Effective Date: 5-1-19
Overview of HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, resulted in the establishment of the HIPAA Privacy Rule in December of 2000. The HIPAA Privacy Rule is a federal rule designed to protect individuals’ medical records and other personal health information. This federal law provides further requirements and restrictions in addition to the confidentiality provisions set out in this chapter.
In the course of business, the Children’s Division (CD) receives, discloses and utilizes Protected Health Information of employees and clients for a variety of reasons. Employees should exercise care at all times to discuss confidential, sensitive, or personal health information in a manner or place where the discussion is not able to be easily overheard. Measures should be taken to ensure that health information is not accessible to anyone other than the authorized personnel. CD staff will maintain privacy, confidentiality and integrity with regard to protected health information as required by state and federal laws, rules and regulations and professional ethics. Employees found to be in violation of this policy may be subject to disciplinary action up to and including dismissal as well as prosecution in a court of law.
Protected Health Information (PHI) refers to health information that is individually identifiable and created or received by a covered entity, such as Children’s Division. PHI is defined as any information relating to past, present or future physical or mental health of an individual; the provision of health care to the individual; or the payment for health care. Individually identifiable health information is health information that identifies or reasonably may be used to identify the individual. Health information that is created or received by the Children’s Division is protected under the regulation, including but not limited to the following:
- Name/Address
- Employer
- Names of Relatives
- DOB/SSN
- Telephone number
- DCN/MO HealthNet number
- Occupation
- Diagnosis
- Hospital/Physician/Psychologist/Therapist evaluations and/or records
- Authorizations/payments to a medical/mental health provider
- Child/family investigations, assessments, service plans
- Child/family contact and progress notes and/or summaries
Major Provisions of HIPAA:
- Define a “minimum necessary” standard;
- Distinguish between “authorization to disclose” and “accounting for disclosure”;
- Give the individual an opportunity to agree or object to use and disclosure of PHI;
- Require the use of a privacy notice;
- Allow individuals to access PHI;
- Permit individuals to request an amendment of PHI;
- Allow persons to request an accounting of certain disclosures of PHI;
- Establish who has access to PHI;
- Create civil and criminal penalties for violating the HIPAA standards;
- Require workforce members to be trained on and to acknowledge the HIPAA provisions;
- Verify the identity and authority of persons requesting a client’s PHI;
- Allow recipients to request restrictions on the use and disclosure of PHI; and
- Mandate that organizations have a privacy officer.
Key Terms Regarding HIPAA
- “Covered Entity” – a Health Plan (Insurance Company and HMOs), a Healthcare Clearinghouse, or a Healthcare Provider that transmits any health information electronically. The Department of Social Services (DSS) administers the MO HealthNet Program, which is considered a Health Plan. Consequently, DSS is a “covered entity” and has chosen to designate itself as a “single covered entity”. Therefore, all programs and each Division within DSS are subject to and must comply with HIPAA requirements and privacy rules.
- “Use” – when we use or share information internally, either within our Children’s Division county/circuit, between Children’s Division counties/circuits, or between DSS agencies (such as Children’s Division and Division of Youth Services). We would “use” consumer PHI to make treatment/service decisions, or to make payment decisions, or for other parts of our children’s services operations. For example, we may “use” Protected Health Information to make a decision to request removal of a child from their parents during a sexual abuse investigation. HIPAA does not require staff to obtain disclosure authorizations when PHI information is being used for treatment, payment, or health care operations.
- “Disclose” – when we share information outside the Department of Social Services (which is a covered entity), to an individual, agency, or organization external to us. One example would be when we disclose information to the courts when we are ordered to do so. The court is outside our agency and the sharing of such customer information is not considered in the course of treatment/services, so we are disclosing information to the court. While disclosures to the juvenile courts, law enforcement, and prosecutors now allowable under current policy and law are exempt from HIPAA disclosure requirements as described in subsection 2.7.2., other kinds of disclosures are not exempt such as described in subsection 2.7.3.
- “Psychotherapy notes” – notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record and designated specifically as psychotherapy notes. Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date. There should not be an instance during the provision of Children’s Division services when such recordings would be designated in a client file as psychotherapy notes.
