Privacy Policy

Policy created on April 28, 2003
If you have questions or concerns about this policy, please contact Ron Davis at 650-573-2054.

1.1 INTRODUCTION

The County of San Mateo (“the County”) collects and maintains protected health information (PHI) about its patients and health plan members (“members”). These functions define the County as a covered entity, subject to federal HIPAA laws and regulations. The federal HIPAA regulations on privacy and confidentiality (45 CFR 160 et seq.) (“HIPAA regulations”) require that the County maintain the privacy of its patients’ and members’ PHI, and limit how the County uses and discloses this information. The HIPAA regulations also provide patients and members with certain rights with respect to their PHI. In order to protect the privacy and confidentiality of the County’s patients’ and members’ PHI and to comply with federal law, all affected workforce members of the County are required to comply with the provisions of this policy.

This policy applies to the County health care components, as designated by Administrative Memorandum B-26. It is the responsibility of the County health care components to develop policies and procedures in compliance with HIPAA regulations and this policy.

The County understands that HIPAA privacy regulations set forth a minimum federal standard. If any provision of California law is more stringent than HIPAA, then California law will be followed. The County health care components will analyze applicable California Law in conjunction with the HIPAA privacy regulations, determine which provision is stricter, and adhere to the stricter provision in developing and implementing their policies and procedures.

1.2 DEFINITIONS

1.2.1

Business Associate means a person or entity that, on behalf of the County, acts in a capacity other than a County workforce member to assist the County in carrying out covered functions. For example, these functions could include but are not limited to:

  • Performing or assisting in the performance of a function or activity involving the use or disclosure of PHI, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and re-pricing; or
  • Providing or assisting in the performance of legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for the County where the provision of the service involves the disclosure of PHI from the County to the person or entity performing the services.

1.2.2

Covered Functions. These functions include health care services, health plan services and their respective support services such as:

  • Collecting bad debts;
  • Handling delinquent accounts;
  • Performing internal audit functions;
  • Maintaining databases;
  • Systems and infrastructure management with the potential for access to PHI;
  • Performing risk management functions; and
  • Legal Services

1.2.3

Disclosure means the release, transfer, provision of access to, or divulging in any other manner of PHI to persons not employed by or working within the County, or to persons employed by or working within the County who are not performing or assisting with a covered function of the County.

1.2.4

Protected health information (PHI) means information that is created or received by the County; and relates to the past, present, or future physical or mental health or condition of a patient or member; the provision of health care to a patient or member; or the past, present, or future payment for the provision of health care to a patient or member; and that identifies the patient or member, or for which there is a reasonable basis to believe the information can be used to identify the patient or member. PHI includes information of persons both living and deceased.

The following components of a patient’s or member’s information also are considered part of PHI:

  • Names;
  • Street address, city, county, precinct, zip code;
  • Dates directly related to a patient or member, including birth date, admission date, discharge date, and date of death;
  • Telephone numbers, fax numbers, and electronic mail addresses;
  • Social Security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers, including license plate numbers;
  • Device identifiers and serial numbers;
  • Web Universal Resource Locators (URLs) and Internet Protocol (IP) address numbers;
  • Biometric identifiers, including finger and voice prints;
  • Full face photographic images and any comparable images; and
  • Any other unique identifying number, characteristic, or code.

1.2.5

Workforce means employees, temporary employees, leased employees, volunteers, trainees, and other persons whose work performance is under the direct control of the County, whether or not they are paid by the County.

1.3 USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION (PHI)

1.3.1 Authorization.

Except for situations outlined in this policy, the County will not use or disclose a patient’s or member’s PHI for any purpose without an authorization signed by the patient or member in accordance with 45 CFR 164.508(a)(1).

