CITY OF AUSTIN HIPAA PRIVACY PRACTICES   

THE FOLLOWING PRACTICES DESCRIBE IN GENERAL TERMS HOW AN INDIVIDUAL’S PROTECTED HEALTH INFORMATION ( PHI ) MAY BE USED AND DISCLOSED BY THE AFFECTED HEALTH CARE COMPONENT DEPARTMENTS WITHIN THE CITY OF AUSTIN, AND WHAT “RIGHTS“ AN INDIVIDUAL HAS TO ACCESS, AMEND, AND PROTECT THE PRIVACY AND CONFIDENTIALITY OF THEIR PHI.

THE CITY HAS ESTABLISHED A NEW STRUCTURE TO MEET FEDERAL AND STATE REQUIREMENTS FOR PROTECTING PHI.  FOUR DEPARTMENTS HAVE BEEN DESIGNATED AS COVERED HEALTH CARE COMPONENTS.  EACH HAS ESTABLISHED PRIVACY POLICIES AND PROCEDURES THAT SAFEGUARD PHI AND PROTECTS ITS USE AND DISCLOSURE.  

THE CITY HAS ALSO DESIGNATED A “ PRIVACY OFFICER “ TO COORDINATE, OVERSEE, INTEGRATE AND LEAD ALL CITYWIDE PHI PRIVACY AND CONFIDENTIALITY PROGRAMS.

The City of Austin has four departments that are medical and health care components under HIPAA privacy rules and regulations.  These components create electronic and paper medical records and documents concerning an individual’s health, as well as provide direct medical care and treatment services, health care operations, and the submission of claims and receipt of payments.  The City requires these records in order to provide continuity and quality of health care and to comply with the federal Health Insurance Portability and Accountability Act of 1996  ( “ HIPAA “ ) and State of Texas legal requirements.

The HIPAA  “ Privacy Rule “ affords patients and individuals the right to access, amend, and safeguard the privacy and confidentiality of their personal, protected  health information ( PHI ).   PHI is defined as any identifiable health, medical or demographic information that describes the individual’s personal identity.  This includes but is NOT limited to name, address, phone number, e-mail, photographs, charts, tests, records etc. 

There are conditions and circumstances identified in federal and state law which allow and/or require the City to release and disclose an individual’s PHI. Those conditions are outlined below in general, and more specifically in each health care component department’s  “ Notice of Privacy Practices “ ( NPP ) listed on the department’s website.  Other than these noted federal and state requirements, the City of Austin will NOT release or disclose PHI without an individual’s personal written authorization and consent. The City is committed to protecting an individuals PHI privacy and confidentiality.

HOW THE CITY OF AUSTIN MAY USE AND / OR DISCLOSE  PROTECTED HEALTH INFORMATION  (PHI)

1.    Treatment.    The City may use and disclose information previously compiled about individuals to provide the best possible current or future health care treatment or services. Therefore, The City may, and most likely will disclose PHI information to doctors, nurses, and other health care providers who are involved in patient care and treatment operations.  We could also contact individuals about treatment alternatives and appointment reminders or other health-related benefit services.

2,    Payment.     The City may use and disclose medical information about individuals concerning services and procedures so they may be billed and collected from the individual, their insurance company or third party reimbursement entities.

3.    Operational Uses.     The City may use and disclose certain medical information about individuals in order to operate the City of Austin’s medical and health care operations more efficiently and cost effectively and to provide greater levels of customer service. We are committed to providing the highest quality of health care.  

4.   External Entities.     In an emergency, The City may disclose information to an entity assisting disaster relief or accidents so family members might be notified about an individuals medical condition, status, and treatment location.

5.    Research.     The City may participate in research concerning the use of certain treatment protocols that have COA and governmental approval.  In that case, The City would secure the individuals informed consent that would identify all aspects of their involvement, risks, benefits, and possible disclosures.

6.    Required by Law.     The City may disclose PHI if required to do so by federal, state, and local law.

7.    To Avert a Serious Threat to Health and Safety.   The City may use or disclose  PHI to persons who need to know when necessary to prevent a serious threat to an individuals health or the health, welfare and safety of others in the community.

