   De-identified Health Information: Health information that does not identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual.  This type of information is not subject to the HIPAA privacy rules.

 

III.   Designation of Health Care Components:

By resolution (enclosure 11), the Larimer County Board of County Commissioners has designated certain divisions and health care plans as health care components.

 

IV.   Privacy Officer and Contact Office:

A.   Privacy Officer Designation:
By resolution, the Larimer County Board of County Commissioners has designated the position of Employee Relations Specialist in the Human Resources Department as the Privacy Officer for Larimer County.  This designation is subject to change in accord with applicable law.

B.   Contact Office Designation:
By resolution, the Larimer County Board of County Commissioners has designated the Human Resources Department as the Contact Office for matters addressed under this procedure. This designation is subject to change in accord with applicable law.

C.   Duties:

1.   Privacy Officer:
The Privacy Officer is responsible for overseeing and assisting the County's designated health care components’ in their ongoing activities related to the development, implementation, maintenance of and adherence to the policies and procedures covering the privacy and security of, and access to, individual health information in compliance with federal and state laws and the County's policies.

2.   Contact Office:
The Human Resources Department, in conjunction with the Privacy Officer, is responsible for assisting the County's designated health care components in complying with applicable law.

 

V.   Training:

A.   Scope of Training:

1.   Responsibility:

a.   Each designated health care component is responsible for developing and providing appropriate training to those employees who access PHI.  The development and implementation of this training will be made in consultation with the Privacy Officer and Human Resources (reference P).

b.   All training must be documented.  The particular designated health care component and the Privacy Officer are responsible for ensuring that the proper documentation exists to verify the workforce member's training.

2.   Nature of Training:
The nature of the training will vary depending on the particular circumstances of the designated health care component.  Training may be in the form of live instruction, access to policies and procedures and other information in writing and on the Bulletin Board, on-line training, document handouts and any other manner deemed appropriate by the Privacy Officer.

B.   Current Employees:
Current employees who access PHI will promptly receive necessary training to enable them to comply with applicable law.  Training will be provided on an ongoing basis to ensure the designated health care components’ continued compliance.

C.   New Employees:
Each designated health care component is responsible for ensuring that new employees who will access PHI promptly receive the necessary training to ensure they comply with County policy and applicable law.

D.   Supervisors:
In addition to the training provided by the designated health care components, the County's mandatory Supervisory Training program will include a session on the importance of complying with the applicable privacy policies, procedures and law.

 

VI.       Safeguards to Protect Privacy:

A.   Consultation with Human Resources:
In all instances where time and circumstances permit, any employee or appointing authority that has a question regarding a specific use, disclosure or retention of PHI, that is not related to treatment, payment and/or health care operations, must consult with the Privacy Officer or designee before using or disclosing the protected health information.

B.   Division, Department and Elected Office Policies and Procedures:
Each designated health care component is responsible for developing and implementing appropriate policies and procedures to ensure that it uses, discloses and maintains PHI in accord with applicable law and this policy.  The development and implementation of these policies will be in consultation with the Privacy Officer and Human Resources.  The Privacy Officer or Human Resources Director will provide reasonable assistance to the designated health care components to achieve and maintain compliance.

C.   Employee Confidentiality Agreement:
Each designated health care component will ensure that all employees who access PHI review and sign a Larimer County HIPAA Employee Confidentiality Agreement (enclosure 4) within a reasonable time from completion of his or her HIPAA compliance training.  All designated health care components must use the HIPAA Employee Confidentiality Agreement, LCHR-95 in complying with this procedure.

D.   Maintenance of Designated Record Set:
Each designated health care component is responsible for documenting one or more designated record sets as needed for business purposes.  A designated record set will be determined in consultation with the Privacy Officer.  Additionally, each designated health care component must document the position responsible for receiving and processing access requests.

E.   Individual Right to Access Ones PHI:

1.   Individuals have the right to see and obtain a copy of their PHI for as long as it is contained in the designated record set, subject to certain exceptions under the HIPAA Privacy Rule.  In order to request access, individuals must use the Request to Inspect and/or Copy Protected Health Information, LCHR-94 (enclosure 3).  A completed Request to Inspect and/or Copy Protected Health Information form must be submitted to the designated position or office.

