St. Louis City Ordinance 68109
St. Louis City Ordinances have been converted to electronic format by the staff of the St. Louis Public Library. There may be maps or illustrations (graphics) that are not available in this format. This electronic version has been done for the interest and convenience of the user. These are unofficial versions and should be used as unofficial copies.
Official printed copies of St. Louis City Ordinances may be obtained from the Register's Office at the St. Louis City Hall.
FLOOR SUBSTITUTE
INTRODUCED BY ALDERMAN GREGORY CARTER
An Ordinance pertaining to the Health Insurance Portability and Accountability Act of 1996, P.L. 104-91 (hereinafter HIPAA); repealing Ordinance 66281 and enacting in lieu thereof a new ordinance providing for compliance by the City with both the HIPAA Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Part 160 and Part 164, Subparts A and E (the Privacy Rule) and the HIPAA Security Standards for the Protection of Electronic Protected Health Information, 45 C.F.R. Part 160 and Part 164, Subparts A and C (the Security Rule); re-designating the City's Hybrid Entity Health Care Components, with removal of the Health Department from such designation; re-designating the City's Business Associate Components, with removal of the Department of Public Service Building Division, and requiring Business Associate Components to meet certain requirements of the Privacy Rule and Security Rule; appointing the City Privacy Officer and the Privacy Officers for each of the designated Health Care Components, providing for their duties, and providing for amendments of such designations; appointing the City Security Officer and the Security Officers for each of the designated Health Care Components, providing for their duties, and providing for amendments of such designations; authorizing the Health Care Component Privacy Officers, upon recommendation of the City Counselor, to enter into Business Associate Agreements in compliance with the Privacy Rule and the Security Rule, and upon recommendation of the City Counselor and the Board of Estimate and Apportionment, to enter into all other agreements required for compliance with the Privacy Rule and the Security Rule; and providing for a severability clause.
WHEREAS, the HIPAA Privacy Rule and the Security Rule impose privacy and security standards and requirements upon Covered Entities, which are health plans, health care clearing houses, and health care providers that transmit any health information in electronic form in connection with standard transactions within the scope of HIPAA, as defined under 45 C.F.R. § 160.103 of the Privacy Rule, and
WHEREAS, the City, a municipal corporation under the laws of the State of Missouri, is a single legal entity which does not function primarily as a Covered Entity, and
WHEREAS, while most City departments, offices, and agencies do not perform Covered Entity functions that are covered by the Privacy Rule and the Security Rule, there are City departments, offices, and agencies, and divisions or sections thereof, and the City's group health plan(s) that perform such covered functions, and therefore, the City is a Covered Entity that is subject to the Privacy Rule and the Security Rule, and
WHEREAS, with the designation of City Health Care Components, the City comes within the definition of Hybrid Entity under the provisions of 45 C.F.R. § 164.105, and
WHEREAS, a City Health Care Component that discloses Protected Health Information to a non-City entity that provides services to or acts on behalf of the Health Care Component must require that the non-City entity enter into a Business Associate Agreement with the City for its Health Care Component in compliance with the Privacy Rule and the Security Rule, and
WHEREAS, when a City Health Care Component discloses Protected Health Information to another City department, office, agency, or division or section thereof that would constitute a Business Associate capacity if such entities were separate and distinct, such other City department, office, agency, or division or section thereof, herein designated as City Business Associate Component, must comply with certain requirements of the Privacy Rule and the Security Rule.
NOW THEREFORE BE IT ORDAINED BY THE CITY OF ST. LOUIS AS FOLLOWS:
SECTION ONE. Ordinance 66281, approved July 7, 2004, pertaining to the City's compliance with the HIPAA Privacy Rule and the designation of Health Care Components of the City as a Hybrid Entity, is repealed, and in lieu thereof a new ordinance is hereby enacted to read as follows:
SECTION TWO. Definitions. The definitions of terms set forth in the HIPAA Privacy Rule and the Security Rule are adopted and incorporated herein by reference as if fully set forth; unless otherwise defined herein, the terms used in this ordinance shall have the same definitions as those set forth in the Privacy Rule and the Security Rule.
SECTION THREE. Health Care Component Designation for Hybrid Entity.