8.    Public Health Issues and Risks.     The City may report your health information as required by law OR by the individuals authorization concerning health conditions to prevent or control disease, injury, disability, births and deaths, child or elder abuse or neglect, reactions to medications or products, recalls of products, or notice of exposure to a condition.

9.    Victims of Abuse, Neglect or Domestic Violence.     The City may disclose PHI to law enforcement, social services, or other government agencies authorized to receive the report if the City has reason to believe that an individual was the victim of abuse, neglect, or domestic violence.

10.    Investigations and Government Activities.    The City may disclose PHI to a local, state, or federal agency for oversight activities authorized by law that may concern inspections, licensure, illegal conduct, or compliance with other laws and regulations including civil rights.

11.    Lawsuits and Disputes.     The City may disclose PHI if an individual is involved in a lawsuit or legal dispute, in response to a subpoena, court order, discovery request or other lawful process by someone else involved in a legal dispute.

12.    Law Enforcement.     The City may release PHI to law enforcement officials in response to a court order, subpoena, warrant, summons or similar process, to identify or locate a suspect witness or missing person, concerning the victim of a crime, about a death we believe may involve criminal actions, criminal conduct in progress, crimes on City property, or emergency situations to report a crime or details of a crime.

13.    Coroners, Medical Examiners and Funeral Directors.     The City may release PHI to a coroner, medical examiner or funeral director as necessary for them to carry out their duties and responsibilities.

14.    Military and national/HomeLand Security.    The City may disclose PHI information to the military upon request.  The City may also disclose PHI to federal officials conducting national security and/or intelligence activities.

15.    Workman’s Compensation.     The City may disclose PHI if required by workman’s compensation laws and other similar laws and regulations.

16.   Enforcement and implementation.   City of Austin Department Directors who maintain, safeguard, process or use PHI are fully responsible and accountable for the implementation of all PHI privacy, confidentiality and security policies, procedures,, and standards within their departments. These departments also have designated a “ Privacy Representative “ who is responsible for the day-to-day coordination and implementation of all PHI privacy policies, procedures, and complaints within their department. 

17.         Finally, a “ Privacy Officer“  has been appointed in the City and will coordinate and integrate all federal and state PHI privacy policies and standards city-wide.  

The above is a general overview of how the City of Austin may use and disclose an individuals PHI.   IF YOU HAVE ANY QUESTIONS,  COMPLAINTS, OR NEED CLARIFICATION ON ANY PHI OR MEDICAL-HEALTH PRIVACY ISSUE, YOU SHOULD CONTACT THE HIPAA PRIVACY REPRESENTATIVE LISTED BELOW, FROM ONE OF THE CITY’S HEALTH CARE COMPONENTS OR, THE CITY OF AUSTIN’S PRIVACY OFFICER.

YOUR  PRIVACY  RIGHTS

HIPAA and Texas law safeguard and protect an individual’s PHI.   The City of Austin is committed to protecting these rights through effective policies and procedures in each of our four covered health care component departments.  (see below).   Additional detail is listed in The Notice of Privacy Practices (NPP) on each department’s website.

In general, an individual has the right to ….

1.     Inspect and copy their health information PHI.   An individual may ask to review or request a copy of their health care information  (PHI) from the appropriate City of Austin department.  The Department may charge a reasonable fee for any copies requested.   Please make this request in writing to the appropriate Department where treatment or services were rendered.  See the Department’s NPP on the website link below. 

2.    Amend health information if an individual believes it is incorrect or not complete.     An individual may request that the City amend or modify PHI.  If the appropriate City Department accepts the request the change or modification will become a permanent document and added to the individuals medical record.  Please make this request in writing to the appropriate Department involved.  See the NPP on the website links below.

3.    Request a limit to the health information disclosed by the City.    An individual may request the appropriate City department not use or disclose PHI.  The request must describe the specific limits and requirements. The City may deny a request.  Please make this request in writing to the appropriate Department listed on the website links below.