A valid authorization must meet the requirements of 45 CFR 164.508(b) and include the following core elements in accordance with 45 CFR 164.508(c)(1):

  • A description of the information to be used or disclosed;
  • The name or other specific identification of person or class of persons authorized to make the disclosure;
  • The name or other specific identification of person or class of persons to whom the disclosure may be made;
  • A description of each purpose of the requested disclosure;
  • An expiration date; and
  • The signature of the patient or member or personal representative; however, if the authorization is signed by a personal representative of the patient or the member, a description of the representative’s authority to act for the individual must be produced.

In addition to the core elements, the authorization must contain certain required statements in accordance with 45 CFR 164.508(c)(2). The authorization must be in plain language and the person signing the authorization must be offered a copy of the signed authorization. The patient or member has the right to revoke an authorization in writing at any time, except to the extent that the County has taken action on the authorization.

1.3.2 Business Associates.

In accordance with 45 CFR 160.508.103, certain components of the County’s services may be performed by entities or individuals that receive PHI in the course of providing such services. A business associate relationship exists when an individual or entity, acting on behalf of the County, assists in the performance of a function or activity involving the use or disclosure of PHI. These services may include legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services. In all cases where there is a “business associate” relationship, the contract must set forth requirements compliant with 45 CFR 164.504(e)(2), implementing appropriate safeguards to protect the privacy of patient and member information.

1.3.3 Confidential Communications with Patients and Members.

Pursuant to 45 CFR 164.522(b)(i) and (ii), the County may communicate with patients and members regarding test results, appointment reminders, claims, premiums, or other things connected with their health care or health plan; however, patients and members have the right to confidential communications. Patients have the right to request, and the County will accommodate reasonable requests, to receive communications regarding their PHI from the County by alternative means or at alternative locations. For instance, if a patient wishes that test results not be left on voice mail or sent to a particular address, the County will accommodate reasonable requests in writing if the individual provides an alternate address or other method of contact. Patients must submit their written request to:

San Mateo County Compliance & Privacy Officer
222 West 39th Avenue
San Mateo, CA 94403

Members may request, and the County may accommodate reasonable requests, to receive communications regarding protected health information by alternative means or at alternative locations. The County is required to honor such requests only if the member clearly states that the disclosure of all or part of the information could endanger the member. Members may send their written request to:

San Mateo County Compliance and Privacy Officer
222 West 39th Avenue
San Mateo, CA 94403

1.3.4 Facility Directory.

In accordance with 45 CFR 510(a)(1)&(2), the County maintains a facility directory for San Mateo Medical Center which lists patients’ names, room numbers, general conditions and, if a patient wishes, religious affiliation. Patients have the right during registration to have their information excluded from the facility directory. Unless a patient chooses to have his or her personal information excluded from this directory, the information, except religious affiliation, may be disclosed to anyone who requests it by asking for the patient by name. This information, including religious affiliation, may also be provided to members of the clergy.

1.3.5 Family and Friends Involved in Patient or Member Care.

In accordance with 45 CFR 164.510(b)(1), the County will disclose limited PHI to designated family, friends, and others who are involved in the patient’s or member’s care, or in payment for such care in order to facilitate that person’s involvement in caring for the patient or member, or to facilitate payment for such care under the following circumstances:

  • When the patient is present and has the capacity to make a health decision (is competent), PHI will be disclosed only if the County obtains the patient’s agreement, provides the patient with an opportunity to object to the disclosure, and if the patient does not object, or the County reasonably infers that the patient does not object in accordance with 45 CFR 164.510(b)(2); or
  • When the patient or member is incompetent, unavailable, incapacitated, or facing an emergency medical situation, PHI will be disclosed only if the County determines, in its professional judgment, that a limited disclosure is in the patient’s or member’s best interest, unless disclosure is preempted by California law. The County may share limited PHI with family and friends without the patient’s or member’s approval in accordance with 45 CFR 164.510(b)(3).

Unless otherwise preempted by California law, the County may also disclose limited PHI to a public or private entity that is authorized to assist in disaster relief efforts in order for that entity to locate a family member or other persons that may be involved in some aspect of caring for a patient or member in accordance with 45 CFR 164.510(b)(4).