3.7.1 “Minimum Necessary” Requirements for Sharing Protected Health Information
Federal regulations provide that staff at all times make a reasonable effort to limit PHI to the minimum necessary to carry out the intended purpose of use, disclosure or request. Consequently, staff must ensure that PHI is not unnecessarily or inappropriately accessed or disclosed. The following are examples:
- A pharmacy calls to verify a foster child’s MO HealthNet number. The purpose is for providing a service to the child and for billing the state for those services. Giving the provider the child’s MO HealthNet number and current eligibility gives the minimum necessary information and is appropriate. It would be inappropriate to share additional information such as why the child is in foster care or other PHI.
- A Children’s Service Worker following confidentiality procedures as outlined in the appropriate Child Welfare Manual sections calls a local food pantry to secure an emergency food order for a family. The worker provides the food pantry with the family members’ names, ages, and a brief description that the family is in need because they were recently robbed. The Children’s Service Worker does not provide information that the mother is schizophrenic or that the father is currently in outpatient alcohol treatment. Sharing of the mother’s diagnosis or father’s diagnosis/treatment (both considered PHI) was not necessary to securing an emergency food order (as Protected Health Information is not being shared, a client authorization specifically for release of health information is not necessary).
- A Children’s Service Worker is expecting a psychological evaluation of a client he is currently serving and alerts the office clerk to this fact. The office clerk who receives the evaluation in the mail only needs to verify the name of the client and the worker who currently has that client in his caseload. The caseworker and the person who distributed the mail followed the minimum necessary standard. However, it would have been inappropriate for the clerk to read the evaluation contents.
When “Minimum Necessary” Does Not Apply
The requirement for disclosing the “Minimum Necessary” information to accomplish the intended purpose does not apply to the following:
- Disclosures to or requests by a health care provider for treatment;
- Uses or disclosures made to the individual;
- Uses or disclosures made pursuant to an authorization (refer to section on Authorizations for Disclosures for Protected Health Information);
- Uses or disclosures that are required by law; and
- Investigations of complaints made to the Secretary of the Department of Health and Human Services and/or compliance reviews conducted by the Department.
3.7.2 Uses and Disclosures of PHI which do not Require Authorization for Disclosure of Health Information
Staff may use and disclose PHI without a completed Authorization for Disclosure of Health Information by DSS for the purposes of treatment, payment, and healthcare for an individual. In addition, the following list summarizes other instances in which an authorization to use or disclose PHI is not required from the individual.
NOTE: The program policy may, however, require a standard release of information from the client even in cases where HIPAA does not require a PHI authorization for disclosure.
- To a public health authority (i.e., sharing information with the Missouri Department of Health and Senior Services, which is conducting a public health surveillance, investigation, or intervention);
- To report child abuse/neglect situations, and other situations involving abuse, neglect or domestic violence (if disclosure is allowed by law);
- To the United States Food and Drug Administration under certain circumstances;
- To a health oversight agency that is authorized by law to conduct audits, investigations, inspections and other activities for oversight of health care systems, certain government programs, etc., (i.e., the United States Department of Health and Human Services conducts periodic reviews and audits of the MO HealthNet program);
- To judicial or administrative proceedings under certain circumstances; (refer to Child Welfare Manual policies and procedures in regard to information shared with the juvenile courts);
- To law enforcement officials as required by law or pursuant to a court order, a court-ordered warrant, or a subpoena or summons issued by a judicial officer; a grand jury subpoena; or an administrative request, such as an administrative summons or a civil investigative demand; for purposes of identifying or locating a suspect, fugitive, material witness, or missing person; or regarding a crime victim;
- To avert a serious threat to health or safety;
- To certain governmental functions such as national security;
- To certain agencies that are government programs providing public benefits (i.e., CD sharing information with the Department of Health and Senior Services or the Department of Mental Health for the intent of securing Community-Based Services treatment for an individual);
- As required by law (refer to Child Welfare Manual policy in regard to information sharing with juvenile courts, law enforcement and prosecutors as defined by statute and state law).
- Other situations that do not require an Authorization for Disclosure of Health Information by DSS - Use of PHI for treatment, payment or health care operations:
- If staff are using PHI to arrange counseling, evaluation, medical exams or other treatment, payment or health care operations for adults or children, a HIPAA authorization for disclosure from the client is not required. (The provider may require an authorization for disclosure to release information back to staff). Examples of when authorizations for disclosures are not required include the following situations:
- Releasing the minimum necessary PHI to a MO HealthNet provider to allow the provider to charge for provided services;
- Making a referral to a CTS provider for treatment;
- Making a referral to a doctor for a SAFE exam;
- Using PHI to determine eligibility for MO HealthNet;
- Obtaining medical reports to document domestic violence to establish good cause for not cooperating in child support collections for a Temporary Assistance claimant.
