MISCELLANEOUS RESOLUTION #17318 November 9, 2017
BY: Commissioner Thomas Middleton, Chairperson, Finance Committee
IN RE: RISK MANAGEMENT AND INFORMATION TECHNOLOGY — POLICY FOR THE HEALTH
INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) AS AMENDED BY THE
HITECH ACT OF THE AMERICAN RECOVERY AND REINVESTMENT ACT OF 2009 AND HIPAA
COMPLIANCE PROJECT
To the Oakland County Board of Commissioners
Chairperson, Ladies and Gentlemen:
WHEREAS Oakland County (County) and the Oakland County Board of Commissioners are committed to
compliance with all applicable laws and regulations relating to data privacy and security; and
WHEREAS in 1996 Congress adopted the Health Insurance and Portability and Accountability Act (Pub.
L, 104-191) (HIPAA) in order to improve the efficiency of the nation's health care system and protect the
security and confidentiality of health information; and
WHEREAS the Health Insurance and Portability and Accountability Act was amended by the Health
Information Technology for Economic and Clinical Health Act (HITECH) Act of the American Recovery
and Reinvestment Act of 2009; and
WHEREAS the County has been designated a Hybrid Covered Entity pursuant to Sections 164.103 and
164.105 of the HIPAA Security Regulations; and
WHEREAS the County as a Hybrid Covered Entity is responsible for adhering to the requirements of the
privacy and security rules of HIPAA as amended; and
WHEREAS there are costs associated for HIPAA compliance including Information Technology
development costs, software implementations/updates and licensing, employee training, installation of
card readers, and periodic HIPAA audit requirements; and
WHEREAS the HIPAA Compliance Project is estimated at $1,135,745 with the breakdown of cost noted
in the attached schedule; and
WHEREAS an appropriation of $1,113,861 is required for the HIPAA Compliance Project and the
remaining $21,884 in identified costs will be absorbed within existing departmental budgets; and
WHEREAS the project is estimated to be complete in FY 2019; and
WHEREAS the costs of the project will be tracked under the Major Departmental Support Projects Funds
with a separate fund and project number; and
WHEREAS the Major Departmental Support Project Funds are typically used to account for projects with
an estimated cost of over $5.0 million that are funded by current available resources rather than bond
issues; and
WHEREAS an exception is requested to use the Major Departmental Support Project Funds to track the
HIPAA Compliance Project given the size, range of departments impacted, and multi-year implementation
timeframe; and
WHEREAS funding in the amount of $1,113,861 for the HIPAA Compliance Project is available from the
General Fund Unfunded Mandates Assigned Fund Balance (G/L Account #383515); and
WHEREAS on-going IT support and maintenance labor after implementation will be covered by the IT
Development quarterly billing; and
WHEREAS the requirement of biannual HIPAA compliance audit services will be bid out in accordance
with Oakland County's Purchasing Policies and Procedures with the initial audit services incorporated into
the HIPAA Compliance Project and on-going audit services costs to be incorporated into future operating
budgets; and
WHEREAS the Information Technology and Risk Management Departments have developed the
attached Oakland County Health Insurance and Portability and Accountability Act Privacy & Security
Policies document to comply with the requirements of HIPAA and HITECH; and
WHEREAS the Departments have also drafted internal procedures to effectuate the proposed Policy.
NOW THEREFORE BE IT RESOLVED the Oakland County Board of Commissioners hereby approves
the HIPAA Policy document.
BE IT FURTHER RESOLVED that the Board of Commissioners authorizes the appropriation and transfer
of $1,113,861 for the HIPAA Compliance Project.
BE IT FURTHER RESOLVED the $1,113,861 for the HIPAA Compliance Project will be funded by the
General Fund Unfunded Mandates Assigned Fund Balance (G/L Account #383515).
FINANCE COMMITTEE VOTE:
Motion carried on a roll call vote with Taub voting no.
BE IT FURTHER RESOLVED that the HIPAA Compliance Project will be tracked under the Major
Departmental Support Project Fund 42085 Project #100000002681.
