Sec. 2-423 Health Insurance Portability and Accountability Regulations.
   a.   The Town hereby acknowledges, recognizes and implements the provisions of the Health Insurance Portability and Accountability Act of 1996 (hereinafter referred to as the "HIPAA Regulations") as the same apply to the Town, its Departments and those persons and/or entities who conduct business with the Town pertaining to these matters, under the designation of a "hybrid covered entity."
   b.   The HIPAA Regulations shall be followed by the Town's Departments and personnel, and those persons and/or entities who conduct business with the Town (hereinafter referred to as "business associates"), pertaining to these matters, to insure the protection of individuals' Protected Health Information.
   c.   The following definitions shall apply pursuant to the Town's HIPAA Policy:
      1.   "Business Associate" shall mean a person and/or entity who, on behalf of the Town or any of its Departments, performs, or assists in the performance of:
         (a)   a function or activity involving the use or disclosure of individually identifiable health information, including, but not limited to, claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or
         (b)   provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person; or
         (c)   any other function or activity regulated by HIPAA Regulations or this Ordinance.
         (d)   This definition does not apply to persons who are members of the workforce of the Town or its Departments.
      2.   "Covered Entity" shall mean a health care provider who transmits any health information in electronic form in connection with a transaction covered by the HIPAA Regulations or this Ordinance.
      3.   "Health Care" shall include, but is not limited to:
         (a)   preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; or
         (b)   sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
      4.   "Health Care Provider" shall mean a provider of medical or health services, and any other person or entity who furnishes, bills, or is paid for health care in the normal course of business.
      5.   "Health Information" shall mean any information, whether oral or recorded in any form or medium, that
         (a)   is created or received by a health care provider; and
         (b)   that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.
      6.   "Individually Identifiable Health Information" shall mean information that is a subset of health information, including demographic information collected from an individual and:
         (a)   that is created or received by a Town Department or Town Business Associate; and
         (b)   relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; and
            (1)   that identifies the individual; or
            (2)   with respect to which there is a reasonable basis to believe the information could be used to identify the individual.
      7.   "Permitted Disclosure" shall mean a patient-authorized or legally permitted disclosure of individually identifiable health information by a covered entity.
      8.   "Protected Health Information" shall mean individually identifiable health information that is transmitted and/or maintained in any form or medium by the Town's Departments and/or its business associates.
      9.   "Required Disclosure" shall mean a disclosure of individually identifiable health information that is required by applicable law, namely, the HIPAA Regulations.
      10.   "Transaction" shall mean the transmission of information between two (2) parties to carry out financial or administrative activities related to health care. It shall include, but not be limited to, the following types of information transmissions:
         (a)   health care claims or equivalent encounter information;
         (b)   health care payment and remittance advice;
         (c)   coordination of benefits;
         (d)   health care claim status;
         (e)   enrollment and disenrollment in a health plan;
         (f)   eligibility for a health plan;
         (g)   health plan premium payments;
         (h)   referral certification and authorization;
         (i)   first report of injury;
         (j)   health claims attachment; and
         (k)   other transactions that the Secretary of Health and Human Services, or his/her duly authorized designee, may prescribe by regulation.
      11.   "Unpermitted Disclosure" shall mean an unauthorized or legally prohibited disclosure of individually identifiable health information by a covered entity.
      12.   "Workforce" shall mean employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not such persons are paid by the covered entity.
   d.   1.   The following shall constitute "Permitted Disclosures" pursuant to the HIPAA Regulations and the provisions of this Ordinance:
         (a)   to the individual patient;
         (b)   for treatment, payment, or health care operations;
         (c)   incident to a use or disclosure permitted or required by HIPAA Regulations with respect to an otherwise permitted or required use or disclosure;
         (d)   when authorization has been obtained from the individual patient.
      2.   When making a permitted disclosure, or when requesting the permitted disclosure of individually identifiable health information from another covered entity, reasonable efforts shall be made to limit the disclosure of protected health information to the minimum necessary to satisfy the use, disclosure, or request. However, this does not apply in the following circumstances:
         (a)   disclosures to or requests by a health care provider for treatment;
         (b)   uses or disclosures made to the individual;
         (c)   uses or disclosures made pursuant to a patient authorization;
         (d)   disclosures made to the Secretary of Health and Human Services, or his/her duly authorized designee;
         (e)   uses or disclosures that are required by law;
         (f)   uses or disclosures that are required for compliance with applicable HIPAA Regulation requirements.
   e.   1.   The following shall constitute "Required Disclosures" pursuant to the HIPAA Regulations and the provisions of this Ordinance:
         (a)   to an individual pursuant to 164.524 or 164.528;
         (b)   when required by the Secretary of Health and Human Services, or his/her duly authorized designee, to investigate and determine a covered entity's compliance with HIPAA Regulations.
      2.   When making a required disclosure, or when requesting the required disclosure of individually identifiable health information from another covered entity, reasonable efforts shall be made to limit the disclosure of protected health information to the minimum necessary to satisfy the use, disclosure, or request. However, this does not apply in the following circumstances:
         (a)   disclosures to or requests by a health care provider for treatment;
         (b)   uses or disclosures made to the individual;
         (c)   uses or disclosures made pursuant to a patient authorization;
         (d)   disclosures made to the Secretary of Health and Human Services, or his/her duly authorized designee;
         (e)   uses or disclosures that are required by law;
         (f)   uses or disclosures that are required for compliance with applicable HIPAA Regulation requirements.
   f.   Any use or disclosure that is not permitted or required constitutes an "Unpermitted Disclosure" pursuant to the HIPAA Regulations and the provisions of this Ordinance.
   g.   A "Notice of Privacy Rights" shall be issued to all persons to whom the Town's various Departments provide emergency, and other, medical services, for whom the Town's various Departments and personnel create and store medical records pertaining to those services, and for whom the Town's Departments and/or personnel create billing pertaining to those services.
   h.   The Notice of Privacy Rights to be issued shall contain an advisement that individuals can execute an Authorization for Release of Medical Information/Protected Health Information to a covered or non-covered entity. Said Authorization shall explain all patient rights regarding the same and shall include an advisement that the Authorization is valid for one (1) year from the date of its execution and that it is able to be revoked by the patient, in writing, at any time.
   i.   Any person and/or entity who contracts with, or otherwise does business with the Town, pertaining to the provision of emergency, or other, medical services, creation and storage of records related to the same and creation of billing related to the same, shall comply with the provisions of the HIPAA regulations and shall be required to execute Business Associate Agreements, as defined by applicable HIPAA regulations and containing all required provisions.
   j.   The HIPAA Regulations and the provisions of this Ordinance, passed and adopted in accordance therewith, shall preempt any State law, rule, regulation or Ordinance to the contrary; however, in addition, any State law, rule, regulation or Ordinance that is more stringent than the HIPAA Regulations or provisions of this Ordinance shall be controlling.
(Ord. No. 1609, §§ 1-10, 3-10-04)