1.3.6 Fundraising.

The County may use or disclose to business associates or an “institutionally related foundation” patient or member demographic information and service dates for its own fundraising purposes in accordance with 45 CFR 164.514(f). Patients have the right to “opt-out” of receiving fundraising materials/communications and may do so by sending their name and address to:

San Mateo County Compliance and Privacy Officer
222 West 39th Avenue
San Mateo, CA 94403

together with a statement that they do not wish to receive fundraising materials or communications from the County. The County’s Notice of Privacy Practices and all fundraising materials must include a statement describing how patients and members can voluntarily opt-out of receiving fundraising communications.

1.3.7 Health Products and Services.

The County may from time to time use a patient’s PHI to communicate with the patient about health products and services necessary for his or her treatment, to advise him or her of new products and services the County offers, and to provide general health and wellness information in accordance with CFR 164.501. The County may use a member’s PHI to determine whether he or she might be interested in, or benefit from, treatment alternatives or other health-related programs, products or services which may be available to him or her as a member of the health plan.

1.3.8 Information Received Pre-enrollment.

The County may request and receive PHI from potential members and their health care providers prior to enrollment in the health plan. The County will use this information to determine whether an individual is eligible to enroll in the health plan, and to determine rates in accordance with 45 CFR 164.501 and 164.514(g). The County may protect the confidentiality of that information in the same manner as all other PHI it maintains and, if an individual does not enroll in the health plan, the County will not use or disclose the information obtained for any other purpose as required by 45 CFR 164.522(g).

1.3.9 Limited Data Set.

The County may use PHI to create a limited data set that excludes facially identifiable information of the patient or member or of relatives, employers, or household members of the patient or member in accordance with 45 CFR 164.514(e)(2)&(3). The County may use or disclose a limited data set only for the purposes of research, public health or health care operations, and only if the County receives satisfactory assurances from the recipient of the limited data set in the form of a properly executed Data Use Agreement. The Data Use Agreement must:

  • Establish permitted uses and disclosures of the limited data set for research purposes;
  • Not authorize the recipient to use or further disclose the information in a manner that would violate the privacy regulations if done by the County;
  • Establish who is permitted to use or receive the limited data set;
  • Prohibit use or disclosure of the information other than as provided by the Data Use Agreement or required by law;
  • Require the recipient to use appropriate safeguards to prevent use or disclosure other than as provided by the Data Use Agreement or required by law;
  • Report any use or disclosure not permitted by the Data Use Agreement that the recipient becomes aware of;
  • Ensure that any agent or subcontractor of the recipient to whom the limited data set is provided agrees to the same restrictions and conditions set forth in the Data Use Agreement; and
  • Require that the recipient not identify the information or contact the individual to whom it belongs in accordance with 45 CFR 164.514(e).

1.3.10 Marketing.

The County will obtain an authorization for any use or disclosure of PHI for marketing, except when the communication is in the form of:

  • A face-to-face communication made by the County to a patient in accordance
  • A promotional gift of nominal value provided by the County pursuant to 45 CFR 164.508(a)(3)(B).

1.3.11 Minimum Necessary.

When using or disclosing PHI or when requesting PHI from another entity, the County will make reasonable efforts to limit the use and disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request in accordance with 45 CFR 164.502(b).

This requirement does not apply to:

  • Disclosures to or requests by a health care provider for treatment as permitted by 45 CFR 164.502(b)(2)(i);
  • Uses or disclosures made to the patient or member pursuant to 45 CFR 164.502(b)(2)(ii);
  • Uses or disclosures made pursuant to an authorization in accordance with 45 CFR 165.502(b)(2)(iii);
  • Uses or disclosures that are required by law as permitted under 45 CFR 164.502(b)(2)(v); or
  • Uses or disclosures that are required for compliance with the HIPAA regulations, including disclosures made to the Secretary of the U.S. Department of Health and Human Services in accordance with 45 CFR 164.502(b)(2)(vi).