- Children in CD Custody:
- When children are in CD custody, staff have the same authority as parents do under HIPAA regulations with regard to disclosure of information.
3.7.3 Uses and Disclosures Requiring Authorizations for Disclosure of Health Information by DSS
If staff believe it is necessary to disclose PHI for a non-treatment-related purpose for a family member or a child not in our custody, an Authorization for Disclosure of Health Information by DSS is required. All such authorizations obtained from the client must be filed in the client’s case file. Two examples are as follows:
- Staff have information regarding a father’s psychiatric diagnosis of Obsessive-Compulsive Disorder (OCD). The client has severe financial, utility and rent problems. Staff calls a private charitable organization and advises the organization of the client’s financial problems to include the immediate need for funds to cover the cost of psychotropic medication to treat his OCD diagnosis. Disclosure of the identifiable medical information (OCD diagnosis and prescription medication information) to the organization violates HIPAA unless the client completed the Authorization for Disclosure of Health Information by DSS. In this example, staff should have obtained the client’s authorization or withheld the PHI.
- The Children’s Service Worker has been providing Family Centered Services to a family. The mother in the family has been diagnosed with depression and is under treatment with a psychiatrist and individual therapist. One of the mother’s children, an 8-year old boy, has been tardy 10 times and absent 11 days in the past quarter. The worker has been invited to participate in Crisis Team meeting at the boy’s school. During the course of the meeting the team explores possible reasons behind the boy’s school attendance difficulties. Although the worker is aware that the mother’s depression is interfering with her ability to get the boy up and ready to catch the school bus, the worker refrains from sharing information regarding the mother’s diagnosis and treatment. Disclosure of the medical information (diagnosis of depression and treatment/therapy) violates HIPAA unless the client completed the Authorization for Disclosure of Health Information by DSS.
NOTE: The Authorization for Disclosure of Health Information by DSS is not necessary when: (1) Protected Health Information is shared with juvenile courts, law enforcement and prosecutors per current policy and procedures, which are based on existing law; (2) for children who are in CD custody; (3) when Protected Health Information is shared for treatment, payment or health care operations; or (4) shared with other divisions of the Department of Social Services, as all of DSS is considered a “single covered entity”.
If it is necessary to disclose PHI in order to protect either the individual or the health and safety of others, CD staff must document to whom information is given, the reason the information was given, and the contact/clearance with supervisory staff using the PHI Disclosure Tracking Log, MO 886-4452.
3.7.4 Client Requests to Restrict the Use and Disclosure of Protected Health Information
Individual Request for Restriction of PHI
Clients have the right to request specific restrictions on the use or disclosure of PHI. Clients must file this request in writing by completing a Request for Restriction of Health Information, MO 886-4450. Staff must send the completed request through supervisory channels to the CD Privacy Officer.
Agreement or Denial of the Request
The CD Privacy Officer must receive the written request and determine whether it will be approved. The CD Privacy Officer will consult with the DSS Privacy Officer and provide staff and the client with the final decision. DSS will act on the request no later than 60 days after receipt of the request. DSS may request an extension of 30 days by notifying the client in writing.
- If approved, staff must notify the parties of the change, implement the restriction and ensure that such protected information is easily identifiable in the client’s record to avoid possible use or disclosure. One method would be to attach a cover sheet to the PHI, identifying to whom the information may or may not be released.
- If denied, do not implement client’s request for the restriction.
- File the original Request for Restriction of Health Information form in the front of the client case file.
While the individual has the right to request any kind of restriction of PHI uses and disclosures, the Division is not required to agree to those restrictions.
Termination of Restriction
Terminate the agreement to a restriction of information as follows:
- The client requests the termination in writing; and
- File the written request for termination of restriction in the front of the case together with the initial request for restriction.
Emergency Exception
If DSS has agreed to the restriction, but the individual who requested the restriction is in need of emergency treatment, and the restricted PHI is needed to provide the emergency treatment, staff may disclose that PHI to a health care provider to provide such treatment. If such PHI is disclosed in an emergency situation, the facility must require that the health care provider to whom the information was disclosed not further use or disclose that PHI.