2.   A request for access must be responded to within 30 days after receipt.  If the PHI is either off-site or held by some other entity, the response must be made within 60 days.  If a delay in providing access is necessary, one 30-day extension may be obtained, but the requesting individual must be informed of the reasons for the delay and the date the response will be provided in writing.  In responding, a Response to Inspection Request, LCHR-97 (enclosure 6) must be used.

3.   If feasible, access must be given in the form or format requested.  If the requested format cannot be reasonably produced, a readable hard copy form or another format that both the designated health care component and the requester agree on must be provided.  A mutually convenient time and place for the individual to inspect or obtain the PHI copy will be provided or the information will be mailed at the individual’s request.

4.   If agreed upon in advance, the designated health care component may provide a PHI summary in lieu of access.  The designated health care component may also provide an explanation of the PHI that is provided.

5.   A designated health care component may charge for PHI copies, summaries or explanations. The requesting individual must agree in advance to pay any such fee(s).  The fee must include only the cost of:

a.   copying, including supplies and labor;
b.   postage, if the individual requests mailing; and
c.   preparing a PHI explanation or summary if agreed to by the individual in advance.

6.   If a designated health care component initially determines that access should be denied, it must then consult with the Privacy Officer.  If access is ultimately denied, the requesting individual must be informed in writing using Response to Inspection Request, LCHR-97 (enclosure 6) and advised of any applicable rights to review the denial.

7.   The right to access does not apply to the following PHI:

a.   psychotherapy notes;
b.   information compiled in reasonable anticipation of or for litigation; and
c.   PHI that may not be released because it is covered by the Clinical Laboratory Improvements Amendments Act of 1988.

8.   Under HIPAA privacy rules, other circumstances may exist which limit an individual's right to access ones PHI.  The designated health care component must consult with the Privacy Officer before acting on a Request to Inspect and/or Copy Protected Health Information, LCHR-94 (enclosure 3).

F.   Responsibility to Report Improper Use or Disclosure of Protected Health Information:
All County employees are required to immediately report any potentially improper use or disclosure of PHI to the Privacy Officer or Human Resources.

G.   Minimum Necessary Standard:

1.   A designated health care component will comply with this policy and applicable law by reasonably limiting its uses, requests and disclosures of PHI to the minimum necessary to accomplish the intended purpose.

2.   Each designated health care component is responsible for developing and providing appropriate policies and procedures that contain a protocol to ensure that it complies with this standard.

3.   A protocol for determining which PHI is minimally necessary for a designated health care component’s business operations must:

a.   identify positions or classes of positions in the workforce that need access to PHI to carry out the job responsibilities; and
b.   for each position or class of positions, identify the category or categories of PHI to which access is needed and any conditions appropriate to that access.

H.   De-identification of Information:
To the extent practicable, all designated health care components are encouraged to work with the Privacy Officer and Human Resources in using and disclosing de-identified health information.

I.   Disclosures:

1.   Permitted: PHI may be used and disclosed by a designated health care component without consent or authorization if:

a.   PHI is used by or disclosed to the individual who is the subject of the PHI;
b.   the use or disclosure is for the entity’s treatment, payment or health care operations or the specified treatment, payment or health care operations of another entity;
c.   the use or disclosure is incidental to a permitted use or disclosure, and reasonable safe guards are in place;
d.   the use or disclosure is based on and is in compliance with a valid authorization; or
e.   under specified purposes or where the use or disclosure is based on an agreement with the individual who is the subject of the PHI.

2.   Required: A designated health care component is required to disclose PHI when:

a.   an individual requests access to his or her own PHI or requests an accounting of PHI disclosures, unless the request is subject to one of the exceptions contained in the HIPAA Privacy Rule; and
b.   when required by the U.S. Department of Health and Human Services to determine a designated health care component’s compliance with the HIPAA Privacy Rule.

3.   Other Disclosures: Under certain limited circumstances and for other limited reasons, Larimer County may disclose PHI.  Those include, but are not limited to:

a.   marketing;
b.   fundraising;
c.   underwriting;
d.   verification;
e.   crime reporting;
f.   research and public health;
g.   certain governmental programs;
h.   military and national security; or
i.   when required by other laws.

