INFORMAL REPORT TO CITY COUNCIL MEMBERS No. 25-0068
To the Mayor and Members of the City Council
June 3, 2025
Page 1 of 2

SUBJECT: HIPAA POLICIES, NOTICE OF PRIVACY PRACTICES, BUSINESS ASSOCIATE AGREEMENTS, AND HIPAA HYBRID ENTITY DESIGNATION

PURPOSE:
The purpose of this informal report is to outline a proposal to the City Council of plans to adopt certain Health Insurance Portability and Accountability Act of 1996 (HIPAA) policies, a Notice of Privacy Practices, a Business Associate Agreement (BAA) template, and to designate the City of Fort Worth as a hybrid entity under HIPAA to ensure effective compliance with federal regulations governing protected health information (PHI).

OVERVIEW OF HIPAA:
HIPAA is a federal law that establishes standards to protect the privacy and security of individuals' PHI, such as identifiable health data created, received, or maintained by a covered entity. HIPAA mandates that covered entities implement policies to safeguard PHI, notify individuals of their privacy rights, and ensure secure handling of PHI by its business associates.

Due to the City's operation of an Emergency Medical Services (EMS) function, which provides healthcare services and handles PHI, the City of Fort Worth is a covered entity under HIPAA. As such, the City must comply with HIPAA's Privacy, Security, and Breach Notification Rules. Non-compliance risks significant penalties, legal liabilities, and damage to public trust.

PROPOSED ACTIONS AND REQUIREMENTS:
To ensure compliance with HIPAA, the City must take certain steps, including:

• Adopt HIPAA Policies: Implement comprehensive policies to govern the use, disclosure, and protection of PHI within the City's HIPAA covered functions and operations handling PHI. These policies will outline staff training, data security measures, and procedures for responding to PHI breaches. City legal has prepared a set of twenty-five different HIPAA Policies for approval by City management.
To date, the proposed HIPAA policies govern matters related to, among others, the following topics: patient requests for PHI; contracts with business associates; designated record sets; media interactions; breaches of unsecured PHI; employee access to e-PHI; disaster management and recovery of e-PHI; physical security of PHI and e-PHI; third party access; encryption; electronic communications; and workforce sanctions for violations of HIPAA Policies.

• Adopt a Notice of Privacy Practices (NPP): Approve a draft NPP, prepared by the Legal Department, to inform EMS patients of their PHI rights and the City's privacy practices. The NPP will be maintained on a public-facing City website, as required by HIPAA.

ISSUED BY THE CITY MANAGER FORT WORTH, TEXAS

• Adopt and Use a Business Associate Agreement (BAA): Approve a standardized BAA template, drafted by the Legal Department, for agreements with third-party vendors (e.g., billing or IT services) handling PHI on the City's behalf. The BAA ensures vendors comply with HIPAA requirements.

• Training: The HIPAA Privacy Rule and HIPAA Security Rule require the City to train certain relevant members of its workforce. Under the HIPAA Privacy Rule, the City must train all members of its workforce on policies and procedures as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity. This includes those who may be exposed to PHI although it is not a part of their regular job function. The HIPAA Security Rule requires the City to implement a security awareness and training program for all members of its workforce, including management.
Generally, the training must be provided to new hires and those affected by policy changes within a reasonable period of time.

Finally, to ensure the City's covered entity status is limited to covered functions of the City, it is necessary to designate the City as a HIPAA Hybrid Entity. As the City performs both covered and non-covered functions, designating the City as a hybrid entity under HIPAA limits compliance obligations to covered functions, streamlining efforts and training requirements across other departments.

The implementation of HIPAA policies, the NPP, and the BAA template will be managed by the Fire Department through the City's designated HIPAA Compliance Officer, in coordination with other relevant departments including ITS, HR, and Law. Staff training and compliance measures will be funded through the Fire Department and its EMS division's existing budget. No additional funding is required at this time.

NEXT STEPS:
The proposed actions—adoption of HIPAA policies, the Notice of Privacy Practices, and the hybrid entity designation—will be brought before the City Council for consideration on June 24, 2025. A detailed implementation plan and sample documents will be provided for review prior to the meeting.

If you have questions or concerns related to this report, please contact Assistant City Attorney, Taylor Paris, 817-392-6285.

Jesus "Jay" Chapa
City Manager