3.7.5 Amendment of Protected Health Information
A client who has, is receiving, or was denied services, a parent of a minor, and/or a personal representative or legal guardian as relevant to their representation, may request an amendment or correction of health information. Additionally, a personal representative or legal guardian must have written authorization from the client to amend or correct PHI. Individuals making this type of request should complete the Request for Amendment/Correction of Protected Health Information, MO 886-4450 to record the request, unless the information involves minor discrepancies, as described below.
Minor Discrepancies
For minor discrepancies such as typing errors, misspelled names, wrong dates, etc., staff may correct the entry by drawing a single line through the error, adding a note that explains the error, dating it, initialing it, and by making the correction as close as possible to the original entry in the record. In this situation, the individual is not required to fill out the Request for Amendment/Correction of Protected Health Information form.
Additions to the file should not be treated as amendments. For example, the name of a client’s new primary physician would not be considered an amendment.
Other Requests
All other requests for amendment of PHI must be in writing and include the reason to support the amendment. The request should include any documentation that explains or verifies the incorrect or incomplete information. As noted above, the client should be instructed to complete the Request for Amendment/Correction of Protected Health Information form to record this request. Immediately forward the form and all documentation to the CD Privacy Officer. The CD Privacy Officer will act on the request no later than 60 days after receipt of the request. The CD Privacy Officer may request an extension of 30 days by notifying the client in writing.
If the amendment request is accepted, staff must upon notification by the CD Privacy Officer:
- Insert the amendment or link the amendment to the site of the information that is the subject of the request for amendment, and then document the change in the same section of the record as the original information; and
- Inform the individual that the amendment is accepted; and
- Obtain the authorization of the individual to notify all relevant persons or entities with whom the amendment needs to be shared; and
- Within 60 days, make reasonable efforts to provide the amendment to the persons identified by the client and any persons that staff know have been provided the PHI that is the subject of the amendment and who may have relied on or could possibly rely on the information to the detriment of the client.
Denying Requests for Amendment of Protected Health Information
The request for amendment of the PHI may be denied if:
- Staff did not create the information (however, if the individual can provide reasonable proof that the person or entity that created the information is no longer available to make the amendment, and the request is not denied on other grounds, the amendment is permissible);
- The information is not part of the medical information kept in the client’s case record;
- The information is not part of the information that the client would be permitted to inspect and copy; and
- The information is accurate and complete.
If the amendment request is denied, the CD Privacy Officer notifies the client and staff.
The denial notice explains the reason for the denial, as well as:
- the person’s right to submit a written statement disagreeing with the denial and how the individual may file such a statement;
- the name, title, address, and telephone number of the DSS Privacy Officer to whom a statement of disagreement should be addressed;
- the steps to file a complaint with the Secretary of the Department of Health and Human Services;
- a statement that if the client does not submit a statement of disagreement, the client may request that DSS provide the Request for Amendment/Correction of Protected Health Information and the denial notice with any future disclosures of PHI.
Client Disagrees with the Denial
The individual has the right to submit a written statement disagreeing with the denial of all or part of a requested amendment and the basis for the disagreement. This statement of disagreement shall be limited to one page and be submitted to the DSS Privacy Officer. DSS will complete a written response to the statement of disagreement and send it to the client and staff.
Staff must identify the record of PHI that is the subject of the disputed amendment and append or link the request for an amendment, the denial of the request, the individual’s statement of disagreement, if any, and DSS’ response statement if any. If the client has submitted a statement of disagreement, staff must include the documents listed in the prior sentence, or an accurate summary of the information, with any subsequent disclosure of the PHI to which the disagreement relates.
If the person has not submitted a written statement of disagreement, DSS must include the person’s request for amendment and its denial, or an accurate summary of the information, with any subsequent disclosure of PHI only if the client has requested it.
3.7.6 Client’s Right to Access their Health Information on File in Children’s Division Records
Individuals may have access to and obtain a copy of their PHI. A client who has, is receiving, or was denied services, a parent of a minor, and/or a personal representative or legal guardian as relevant to their representation, must request in writing access to inspect, or receive copies of PHI. Additionally, a personal representative or legal guardian must have written authorization from the client to access PHI. Use the Individual’s Request for Access to Protected Health Information, MO 886-4450, for the client’s request. This form should be used anytime a client is requesting access to and/or a copy of their file and the file has any Protected Health Information.