1.3.12 Permitted Disclosures.

The County may use and disclose patients’ and members’ PHI without their authorization as follows:

  • The County may release PHI for any purpose permitted or required by law as set forth in 45 CFR 164.512(a);
  • The County may release PHI for public health activities, such as required reporting of disease, injury, and birth and death, and for required public health investigations pursuant to 45 CFR 164.512(b)(i);
  • The County may release PHI as permitted or required by law if the County suspects child abuse or neglect, and will also release PHI as permitted or required by law if the County believes the patient may be a victim of abuse, neglect, or domestic violence in accordance with 45 CFR 164.512(b)(ii) and 45 CFR 164.512(c);
  • The County may release PHI to the Food and Drug Administration (FDA) if necessary to report adverse events, product defects, or to participate in product recalls pursuant to 45 CFR 164.512(b)(iii);
  • The County may release PHI to a member’s plan sponsor; however, the plan sponsor must certify that the information provided will be maintained in a confidential manner and not be used for employment related decisions or for other employee benefit determinations or in any other manner not permitted by law;
  • The County may release PHI to a patient’s employer when the County has provided health care to the patient at the request of his or her employer; in most cases, the patient will receive notice that information is disclosed to his or her employer in accordance with 45 CFR 164.512(b)(v);
  • The County may release PHI if required by law to a government oversight agency conducting audits, investigations, or civil or criminal proceedings pursuant to 45 CFR 164.512(d)(1);
  • The County may release PHI if required to do so by a court or administrative ordered subpoena or discovery request; in most cases, the patient or member will be notified of such release in accordance with 45 CFR 164.512(d)(1);
  • The County may release PHI to law enforcement officials to report wounds and injuries and crimes, as permitted or required by law, or to avert a serious threat to health or safety pursuant to 45 CFR 164.512(f);
  • The County may release to a correctional institution or a law enforcement official having lawful custody of an inmate PHI about such inmate, if the correctional institution or such law enforcement official represents that such PHI is necessary for the provision of healthcare to such inmate, for the health and safety of the inmate or other inmates, officers or employees of the correctional institute, for the health and safety of law enforcement on the premises of the correctional institution, for the health and safety of those responsible for transporting or transfer of such inmate, or for the administration and maintenance of the safety, security, and good order of the correctional institution as set forth in 45 CFR 164.512(k)(5);
  • The County may release PHI to coroners and/or funeral directors consistent with law as permitted by 45 CFR 164.512(g);
  • The County may release PHI if necessary to arrange an organ or tissue donation pursuant to 45 CFR 164.512(h);
  • The County may release PHI if the patient or member is a member of the military as required by armed forces services and if necessary for national security or intelligence activities in accordance with 45 CFR 164.512(k);
  • The County may release PHI to workers’ compensation agencies if necessary for a patient’s or member’s workers’ compensation benefit determination in accordance with 45 CFR 164.512(l).

In some instances, California law may be more restrictive than HIPAA regulations in the use and disclosure of PHI without an authorization. It is the responsibility of the County designated health care components to develop their own policies and procedures based on a preemption analysis of applicable California and federal law.

1.3.13 Psychotherapy Notes.

In accordance with 45 CFR 164.508(a)(2), psychotherapy notes may only be used as follows:

  • An authorization is signed by the patient or the patient’s representative; or
  • If the psychotherapy notes are used for one of the following purposes:
  • By the originator of the psychotherapy notes for treatment;
  • By the County’s own training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling;
  • Defense of the County in a legal action or other proceeding brought by a patient;
  • To the Secretary of the US Department of Health and Human Services for compliance investigations;
  • As required by law;
  • To a health oversight agency for oversight of the originator of the notes;
  • To coroners and medical examiners; and
  • To avert serious threats to health and safety.

Each County health care component will determine whether it creates and maintains psychotherapy notes as defined in 45 CFR 164.501. If so, then each County health care component will conduct a preemption analysis of the use and disclosure of psychotherapy notes by comparing HIPAA privacy regulations with existing California law.