A. A City department, agency, office, and any division or section thereof, and City group health plan(s) that performs a Covered Entity function under the Privacy Rule and the Security Rule shall be designated as Health Care Component of the City. The following City departments, agencies, offices, or divisions or sections thereof, and City group health plan(s) are each hereby designated as a Health Care Component of the City:
1. The Fire Department's Emergency Medical Services Division, including its billing service; and
2. The City's Group Health Plan(s).
B. Upon recommendation of the City Counselor, the Board of Aldermen, may, by resolution, amend the designation of the City Health Care Components by adding or removing a City department, agency, office, and any division or section thereof, or group health plan to or from such designation. Any amendment of the City's designation of its Health Care Components shall be certified in writing by the Clerk of the Board of Aldermen, which certification shall be filed with the City Register within thirty (30) days of such amendment.
SECTION FOUR. City Responsibility for Compliance with the Privacy Rule and the Security Rule.
A. Notwithstanding the designation of the City Health Care Components herein, the City shall be ultimately responsible for developing policies and procedures to ensure compliance with the Privacy Rule and the Security Rule, and shall be ultimately responsible for activities related to compliance with and enforcement of the Privacy Rule and the Security Rule.
B. A Health Care Component shall not disclose any Protected Health Information or HIPAA-required documentation which it receives or maintains to another City department, agency, or office if such disclosure would be prohibited by the Privacy Rule or the Security Rule if the Health Care Component and such other City department, agency, or office were separate and distinct legal entities.
SECTION FIVE. Privacy Officers.
A. The Chief of the Fire Department's Emergency Medical Services is hereby designated as the City Privacy Officer to implement and coordinate the City's compliance with the Privacy Rule.
B. Each Health Care Component shall have a designated Privacy Officer. The Chief of the Fire Department's Emergency Medical Services shall serve as the Privacy Officer for the Emergency Medical Services Division, and the Employee Benefits Group Insurance Supervisor of the Department of Personnel shall serve as the Privacy Officer for the City's group health plan(s). A Health Care Component Privacy Officer may appoint an employee of the Health Care Component to assist in the performance of the Privacy Officer's responsibilities set forth herein.
C. Upon recommendation of the City Counselor, the Board of Aldermen, may, by resolution, amend the designation of a Health Care Component Privacy Officer. Any amendment of the designation of the Health Care Component Privacy Officer shall be certified in writing by the Clerk of the Board of Aldermen and filed with the City Register within thirty (30) days of such amendment. For the designation of any additional City Health Care Component as provided for under Section Three hereof, the Board of Aldermen shall also designate the Privacy Officer for that Health Care Component and assign the responsibilities set forth in this Section Five.
D. Each Health Care Component Privacy Officer has the following responsibilities:
1. Develop written policies and procedures for the Health Care Component as required by the Privacy Rule and in consultation with the City Counselor;
2. Receive, process, and respond to requests for or regarding Protected Health Information received or used by the Health Care Component;
3. Serve as the Complaint Officer for the Health Care Component; and
4. Implement the Privacy Rule policies and procedures of the Health Care Component.
SECTION SIX. Security Officers.
A. The Fire Department's Administrative Deputy Fire Chief is hereby designated as the City Security Officer to implement and coordinate the City's compliance with the Security Rule.
B. Each Health Care Component shall have a designated Security Officer. The Fire Department's Administrative Deputy Fire Chief shall serve as the Security Officer for the Emergency Medical Services Division, and the Employee Benefits Group Insurance Supervisor of the Department of Personnel shall serve as the Security Officer for the City's group health plan(s). A Health Care Component Security Officer may appoint an employee of the Health Care Component to assist in the performance of the Security Officer's responsibilities set forth herein.
C. Upon recommendation of the City Counselor, the Board of Aldermen, may, by resolution, amend the designation of a Health Care Component Security Officer. Any amendment of the designation of the Health Care Component Security Officer shall be certified in writing by the Clerk of the Board of Aldermen and filed with the City Register within thirty (30) days of such amendment. For the designation of any additional City Health Care Component as provided for under Section Three hereof, the Board of Aldermen shall also designate the City official who shall serve as the Security Officer for that Health Care Component and assign the responsibilities set forth in this Section Six.
D. Each Health Care Component Security Officer has the following responsibilities:
1. Develop written policies and procedures for the Health Care Component as required by the Security Rule and in consultation with the City Counselor; and
2. Implement the Security Rule policies and procedures of the Health Care Component.
SECTION SEVEN. City Business Associate Components.