Staff Assistance to the Individual
Staff may assist the individual in initiating this process. For example, the client may want a copy of his or her doctor’s report from their Children’s Division case file, but he or she may not remember the examination date. Provide the date from the case record to help the person.
Approving the Request for Client Access to PHI
Individuals and/or their attorneys or representatives frequently request access to specific Protected Health Information in files, such as a copy of their counseling reports. At other times, the individual or representative may be requesting access to their entire case file or to their CA/N investigation record. Staff should refer to policies and procedures in the Child Welfare Manual on how to respond to these requests (see Child Welfare Manual Section 5.2.4). However, as many case files and CA/N investigation records contain PHI, if staff ascertain that any of the information in the file could be PHI, staff should also have the individual and/or personal representative fill out the Individual’s Request for Access to Protected Health Information. Staff should also verify that the personal representative requesting information is truly representing the individual.
The Request form could be completed at the time the individual comes in to review their file or to pick up copies of their information, or the form could be mailed to the individual and returned to staff. Copies of the Individual’s Request for Access to Protected Health Information should be retained in the file.
If after review staff approve the request, staff shall ensure access in a timely manner and arrange for a mutually convenient time and place for the client to inspect the PHI or obtain copies, unless access in another format has been requested by the client and agreed to by staff (see Requested Format below). Charge the same per page copying fee that CD uses to reimburse medical providers. Do not charge any search or retrieval fees. The client’s agreement to any costs is confirmed by the person checking the appropriate box on the Individual’s Request for Access to Protected Health Information form. Any requests for additional accommodations shall be sent or given in writing to the CD Privacy Officer.
Providing a Summary of the PHI
If it is acceptable after discussion with the client, a summary of the PHI may be used. The client’s agreement to a summary shall be documented in writing by checking the appropriate box in the Individual’s Request for Access to Protected Health Information form. Staff should then forward to the DSS Privacy Officer the Individual’s Request for Access to Protected Health Information form, copies of the requested information and a cover memorandum. Advise the DSS Privacy Officer that you recommend that the client receive the requested summary.
Requested Format
The request is processed in the format requested (i.e., hard paper copy, microfiche, computer disk, etc.), if possible, and in a timely, consistent manner according to established timeframes but not more than 30 days after receipt of the request. If the record cannot be accessed within the 30 days, the timeframe may be extended once for no more than an additional 30 days with notification in writing to the individual outlining reasons for the delay and the date the request will be concluded.
Request Denials
If after review of the request, staff believe that a request should be denied, the request together with appropriate documentation shall be forwarded to the CD Privacy Officer for review, decision, and response to the client.
Denials without a Right to Review
The CD Privacy Officer, in cooperation with CD staff, may deny requests for access to protected health information without a right to review in the following situations:
- If the information conforms to one of the following categories: psychotherapy notes; information compiled for use in a civil, criminal or administrative action or proceeding;
- If the client is participating in a research related treatment and has agreed to the denial of access to records for the duration of the study;
- If access is otherwise precluded by law;
- If the information was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information; and
- If DSS has been provided a copy of a court order from a court of competent jurisdiction, which limits the release or use of PHI.
Psychotherapy Notes
Psychotherapy notes have special protections under HIPAA in terms of releasing such notes to the individual. As noted earlier, psychotherapy notes are defined as “notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record.” Case narratives compiled by Children’s Division Children’s Service Workers are an integral part of the case record and do not meet the definition for psychotherapy notes.
Case records may, however, contain psychotherapy notes that originated from a mental health professional. Psychotherapy notes are a distinct and separate category from counseling reports, counseling summaries or psychological evaluations. Psychotherapy notes are exempt from individual access. If an individual requests a document that is labeled psychotherapy notes, do not release that specific information and submit the request to the CD Privacy Officer. The CD Privacy Officer will review the request and notify staff of the decision. Other information should be released to the individual per the policies and procedures of the Child Welfare Manual upon execution of the signed Individual’s Request for Access to Protected Health Information.