1.3.14 Research.

The County will not use or disclose PHI for research purposes without a patient’s or member’s authorization meeting the requirements of 45 CFR 164.508 unless:

  • The PHI has been de-identified pursuant to 45 CFR 164.514(a);
  • The PHI is a “limited data set” disclosed and used pursuant to a data use agreement meeting the requirements of 45 CFR 164.514(e);
  • An alteration to or waiver of the authorization in whole or in part is granted by an Institutional Review Board pursuant to federal law and documented in accordance with 45 CFR 164.512(i)(2);
  • The PHI is necessary to prepare a research protocol or other similar purpose preparatory to research, where the PHI being sought is necessary for research purposes, and the researcher does not remove any PHI from the County health care component that created or maintains the PHI in accordance with 45 CFR 164.512(i)(1)(ii);
  • The researcher documents the death of the individuals whose PHI is sought, and represents that the use or disclosure is being sought solely for research on the PHI of decedents and that access to such PHI is necessary for a research purpose in accordance with 45 CFR 164.512(i)(1)(iii).

1.3.15 Uses, Requests and Disclosures for Health Care Operations.

Pursuant to 45 CFR 164.512(a)(1)(ii) and 45 CFR 164.506(c)(1), the County may use and disclose PHI for its own health care operations consistent with the minimum necessary requirement and as permitted by law. Health care operations include but are not limited to:

  • Clinical improvement,
  • Professional peer review,
  • Business management,
  • Accreditation and licensing,
  • Enrollment,
  • Underwriting,
  • Reinsurance,
  • Compliance,
  • Auditing, and
  • Rating.

The County may also disclose a patient’s or member’s PHI to another covered entity for such things as quality assurance and case management, but only if that covered entity also has or had a patient or member relationship with that individual.

1.3.16 Uses, Requests, and Disclosures for Payment.

Pursuant to CFR 164.502(a)(1)(ii) and 45 CFR 164.506(c)(1), the County may use and disclose patients’ and members’ PHI to obtain reimbursement for those health care professionals and facilities that have treated or provided services to such patients and members as needed, consistent with the minimum necessary requirement. For instance, the County may forward patient information regarding medical procedures and treatment to a patient’s insurance company to arrange payment for the services provided. The County may also use PHI to prepare a bill to send to the patient or to the person responsible for payment in accordance with 45 CFR 164.502(a)(1)(ii) and 45 CFR 506(c)(1). For health plan members, the County may use information regarding their medical procedures and treatment to process and pay claims, to determine whether services are medically necessary, or to otherwise pre-authorize or certify services as covered under the health benefits plan. The County may also forward such information to another health plan, which may also have an obligation to process and pay claims on a member’s behalf.

1.3.17 Uses, Requests and Disclosures for Treatment.

Pursuant to 45 CFR 164.501(a)(1)(ii) and 45 CFR 164.506(c)(1), the County may use and disclose patient or member PHI for their treatment consistent with the minimum necessary requirement. The County may also disclose PHI to another provider for treatment. The County may release the patient’s PHI to a home health care agency so that a plan of care can be prepared if the patient is to receive home health care after leaving the hospital.

1.4 PATIENTS AND MEMBERS RIGHTS

1.4.1 Access to Protected Health Information.

Patients and members have the right to copy and/or inspect much of their PHI that the County maintains on their behalf in accordance with 45 CFR 164.524. All requests for access must be made in writing and signed by the patient or member or his or her representative.

Patients and members may obtain an access request form from:

San Mateo County Compliance and Privacy Officer
222 West 39th Avenue
San Mateo, CA 94403

Or from the site of service.

The County must provide access to a patient or member’s records within thirty days of receipt of a written request, unless otherwise pre-empted by California law. If more time is needed, the County may request an extension of no more than thirty days by notifying the patient or member in writing of the need for more time.

