Technical safeguards

Policy AS-100-05: Administrative, Technical and Physical Safeguards

A. Exceptions: Sanctions do not apply in the following circumstances

4. Technical safeguards

a. County of Sacramento shall have technical policies and procedures for electronic information systems that contain electronic protected health information to limit access to authorized individuals only.

Procedures

These requirements apply only to those parts of the County of Sacramento designated as healthcare components. (Note: Some Administrative Safeguards do not apply to Group Health Plans. Please see Policy AS-100-10, “Group Health Plans” for additional information.)

1. General

There are no accompanying procedures.

2. Administrative Safeguards

a. Policies and Procedures.

i. County of Sacramento has HIPAA Privacy Rule Policies and Procedures and HIPAA Security Rule Policies and Procedures.

ii. The County shall periodically update its HIPAA Policies and Procedures.

iii. The County’s HIPAA Policies and Procedures are accessible to all County workforce members via the Office of Compliance’s intranet website: http://inside.compliance.saccounty.net.

b. Risk Analysis, Risk Management, Information System Activity Review, and Evaluation.

i. The Office of Compliance shall conduct site assessments of HIPAA-covered work sites in order to evaluate and improve the effectiveness of current safeguards for protected health information at those sites.

ii. The Office of Compliance shall conduct application assessments of electronic applications that contain protected health information to evaluate and improve the effectiveness of current safeguards.

iii. The results of the Assessments shall be documented in the appropriate HIPAA Assessment form and shared with the County of Sacramento Privacy Officer, Information Security Officer, and Department and Division management. The Office of Compliance shall maintain the completed Assessment documents.

iv. Additional information can be found in the County of Sacramento HIPAA Security Rule Policies and Procedures Policy 14, “Risk Analysis and Management”.

c. Sanction Policy.

i. County of Sacramento shall apply sanctions against workforce members who fail to comply with HIPAA Policies and Procedures. All sanctions shall be documented.

ii. Workforce sanctions may include suspension or termination of access privileges to protected health information; remedial training; appropriate disciplinary action; or personnel actions. The County’s covered component shall decide upon the appropriate workforce sanction(s).

iii. Sanctions may include criminal or civil penalties in accordance with applicable law, as required.

iv. Violations of County HIPAA Policies and Procedures may result in notification to law enforcement officials and regulatory, accreditation and licensure organizations, as required.

d. Assigned Compliance Responsibility

i. The assigned County of Sacramento privacy official is the County Clerk/Recorder. The Clerk/Recorder may delegate responsibility for the development and implementation of the County's privacy policies and procedures to the Office of Compliance. The Office of Compliance shall be responsible for receiving HIPAA privacy complaints and shall provide information about matters covered by the required HIPAA Notice of Privacy Practice.

e. Workforce Security—Information Access Management.

i. County of Sacramento HIPAA-covered components shall ensure that all access to protected health information is role-based access, and shall employ the Minimum Necessary Standard to all access.

A. Role Based Access (RBA) is a form of security allowing access to data based on job function in accordance with County of Sacramento security procedures. Workforce members shall receive access only to the minimum necessary protected health information to fulfill their job functions.

B. Only the application user's manager or an appropriate designee (authorized requestor) shall authorize access to protected health information (PHI).

C. Workforce members shall receive access only if it is required to perform their assigned job duties.

D. Workforce members shall receive access only to the minimum necessary protected health information required to perform their assigned job duties.

E. Access shall be altered or terminated when the workforce member’s role and responsibilities change, or the workforce member is on a leave of absence, transfers outside of the HIPAA-covered component, or no longer works for the County.

F. The supervisor or manager who is an authorized requestor shall as soon as possible notify Department of Technology to change or terminate computer access.

ii. Additional information can be found in the County’s HIPAA Security Rule Policies and Procedures Policy 3, “User Access Management”.

f. HIPAA Privacy and Security Training

i. The County of Sacramento’s HIPAA-covered workforce shall be trained in the County’s HIPAA policies, procedures and security awareness.

ii. All County employee workforce members in HIPAA-covered components shall attend HIPAA Privacy and Security training within 60 days of assuming a position in a HIPAA-covered component, and shall attend re-training at a minimum every three years thereafter.

iii. Other County workforce members, including employees from temporary agencies, volunteers, registry staff and contractors, shall be trained on the County’s HIPAA Privacy and Security Rules, as soon as they are assigned to a HIPAA-covered component.

iv. All workforce members shall sign a County of Sacramento Form 3013 Acknowledgement Form, attesting to their receipt of County HIPAA Privacy and Security Training, and their compliance with the County’s HIPAA Privacy and Security Policies and Procedures.

A. The signed Acknowledgement Form will be maintained by the Office of Compliance for a period of seven years.

v. The Office of Compliance shall develop, revise and conduct HIPAA training for the County of Sacramento workforce, and shall document and maintain training records.

A. Training records and copies of the training materials shall be maintained by the Office of Compliance for a period of seven years.

vi. County of Sacramento departments may have additional training requirements.

vii. County of Sacramento HIPAA Security Rule Policy 15, “Security Awareness and Training” contains additional information.

g. Security Incident Reporting

i. County of Sacramento workforce members are required to report and document all incidents that may affect the privacy, security and integrity of clients’ protected health information.

a. County of Sacramento HIPAA Privacy Rule Policies and Procedures Policy AS-100-02, Section 7, “Right to Breach Notification”, contains additional security incident reporting requirements.

ii. Incidents shall be promptly reported to supervisors or managers, who shall in turn report the incidents to either the Department of Technology Service Desk or the Office of Compliance, or both.

iii. All incidents shall be documented and maintained by the Office of Compliance. The Office of Compliance shall work with the reporting HIPAA-covered component to ascertain all facts and investigate as needed.

iv. The Office of Compliance shall coordinate notification and reporting of all incidents and breaches.

A. The Office of Compliance shall report reportable breaches to the federal Department of Health and Human Services Secretary in compliance with 45 CFR, Subpart D.

I. The Office of Compliance shall perform a Risk Analysis to determine if an incident meets the definition of a breach of protected health information.

B. The responsible HIPAA-covered component shall notify individuals whose protected health information has been breached without unreasonable delay and in no case later than 60 days after discovery of the breach.

I. The Office of Compliance shall work with the HIPAA-covered component to ensure the notification complies with the requirements in 45 CFR 164.404.

C. In order to evaluate the actions leading up to an incident and to mitigate harm, the responsible HIPAA-covered component shall, to the extent practicable, prepare a corrective action plan (CAP) that includes reasonable steps taken to reduce the harmful effect of the incident and prevent further violations.

I. The Office of Compliance may provide guidance with the CAP.

D. County Counsel may advise the Office of Compliance, County Privacy Officer, and the HIPAA-covered component responsible for the breach as to actions required.

v. The Office of Compliance shall maintain documentation of reported incidents and breaches for a period of seven years.

vi. County of Sacramento HIPAA Security Rule Policies and Procedures Policy 9, “Security Incident Reporting and Response” contains additional information.

h. Contingency Plan

i. The Contingency Plan is addressed in County of Sacramento HIPAA Security Rule Policies and Procedures Policy 12, “Contingency Plan”.

i. Business Associates

i. Business Associate requirements are addressed in detail in Policy AS-100-08, Business Associates.

j. Special Rules for Some Group Health Plans

i. Group Health Plans are addressed in detail in Policy AS-100-10, Group Health Plans.

3. Physical Safeguards