A designated health care component that contemplates either using or disclosing PHI pursuant to Section VI.I.3, must obtain advance approval from the Privacy Officer.

4.   Responsibility to Verify: A designated health care component is required to verify the identity of an individual or entity requesting PHI before disclosure. Each designated health care component is responsible for developing and providing appropriate policies and procedures to review a person’s authority to access PHI.  A designated health care component may rely on the following items to verify the requestor’s authority:

a.   a written statement of the legal authority under which the information is requested;
b.   an oral statement, if a written statement is impracticable; or
c.   a legal process, warrant, subpoena, court order or other legal process issued by a grand jury, judicial or administrative tribunal.

Before PHI is disclosed for reasons other than treatment, payment and health care operations, the designated health care component that holds the PHI must consult with the Privacy Officer.

J.   Responsibility to Obtain Consent or Authorization:

1.   A designated health care component may use reasonable methods to obtain an individual’s consent before using, disclosing or requesting PHI for treatment, payment or health care operations.

2.   A designated health care component need not obtain an individual’s authorization before using or disclosing PHI for reasons including, but not limited to:

a.   treatment;
b.   payment;
c.   health care operations;
d.   when required by law;
e.   certain public health activities;
f.   disclosures about victims of abuse, neglect or domestic violence;
g.   certain health oversight activities;
h.    judicial and administrative proceedings;
i.   disclosures for law enforcement proceedings;
j.   disclosures about decedents;
k.   certain organ and/or tissue donation purposes;

l.   certain research purposes;

m.   to avert a serious threat to health or safety;
n.   certain specialized government functions; or
o.   workers' compensation.

3.   An individual may authorize a designated health care component to use or disclose PHI in ways not otherwise permitted or required by applicable law.

4.   A designated health care component must use the Authorization for Use and Consent, LCHR-93 (enclosure 2).  Any use or disclosure must be specifically limited to that listed on the authorization form.

A designated health care component that contemplates either using or disclosing PHI pursuant to Section VI.J.2.d-o, must obtain advance approval from the Privacy Officer.

K.   Release of Protected Health Information to Third Parties:

1.   Release of PHI by a designated health care component to third parties must be in accord with this Policy and Procedure and applicable law.

2.   Each designated health care component is responsible for developing and providing appropriate policies and procedures for when PHI may be released to a person or entity that is not the individual who is the subject of the PHI.

3.   A designated health care component is responsible for complying with the verification requirements of Section VI.I.4 above before releasing PHI to a third party.

4.   Upon verification, a designated health care component may release PHI to a third party under certain circumstances, including but not limited to:

a.   when an individual is legally or otherwise incapable of exercising privacy rights or simply has chosen to legally designate another as a personal representative to act on his or her behalf for health care decisions;
b.   in the absence of a personal representative relationship, when a third party is involved in an individual's care or is directly involved in paying for the individual's care; and
c.   under the circumstances identified in Section VI.I.3 above.

In all instances where time and circumstances permit, before a designated health care component releases PHI to a third party, it should consult with the Privacy Officer.

L.   Responsibility to Document and Account for Disclosures:

1.   A designated health care component must account for and document all disclosures of an individual’s PHI unless the disclosure is:

a.   for the purpose of treatment, payment or health care operations;
b.   to individuals or their personal representatives about themselves;
c.   for a facility directory, to next-of-kin or to those involved in an individual’s care;
d.   for national security or intelligence purposes or for disaster relief;
e.   to correctional institutions or law enforcement officials;
f.   based on an individual’s authorization;
g.   is part of a limited data set; or
h.   is incidental to another permissible use or disclosure.

2.   Each designated health care component must develop a process for documenting and accounting for disclosures of PHI.

3.   An individual has the right to receive an accounting of applicable PHI disclosures that occurred in the preceding six years.  However, no designated health care component is required to provide an accounting of any use or disclosure made prior to April 14, 2003.

M.        Requests to Amend or Correct Records or otherwise Restrict Use of Protected Health Information:

1.   A designated health care component is not required to amend or otherwise correct PHI unless it created the PHI.

2.   Any request to amend or correct PHI created by a designated health care component must be in writing using Request to Correct or Amend Record, LCHR-98 (enclosure 7).