4.    Request a list of disclosures the City has made of an individual’s PHI.  An individual  may request a list of disclosures that the City of Austin has made of their health and medical records.  This list will not include routine disclosures of PHI for treatment, payment, or operations  (TPO) as described above.   Please make this request in writing directly to the appropriate City Department listed below.

5.    Request confidential communications.   The City will not disclose PHI except as described in this notice.  However, an individual may request that The City contact an individual by another means or at a different address or limit the number or type of people who have access to an individuals PHI.   Please make this request in writing to the appropriate City department listed below.

6.    File Written Complaints.   If an individual believes their privacy rights have been violated or has questions on the use and disclosure of their PHI health information the individual should immediately call, write or file a written complaint to the individual department HIPAA Privacy Representative listed below.

An individual may also register requests or complaints directly with the City of Austin’s Privacy Officer ;  e-mail, Privacy_Officer@ci.austin.tx.us or the Privacy Officer’s HOTLINE telephone number at  ( 512 ) 974 – 7848.

A third option is also available.  An individual may contact the United States Office of Civil Rights, U.S. Department of Health and Human Services ( OCR ) with their issues and/or complaints.   The OCR may be contacted at the following: 

             Office of Civil Rights, U.S. Department of Health and Human Services  Region VI

1301 Young Street    Suite  1169
Dallas, Texas 75202
Phone :  ( 214) 767-4056
Fax:      ( 214) 767-0432

CITY OF AUSTIN PRIVACY REPRESENTATIVES

The City of Austin has identified four city departments that initiate, maintain, and utilize PHI as part of their community health and medical treatment, payment, or health care operations and services.

An individual should contact the Privacy Representative from the appropriate city department with any questions, comments, issues, problems or complaints concerning the use, disclosure, security, or confidentiality of their PHI.

The CITY OF AUSTINHIPAA PRIVACY REPRESENTATIVES :

• Primary Care Division of Community Care Services :

Debra Hedges
Phone:  ( 512) 972-4097
Fax:     ( 512) 972-4142

Mailing address:
15 Waller Street
Austin, Texas 78702

/primarycare/

• Emergency Medical Services

Terry Cardona
Phone: ( 512) 972-7281
Fax:     ( 512) 482-9407

Mailing address:
15 Waller Street, 2^nd Floor
P.O. Box 1088
Austin, Texas 78702

/ems/

• Health and Human Services -  Public Health Division; Medical Assistance Program

Pete Oxner   –  (512)  972-5030
Marti Cascio -  (512)  972-5022

2100 E. St. Elmo Rd.  Bldg. 30 E
Austin, Texas 78767

/health/

• Human Resources – Employee Benefits / Employee Services Division  (group health plan)

Don Ellison
Human Resources Department

City of Austin
P.O. Box 1088
Austin, Texas 78767
Phone: (512) 974-3407
Fax:    (512) 974-3284

/hr/

PRIVACY  OFFICER     

In compliance with federal regulations the City has appointed a Privacy Officer to lead, coordinate, integrate and facilitate ALL citywide HIPAA and PHI privacy compliance, implementation, and enforcement responsibilities.   The Privacy Officer will work closely with each health care component department in developing and continuously improving, implementing, and enforcing ALL federal and state laws that relate to the privacy, confidentiality, access, and security of PHI.

ROLE and RESPONSIBILITY of THE PRIVACY  OFFICER

The Privacy Officer oversees all on-going activities related to HIPAA compliance and the development, implementation, maintenance, and adherence to all City of Austin’s policies and procedures, activities and practices covering the privacy, access, disclosure, confidentiality and security of personal protected health information in compliance with federal and state law.

Duties and responsibilities of the Privacy Officer include the following. 

1.     Oversee the on-going development, implementation, monitoring, maintenance of citywide PHI privacy policies and procedures.

2.     Conduct independent privacy risk assessments and compliance monitoring programs.  This could include internal quality reviews, compliance/performance audits, or engaging  “ outside “ technical privacy and security specialists, or internal COA staff specialists for support. 