1.4.2 Accounting for Disclosures of Protected Health Information.

Patients and members have the right to receive an accounting of certain disclosures of their PHI made by the County after April 14, 2003 in accordance with 45 CFR 164.528, unless otherwise preempted by California law. Requests must be made in writing and signed by the patient, member or his or her representative. Accounting request forms are available from:

San Mateo County Compliance and Privacy Officer
222 West 39th Avenue
San Mateo, CA 94403

  • The first accounting in any 12-month period is provided free of charge. Patients and members may be charged a fee consistent with the direct cost for each subsequent accounting requested within the same 12-month period.
  • The content of the accounting must conform to 45 CFR 164.528(b).
  • The County will conform to the implementation standards for provision of an accounting found in 45 CFR 164.528(c).
  • The County will document the accounting in accordance with 45 CFR 164.528(d).

1.4.3 Amendments to Protected Health Information.

Pursuant to 45 CFR 164.526(a), patients and members have the right to request an amendment or correction to their PHI that the County maintains about them. The County is not obligated to make all requested amendments but will give each request careful consideration. All amendment requests, in order to be considered by the County, must be in writing;

  • signed by the patient, member or his or her representative; and
  • must state the reasons for the amendment/correction request.

The County may deny or grant the amendment request in accordance with 45 CFR 164.526. If the County makes an amendment or correction, the County may also notify others who have copies of the uncorrected record if the County believes that such notification is necessary in accordance with 45 CFR 164.526(c)(3). Patients and members may obtain an amendment request form from:

San Mateo County Compliance and Privacy Officer
222 West 39th Avenue
San Mateo, CA 94403

1.4.4 Complaints.

If patients or members believe their privacy rights have been violated, they can file a complaint by writing to:

San Mateo County Compliance and Privacy Officer
222 West 39th Avenue
San Mateo, CA 94403

In the case of services provided by the Mental Health Division, complaints may be made to Mental Health Advocacy Services or to the Privacy Officer. The Mental Health Advocacy Services (225 37th Avenue, San Mateo, CA 94403) will immediately report all privacy complaints to the Privacy Officer.

  • The County will provide a process for receiving complaints from patients and members in accordance with 45 CFR 164.530(d).
  • Patients and members may also file a complaint with the Secretary of the U.S. Department of Health and Human Services in Washington, D.C. in writing within 180 days of a violation of their rights.
  • There will be no retaliation for filing a complaint.
  • The County will document all complaints and their disposition.

1.4.5 No Waiver of Rights.

Pursuant to 45 CFR 164.530(h), a workforce member may not require a patient or member to waive any individual rights granted by federal HIPAA regulations as a condition for the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.

1.4.6 Restrictions on Use and Disclosure of Protected Health Information.

Patients and members have the right to request restrictions on uses and disclosures by the County of their PHI for treatment, payment, or health care operations in accordance with 45 CFR 164.522. Patients and members may request such restrictions by writing to:

San Mateo County Compliance and Privacy Officer
222 West 39th Avenue
San Mateo, CA 94403

The County will develop a procedure for processing restriction request forms.

Pursuant to 45 CFR 164.522(a)(1)(ii), the County is not required to agree to a patient’s or member’s restriction request.

The County retains the right to terminate an agreed-to restriction if the County believes such termination is appropriate in accordance with 45 CFR 164.522(a)(2).

In the event of a termination by the County, the County will notify the patient or member of such termination in accordance with 45 CFR 164.522(a)(2)(iii).

Pursuant to 45 CFR 164.522(a)(2)(i), patients and members also have the right to terminate, in writing, any agreed-to restriction to the provider or plan.

1.4.7 Right to Notice.

Patients and members have the right to adequate notice of the uses and disclosures of PHI that may be made by the County, and of the patient’s or member’s rights and the County’s legal duties with respect to PHI. The County will have a Notice of Privacy Practices that will be disseminated to patients and members and updated pursuant to 45 CFR 164.520.

