(1) The Director of Information Services shall be the county-wide HIPAA privacy officer.
(2) The HIPAA privacy officer shall:
(a) Develop, adopt with the approval of the county executive, and maintain HIPAA privacy policies and procedures to provide for:
(ii) Ensuring appropriate administrative, technical and physical safeguards are in place to protect protected health information from unauthorized use or inadvertent disclosure to persons other than the intended recipient;
(iii) Assistance in identification of business associates;
(iv) Limitations on access to protected health information;
(v) Conditions for use and disclosure of protected health information;
(vi) Individual rights regarding protected health information maintained by the county;
(vii) A process for complaints concerning HIPAA policies and procedures, or covered components’ compliance with HIPAA policies and procedures, or other requirements under the HIPAA privacy regulations;
(viii) Mitigation for any use or disclosure of protected health information that is in violation of the county’s HIPAA privacy policies and procedures;
(ix) Such policies and procedures necessary to comply with amendments or additions to the HIPAA privacy regulations.
(b) Establish, with the approval of the county executive, and publish sanctions for employees who fail to comply with the county’s HIPAA privacy policies and procedures. Sanctions will be appropriate to the nature of the violation and will not apply to whistleblower activities, nor to complaints or investigations.
(c) Designate the county programs which are covered components using standards set out in the HIPAA privacy regulations, update the designations as necessary, and document the designations as provided in 45 C.F.R. 164.530(j). (Added by Ord. 03-035, Apr. 9, 2003, Eff date Apr. 21, 2003).