3.       Establish and administer additional processes for full privacy compliance with all City of Austin

health care component department’s policies and procedures, Notice of Privacy Practices ( NPP ), GAP Analyses, and privacy and security procedures.   Close coordination with departments on establishing efficient and effective PHI privacy and confidentiality internal controls. 

Recommend and monitor appropriate and effective sanctions to any employee who knowingly and unlawfully uses or discloses PHI or otherwise knowingly violates privacy policies, procedures and practices.  Coordinate such efforts through the Human Resource and Law Departments, and other appropriate city entities.

4.      Establish and administer a citywide complaint and dispute resolution process.   Includes monitoring and enforcing processes and procedures for receiving, documenting, tracking, and investigating privacy policy and procedure complaints.  Work closely with each department Privacy Representative to resolve and mediate disputes and/or complaints quickly, fairly, impartially.

5.      Initiate and promote the awareness and dissemination of information on privacy policies, procedures and practices throughout the City of Austin AND the community.   Review training materials and conduct and/or monitor ongoing privacy/security awareness or role-specific training.  Covered departments will conduct specific privacy training with support and sponsorship from the Privacy Officer and maintain logs of all attendees. 

6.      Oversee and monitor citywide HIPAA and/or privacy training and development for appropriate employees, volunteers, medical and service staff, city departments and third parties when necessary.  Monitor  “ health care component departments “ and ascertain that all appropriate personnel have completed required training.

7.     Monitor advancements in information technology and privacy compliance rules and regulations. Share this information with all appropriate city officials, departments and staff.  Attend seminars, conferences and workshops on new techniques and approaches in the privacy field.  Integrate these technologies and best practices into current work/task practices where appropriate within the City.

8.     Work closely with all COA staff and support departments to effectively, efficiently and responsively implement and continuously improve privacy and security processes, policies and procedures.  Includes such departments as ISD, Law, FSD Audit, COA Audit, and other appropriate departments.

9.     Report periodically to the City of Austin executive leadership team on emerging legislative, judicial, and enforcement developments. 

10.     Provide information, assistance, and guidance on PHI privacy issues to any City of Austin department and entity as requested.

11.     Develop, implement and monitor the annual Privacy Office budget.   Recommend adequate and appropriate funding which supports compliance with federal and state privacy rules and regulations.

12.     Maintain a comprehensive listing / log of all complaints registered within any covered health care component department, COA department, U.S. Department of Health and Human Services / Office of Civil Rights ( OCR ), or The Privacy Office.  Coordinate the full resolution of complaints within each health care component department.  Mediate and help resolve disputes as requested.

13.    Coordinate and integrate technical, transaction and security needs and requirements with the City of Austin Security Officer.  Coordinate, communicate and integrate efforts and programs with various sponsorship and privacy leadership teams including city officials, department directors and representatives, the Privacy Steering Team, and Privacy Action and Implementation teams

14.    Privacy Officer reports to the Chief Executive Officer, Community Care Services Department,

The Privacy Officer for the City of Austin :

Bob McConaughy
Community Care Services Department
625 East 10^th Street 8^th Floor
Austin, Texas   78701

HOTLINE:  ( 512)  974 – 7848

e-mail :    PrivacyOfficer@ci.austin.tx.us

Privacy Officer Complaint – Investigations  Process

The Privacy Officer will work closely with all health care components and their department privacy representative (s) and support staff in coordinating, integrating, documenting AND resolving any problems, complaints, or issues raised by individuals concerning their PHI confidentiality and privacy rights.   

The City takes every complaint seriously, and will endeavor to resolve each complaint quickly and satisfactorily with the individual involved.   Each City health care component department has developed and are now implementing detailed processes, policies and procedures which will facilitate any questions, issues and complaints from individuals concerning their PHI.  

An individual should contact the appropriate department privacy representative for further details and information on these processes.

To further enhance and strengthen the complaint and complaint resolution process the City’s Privacy Officer will coordinate and integrate efforts on a citywide basis to help resolve complaints in an effective, efficient, and timely manner.

