Overview of HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, resulted in the establishment of the HIPAA Privacy Rule in December of 2000. The HIPAA Privacy Rule is a federal rule designed to protect individuals’ medical records and other personal health information. This federal law provides further requirements and restrictions in addition to the confidentiality provisions set out in this chapter.
In the course of business, the Children’s Division (CD) receives, discloses and utilizes Protected Health Information of employees and clients for a variety of reasons. Employees should exercise care at all times to discuss confidential, sensitive, or personal health information in a manner or place where the discussion cannot be easily overheard. Measures should be taken to ensure that health information is not accessible to anyone other than the authorized personnel. CD staff will maintain privacy, confidentiality and integrity with regard to protected health information as required by state and federal laws, rules and regulations and professional ethics. Employees found to be in violation of this policy may be subject to disciplinary action up to and including dismissal as well as prosecution in a court of law.
Related Subject: Section 1 Chapter 3 Attachment A: Foster Parent Bill of Rights And Responsibilities.
Protected Health Information (PHI) refers to health information that is individually identifiable and created or received by a covered entity, such as Children’s Division. PHI is defined as any information relating to past, present or future physical or mental health of an individual; the provision of health care to the individual; or the payment for health care. Individually identifiable health information is health information that identifies or reasonably may be used to identify the individual. Health information that is created or received by the Children’s Division is protected under the regulation, including but not limited to the following:
- Name/Address
- Employer
- Names of Relatives
- DOB/SSN
- Telephone number
- DCN/MO HealthNet number
- Occupation
- Diagnosis
- Hospital/Physician/Psychologist/Therapist evaluations and/or records
- Authorizations/payments to a medical/mental health provider
- Child/family investigations, assessments, service plans
- Child/family contact and progress notes and/or summaries
Major Provisions of HIPAA:
- Define a “minimum necessary” standard;
- Distinguish between “authorization to disclose” and “accounting for disclosure”;
- Give the individual an opportunity to agree or object to use and disclosure of PHI;
- Require the use of a privacy notice;
- Allow individuals to access PHI;
- Permit individuals to request an amendment of PHI;
- Allow persons to request an accounting of certain disclosures of PHI;
- Establish who has access to PHI;
- Create civil and criminal penalties for violating the HIPAA standards;
- Require workforce members to be trained on and to acknowledge the HIPAA provisions;
- Verify the identity and authority of persons requesting a client’s PHI;
- Allow recipients to request restrictions on the use and disclosure of PHI; and
- Mandate that organizations have a privacy officer.
Key Terms Regarding HIPAA
- “Covered Entity” – a Health Plan (Insurance Company and HMOs), a Healthcare Clearinghouse, or a Healthcare Provider that transmits any health information electronically. The Department of Social Services (DSS) administers the MO HealthNet Program, which is considered a Health Plan. Consequently, DSS is a “covered entity” and has chosen to designate itself as a “single covered entity”. Therefore, all programs and each Division within DSS are subject to and must comply with HIPAA requirements and privacy rules.
- “Use” – when we use or share information internally, either within our Children’s Division county/circuit, between Children’s Division counties/circuits, or between DSS agencies (such as Children’s Division and Division of Youth Services). We would “use” consumer PHI to make treatment/service decisions, or to make payment decisions, or for other parts of our children’s services operations. For example, we may “use” Protected Health Information to make a decision to request removal of a child from their parents during a sexual abuse investigation. HIPAA does not require staff to obtain disclosure authorizations when PHI is being used for treatment, payment, or health care operations.
- “Disclose” – when we share information outside the Department of Social Services (which is a covered entity), to an individual, agency, or organization external to us. One example would be when we disclose information to the courts when we are ordered to do so. The court is outside our agency and the sharing of such customer information is not considered in the course of treatment/services, so we are disclosing information to the court. Disclosures to the juvenile courts, law enforcement, and prosecutors that are now allowable under current policy and law are exempt from HIPAA disclosure requirements, as described in subsection 2.7.2. Other kinds of disclosures, such as those described in subsection 2.7.3, are not exempt.
- “Psychotherapy notes” – notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record and designated specifically as psychotherapy notes. Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date. There should not be an instance during the provision of Children’s Division services when such recordings would be designated in a client file as psychotherapy notes.