Item 9A MemoCity of Southlake, Texas
MEMORANDUM
March 30, 2004
TO: Billy Campbell, City Manager
FROM: Kevin Hugman, Director of Human Resources
SUBJECT: Resolution No. 04 -020, Amending City of Southlake personnel policies to adopt a
policy regulating Protected Health Information as required by the Health
Insurance Portability and Accountability Act ( HIPAA).
Action Requested: City Council approval of Resolution No. 04 -020, amending the personnel
policies to adopt a policy regulating Protected Health Information as required
by the Health Insurance Portability and Accountability Act ( HIPAA), to
become effective April 14, 2004.
Background
Information: The Health Insurance Portability and Accountability Act ( HIPAA) was enacted
by Congress in 1996. Certain sections of the Act required the U.S. Department
of Health and Human Services (HHS) to develop standards for the electronic
exchange, privacy and security of health information. In August 2002, the
HHS published the Standards for Privacy of Individually Identifiable Health
Information, known as the Privacy Rule.
The Privacy Rule applies to health plans, health care clearinghouses, and
health care providers. Since the City provides an employer- sponsored group
health plan, including a flexible spending account administered through a third
party, the City is required to be compliant with the HIPAA Privacy Rule. All
covered entities, except "small health plans" were required to be compliant by
April 14, 2003. The City's health plan, considered to be a "small health plan"
is required to be compliant by April 14, 2004.
The City's HIPAA Privacy Policy is applicable only to individually
identifiable health information associated with health, dental, vision,
prescription drug and flexible spending account benefits. HIPAA does not
apply to health information required by life or disability insurance, workers'
compensation, or that information held by the City in its role as an employer
(i.e., pre - employment health screenings, FMLA, ADA, etc.).
The City's Privacy Policy will:
• designate a Privacy Officer (to be the Director of Human Resources) as
required by law;
• establish policy requirements for safeguarding protected health
information that the City may possess, and provides a means for
individuals to authorize the use and disclosure of protected health
information by the City;
Billy Campbell, City Manager
March 30, 2004
Page 2
• provide for a Notice of Privacy Practices to be given to all employees
that describes when protected health information is required or
permitted to be disclosed without an individual's authorization; and
• define document retention requirements.
Financial
Considerations: There is no financial cost to the City to implement this policy. Failure to
comply with the HIPAA requirements can result in civil penalties up to
$25,000 per year.
Citizen Input/
Board Review: Not Applicable.
Legal Review: The City Attorney has reviewed the policy.
Alternatives: Input as desired by Council.
Supporting
Documents:
• Resolution No. 04 -020, Amending City of Southlake personnel policies
to adopt a policy regulating Protected Health Information as required by
the Health Insurance Portability and Accountability Act (HIPAA).
• Health Insurance Portability and Accountability Act (HIPAA) Privacy
Policy.
Staff
Recommendation: City Council approval of Resolution No. 04 -020, amending the personnel
policies to adopt a policy regulating Protected Health Information as required
by the Health Insurance Portability and Accountability Act (HIPAA), to
become effective April 14, 2004.