The Privacy Officer Complaint and Resolution Process  

1.     The Privacy Officer will monitor and facilitate the effective, efficient implementation and enforcement of a citywide HIPAA privacy complaint process.   Verify that the covered health care component departments are following policies and procedures and handling and resolving disputed issues and/or complaints in an efficient, effective and timely manner.

2.     Any individual with PHI information created or maintained by one of the health care component departments has a right to inquire, complain, or request access, amendment, or an accounting of any disclosures made by that department.  Please see their “Notice of Privacy Practice “  (NPP) on the department website listed above.  

3.    If a PHI privacy and/or confidentiality request or complaint originates directly with one of the City’s health care component departments that Department’s Privacy Representative will implement their department’s internal policies, procedures, and processes for handling any PHI privacy and confidentiality complaints.  The health care component department is THE focal point for handling and resolving all complaints.  The responsibility to resolve the issue or complaint rests with the Department Director and Privacy Representative.  

The Privacy Officer will closely monitor and coordinate all complaints with each department’s privacy representative and offer any and all assistance and support necessary.

4.     The department Privacy Representative will immediately contact the Privacy Officer as each new complaint is filed.   The responsibility for resolving the complaint rests with the department. The Privacy Officer will…

• Log the complaint and all details for documentation purposes.

• Coordinate the complaint resolution process with the Privacy Representative 

• Monitor the complaint resolution process and ascertain that all policies, procedures, and processes are being followed to resolve the dispute / complaint promptly and expeditiously. 

• Mediate complaints if requested.

• Periodically review the complaint process and offer recommendations and suggestions for process improvement.

• Coordinate periodic “ quality reviews “ or “ audits “ to ensure the process is functioning  as intended.

• Maintain full disposition status of the complaint and action (s) taken by the respective department to resolve the complaint.
  
• Mitigation -  Any individual who becomes aware of inappropriate use or disclosure of PHI has a duty to mitigate, to the extent practicable, any harmful effect.   Any violation or alleged violation of any privacy practices, policies or procedures MUST be reported immediately to an immediate supervisor or manager, then to the Privacy Officer.  The Privacy Officer will investigate all reported incidences and document sanctions and mitigated action.

5.    If the request or complaint comes directly to the Privacy Officer, the Privacy Officer will contact the affected health care component department’s Privacy Representative for disposition and resolution.   The steps are similar to # 2 above.   If the complaint has a basis other than for a particular department, The Privacy Officer will take all steps to investigate, review any relevant policies and procedures or documentation in an effort to resolve the complaint fairly and expeditiously.  The Privacy Officer may engage any necessary internal or external resources for investigation and resolution.

6.     Periodically questions, issues, and complaints on PHI may be directed to various City of Austin officers, City Council members, department directors and staff personnel.   Given the City’s commitment to PHI privacy confidentiality and compliance under federal and state law, the following safeguards and procedures should be followed:

• All City of Austin officers, council members, directors, and staff should direct all PHI inquiries and complaints immediately to the Privacy Officer for disposition and resolution.  Federal and state laws and regulations are complex. The Privacy Officer will advise appropriate actions and processes to meet the request or complaint.

• The Privacy Officer will determine whether a PHI privacy compliance issue exists and, will either address the issue or complaint directly, OR transfer the inquiry, issue, or complaint to one of the City’s health care component departments for review, analysis, and resolution.   In the latter instance, the Privacy Officer will coordinate and monitor all resolution activities with that department’s Privacy Representative.

• The Privacy Officer will collaborate and communicate the disposition and resolution of the issue with the initiating officer, director or City staff personnel.

• Fines, sanctions, and penalties can be severe to the City of Austin and it’s covered health care components that knowingly and purposely violate HIPAA and state laws with an inappropriate disclosure or abuse of PHI  privacy and confidentiality.  It is imperative all inquiries, issues and complaints be handled swiftly, courteously, and responsively under the legal timeframes and requirements. 

• Contact the Privacy Officer immediately on any PHI issue.  The Privacy Officer and department Privacy Representatives can then protect the COA and all personnel from a knowing, or unknowing privacy violation. Such a violation could have serious consequences for the City.

