COUNTY OF SAN MATEO

Inter-Departmental Correspondence

County Counsel

 

DATE: March 12, 2003

BOARD MEETING DATE: March 25, 2003

TO: Honorable Board of Supervisors

FROM: Thomas F. Casey III, County Counsel

SUBJECT: Compliance with the Health Insurance Portability and Accountability Act (HIPAA)

 

Recommendation

Adopt a resolution:

1. determining that San Mateo County is a hybrid entity as defined by the Health Insurance Portability and Accountability Act (HIPAA) regulations;

2. directing that the County Manager issue administrative memoranda, as necessary, to designate the departments of the County that are covered by HIPAA and to adopt policies required to comply with HIPAA; and,

3. authorizing the County Manager to sign Business Associate agreements as required to comply with HIPAA.

 

Background

The federal Department of Health and Human Services adopted regulations required by the Health Insurance Portability and Accountability Act of 1996. The goal of that legislation is to provide continued health insurance coverage to people changing jobs. The regulations, described as administrative simplification, govern Electronic Data Interchanges (EDI), Privacy and Security. The County is required to be in compliance with the Privacy regulations by April 14, 2003; with the EDI regulations by October 15, 2003; and with the Security regulations by April 2005.

 

HIPAA regulations allow complex organizations, such as county government or diversified corporations, to comply with HIPAA only in their health care components while allowing other parts of the organization to be unregulated by HIPAA. These organizations are called Hybrid Entities. The County must make a determination as to which of its departments are covered by HIPAA and which ones are not covered.

 

HIPAA requires the County to enter into Business Associate agreements with contractors that provide certain services requiring access to protected health information (PHI). Examples of Business Associates are outside auditors, consultants, and data system providers. Each Business Associate relationship requires formal agreements about the use and disclosure of PHI.

 

Discussion

The County contracted with Boundary Information Group to conduct a gap analysis of the County relative to compliance with HIPAA. That analysis was completed in December 2002. The products of the gap analysis are workplans for county departments to follow to be compliant. An oversight committee and three steering committees have been established to ensure compliance.

 

San Mateo County is subject to HIPAA regulations because it is a health care provider, submits electronic billing for medical services, and operates several Health Plans. However, because of the diverse functions and activities of the County departments, some can be exempted from compliance if the County designates itself as a Hybrid Entity. Because the organization of the County is flexible, it is recommended that the County Manager be responsible for designating the departments required to comply.

 

Pursuant to HIPAA, the County must adopt a Privacy Policy and other policies related to privacy and security. It is recommended that the County Manager include such policies in Administrative Memoranda. In addition, the various covered departments will develop more specific policies and procedures to assure that the requirements of state law as well as HIPAA regulations are met.

 

Whenever possible, Business Associate language will be included in certain service agreements. There are some contracts already in place, however, that require a formal acknowledgement of the Business Associate relationship, but do not require renegotiation of the whole contract. The County has also been requested to enter Business Associate agreements with other entities. It is recommended that the County Manager or designee be authorized to enter Business Associate agreements.

 

Vision Alignment

The resolution to comply with HIPAA keeps the commitment of ensuring basic health and safety for all and goal number 5: Residents have access to healthcare and preventive care. The resolution contributes to this commitment and goal by complying with federal regulations to allow funding and to safeguard patient privacy.

 

Fiscal Impact

There is no fiscal impact to the recommended action. The cost for compliance with HIPAA is great and difficult to calculate. It is largely being absorbed within the operating budgets of the departments.