Staff must account for all disclosures of PHI made by CD in the six years prior to the date on which the accounting is requested by the client, effective April 14, 2003. However, no tracking or accounting is required in the following exceptions:
- Disclosures made to carry out treatment, payment, and healthcare operations that are not required by law. This would include protected health information disclosures made to the members of the multi-disciplinary treatment team and Family Support Team (i.e., school personnel, counselors, day-care staff, para-professionals, etc.) who are responsible for decision making and carrying out treatment in regard to a child who is in our custody unless that disclosure is required by law. Note that in general all disclosures about protected health information made to the juvenile court, Guardian-ad-Litem, CASA, law enforcement, prosecutors and courts are broadly required by law and, accordingly, do have to be tracked—see section below on when and how to use the PHI Disclosure Tracking Log;
- Disclosures made to the individual client about their own PHI;
- Disclosures made with an authorization from the individual;
- For national security or intelligence purposes;
- To correctional institutions;
- As part of a limited data set;
- Disclosures made for DSS operating purposes (i.e., staff are working with the MO HealthNet Division (MHD) to coordinate MO HealthNet eligibility);
- Incidental to a use or disclosure otherwise permitted or required;
- That occurred prior to the compliance date of April 14, 2003; and
- Disclosures of protected health information made to foster parents, who are considered extensions of staff;
Use the PHI Disclosure Tracking Log form to record all disclosures unless exempted above. The employee releasing the information must immediately update this form upon the disclosure. File the PHI Disclosure Tracking Log in the front of the client case record. The log must be maintained for at least six years from the date of the most recent disclosure. Disclosures that must be accounted for on the log include:
- To public health authorities as required by law (i.e., birth, death, and required disease reporting);
- To avert a serious threat to health or safety of a person or the public
- To the Food and Drug Administration (i.e., adverse events, product defects, tracking product recalls, post marketing surveillance);
- To health oversight agencies for oversight activities authorized by law;
- To law enforcement officials as required by law or pursuant to a court order, or subpoena, or administrative request; for purposes of identifying or locating a suspect, fugitive, material witness, or missing person; or regarding a crime victim;
- Information about victims of abuse, neglect, or domestic violence disclosed to a government authority to the extent the disclosure is required by law; this would include reports of death made by staff to Child Fatality Review panel (RSMo 210.115);
- For some research purposes;
- To governmental functions (i.e., national security, military command authority, veteran’s information); and
- As otherwise required by law, including:
- Referrals for children exposed to substance abuse/Newborn Assessments to Department of Health where referral discloses Protected Health Information – RSMo 191.737;
- Reports of child abuse/neglect containing PHI disclosed to law enforcement which Division personnel determine merit an investigation, or, which if true, would constitute suspected violation of – RSMo 210.145 (3);
- Information regarding status of an investigation containing Protected Health Information provided to the public school district liaison – RSMo 210.145 (4);
- Disclosures (records/files/written reports and verbal reports) of records containing Protected Health Information for administrative review by the child abuse and neglect review board – RSMo 210.153;
- Records containing PHI assessed by grand, jury, juvenile officer, prosecuting attorney, law enforcement officer, juvenile court or other court conducting abuse or neglect or child protective proceedings and other federal state and local government entities, or any agent of such entity with a need for such information in order to carry out its responsibilities under law, multidisciplinary agency or physician or physician’s designee who is providing services, – RSMo 210.150 – (6);
- Written reports (CS-1) containing PHI about the status of a child required every six months disclosed to the juvenile court – RSMo 210.720;
- Disclosure of Protected Health Information by staff to GAL or CASA of all reports and to fully inform of all aspects (records/files/written and verbal reports) of the case of which staff have knowledge or belief – RSMo 210.160;
- Disclosure of Protected Health Information (records/files/written and verbal reports) to Child Fatality Review Panel to investigate deaths – RSMo 210.194;
- Disclosure of record (records/files/written and verbal reports) containing PHI to ICPC – RSMo 210.620;
- Reports (records/files/written and verbal reports) disclosed to the court containing PHI in permanency hearings- RSMo 210.720; and
- Disclosure (records/files/written or verbal reports) of information containing PHI pursuant to a subpoena or court order.
NOTE: Many exchanges of information whether made in writing or verbally while speaking with juvenile court staff, GAL’s, and law enforcement authorities will contain Protected Health Information. These disclosures of PHI do require logging and providing an accounting upon request by the parent or personal representative of a child, including a child who is in CD custody.
Individuals requesting information about disclosures as described above should complete the Request for an Accounting of Disclosures, MO 886-4061 to request an accounting. Upon receipt of this form, send a copy of the PHI Disclosure Tracking Log along with the request form to the CD Privacy Officer who will contact DSS Privacy Officer. If staff determines that providing copies of the disclosed information or other information may be helpful to the DSS Privacy Officer, include with the log sheet and any necessary summary. The DSS Privacy Officer will review all disclosure logs pertaining to the client held by any of the Divisions within DSS. Once review is completed, the DSS Privacy Officer will provide the accounting of disclosure to the client.
NOTE: Once the construction of the DSS PHI Disclosure Tracking database on the DSS Intranet is completed, all disclosures logged per instructions in above section must be entered into the data base within 5 days of the disclosure.
DSS must provide an accounting no later than 60 days after receipt of the Request for an Accounting of Disclosures form. The deadline can be expended up to 30 days. The first accounting is without charge to the individual in any 12-month period.
Chapter Memoranda History: (prior to 1/31/07)