7.     If the request or complaint is registered directly to the Office of Civil Rights, U.S. Department of Health and Human Services, the Privacy Officer will coordinate ALL city complaint activities directly with OCR.   Further, the Privacy Officer will:

• Contact the affected department Representative and the City Law Department.
  
• Log all complaints, inquiries, or requests.
   
• Affected department will implement their full complaint review, investigations, and resolution process.
  
• Monitor and oversee all COA resolution activities.
  
• Coordinate  and communicate with the OCR as necessary.
  
• Use full weight and authority of the office to reach a satisfactory solution to the complaint.
  
• Enforce modifications or changes to existing policies & procedures when and if necessary

Privacy  Quality  Review  -  Audit  Process

The Privacy Office will implement a continuous monitoring and quality review – audit process for all covered health care component departments to ascertain that each is in full compliance with the privacy rule under both federal and state law.  Recommendations may also be made for process improvements and enhancements to the compliance process.

The Privacy Officer will periodically develop and organize independent “quality reviews - audits“ of each department’s policies and procedures, GAP analyses, Notice of Privacy Practice, security, complaint resolution processes, business associates’ agreements and other privacy standards as appropriate.  

With the assistance of internal and external quality review resources The Privacy Officer will determine that each health care component department and the City are in full compliance with federal and state privacy laws.  The Privacy Officer will work closely with each Privacy Representative to recommend and implement policy- procedures-security process improvements citywide.

Internal  Quality Review – Audit Process

The Privacy Officer will periodically organize, coordinate and integrate independent quality and process reviews by various internal City of Austin resources experienced in quality review assessments and analyses and performance reviews.  Some of the areas to be reviewed could include, but are not limited to :

• Use and disclosure policies and procedures
  
• Staff compliance with privacy policies and procedures
  
• HIPAA compliance policies and procedures
  
• Documentation and accuracy of privacy notices and privacy rights
  
• Complaints and resolutions
  
• Safeguarding PHI; Security processes
  
• Documentation
  
• Training
  
• Performance of business associates.
  
• Other

The Privacy Officer will utilize appropriate and available City of Austin resources for these quality review-audits.

The Quality Review-Audit Team would report to the Privacy Officer, and offer findings and recommendations.   The Team and the Privacy Officer will review the findings and recommendations with the respective health care component department Director, privacy representative and appropriate staff.  Suggested action items and implementation plans for improvement would also be discussed.

The Privacy Officer will monitor and assess progress within the health care component department toward completing quality review-audit recommendations.

External  Quality Review - Audit  Process

The Privacy Officer may periodically retain the services of outside technical, legal, and privacy specialists in a continuous effort to maintain the highest privacy standards, security, and confidentiality of PHI.   These reviews could cover privacy, transactions, code sets, security and other processes necessary for the city to remain fully compliant with federal and state privacy law and regulations.

Areas covered could include the areas listed above for internal reviews.  The Privacy Officer will utilize technical, systems integration, legal counsel, HIPAA, security and privacy specialists in a quality review of processes and compliance policies and procedures.

Privacy Officer responsibilities for these external reviews:

• Ensure budget dollars available for quality-audit reviews
  
• Develop an RFP.
  
• Assemble a vendor review and selection team
  
• Review responses. Select vendor.
  
• Work closely with vendor in developing scope, work-plan, timeframes, and deliverables
  
• Coordinate review with covered entity department(s) involved
  
• Coordinate vendor’s findings and recommendations
  
• Coordinate the presentation of those findings and recommendations to the department(s) involved and senior management.
  
• Monitor, coordinate and integrate implementation of findings and recommendations

	Austin City Connection - The Official Web site of the City of Austin
	Contact Us: privacyofficer@ci.austin.tx.us or 512-974-7848.
	Legal Notices | Privacy Statement
	© 1995 City of Austin, Texas. All Rights Reserved.
	P.O. Box 1088, Austin, TX 78767 (512) 974-2000