3.   Each designated health care component must document the position responsible for receiving and processing amendment requests.

4.   The right to amendment does not apply if the PHI:

a.   is not created by the designated health care component, unless the requester demonstrates that the originator of the PHI is no longer available to act on the request;
b.   is not part of a designated record set;
c.   will not be available for access under Section VI.E above; or
d.   is accurate and complete.

5.   A request to amend must be responded to within 60 days after receipt.  If a delay in providing access is necessary, one 30-day extension may be obtained, but the requesting individual must be informed of the reasons for the delay and the date the response will be provided in writing.  In responding, a Response to Inspection Request, LCHR-97 (enclosure 6) must be used.  The response must inform the individual if the request is granted (in whole or in part) and must make the requested amendment.

6.   Any response to a request for amendment must be made in consultation with the Privacy Officer.

7.   If a designated health care component agrees to make the amendment, it must, at a minimum, do the following:

a.   identify the records in the designated record set that are affected by the amendment;
b.   append or otherwise provide a link to the amendment’s location;
c.   inform the individual in a timely manner that the amendment is accepted and obtain his or her agreement to notify relevant persons who must be informed of the amendment; and
d.   inform others about the amendment within a reasonable time, if the individual requests or the component knows that those other individuals could have reasonably relied on the information.

8.   If a designated health care component initially determines that amendment should be denied, it must consult with the Privacy Officer.  If amendment is ultimately denied, the requesting individual must be informed in writing using Response to Amendment or Correction Request, LCHR-99 (enclosure 8).

9.   Any denial of a PHI amendment, either in whole or in part, must include:

a.   the basis for the denial; and
b.   a statement of the individual’s rights.

10.   An individual whose request to amend or correct PHI has been denied has the right to file a written statement disagreeing with the denial of amendment.

a.   The statement of disagreement must be limited to two single-sided 8-1/2 x 11 pages.  The statement of disagreement should be filed within 60 days of this denial notice with the Larimer County Privacy Officer.  The designated health care component has the right to prepare and submit to the Privacy Officer a rebuttal statement to the individual's statement of disagreement.  If it does, the Privacy Officer will provide a copy to the subject individual.
b.   If the requesting individual does not submit a statement of disagreement, he or she may request that the designated health care component provide a copy of the request for amendment and the denial of amendment with any future disclosures of protected health information that is the subject of this request.

11.   An individual whose request to amend or correct PHI has been denied has the right to file a complaint regarding this decision with the Privacy Officer in accord with Section XII or the U.S. Department of Health and Human Services.

12.   All designated health care components reserve the right to honor requests to restrict the use or disclosure of PHI.  Any such request must be submitted to the health care component that holds the PHI or to the Privacy Officer using Request Not to Use or Disclose Protected Health Information, LCHR-100 (enclosure 9).

13.   Any response to a Request Not to Use or Disclose Protected Health Information must be made in consultation with the Privacy Officer and must use Response to Request Not to Use or Disclose Protected Health Information, LCHR-101 (enclosure 10).

14.   Any request to restrict the usage of PHI must be documented, retained and honored in accord with applicable law.

N.   Data Security: RESERVED

O.   Relationships with Third Parties which involve Protected Health Information:

1.   Plan Documents:
Any plan documents to which Larimer County is a signatory, must be timely amended to ensure compliance with this policy and applicable law.   Larimer County will comply with these plan documents in accord with this policy and applicable law.

2.   Certifications:
Larimer County will comply with any Certifications required under applicable law.

3.   Business Associate Agreements:

a.   Where a Larimer County division or department is a business associate of a covered entity, that division or department, if so requested by the covered entity, will enter into a Business Associate Agreement with the covered entity in the form of LCHR-96 (enclosure 5).  Prior to executing the business associate agreement, the division or department must submit the agreement to the Privacy Officer and the County Attorney for approval.
b.   Larimer County’s designated health care components will provide each of their business associates with a Business Associate Agreement, LCHR-96 (enc. 5) for execution.  After the business associate executes the Business Associate Agreement, but before the County health care component executes it, the health care component must submit the agreement to the Privacy Officer and County Attorney for approval.
c.   The Privacy Officer may reasonably monitor and/or audit a County or non-County business associate's HIPAA compliance with the Agreement.