BE IT FURTHER RESOLVED that the FY 2018 Budget is amended as follows:
GENERAL FUND (#10100) (GL #383515)                                        FY 2018
Revenue
  9010101-196030-665882        Planned Use of Balance                  $1,113,861
  Total Revenues                                                       $1,113,861
Expenditures
  9010101-152130-788001-42085  Transfer Out — HIPAA Compliance Proj    $1,113,861
  Total Expenditures                                                   $1,113,861

HIPAA Compliance Project (#42085)
Proj Business Unit MAJOR, Project #100000002681, Activity A
Revenue
  9016001-152130-695500-10100  Transfer In - General Fund              $1,113,861
  Total Revenue                                                        $1,113,861
Expenditures
  9016001-152130-731773        Software Purchase                         $246,125
  9016001-152130-750170        Expendable Equipment                         9,575
  9016001-152130-773630        IT Development                             811,293
  9016001-152130-731458        Professional Services                       40,000
  1010210-182090-712020        Overtime                                     6,868
  Total Expenditures                                                   $1,113,861
Chairperson, on behalf of the Finance Committee, I move the adoption of the foregoing resolution.
Commissioner Thomas Middleton, District #4
Chairperson, Finance Committee
HIPAA Compliance Project Cost Estimates (Updated 10/02/17)

Area               | Items                                                        | HIPAA Compliance Project Fund | Existing Budget Dept Resources | Comments
-------------------|--------------------------------------------------------------|-------------------------------|--------------------------------|---------------------------------------------------------------------------
IT                 | 5,519 IT hours needed next phase                             | $811,293.00                   |                                | Proj mgmt, governance, Health, Children's Village, HR, Sheriff, IT, with contingency
Human Resources    | Staff time - County wide all employees required to take computer based training for Basic HIPAA and some will need to take Advanced HIPAA computer based training | | |
Human Resources    | Training - Basic and Advanced Computer Based Training        |                               | $8,668.00                      | annual training cost to be covered by Fringe Benefit In-Services Training budget
Health             | Myinsight software and implementation                        | $229,000.00                   |                                |
Health             | User Support Specialists hours                               |                               | $12,334.00                     | OT for Health dept resources
Health             | Absorbed additional manhours                                 | $ -                           |                                |
Children's Village | Additional License fees                                      | $15,000.00                    |                                |
Children's Village | Electronic Assessment Tool                                   | $2,125.00                     |                                |
Purchasing         | 6 hours of IT support                                        |                               | $882.00                        | existing IT Master Plan enhancement budget
Purchasing         | Additional Purchasing staff hours                            | $6,868.00                     |                                | Overtime required to complete manual review of all contracts
Purchasing         | Contract Administrator training                              |                               |                                | Purchasing to incorporate HIPAA requirements into contract administrator training
FM&O               | Install four card readers in Health                          | $9,575.00                     |                                |
FM&O               | Add locks to existing file cabinets in Health                |                               |                                | Maint Dept Charges for file cabinet locks as needed
Corp Counsel       | Extra Manhours - absorbed                                    | $ -                           |                                |
Risk Management    | County wide audit (year 2; $7500 to $40,000 estimate)        | $40,000.00                    |                                | HIPAA audit compliance services to be bid out
Risk Management    | Extra Manhours - absorbed                                    | $ -                           |                                |
Total              |                                                              | $1,113,861.00                 | $21,884.00                     |
Oakland County
Health Insurance Portability and Accountability Act
Privacy & Security Policies
Effective Date
Approval Date
PART I: HIPAA PRIVACY
Introduction to Oakland County, Michigan HIPAA Privacy Policies
Privacy regulations under HIPAA—the Health Insurance Portability and Accountability Act of 1996—
require Oakland County, Michigan (the "County") to protect the privacy of individually identifiable
health information of participants in the County's health plans and patients in the County's capacity as a
health care provider. This information is known as protected health information, or "PHI" for short.
