title
PROPOSED ORDINANCE
DESIGNATION OF COOK COUNTY AS A HYBRID ENTITY FOR THE PURPOSES OF COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT
WHEREAS, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its Rules (codified in the Code of Federal Regulations at 45 CFR parts 160 and 164, Pub. Law No. 10-191) impose privacy and security standards and requirements upon health plans, health care clearing houses, and health care providers that transmit any health information in electronic form in connection with standard transactions within the scope of HIPAA, otherwise known as Covered Entities; and
WHEREAS, Cook County (“County”), a unit of local government under the laws of the State of Illinois, is a single legal entity which conducts both Covered Functions and non-covered Functions; and
WHEREAS, the operation of the Cook County Health & Hospitals System (“CCHHS”) and the County’s patient arrestee program, self-insured health, dental, vision and pharmacy benefit plans as administered by the Department of Risk Management are Covered Functions subject to the HIPAA Privacy and Security Rules; and
WHEREAS, HIPAA allows a Covered Entity to designate itself as a Hybrid Entity when it performs both Covered and non-Covered Functions and to designate Health Care Components, which must comply with HIPAA; and
WHEREAS, a Hybrid Entity limits the Covered Entity’s potential liability by requiring only those departments designated as Health Care Components to comply with HIPAA; and
WHEREAS, HIPAA requires any entity that performs a function on behalf of a Covered Entity or a Health Care Component of a Hybrid Entity, which involves the use or disclosure of protected health information (“PHI”), shall be required to execute a business associate agreement (“BAA”); and
WHEREAS, the Cook County Board of Commissioners desires to declare Cook County a Hybrid Entity, designates the County’s Health Care Components; directs the Cook County Health System Board to designate a Privacy and Security Officer at the CCHHS and directs that the Director of Risk Management or his/her designee serve as the Privacy Officer and designate a Security Officer to ensure that the County’s patient arrestee program, self-insured health, dental, and pharmacy benefit plans are HIPAA compliant; and
BE IT ORDAINED, by the Cook County Board of Commissioners that Chapter 2 - ADMINISTRATION, ARTICLE XIV- HIPAA Compliance, SECTION 2-1020 - 2-1026- is hereby enacted as follows:
ARTICLE XIV - HIPAA Compliance
Sec. 2-1020 - Definitions
The definitions of terms set forth in HIPAA are adopted and incorporated herein by reference as if fully set forth.
Business Associate - A person or entity that performs a function on behalf of a Covered Entity or assists a Covered Entity with a function or activity involving the use or disclosure of PHI.
Business Associate Agreement (“BAA”) - A contract between a HIPAA covered entity and a HIPAA business associate which protects PHI in accordance with HIPAA guidelines.
Covered Entity - A health plan, a health care clearinghouse or a health care provider that transmits any health information in electronic form within the scope of HIPAA.
Covered Functions - Those functions of a Covered Entity which make it a health plan, health care provider or health care clearinghouse.
Electronic Protected Health Information (“ePHI”) - Protected health information created or received by a Covered Entity that is transmitted by electronic media or maintained by electronic media.
Health Care Component - A component or combination of components of a Hybrid Entity designated by the Hybrid Entity, including any component that would meet the definition of a Covered Entity if it were a separate legal entity. Health Care Component(s) may include a component only to the extent that it performs covered functions.
Hybrid Entity - A single legal entity that is a Covered Entity whose business functions include covered and non-covered functions as defined by HIPAA. The entity must designate Health Care Components and document the designation in accordance with HIPAA requirements.
Non-covered Functions- Those functions performed by components of a Hybrid Entity that are not subject to HIPAA requirements.
Protected Health Information (“PHI”) - Individually identifiable health information collected from an individual that is created or received by a Covered Entity. PHI encompasses information that identifies an individual and relates to the past, present or future physical or mental health of an individual, the provision of health care to an individual or payment for the provision of health care to the individual.
Sec. 2-1021 - Health Care Component Designation for Hybrid Entity
(a) Cook County is required to comply with HIPAA privacy and security standards to maintain the confidentiality of PHI as referenced in Cook County Resolution 03-R-300 (adopted on July 1, 2003).
(b) Cook County delegates itself as a Hybrid Entity pursuant to HIPAA as it conducts business activities which include Covered Functions and non-Covered Functions.
(c) In accordance with HIPAA, only departments or organizations which administer Cook County’s patient arrestee program, self-insured health plans or provide electronically billed health care services and transmit ePHI will be designated as a Health Care Component of Cook County.
(d) The following Cook County self-insured health plans and organizations are hereby designated as Health Care Components of Cook County:
1. Self-insured health, dental, vision and pharmacy plans as administered by the Department of Risk Management;
2. Patient Arrestee Medical Care program as administered by the Department of Risk Management; and
3. Cook County Health and Hospitals System.
(e) All other departments, organizations or functions of Cook County that do not engage in covered functions are hereby designated as non-covered functions of Cook County.
(f) The Cook County Board may amend the designation of the Health Care Components by adding or removing a department, office, division or self-insured health plan to or from such designation.
Sec. 2-1022 - HIPAA Privacy Rule and Security Rule Compliance
(a) Notwithstanding the designation of the County Health Care Components herein, the County shall be responsible for developing policies and procedures to ensure compliance with the HIPAA Privacy Rule and Security Rule, and shall be responsible for activities related to oversight of compliance with, and enforcement of the aforementioned rules.
A Health Care Component shall not disclose any PHI, ePHI or HIPAA-required documentation which it receives or maintains to another County department or agency 1) if such disclosure would be prohibited by the HIPAA Privacy or Security Rules, 2) if the Health Care Component and 3) such other County department or agency were separate and distinct legal entities.
Sec. 2-1023 - Designation of Privacy Officers and Security Officers
(a) Each Health Care Component shall have a designated Privacy Officer and Security Officer. A Health Care Component’s Privacy Officer and Security Officer may appoint an employee of the Health Care Component to assist in the performance of the Privacy Officer and/or Security Officer’s responsibilities.
(b) The Privacy Officer and Security Officer for the Healthcare Components of the County (other than the CCHHS) shall be the Director of the Department of Risk Management or his or her designee.
(c) The Privacy Officer and a Security Officer for the CCHHS shall be the Chief Compliance and Privacy Officer for the Cook County Health and Hospital System or his or her designee.
(d) The Privacy and Security Officers for their respective Health Care Components shall each develop written policies and procedures and perform any other duties or obligations as required by HIPAA.
Sec. 2-1024 - HIPAA Required Agreements; Authorization
(a) Any entity (including another County department or agency) that performs a function on behalf of the County or a Health Care Component of the County as defined in Section 2-1021 (d), which involves the use or disclosure of PHI shall be required to execute a business associate agreement.
(b) The Chief Compliance and Privacy Officer of CCHHS and the Director of Risk Management of the County are hereby authorized to enter into BAAs necessary to comply with the HIPAA Privacy and Security Rules and, to enter into all other agreements required by the HIPAA.
Sec. 2-1026 - Severability
If any section, subsection, sentence, clause, phrase or portion of this ordinance is held to be invalid or unconstitutional, or unlawful for any reason, by any court of competent jurisdiction, such portion shall be deemed and is hereby declared to be a separate, distinct and independent provision of this ordinance, and such holding or holdings shall not affect the validity of the remaining portions of this ordinance.
Effective date: This ordinance shall be in effect immediately upon adoption.
end