HIPAA Policy and Procedure

Policy

CLACKAMAS COUNTY
DEPARTMENT OF EMPLOYEE SERVICES
HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996
PRIVACY & SECURITY POLICY

Introduction

Clackamas County is subject to the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as well as state laws that protect the confidentiality of certain employment-related records.  HIPAA was enacted to give patients new rights and protection against the misuse or disclosure of their health records.  All individually identifiable health information held or disclosed by a covered entity in any form, whether communicated electronically, on paper, or orally, is covered. 

Under HIPAA, the Department of Employee Services (DES) is required to reasonably safeguard Protected Health Information (PHI) from any intentional or unintentional use or disclosure.  Information to be safeguarded may be in any medium — paper, electronic, oral, and visual.  PHI used by DES includes health plan enrollment information (including paper enrollment forms, online enrollment records and enrollment data transmitted electronically to health plans) and PHI provided to us by the employee or an enrolled dependent to assist with health coverage issues, such as explanations of benefits (EOB), claims adjudication (approvals/denials), prescribed drugs, diagnoses, treatment plans, health conditions, etc.

DES will provide the same level of protection to other employee medical records that are not subject to HIPAA, including pre-employment physical and mental evaluations, employment-related immunizations, workplace accommodations under ADA, fitness-for-duty evaluations, workers’ compensation reports that disclose an employee’s injuries or illness, releases to return to work that describe physical limitations (rather than work limitations), non-duty disability claims and Family & Medical Leave (FML) requests.

All PHI and other employee medical records will be maintained for a period of not less than six (6) years from the date of creation, or the date it was last in effect, whichever is later. 

Notice of Privacy Practices

Clackamas County Department of Employee Services has a published Notice of Privacy Practices (NPP) which describes the County’s uses and disclosures of PHI and the rights of plan participants to inspect, request amendment, obtain an accounting of disclosures of their PHI and file a complaint regarding the uses and disclosures of their PHI.  The NPP is incorporated as part of this policy.

The NPP was provided to all plan participants (County employees, former employees and retirees and their family members) who were enrolled in County health plans as of April 14, 2003.  The NPP will be provided to all new benefit-eligible employees and their enrolled family members prior to their benefits effective date.  It will be provided annually thereafter at open enrollment to all employees, former employees and retirees who are enrolled in County health plans.  It is also posted on the DES Intranet web page.

PHI maintained by DES will be provided to a plan participant at his/her request.  Unless it is impossible, the PHI will be provided in any form available (paper, email, fax, etc.) and at any location requested by the plan participant (home address, work address, temporary address, etc.).

PHI also will be shared without the plan participant’s consent with health plans and health providers as needed to carry out treatment, payment and health care operations.  This includes, but is not limited to, submitting premium payments and sending enrollment forms to health plans, transmitting electronic eligibility files to health plans, and verifying eligibility and coverage to health care providers.

PHI will be disclosed to family members, other relatives and close personal friends if the plan participant has given consent, which may be revoked at any time by the plan participant.  PHI may also be disclosed to a personal representative with legal responsibility for the plan participant’s health care, such as power of attorney for health care.  Such individuals will be required to provide photographic identification to verify their identity.

PHI will be disclosed without the plan participant’s consent, authorization or request when required by law or by court order or subpoena, and for other public health or law enforcement activities designed to reasonably protect the plan participant, another individual and/or the public from risk of serious harm.  However, any court order or subpoena received will be forwarded to County Counsel for review prior to taking any action.

A plan participant may request that DES restrict the uses and disclosures of PHI to carry out treatment, payment or health care operations.  However, DES is not required to agree to the request and may terminate agreement to any previous request.

DES will make reasonable efforts not to use, disclose or request more than the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure or request, taking into consideration practical and technological limitations.

DES and its business associates may use or disclose “summary health information” which does not identify individual plan participants for administrative purposes, such as plan underwriting, obtaining premium bids or modifying, amending, renewing or terminating the group health plan. 

DES will maintain a record of all PHI disclosures.  This record will identify the plan participant, the person or institution the disclosure was made to, the exact record disclosed and the purpose of the disclosure.

Privacy and Security Officers

The County Privacy Officer is the Director of the Department of Employee Services.  The DES Privacy Officer is the Benefits Manager.  The DES Security Officer is the Risk Manager. 

Procedure

CLACKAMAS COUNTY
DEPARTMENT OF EMPLOYEE SERVICES
HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996
PRIVACY & SECURITY PROCEDURES

  1. Benefits Selection forms and COBRA/Retiree enrollment forms will contain the disclaimer: “Enrollment information (enrollment forms and electronically transmitted enrollment data) and premium payment information will be disclosed to health plans and health care providers to carry out treatment, payment and health care operations.”
  2. Each employee will be provided with an “Authorization to Release Protected Health Information” in the packet for the Benefits New Employee Workshop. This authorization will be required before we can share any PHI with any other individual or organization. The participant will be provided with a copy, which includes a revocation. The authorization will note that individual health plans and health care providers may also require a similar release. Authorizations will be maintained in the participant’s benefits file.
  3. Each employee will be provided with a “Request to Restrict the Release Protected Health Information” in the packet for the Benefits New Employee Workshop. The request form will include an area for the response (approval or denial with reason) to be completed by DES. The employee will be provided with a copy, which includes a revocation. Requests will be maintained in the employee’s benefits file.
  4. New employees will receive the “DES Notice of Privacy Practices” (NPP) at orientation and must sign that they have received it. NPPs will be sent out each year with Benefits Confirmations after Open Enrollment. Copies will be maintained in the employee’s benefits file. The NPP will be posted on the DES web page.
  5. Each current plan participant will be provided with the “Authorization to Release Protected Health Information”, “Request to Restrict the Release Protected Health Information” and “DES Notice of Privacy Practices” by April 14, 2003.
  6. Forms will be available for employees to request to inspect, copy or amend their PHI and to receive an accounting of disclosures. The forms will describe the process and must include timelines for response. Copies of these requests will be maintained in the benefits file.
  7. Accounting of Disclosures will identify the plan participant, the person or institution the disclosure was made to, the exact record disclosed and the purpose of the disclosure.
  8. DES Privacy Officer will identify individuals who need access to PHI and other medical information to carry out their duties by completing “Employee Health Information Access Authorization.” All authorizations must be counter-signed by the employee and the County Privacy Officer. Employees also will be required to sign “DES Confidentiality Agreement.”

HIPAA Information