These policies and procedures reflect the County's compliance with the HIPAA privacy regulations
("Privacy Rules"). The County is a hybrid entity, and these policies and procedures apply only to
Protected Health Information that the County has in connection with the County's self-insured health
plans and those health care components that are subject to HIPAA. References to the "County" are
intended to refer to just those components that are subject to HIPAA.
The County's policy is to strive for compliance with the Privacy Rules. All members of the County's
workforce who use or have access to PHI must comply with the policies and procedures set forth herein
("Policies and Procedures"). Failure to comply shall result in discipline up to and including employment
or contract termination in accordance with the County's normal disciplinary practices. For purposes of
these Policies and Procedures, the County's workforce includes employees, contractors, vendors,
volunteers, trainees, and other persons whose work performance is under the direct control of the
County, whether or not they are paid by the County. These policies shall be reviewed on a periodic
basis, upon state/federal regulation updates, or upon significant changes in the County's operating,
technological, and legal environment.
The County does not intend to create any third-party rights (including rights of Health Plan and
beneficiaries, patients, or outside service providers) by adopting these Policies and Procedures. The
County may amend or change these Policies and Procedures at any time, even retroactively, without
notice. The County intends that these Policies and Procedures implement HIPAA's Privacy Rules and
shall interpret them consistent with the regulations promulgated under HIPAA. To the extent that these
Policies and Procedures establish requirements and obligations beyond those required by HIPAA, they
are aspirational and not binding upon the County. These Policies and Procedures do not address
requirements under other federal, state, or local laws.
Oakland County HIPAA Policy Page 2 of 11 Revised 8/22/2017
I. Important Definitions and Concepts Used in These Policies.
These Policies and Procedures use important terms and concepts in describing the County's obligations
under the Privacy Rules. All definitions in the Privacy Rules are hereby incorporated by reference into
these Policies and Procedures. If a term is not defined in the Privacy Rules, the term shall have its
generally accepted meaning. Key terms and concepts from the Privacy Rules may be found on the US
Department of Health & Human Services website (hhs.gov) under the Glossary of Key Enterprise Terms.
The County's Responsibilities as a Covered Entity
Privacy Officer and Contact Person [1]
At all times Oakland County shall have one individual identified and assigned to be the Privacy officer.
The County shall develop the responsibilities and procedures regarding that individual in the Privacy
Officer Procedure.
Workforce Training [2]
All members of the County's workforce who need access to PHI shall receive training on these HIPAA
policies and procedures as necessary and appropriate for them to carry out their functions. Newly-hired
employees shall be trained before they are given access to PHI, or as soon as possible thereafter.
Existing workforce members shall periodically receive reminder training to reinforce their
responsibilities under these Policies and Procedures. At a minimum, such training shall occur on an
annual basis. All training shall be documented as set forth in the Documentation and Record Retention
Requirements Procedure.
Safeguards [3]
The Privacy Rules require the County to have in place appropriate administrative, technical, and physical
safeguards to protect the privacy of PHI. The County's policy is to maintain appropriate safeguards as
required by the Privacy Rules. The County shall develop procedures for these safeguards as described in
the Safeguards Procedure.
Complaints [4]
The Privacy Rules require the County to implement a process by which individuals may file complaints
about privacy violations. The County's policy is that anyone who believes that the Policies and
Procedures or the Privacy Rules have been violated at the County may complain to the Privacy Officer. If
the complaint is verbal, the person receiving the complaint shall document the details of the complaint.
The County shall develop complaint procedures, which can be found in the Complaint Procedure.
[1] 45 CFR 164.530(a).
[2] 45 CFR 164.530(b).
[3] 45 CFR 164.530(c).
[4] 45 CFR 164.530(d).
Discipline [5]
County employees who violate these policies and procedures are subject to discipline pursuant to
the Oakland County Merit Rules.
Crime Victims
The County shall not discipline an employee who is a crime victim and discloses PHI to a law
enforcement official, so long as the PHI concerns the suspected perpetrator of the criminal act and the
PHI is limited as required by the Privacy Rules (see 45 CFR § 164.502(j)).