Denials with a Right to Review
Although the CD Privacy Officer, in cooperation with CD staff, may deny requests for access to protected health information, the client does have a right to review of this denial in the following situations:
- A licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person;
- The Protected Health Information makes reference to another person and a licensed health care professional has determined that the access requested is reasonably likely to cause substantial harm to such other person; or
- The request for access is made by the individual’s personal representative and a licensed health care professional has determined that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.
If a client is denied access to all or part of their PHI contained in the CD case file, they have a right to appeal the denial decision. If the client or personal representative requests a review of the denial, DSS has designated a licensed health care professional, who was not involved with the initial decision to deny access, to review the decision. Denial reviews will be referred by the DSS Privacy Officer to a designated departmental licensed health care professional for completion of the review. Such denial reviews shall under no circumstances be completed by any other licensed health care professional. Staff must complete the following in processing a request for review of a denial to access PHI:
- The appeal shall be submitted in writing to the DSS Privacy Officer. The DSS Privacy Officer will then designate a licensed health care professional to review the denial; and
- The designated licensed health care professional who did not participate in the original decision to deny access shall review the record and the request for access to the client’s record;
- If the reviewer determines that the initial denial was appropriate, the DSS Privacy Officer notifies the individual in writing that the review resulted in another denial of access. The notice includes the reasons for denial and describes the process the individual may use to make a complaint to the Secretary of the Department of Health and Human Services.
- If the denial was not appropriate, the licensed health care professional who acts as the reviewer shall refer the request to the DSS Privacy Officer for action. The Privacy Officer may provide this PHI to the individual or direct staff to provide it.
- If access is denied to any portion of the PHI, access must still be granted to those portions of the PHI that are not restricted.
Denial of Access
If, after review, CD denies access to PHI in whole or in part, CD may as directed:
- Make other PHI information accessible to the individual after excluding the denied PHI; or
- If the information requested is not maintained by CS and staff is aware of the location of such information, staff may inform the individual where to direct his or her request.
Release of PHI of a Deceased Client
- The PHI of a deceased client may only be released via a Probate Court order from the County Circuit Court where the deceased resided or from another Probate Court in the State of Missouri. In the case of a child victim who is the reported subject of abuse/neglect, information should be released per state law and statute with the juvenile court, law enforcement, prosecutors and members of the Child Fatality Team.
- Other requests for information should be referred to the CD Privacy Officer.
3.7.7 Accounting Disclosures of Protected Health Information
Staff must account for all disclosures of PHI made by CD in the six years prior to the date on which the accounting is requested by the client, effective April 14, 2003. However, no tracking or accounting is required in the following exceptions:
- Disclosures made to carry out treatment, payment, and healthcare operations that are not required by law. This would include protected health information disclosures made to the members of the multi-disciplinary treatment team and Family Support Team (i.e., school personnel, counselors, day-care staff, para-professionals, etc.) who are responsible for decision making and carrying out treatment in regard to a child who is in our custody unless that disclosure is required by law. Note that in general all disclosures about protected health information made to the juvenile court, Guardian-ad-Litem, CASA, law enforcement, prosecutors and courts are broadly required by law and, accordingly, do have to be tracked—see section below on when and how to use the PHI Disclosure Tracking Log;
- Disclosures made to the individual client about their own PHI;
- Disclosures made with an authorization from the individual;
- For national security or intelligence purposes;
- To correctional institutions;
- As part of a limited data set;
- Disclosures made for DSS operating purposes (i.e., staff are working with the MO HealthNet Division (MHD) to coordinate MO HealthNet eligibility);
- Incidental to a use or disclosure otherwise permitted or required;
- That occurred prior to the compliance date of April 14, 2003; and
- Disclosures of protected health information made to foster parents, who are considered extensions of staff.
