Loading...
HomeMy WebLinkAboutRES 012621-Q - City as HIPPA Hybrid EntityRESOLUTION NO. 0 12L 7-1 _Q A RESOLUTION OF THE CITY OF GEORGETOWN, TEXAS DESIGNATING THE CITY OF GEORGETOWN AS A HIPAA HYBRID ENTITY IN COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 ("HIPAA"); AND PROVIDING AN EFFECTIVE DATE WHEREAS, the City of Georgetown, Texas (the "City") is a home rule city acting under its charter adopted by the electorate pursuant to Article XI, Section 5 of the Texas Constitution and Chapter 9 of the Local Government Code; and, WHEREAS, the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the regulations promulgated thereunder, the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and the regulations promulgated thereunder, require public and private entities that provide certain health care services to comply with regulations related to the collection, use, disclosure and security of individually identifiable health information; and, WHEREAS, as a "covered entity" under HIPAA, the City strives to protect the confidentiality, integrity and availability of protected health information ("PHI") by taking reasonable and appropriate steps to protect the security and privacy of PHI and comply with all applicable laws and regulations relating to data privacy and security, including, without limitation, HIPAA, HITECH, the Texas Medical Records Privacy Act and the Texas Identify Theft Enforcement and Protection Act; and, WHEREAS, because the City is a single legal entity with business activities that include both covered and non -covered functions, the City may declare itself a Hybrid Entity as defined by 45 C.F.R. § 164.103 and in accordance with 45 C.F.R. § 164.105(a)(2)(iii); and, WHEREAS, the City Council has determined that the City can more effectively and efficiently comply with HIPAA by declaring the City as a "Hybrid Entity" and formally designating the City's covered entity components in accordance with 45 C.F.R. § 164.105(a)(2)(iii). NOW, THEREFORE, BE IT RESOLVED BY THE CITY COUNCIL OF THE CITY OF GEORGETOWN, TEXAS, THAT: 1. The City Council of the City of Georgetown, Texas ("City Council") hereby finds and determines that the recitals made in the preamble of this Resolution are true and correct, and incorporates such recitals herein. 2. The City Council hereby designates the City as a "Hybrid Entity" pursuant to 45 C.F.R. § 164.105 (a)(2)(iii)(D) and the following components are designated as "covered components" of the Hybrid Entity: A. The Georgetown Fire Department to the extent it performs covered functions; B. The Georgetown Police Department to the extent that it performs covered functions; C. The Information Technology Department to the extent it performs covered functions; D. The Human Resources Department, including Employee Benefits and Workers' Compensation, to the extent it performs covered functions; E. The City Attorney's Office to the extent it performs covered functions; F: The Finance Department to the extent it performs covered functions; G. The City Manager's Office to the extent it performs covered functions; and H. The City Secretary's Office to the extent it performs covered functions. 3. The City Council affirms that all covered components are required to protect the security and privacy of PHI and comply with all applicable laws and regulations relating to data privacy and security, including, without limitation, HIPAA, HITECH, the Texas Medical Records Privacy Act and the Texas Identify Theft Enforcement and Protection Act. To this end, the City Council directs and authorizes the Privacy Officer and all Heads of Departments of the City that have been designed as "covered components" to take any and all action necessary to implement this Resolution and ensure the following policy guidelines are followed: A. All employees, agents and volunteers are to comply with HIPAA, the Texas Medical Records Privacy Act and those regulations that implement these laws; B. All employees, agents and volunteers are to comply with City policies and procedures implementing HIPAA and the Texas Medical Records Privacy Act; C. Access, use and disclosure of PHI is limited to authorized personnel; D. All personnel are to be trained and updated on all new requirements on a continuing basis; E. All personnel are to immediately document and notify the Privacy and Security Officer of any unauthorized disclosures; F. All personnel are to take steps to mitigate any damages caused by unauthorized disclosure; G. All personnel are to ensure that access to PHI is for only "permitted uses" and is within the scope of the "authorizations," safeguard the confidentiality, integrity and availability of PHI in accordance with the Security Regulations promulgated pursuant to HIPAA; H. All personnel are to ensure security of facilities and technological operations; I. Department heads are to ensure that business associate agreements are executed with contractors that perform duties involving PHI on behalf of the City; J. All personnel do not disclose protected health information to another department of the City if HIPAA would prohibit such disclosure; K. All personnel are to protect electronic protected health information with respect to another department of the City to the same extent that would be required under HIPAA as if the covered entity component and the other department were separate and distinct legal entities; and L. If a person performs duties for both the covered entity component in the capacity of a member of the workforce of such component and for another department of the City in the same capacity with respect to that department, such workforce member must not use or disclose protected health information created or received in the course of or incident to the member's work for the covered entity component in a way prohibited by HIPAA. 4. The City Council designates the following position of the City as the City's HIPAA Privacy Officer responsible for the development, implementation and oversight of the City's HIPAA privacy policies and procedures: • Director of Human Resources, or his or her designee. ► The Director of Human Resources, or his or her designee, will designate the Quality Improvement & Compliance Coordinator of the Georgetown Fire Department as the Privacy Officer exclusively for the Georgetown Fire Department. 5. The City Council designates the following position of the City as the City's HIPAA Security Officer responsible for security policies and procedures: • Lead Systems Administrator 6. The City directs and authorizes the HIPAA Privacy and Security Officer to work in conjunction with the City Attorney and City Manager to approve changes in the designation of departments, divisions, units and/or programs as health care components to maintain compliance with HIPAA and the Texas Medical Records Privacy Act, to develop policies and procedures, and outline other actions as necessary for the implementation of this Resolution and compliance with HIPAA and the Texas Medical Record Privacy Act. 7. This Resolution shall take effect immediately from and after the date of passage and it is so resolved. PASSED AND FFROVED on this z� day of , 2021. Signed: Josh Schroeder Mayor Attest: Robyn DerYsmore City Secretary Approved as to form: Grp Skye ass City Attorney