Mitigation [6]
The County shall mitigate, to the extent practicable, any harmful effect that is known to the County of a
use or disclosure of protected health information in violation of its policies and procedures or the
requirements of HIPAA by the County or its business associate.
No Intimidating or Retaliatory Acts [7]
Consistent with the Privacy Rules, the County shall not intimidate, threaten, coerce, discriminate
against, or take other retaliatory action against individuals for exercising their privacy rights, filing a
complaint, participating in an investigation, or opposing any improper practice under the Privacy Rules.
No Waiver of Rights [8]
Individuals will not be required to waive their rights under the Privacy Rules as a condition of enrollment
in the Health Plan, eligibility for benefits, treatment or payment.
Limited Exception for the Health Plan's Eligibility or Enrollment Determinations. The County may
condition enrollment in the Health Plan or eligibility for benefits on provision of an authorization
requested by the Health Plan prior to an individual's enrollment in the Health Plan if (1) the
authorization is sought for the Health Plan's eligibility or enrollment determination relating to the
individual or for its underwriting or risk rating determinations; and (2) the authorization is not for a use
or disclosure of psychotherapy notes.
Notice of Privacy Practices [9]
The County shall provide its patients and participants in the Health Plan with a notice describing (1) how
the County may use and disclose their PHI; (2) individuals' rights under the Privacy Rules; and (3) the
County's legal duties with respect to PHI. The County shall develop a procedure for notice of privacy
practices as described in the Notice Procedure.
[5] 45 CFR 164.530(e).
[6] 45 CFR 164.530(f).
[7] 45 CFR 164.530(g).
[8] 45 CFR 164.530(h).
[9] 45 CFR 164.520.
Uses and Disclosures of PHI
Who Must Comply with These Policies [10]
All members of the County's workforce who handle PHI must comply with these Policies and Procedures.
Limitations on Access to PHI [11]
It is the County's policy to limit access to PHI to employees with certain job functions ("Authorized
Employees"). The County shall develop a procedure to comply with this policy; see Limitations on Access
Procedure.
Policy on Minimum Necessary Standard [12]
The Privacy Rules require that, for most purposes, the County limit its uses and disclosures to the
minimum necessary to accomplish the purpose of the use or disclosure. The County's policy is to limit
the uses and disclosures to the minimum necessary, unless an exception applies. The County shall
develop a procedure for the minimum necessary standard; see Minimum Necessary Standard
Procedure.
These policies and procedures are for the County's internal uses and disclosures. Uses and disclosures
by third-party administrators and/or service providers are governed by that party's business associate
agreement with the County.
Permitted Uses and Disclosures of PHI for Payment, Treatment and Health Care Operations [13]
The County may use and disclose an individual's PHI to provide treatment and to perform the County's
own payment activities and health care or Health Plan operations, including but not limited to the
activities described in the Permitted Use and Disclosures Payment Procedure.
Mandatory Disclosures of PHI
The Privacy Rules require the County to disclose an individual's PHI when requested by the individual or,
under certain circumstances, by HHS. The County's policy is to cooperate with these requests and to
disclose the PHI in accordance with the Privacy Rules.
Requests from the Individual. [14] An individual (or the individual's personal representative) may request a
disclosure of his or her own PHI. The County shall respond to such requests by following the procedures
under the Individual Request Procedure.
[10] 45 CFR 160.101; 45 CFR 162.100; 45 CFR 164.104; 45 CFR 164.302; 45 CFR 164.400; and 45 CFR 164.500.
[11] 45 CFR 164.502(a).
[12] 45 CFR 164.502(b).
[13] 45 CFR 164.506.
[14] 45 CFR 164.524.
Request from HHS. If the County receives a request from an HHS official for disclosure of PHI, the County
shall verify the identity and authority of the HHS official using the procedures set forth in the section
entitled Verification. The County shall document the disclosure as required under the Documentation
and Record Retention Requirements Procedure.