A. Any City department, office, agency, or division or section thereof that receives Protected Health Information from a Health Care Component in providing services or performing activities and functions that would be in the capacity of a Business Associate if such City department, office, agency, or division or section thereof were a separate and distinct legal entity, is hereby designated a Business Associate Component of the City's Hybrid Entity.
B. Pursuant to 45 C.F.R. § 164.504(e), each Business Associate Component shall meet the following requirements of the Privacy Rule:
1. Establish permitted uses and disclosures of Protected Health Information received by each Business Associate Component in compliance with the Privacy Rule;
2. Use and apply appropriate safeguards to prevent any use or disclosure of Protected Health Information not permitted by the Health Care Component under the Privacy Rule;
3. Report to the Health Care Component and the City Privacy Officer any use or disclosure of the Protected Health Information of which it becomes aware that is not permitted by the Health Care Component under the Privacy Rule;
4. Ensure that any party to whom the Business Associate Component provides Protected Health Information received from, or created or received by the Business Associate Component on behalf of the Health Care Component, agrees to the same restrictions and conditions that apply to the Business Associate Component with respect to the Protected Health Information;
5. Make available Protected Health Information in accordance with 45 C.F.R. § 164.524;
6. Make available Protected Health Information for amendment and incorporate any amendments to Protected Health Information in accordance with 45 C.F.R. § 164.526;
7. Make available the information required to provide an accounting of disclosure in accordance with 45 C.F.R. § 164.528;
8. Make its internal practices, books and records relating to the use and disclosure of Protected Health Information received from, or created or received by the Business Associate Component on behalf of the Health Care Component available to the United States Secretary of Health and Human Services for purposes of determining compliance with the Privacy Rule; and
9. Upon completion of the services to or activities on behalf of the Health Care Component, return or destroy all Protected Health Information received from, or created or received by the Business Associate Component on behalf of, the Health Care Component that is maintained in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the privacy protections established and as required by the Privacy Rule and limit further uses and disclosure to those purposes that make the return or destruction of the Protected Health Information infeasible.
C. Pursuant to 45 C.F.R. § 164.314(a), each Business Associate Component shall meet the following requirements of the Security Rule:
1. Implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic Protected Health Information that it creates, receives, maintains, or transmits on behalf of the Health Care Component as required by the Security Rule;
2. Ensure that any party to whom the Business Associate Component provides Electronic Protected Health Information received from, or created or received by the Business Associate Component on behalf of the Health Care Component agrees to implement reasonable and appropriate safeguards to protect it; and
3. Report to the Health Care Component any security incident of which it becomes aware.
D. The Comptroller's Office Internal Audit Section, the City Counselor's Office, and the Information Technology Services Agency are each hereby designated a City Business Associate Component to the extent that each provides services to or performs activities on behalf of a Health Care Component that would be in the capacity of a Business Associate as defined under 45 C.F.R. § 160.103 of the Privacy Rule if such City components were separate and distinct legal entities.
D. Upon recommendation of the City Counselor, the Board of Aldermen may, by resolution, amend the designation of City departments, agencies, offices, or divisions or sections thereof as City Business Associate Components by adding or removing a City department, agency, office, or division or section to or from such designation. Such amendment of the City's designation of its Business Associate Components shall be certified in writing by the Board of Aldermen and filed with the City Register within thirty (30) days of such amendment.
SECTION EIGHT. Contract Authorization.
Each Health Care Component Privacy Officer, upon recommendation of the City Counselor, is hereby authorized to enter into Business Associate Agreements necessary to comply with the Privacy Rule and the Security Rule and, upon recommendation of the City Counselor and approval of the Board of Estimate and Apportionment, to enter into all other agreements required by the Privacy Rule and the Security Rule, including but not limited to trading partner agreements and confidentiality agreements.
SECTION NINE. Severability. If any section, subsection, sentence, clause, phrase or portion of this ordinance is held to be invalid or unconstitutional, or unlawful for any reason, by any court of competent jurisdiction, such portion shall be deemed and is hereby declared to be a separate, distinct and independent provision of this ordinance, and such holding or holdings shall not affect the validity of the remaining portions of this ordinance.
| 1ST READING | REF TO COMM | COMMITTEE | COMM SUB | COMM AMEND |
|---|---|---|---|---|
| 06/27/08 | | | | |
| 2ND READING | FLOOR AMEND | FLOOR SUB | PERFECTN | PASSAGE |
| ORDINANCE | VETOED | VETO OVR | SIGNED BY MAYOR | |
| 68109 | | | | |