This Notice of Privacy Practices explains the instances that the County may use and disclose PHI including but not limited to:

  • Treatment, payment or health care operations;
  • Facility directory which includes listing the name of the patient, room number, general condition, and, if desired, the patient’s religious affiliation in accordance with 45 CFR 164.510(a);
  • To include friends and family involved in the patient’s care if the patient provides approval; however, if the patient is unable to provide approval, such protected health information may be shared with those involved in the patient’s care if it is determined to be in the best interests of the patient in accordance with 45 CFR 164.510(b);
  • To outside persons and organizations who assist the County in carrying out its services such as auditing, accreditation, legal services etc. pursuant to 45 CFR 164.512(d);
  • Fundraising; however, the patient will be informed that he or she has the right to opt out of receiving fundraising materials/communications and informed how to opt out pursuant to 45 CFR 164.514(f);
  • Appointments and services to provide the patient with such services and products specific for his/her care, to advise the patient of new products and to provide general wellness and health information in accordance with 45 CFR 164.522(b);
  • Research in accordance with 45 CFR 164.512(i);
  • Alcohol and drug abuse patient records are disclosed only if the patient consents to the disclosure, the disclosure is ordered by a court, the disclosure is made in an emergency, or if the disclosure is for research, audit or program evaluation; and
  • All uses and disclosures that may be made pursuant to 45 CFR 164.512 or a business associate relationship.

If the patient or member has questions or needs assistance regarding the County’s privacy practices, he or she may contact:

San Mateo County Compliance and Privacy Officer
222 West 39th Avenue
San Mateo, CA 94403

1.4.8 Safeguards.

The County will take reasonable steps to safeguard PHI from any intentional or unintentional use or disclosure that is in violation of the federal HIPAA regulations of patient privacy and confidentiality. The County must reasonably safeguard PHI to limit incidental uses or disclosures made, which are otherwise permitted or required pursuant to the HIPAA privacy regulations. PHI to be safeguarded may be in any medium, including paper, electronic, oral and visual representations. Safeguard policies and procedures for appropriate categorization, storage or destruction of PHI will be developed by each County health care component in carrying out its covered functions.

1.5 PRIVACY VIOLATIONS

1.5.1 Business Associates and Limited Data Set Users.

The County has agreements with business associates who use PHI in the provision of services to and on behalf of the County, and with limited data set users who use limited amounts of PHI for specified purposes. These agreements include provisions that require the business associate or limited data set user to keep PHI confidential. If any County workforce member has any information regarding a possible privacy violation by a business associate or a limited data set user, the workforce member must report such information to:

San Mateo County Compliance and Privacy Officer
222 West 39th Avenue
San Mateo, CA 94403

within three (3) working days of obtaining such information.

1.5.2 Mitigating Misuses of Patient Information.

Any County workforce member who becomes aware of any misuses of patient or member protected health information will promptly notify:

San Mateo County Compliance and Privacy Officer
222 West 39th Avenue
San Mateo, CA 94403

In accordance with 45 CFR 164.530(f), the County workforce member must work with the Compliance and Privacy Officer to mitigate, to the extent practicable, any harmful effect that is known regarding a use or disclosure of PHI in violation of this or any other policy of the County.

1.5.3 Non-Compliance Sanctions.

The County will take appropriate disciplinary measures against workforce members who violate any policy or procedure of the County concerning the privacy of patient information. The disciplinary measures taken will be consistent with the violation and circumstances of each case. Discipline for such infractions of our privacy policies and procedures may include reprimand, suspension, or discharge of the responsible County workforce member, depending on the severity of the misconduct.

1.6 TRAINING

The County will train all workforce members carrying out or assisting with covered functions on the policies and procedures regarding PHI, as necessary and appropriate for the members of the workforce to carry out their function within the County health care components and in compliance with 45 CFR 164.530(b). Any workforce member who has questions or requires assistance regarding the County’s privacy practices shall be directed to:

San Mateo County Compliance and Privacy Officer
222 West 39th Avenue
San Mateo, CA 94403

All of the County health care components shall develop operation-specific procedures compliant with policy.