 

VII.   Responsibility to Mitigate Results of Violation:

A.   To the extent practicable, a designated health care component will mitigate any harmful effect that becomes known to it as a result of a use or disclosure of PHI in violation of applicable federal and state law or Larimer County policies and procedures.

B.   Mitigation efforts may include, but are not limited to, the following:

1.   taking operational and procedural corrective measures to remedy violations;

2.   taking employment actions to re-train, correct or discipline workforce members, staff and employees as necessary, up to and including termination;

3.   addressing problems with other entities with whom Larimer County is related once Larimer County reasonably becomes aware of a breach of privacy; and

4.   incorporating mitigation solution(s) into Larimer County policies and procedures as appropriate.

 

VIII.    Disciplinary Action:

A.   Statutory Penalties:
Violations of applicable law may result in the imposition of civil and criminal penalties.

B.   Basis for Corrective and/or Disciplinary Action:
Any employee who engages in conduct prohibited under this policy and/or applicable law will be subject to disciplinary action, up to and including dismissal from employment (reference H).

 

IX.   Prohibition of Retaliatory Action:

A.   All Larimer County workforce members and employees shall be allowed to freely discuss and raise questions to Larimer County's Privacy Officer and/or it's Human Resources Department about situations they feel are in violation of applicable federal and state laws and/or Larimer County policies and procedures.

B.   All Larimer County workforce members and employees have a personal obligation to report any activity that appears to violate applicable laws, regulations, rules, policies and/or procedures.

C.   Larimer County shall not intimidate, threaten, coerce, discriminate against or take any retaliatory action if any patient, legally authorized representative, employee, workforce member, volunteer, associate, association, contractor, organization or group in good faith:

1.   discloses or threatens to disclose information about a situation they feel is inappropriate, or potentially illegal;

2.   provides information to or testifies against the alleged offending individual or Larimer County;

3.   objects to or refuses to participate in an activity they feel are in violation of applicable federal and state law or Larimer County policies and procedures;

4.   is involved in any compliance review process; or

5.   files a valid or legitimate report or a complaint to either Larimer County, state or federal officials responsible for investigating violations of applicable law.

D.   Larimer County will review any allegation of retaliation and will ensure that a proper investigation is conducted as appropriate. The investigation will be in accordance with the Larimer County policies and procedures and applicable law.  Upon completion of an investigation, the Privacy Officer will ensure that appropriate action is taken, which may include disciplinary action under Human Resources Policy and Procedure 331.8 (reference H).

 

X.   Responsibility to Document Compliance Activity:

A.   Monitoring Activities:
The Privacy Officer will conduct reasonable monitoring activities necessary to ensure the designated health care components’ compliance with applicable law.  The Privacy Officer may associate with an outside party to review or otherwise assist with this monitoring process.

B.   Responsibility to Maintain Records:

1.   Location of Protected Records:
Each designated health care component is responsible for identifying and maintaining the privacy of covered records.  The location and maintenance of such records will be determined in consultation with the Privacy Officer.

2.   Duration of Record Retention:
PHI in a designated record set must be maintained for a period of six years from either the date it was created or the date it was last in effect, whichever is later.

3.   Destruction of Records:
At the end of the record retention period, PHI must be destroyed in a manner reasonably calculated to preserve its privacy.

 

XI.   Prohibition Against Waivers of Individual Rights:
Larimer County will not require the waiver of individual rights prohibited by applicable law.

 

XII.   Complaint Process:

A.   General Policy:
Individuals who believe their rights granted by HIPAA or any other state or federal laws dealing with the privacy and confidentiality of health information have been violated may file a complaint regarding the alleged privacy violation.

B.   Procedure:

1.   Any privacy related complaint must be filed with the Privacy Officer.  A complaint must be in writing, identify itself as a complaint under this procedure, identify the complaining individual or entity, specifically describe the problem and state the remedy sought.

2.   The Privacy Officer will meet with the complaining party within a reasonable period of time from receipt of the complaint.

3.   The Privacy Officer will investigate the alleged privacy violation complaint.  Employees and workforce members may be requested to assist in investigations regarding complaints and their cooperation is required.

