Staff may use and disclose PHI without a completed Authorization for Disclosure of Health Information by DSS for the purposes of treatment, payment, and healthcare for an individual. In addition, the following list summarizes other instances in which an authorization to use or disclose PHI is not required from the individual.
NOTE: The program policy may, however, require a standard release of information from the client even in cases where HIPAA does not require a PHI authorization for disclosure.
- To a public health authority (i.e., sharing information with the Missouri Department of Health and Senior Services, which is conducting a public health surveillance, investigation, or intervention);
- To report child abuse/neglect situations, and other situations involving abuse, neglect or domestic violence (if disclosure is allowed by law);
- To the United States Food and Drug Administration under certain circumstances;
- To a health oversight agency that is authorized by law to conduct audits, investigations, inspections and other activities for oversight of health care systems, certain government programs, etc., (i.e., the United States Department of Heath and Human Services conducts periodic reviews and audits of the MO HealthNet program);
- To judicial or administrative proceedings under certain circumstances; (refer to Child Welfare Manual policies and procedures in regard to information shared with the juvenile courts);
- To law enforcement officials as required by law or pursuant to a court order, a court-ordered warrant, or a subpoena or summons issued by a judicial officer; a grand jury subpoena; or an administrative request, such as an administrative summons or a civil investigative demand; for purposes of identifying or locating a suspect, fugitive, material witness, or missing person; or regarding a crime victim;
- To avert a serious threat to health or safety;
- To certain governmental functions such as national security;
- To certain agencies that are government programs providing public benefits (i.e., CD sharing information with the Department of Health and Senior Services or the Department of Mental Health regarding for the intent of securing Community-Based Services treatment for an individual);
- As required by law (refer to Child Welfare Manual policy in regard to information sharing with juvenile courts, law enforcement and prosecutors as defined by statute and state law).
Other situations that do not require an Authorization for Disclosure
of Health Information by DSS
Use of PHI for treatment, payment or health care operations:
If staff are using PHI to arrange counseling, evaluation, medical exams or other treatment, payment or health care operations for adults or children, a HIPAA authorization for disclosure from the client is not required. (The provider may require an authorization for disclosure to release information back to staff). Examples of when authorizations for disclosures are not required include following situations:
- Releasing the minimum necessary PHI to a MO HealthNet provider to allow the provider to charge for provided services;
- Making a referral to a CTS provider for treatment;
- Making a referral to a doctor for a SAFE exam;
- Using PHI to determine eligibility for MO HealthNet;
- Obtaining medical reports to document domestic violence to establish good cause for not cooperating in child support collections for a Temporary Assistance; claimant.
Children in CD Custody:
- When children are in CD custody, staff have the same authority as parents do under HIPAA regulations with regard to disclosure of information.