Permitted Uses and Disclosures of PHI [15]
From time to time, the County may receive requests from courts, parties to litigation, law enforcement
officials, public health authorities, or various other government agencies or officials to use or disclose an
individual's PHI. The County shall develop a procedure consistent with guidelines set forth in the Privacy
Rules; see Permitted Uses and Disclosures Procedure.
Use of PHI for Marketing [16]
The County's general policy is not to use PHI for marketing activities. Any use of PHI for marketing
would require approval by the HIPAA Privacy Officer. Before any such marketing use could occur, the
County would first have to obtain authorization from each individual whose information was to be sold.
A detailed description of the County's procedure with regard to marketing can be found in the Use of
PHI for Marketing Procedure.
Sale of PHI
The County's policy states it will not sell PHI.
Uses and Disclosures of PHI with an Individual's Authorization [17]
The Privacy Rules provide that, unless expressly authorized by the individual who is the subject of the PHI
(or the individual's personal representative), any use or disclosure of that individual's PHI is prohibited
unless it falls within one of the categories for which disclosure is permitted or required or the individual
has been deceased for at least fifty years. An individual may, however, expressly authorize a use or
disclosure of PHI for any purpose.
The County shall develop procedures for the use or disclosure of PHI pursuant to an authorization; see
Individual's Authorization Procedure.
Uses and Disclosures of PHI by Business Associates [18]
Business Associate Agreements. The County may share PHI with outside service providers. The outside
service providers must contractually obligate themselves to protect the PHI. The Privacy Rules call these
third parties that provide services to or on behalf of the County "business associates." The County shall
maintain a copy of each business associate agreement that it has entered into according to the
[15] 45 CFR 164.512.
[16] 45 CFR 164.508(a)(3).
[17] 45 CFR 164.508.
[18] 45 CFR 164.504(e).
Documentation and Record Retention Requirements Procedure. The County shall develop a procedure
regarding Business Associates; see Business Associate Procedure.
Requests for Disclosure of PHI from Spouses, Family Members, and Friends
Generally, the County shall not disclose an individual's PHI to another person (except to service
providers and authorized County employees involved in the administration of the plan). The County,
however, may disclose an individual's PHI to another person if authorized by the individual or in
emergency situations if the Privacy Officer concludes that the disclosure is in the individual's best
interest.
Disclosures Subject to Authorizations. The County may provide individuals an authorization form that can be
used to designate family members or others who are permitted to access the individual's Health Plan or
medical record. The individual can, at any time, revoke his or her designation or authorize additional
persons to whom the individual's PHI should be disclosed. These authorization forms and any
subsequent revocations shall be kept with the Health Plan records or medical records, as applicable.
Information About Deceased Individuals. If the County receives a request for information from a family
member, other relative, or close personal friend of the individual who was involved in the individual's
care or payment for health care prior to the individual's death, the County, at its discretion, may disclose
the information relevant to that person's involvement, unless doing so is inconsistent with any prior
expressed preference of the individual that is known to the County.
Verification. If the County receives a request for a disclosure from a person claiming to have
authorization to access an individual's Health Plan record or medical record, the County shall check the
applicable Health Plan or medical records to determine if the individual has signed an authorization
giving this person access to the individual's PHI. If the person is not authorized to receive the PHI, the
County may not make the disclosure, except that either parent of a minor child may access the minor
child's records without an authorization unless the Health Plan has received a copy of a court order
prohibiting such access. The County employee receiving the request should verify the validity of the
authorization using the procedures under "Uses and Disclosures of PHI with an Individual's
Authorization" (see Section III.K., beginning at page[).
Emergency Disclosure of Information. If the County receives a request for information from a person
who has not been identified in an authorization form to receive an individual's PHI (and is not otherwise
authorized to receive the PHI for purposes of administering the Health Plan or providing health care),
the County shall normally deny the request. In an emergency situation, the Privacy Officer may permit
disclosure to a family member or close friend who is involved in the individual's care or payment for the
individual's care, if (1) the individual is aware that such disclosure may be made, has had an opportunity
to object to the disclosure and does not object; or (2) the County is unable to notify the individual about
the proposed disclosure and the Privacy Officer determines that the disclosure is in the individual's best
interest.