Use the PHI Disclosure Tracking Log form to record all disclosures unless exempted above. The employee releasing the information must immediately update this form upon the disclosure. File the PHI Disclosure Tracking Log in the front of the client case record. The log must be maintained for at least six years from the date of the most recent disclosure. Disclosures that must be accounted for on the log include:
- To public health authorities as required by law (i.e., birth, death, and required disease reporting);
- To avert a serious threat to health or safety of a person or the public;
- To the Food and Drug Administration (i.e., adverse events, product defects, tracking product recalls, post marketing surveillance);
- To health oversight agencies for oversight activities authorized by law;
- To law enforcement officials as required by law or pursuant to a court order, or subpoena, or administrative request; for purposes of identifying or locating a suspect, fugitive, material witness, or missing person; or regarding a crime victim;
- Information about victims of abuse, neglect, or domestic violence disclosed to a government authority to the extent the disclosure is required by law; this would include reports of death made by staff to Child Fatality Review panel (RSMo 210.115);
- For some research purposes;
- To governmental functions (i.e., national security, military command authority, veteran’s information); and
- As otherwise required by law, including:
- Referrals for children exposed to substance abuse/Newborn Assessments to Department of Health where referral discloses Protected Health Information – RSMo 191.737;
- Reports of child abuse/neglect containing PHI disclosed to law enforcement which Division personnel determine merit an investigation, or, which if true, would constitute suspected violation of – RSMo 210.145 (3);
- Information regarding status of an investigation containing Protected Health Information provided to the public school district liaison – RSMo 210.145 (4);
- Disclosures (records/files/written reports and verbal reports) of records containing Protected Health Information for administrative review by the child abuse and neglect review board – RSMo 210.153;
- Records containing PHI assessed by grand jury, juvenile officer, prosecuting attorney, law enforcement officer, juvenile court or other court conducting abuse or neglect or child protective proceedings and other federal, state and local government entities, or any agent of such entity with a need for such information in order to carry out its responsibilities under law, multidisciplinary agency or physician or physician’s designee who is providing services – RSMo 210.150 (6);
- Written reports (CS-1) containing PHI about the status of a child required every six months disclosed to the juvenile court – RSMo 210.720;
- Disclosure of Protected Health Information by staff to GAL or CASA of all reports and to fully inform of all aspects (records/files/written and verbal reports) of the case of which staff have knowledge or belief – RSMo 210.160;
- Disclosure of Protected Health Information (records/files/written and verbal reports) to Child Fatality Review Panel to investigate deaths – RSMo 210.194;
- Disclosure of record (records/files/written and verbal reports) containing PHI to ICPC – RSMo 210.620;
- Reports (records/files/written and verbal reports) disclosed to the court containing PHI in permanency hearings – RSMo 210.720; and
- Disclosure (records/files/written or verbal reports) of information containing PHI pursuant to a subpoena or court order.
NOTE: Many exchanges of information, whether made in writing or verbally while speaking with juvenile court staff, GALs, and law enforcement authorities, will contain Protected Health Information. These disclosures of PHI do require logging and providing an accounting upon request by the parent or personal representative of a child, including a child who is in CD custody.
Individuals requesting information about disclosures as described above should complete the Request for an Accounting of Disclosures, MO 886-4061, to request an accounting. Upon receipt of this form, send a copy of the PHI Disclosure Tracking Log along with the request form to the CD Privacy Officer, who will contact the DSS Privacy Officer. If staff determines that providing copies of the disclosed information or other information may be helpful to the DSS Privacy Officer, include them with the log sheet and any necessary summary. The DSS Privacy Officer will review all disclosure logs pertaining to the client held by any of the Divisions within DSS. Once the review is completed, the DSS Privacy Officer will provide the accounting of disclosure to the client.
NOTE: Once the construction of the DSS PHI Disclosure Tracking database on the DSS Intranet is completed, all disclosures logged per the instructions in the above section must be entered into the database within 5 days of the disclosure.
DSS must provide an accounting no later than 60 days after receipt of the Request for an Accounting of Disclosures form. The deadline can be extended up to 30 days. The first accounting in any 12-month period is without charge to the individual.
3.7.8 Privacy Notices
CD must provide a privacy notice to individuals as of April 14, 2003, and thereafter by:
- Providing a copy upon an individual’s request;
- Providing a copy at the time a person applies;
- Providing a copy at the time CD staff conduct a CA/N investigation, assessment or referral;
- Issuing a copy within 60 days of a material revision of the notice;
- Posting the notice in each office in a clear and prominent location;
- Making the notice available at each office so an individual can request and obtain a copy;
- Notifying clients no less frequently than once every three years of the availability of the notice and how to obtain a copy;
- Posting the notice on the agency’s web site; and
- Emailing a copy upon an individual’s request for an electronic notice.
