16-41 - RTOWN OF PROSPER, TEXAS
RESOLUTION NO. 16-41
A RESOLUTION OF THE TOWN COUNCIL OF THE TOWN OF PROSPER,
TEXAS, DECLARING THE TOWN AS A HYBRID ENTITY; DESIGNATING THE
TOWN'S HEALTH CARE COMPONENTS; DESIGNATING A HIPAA PRIVACY
AND SECURITY OFFICER; AND PROVIDING AN EFFECTIVE DATE.
WHEREAS, the Town of Prosper, Texas (the "Town") is a home rule city acting under its
charter adopted by the electorate pursuant to Article XI, Section 5 of the Texas Constitution and
Chapter 9 of the Local Government Code;
WHEREAS, the Health Insurance Portability and Accountability Act of 1996 ("HIPAK),
and regulations promulgated thereunder, the Health Information Technology for Economic and
Clinical Health Act ("HITECH"), and regulations promulgated thereunder, require public and
private entities that provide certain health care services to comply with regulations related to the
collection, use, disclosure and security of individually identifiable health information;
WHEREAS, as a "covered entity" under HIPAA, the Town strives to protect the
confidentiality, integrity and availability of protected health information ("PHI") by taking
reasonable and appropriate steps to protect the security and privacy of PHI and comply with all
applicable laws and regulations relating to data privacy and security, including, without limitation,
HIPAA, HITECH, the Texas Medical Records Privacy Act and the Texas Identify Theft
Enforcement and Protection Act;
WHEREAS, because the Town is a single legal entity with business activities that include
both covered and non -covered functions, the Town may declare itself a Hybrid entity as defined
by 45 C.F.R. § 164.103 and in accordance with 45 C.F.R. § 164.105(a)(2)(iii)(C);
WHEREAS, the Town Council has determined that the Town can more effectively and
efficiently comply with HIPAA by declaring the Town as a "Hybrid entity" and formally designating
the Town's Health care components in accordance with 45 C.F.R. § 164.105(a)(2)(iii)(C);
WHEREAS, after an assessment of the Town's divisions, programs and departments for
applicability of HIPAA, the Fire Department and the Human Resources Department are
components of the Town that create, transmit, use or maintain health information and are
designated as Health Care Components;
WHEREAS, HIPAA regulations require the Town to designate an individual as the privacy
officer to be responsible for the development and implementation of required privacy policies and
procedures for the Town, and the Director of Human Resources has assumed those duties
relative to HIPAA compliance;
WHEREAS, the Town must designate an individual as the security officer under the
HIPAA regulations, and the Director of Human Resources has assumed those duties relative to
HIPAA security compliance; and
WHEREAS, as a Hybrid entity, the Town has ongoing responsibilities to establish and
maintain ongoing policies, procedures and business practices to maintain compliance with HIPAA
requirements.
NOW, THEREFORE, BE IT RESOLVED BY THE TOWN COUNCIL OF THE TOWN OF
PROSPER, TEXAS THAT:
SECTION 1
The Town Council of the Town of Prosper, Texas ("Town Council") hereby finds and
determines that the recitals made in the preamble of this Resolution are true and correct, and
incorporates such recitals herein.
SECTION 2
The Town Council hereby designates the Town as a "Hybrid entity." In accordance with 45
C.F.R. 164.1058(a)(2)(iii)(C), the following components are designated as "covered components"
of the Hybrid entity:
• The Prosper Fire Department;
• The billing section of the Fire Department to the extent it performs covered
functions;
• The Police Department, to the extent it performs covered functions;
• The Records Management Division of the Office of the Town Secretary to the
extent it performs covered functions;
• The Human Resources Department of the Town to the extent it performs covered
functions; and
• The Benefits and Wellness Committee.
SECTION 3
The Town Council affirms that all covered components are required to protect the security
and privacy of PHI and comply with all applicable laws and regulations relating to data privacy and
security, including, without limitation, HIPAA, HITECH, the Texas Medical Records Privacy Act
and the Texas Identify Theft Enforcement and Protection Act. To this end, the Town Council
directs and authorizes the Privacy Officer and all Heads of Departments, Officers and
Commissions of the Town that have been designated as "covered components" to take any and
all action necessary to implement this Resolution and ensure the following policy guidelines are
followed:
All employees, agents and volunteers are to comply with HIPAA, the Texas
Medical Records Privacy Act and those regulations that implement these
laws;
2. All employees, agents and volunteers are to comply with Town policies and
procedures implementing HIPAA and the Texas Medical Records Privacy
Act;
3. Access, use and disclosure of PHI is limited to authorized personnel;
4. All personnel are to be trained and updated on all new requirements on a
continuing basis;
Resolution No. 16-41 Page 2
5. All personnel are to immediately document and notify the Privacy and
Security Officer of any unauthorized disclosures;
6. All personnel are to take steps to mitigate any damages caused by
unauthorized disclosure;
7.. All personnel are to ensure that access to PHI is for only "permitted uses"
and is within the scope of the "authorizations," safeguard the confidentiality,
integrity and availability of PHI in accordance with the Security Regulations
promulgated pursuant to HIPAA;
8. All personnel are to ensure security of facilities and technological
operations;
9. Ensure that business associate agreements are executed with contractors
that perform duties involving PHI on behalf of the Town;
10. All personnel do not disclose protected health information to another
department of the Town if HIPAA would prohibit such disclosure;
11. All personnel protect electronic protected health information with respect to
another department of the Town to the same extent that it would be required
under HIPAA if the health care component and the other department were
separate and distinct legal entities; and
12. If a person performs duties for both the health care component in the
capacity of a member of the workforce of such component and for another
department of the Town in the same capacity with respect to that
department, such workforce member must not use or disclose protected
health information created or received in the course of or incident to the
member's work for the health care component in a way prohibited by HIPAA.
SECTION 4
The Town Council designates the Director of Human Resources as the Town's HIPAA
Privacy and Security Officer responsible for the development, implementation and oversight of
the Town's HIPAA privacy and security policies and procedures, and the Director of Human
Resources shall have authority to ensure that the designated "covered components" comply with
the HIPAA policy guidelines enumerated herein.
SECTION 5
The Town further directs and authorizes the HIPAA Privacy and Security Officer to work in
conjunction with the Town Attorney's office to approve changes in the designation of
departments, divisions, units and/or programs as health care components to maintain compliance
with HIPAA and the Texas Medical Records Privacy Act, to develop policies and procedures, and
outline other actions as necessary for the implementation of this Resolution and compliance with
HIPAA and the Texas Medical Record Privacy Act.
Resolution No. 16-41 Page 3
SECTION 6
This Resolution shall be effective immediately upon its adoption, and it is so Resolved.
DULY PASSED AND APPROVED BY THE TOWN COUNCIL OF THE TOWN OF
PROSPER, TEXAS, THIS 14TH DAY OF JUNE, 2016.
ATTEST:,
Robyn Battle i Secretary
APPROVEZ TO FORM AND LEGALITY:
Terrence S. Welch, Town
T Attorney
Ray Smith, iMayor
Resolution No. 16-41 Page 4