Uses and Disclosures of De-Identified Information
Under the Privacy Rules, health information from which all individual identifiers have been removed is
called de-identified information, and can be used and disclosed without an individual's authorization;
see Definition Procedure.
The County shall use and disclose de-identified information only if the Privacy Officer has verified that
the information is in fact de-identified. De-identified information is not PHI, so once the information has
been approved as de-identified information, the County may freely use and disclose the de-identified
information.
Verifying the Identity of Those Requesting PHI [19]
The Privacy Rules require that the County verify the identity and authority of persons or entities
exercising their individual rights or otherwise seeking access to PHI (if the identity or authority is not
known). County employees shall use reasonable verification steps, such as those outlined in the
Verification Procedure. If a County employee is unable to verify identity, the County employee shall
discuss the request for PHI with the Privacy Officer.
Documentation and Record Retention Requirements
The Privacy Rules require the County to maintain documentation of its compliance with the Privacy
Rules. The County shall maintain records pursuant to the Documentation and Record Retention
Requirements Procedure.
Mitigation of Inadvertent Disclosures of PHI
The Privacy Rules require that the County minimize as much as possible any harmful effects resulting
from an unauthorized use or disclosure of PHI that comes to the County's attention.
When an employee of the County becomes aware of a use or disclosure of PHI that is not in compliance
with these Policies and Procedures, the employee must immediately notify the Privacy Officer of the
unauthorized use or disclosure. The Privacy Officer shall:
• Determine if there are steps that should be taken immediately to prevent any further
potential harm to individuals whose PHI is involved in the unauthorized use, and take
reasonable and appropriate action to prevent further potential harm. The Privacy
Officer may consult as necessary with the County management and legal counsel.
• Document the known details of the unauthorized use or disclosure for purposes of
responding to a request for an accounting of disclosures.
• Follow any other instructions given by the Privacy Officer to minimize any harm
resulting from the use or disclosure.
o If appropriate, follow the Breach Notification Policy contained in the County's
Security Policies and Procedures.
[19] 45 CFR 164.514(h).
o Evaluate current policies and procedures to determine whether modifications
are appropriate.
IV. Policy for Complying with Individual Rights
The Privacy Rules give to individuals certain rights concerning their PHI that the County (or its business
associates) maintains in a Health Plan or medical record in connection with the Health Plan or the
provision of health care. Individuals have the right to (1) inspect and copy their PHI, (2) request
correction of their PHI, (3) receive an accounting of certain uses and disclosures of their PHI, (4) request
confidential communication of their PHI, and (5) request additional protection for their PHI.
Protected Health Information about individuals covered by the County Health Plan is found in Health
Plan or medical records maintained by the County and in records maintained by insurers and third-party
administrators or other business associates involved in the administration of the Health Plan. The
County shall respond to individual requests relating to records that it maintains. An individual seeking to
exercise his or her individual rights with respect to records held by the Health Plan's insurers or business
associates shall be directed to submit his or her request directly to the insurer or business associate with
the relevant records. If an individual reports that an insurer or third-party administrator has not
properly handled the request, the Privacy Officer shall investigate the report under the Complaint
procedures (see Complaint Procedure).
The County shall develop a procedure for complying with the policy for individual rights; see Individual
Rights Procedure.
PART II: HIPAA SECURITY
Introduction to Oakland County, Michigan HIPAA Security Policies and Procedures
The information security policy describes how Oakland County, Michigan ("the County") protects
electronic PHI ("ePHI") on its electronic information systems. Specifically, this policy and related
procedures address the steps that the County uses to keep the ePHI available on a timely basis, to
protect the integrity of the data, and to limit access to those who have a need to use the information.