4.   The Privacy Officer shall make a decision with respect to the complaint, which shall be final and binding. The decision shall be in writing and a copy given to the complaining party, the health care component and maintained by the Privacy Officer for documentation and storage in accord with this procedure and applicable law.

5.   At any time during the complaint process, the complaining party or the involved designated health care component may consult with Human Resources or the Privacy Officer to ensure compliance with the provisions of this procedure and for assistance in reaching a solution.

 

XIII.   Notice of Right and Responsibility to Amend:

A.   Larimer County reserves the right to amend this Policy and Procedure as well as any reasonably related policy or procedure based on changes in the applicable laws and/or regulations, based on changes in the designated health care components’ use of PHI, based on organizational changes within the County and based on any other reason permissible under the law.

B.   Any amendment to this policy and procedure may either be made retroactive or prospective based on the particular circumstances warranting the amendment.

C.   Any amendment must be documented, including in the Notice of Information Practices, LCHR-92 (enclosure 1).

 

 

                                                           

Kathay Rennels
Chair, Board of County Commissioners

(Approved by BOCC – Admin Matters – 09/29/2009)

 

Distribution:
All County Department and Elected Officials
Records Management SOP Manual (original)

JG/vl

 

DATE: September 29, 2009 (This Policy is under additional review for changes pending the HIPAA Policy Project; as of March 10, 2015)

EFFECTIVE PERIOD:  Until Superseded

REVIEW SCHEDULE:  Annual

CANCELLATION:  Human Resources Policy and Procedure 331.2.17A (dated April 8, 2003)

ENCLOSURES:

1.  Larimer County Notice of Information Practices, LCHR-92 (4/03)
2.  Larimer County Authorization for Use and Release Of Protected Health Information, LCHR-93 (4/03) 
3.  Larimer County Request to Inspect and/or Copy Protected Health Information, LCHR-94 (4/03)
4.  Larimer County HIPAA Employee Confidentiality Agreement, LCHR-95 (5/08)
5.  Larimer County Business Associate Agreement, LCHR-96 (4/03)
6.  Larimer County Response to Inspection Request, LCHR-97 (4/03)
7.  Larimer County Request to Correct or Amend Record, LCHR-98 (4/03)
8.  Larimer County Response to Amendment or Correction Request, LCHR-99 (4/03)
9.  Larimer County Request Not to Use or Disclose Protected Health Information, LCHR-100 (4/03)
10.  Larimer County Response to Request Not to Use or Disclose Protected Health Information, LCHR-101 (4/03)
11.  Larimer County Board of County Commissioners Resolution (04082003R005)

REFERENCES:

A.  Health Insurance Portability and Accountability Act (HIPAA)
B.  Social Security Act   
C.  Americans with Disabilities Act
D.  Family and Medical Leave Act
E.  U. S. Constitution
F.  Administrative Simplification Compliance Act
G.  Health Insurance Portability and Accountability Act Regulations, 45 C.F.R. Part 160 and 164, et seq.
H.  Human Resources Policy and Procedure 331.8; Corrective and Adverse Actions, Grievance Procedure, and Problem Solving Process
I.  Human Resources Policy and Procedure 331.6.24; Family and Medical Leave Policy
J.  Human Resources Policy and Procedure 331.2, Section XIV; Applicant or Employee Background Checks
K.  Human Resources Policy and Procedure 331.4, Section XI; Release of Employee Information
L.  Human Resources Policy and Procedure 331.4, Section II, C, 2; Disability Discrimination
M.  Human Resources Policy and Procedure 331.4, Section IX; Personnel Files
N.  Human Resources Policy and Procedure 331.6, Section V, I; Sick Leave
O.  Administrative Policy and Procedure 390.15, Section II; Controlled Substance and Alcohol Testing Policy Pertaining to Employees Covered by D.O.T. Regulations
P.  Governing Policies Manual; 3.2 – Treatment of Staff

courthouse-offices

Human Resources Department

200 West Oak, Suite 3200, Fort Collins, CO 80521
Monday - Friday, 8:00am-4:30pm
Ph: (970) 498-5970 | FAX: (970) 498-5980
Email Human Resources