The policies and procedures were developed considering security practices described in the HIPAA
security regulations ("Security Rules"). They are meant to coordinate with other County policies and
departments designed to protect the confidentiality of ePHI. The policy and procedures apply to all members of the
County's workforce with access to ePHI, which includes employees, contractors, vendors, agents, and
other persons who access County resources. This policy shall be reviewed on a periodic basis. It shall be
revised based on state/federal regulation updates, or significant changes in the County's operating,
technological, and legal environment.
No set of policies and procedures can ensure that information is always available, that determined
individuals will not gain inappropriate access to ePHI, or that individuals will never make mistakes. To
reduce the likelihood that security incidents will occur, HIPAA requires that the County conduct a
thorough and accurate assessment to identify risks to the operating and technical environment. It will
focus on risks perceived as most likely to occur and having the most significant adverse impact. Many
risks will be accepted, either because of their impact and likelihood of occurrence or because the County
has not found a reasonable way to reduce the risk.
The County does not intend to create any third-party rights by adopting these policies and procedures.
Nor are these policies intended to create any expectation of privacy on behalf of any of the County's
workforce members with respect to information that they create, transmit and/or store using resources
owned or controlled by the County. The County may amend or change these policies and procedures at
any time, even retroactively, without notice. They are designed to allow flexibility in approach to
safeguarding ePHI, and shall be interpreted consistent with HIPAA and other laws that may apply. To
the extent that the policies and procedures exceed what may be legally required, they are aspirational
and not binding upon the County.
IT Information Regulatory Compliance Program [20]
The HIPAA Security Rule requires that Oakland County implement and monitor an information
management program to secure ePHI stored in its systems. The County shall ensure
confidentiality, integrity, and availability of ePHI.
To execute the program under HIPAA, the County shall designate a HIPAA Security Officer. The IT
compliance function will manage, monitor, and implement requirements of the HIPAA Technology
Compliance Program along with other Information Technology, Information Security, and respective
business unit leadership. The following will comprise the Security Rule procedures.
• Information Access Management [21]
o Workforce Clearance
o Information Authorization and Authentication
• Access Authorization and Management [22]
o Authorization and/or Supervision
o Tracking and Logging
o Workforce Termination
o Emergency Access
o Periodic Access Review
o Authentication/Password Management
• Information Protection [23]
o Workstation Security
o System Integrity
• IT Security Management [24]
o IT Document Management
o Assigned Security Responsibility
o Audit of Security Process
o Risk Management
o Information Incident Handling
o Security Training and Awareness
• Facility Access [25]
References:
NIST 800-37, Rev 1: Applying the Risk Management Framework
NIST 800-53, Rev 4: Security and Privacy Controls for Federal Information Systems and Organizations
HIPAA Security Rule
[20] 45 CFR 164.306.
[21] 45 CFR 164.312(a).
[22] 45 CFR 164.312(d).
[23] 45 CFR 164.310(b), (c) and (d).
[24] 45 CFR 164.308.
[25] 45 CFR 164.310.
Resolution #17318 November 9, 2017
Moved by Middleton supported by Weipert the resolution be adopted.
AYES: Dwyer, Fleming, Gershenson, Gingell, Hoffman, Jackson, Kochenderfer, Kowall, Long,
McGillivray, Middleton, Quarles, Spisz, Taub, Tietz, Weipert, Woodward, Zack, Berman,
Bowman, Crawford. (21)
NAYS: None. (0)
A sufficient majority having voted in favor, the resolution was adopted.
I HEREIN APPROVE THIS RESOLUTION
CHIEF DEPUTY COUNTY EXECUTIVE
ACTING PURSUANT TO MCL 45.559A (7)
STATE OF MICHIGAN)
COUNTY OF OAKLAND)
I, Lisa Brown, Clerk of the County of Oakland, do hereby certify that the foregoing resolution is a true and
accurate copy of a resolution adopted by the Oakland County Board of Commissioners on November 9,
2017, with the original record thereof now remaining in my office.
In Testimony Whereof, I have hereunto set my hand and affixed the seal of the County of Oakland at
Pontiac, Michigan this 9th day of November, 2017.