3.7.9 No Intimidation or Retaliation
CD employees may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual or other person for exercising his/her rights under HIPAA or for participating in a process established by HIPAA. CD staff will comply with provisions of the Whistleblower Law (Department of Social Services policy 2-100), which states that supervisors and managers are not allowed to prohibit employees from discussing agency operations with members of the legislature or the state auditor.
3.7.10 Staff Access to Protected Health Information and Acknowledgement of Privacy Requirements
Staff are granted access to PHI in accordance with state and federal law and other DSS/Children’s Division policies/procedures. Such access is limited to the minimum necessary to accomplish the purpose of any use or disclosure. Staff must protect the privacy of individually identifiable health information, must recognize the importance of such confidentiality provisions, and affirmatively acknowledge those guidelines.
Staff Access:
- Employees shall be granted access to PHI in accordance with state and federal law and other relevant DSS/CD operating procedures. Such access shall be limited to the minimum necessary amount of protected health information to accomplish the purpose of any requested use or disclosure of PHI.
- Each office shall establish a procedure for how its workforce members are to physically access PHI in medical records (i.e., how to sign records in and out and under what conditions, etc.).
3.7.11 Duty to Mitigate
When CD learns that an employee or business has used or disclosed PHI in violation of HIPAA regulations, CD will take actions appropriate to prevent further inappropriate uses or disclosures and pursue any feasible actions to lessen the harmful effects of any such violations.
3.7.12 Emergency Policy
Provisions of this section will be coordinated between divisional privacy officers and the DSS privacy officer. In the event of an emergency that renders a local CD office incapable of providing an individual or their representative with information to which the individual is entitled under the requirements of HIPAA, the individual will be given a telephone number or web site address where the said individual may obtain the required information upon proper verification. In the event of such an emergency, information will be released through a predetermined telephone number or via electronic media. No information will be released from a local office until it is verified that all information systems within that office are HIPAA compliant.
3.7.13 Retention/Destruction of Protected Health Information
Documentation recording disclosures of PHI (PHI Disclosure Tracking Log) should be retained for a period of six years. Records involved in any open investigation, audit or litigation should not be destroyed/disposed of. If notification is received that any of the above situations have occurred or there is the potential for such, the record retentions shall be suspended for these records until such time as the situation has been resolved. Divisions with federal regulations that supersede HIPAA should include retention information in their divisional procedures.
Destruction/disposal of protected health information will be carried out in accordance with federal and state law and divisional policies. This may include any record of client health information, regardless of medium or characteristic that can be retrieved at any time. This includes all original client records, documents, papers, letters, billing statements, x-rays, films, cards, photographs, sound and video recordings, microfilm, magnetic tape, electronic media, and other information recording media, regardless of physical form or characteristic, that are generated and/or received in connection with transacting client care or business.
Records scheduled for destruction/disposal should be secured against unauthorized or inappropriate access until the destruction/disposal of client health information is complete. A contract between DSS and a business associate should provide that, upon termination of the contract, the business associate will return or destroy/dispose of all patient health information. If such return or destruction/disposal is not feasible, the contract must limit the use and disclosure of the information to the purposes that prevent its return or destruction/disposal.
Health information media should be destroyed/disposed of using a method that ensures the health information cannot be recovered or reconstructed. Appropriate methods for destroying/disposing of media are outlined in Appendix N.
3.7.14 Other General Documentation Requirements
In addition to the requirements above, CD staff should maintain documentation as listed below. Copies of such information should be forwarded to the DSS Privacy Officer.
- Any signed Authorization for Disclosure of Health Information by DSS;
- Authorization for access to files by personal representatives;
- All complaints received, and their disposition;
- Any sanctions to employees that are applied as a result of non-compliance; and
- Any use or disclosure of protected health information for research without the individual authorization.
3.7.15 Complaint Process
If an individual believes that Children’s Division and/or its representative are not complying with the requirements of HIPAA, (s)he may file a complaint with one or both of the following:
- DSS Complaint Officer; PO Box 1527; Jefferson City, MO 65102-1527
- Secretary of the Department of Health and Human Services (DHHS); 200 Independence Avenue, SW; Washington, DC 20201.
The Health Insurance Portability and Accountability Act Complaint form will be provided to the complainant by the office where the complaint is lodged. The Complaint Officer will contact the facility from which the complaint originated and complete an investigation within thirty (30) days from the date it is received by the department. Once completed, the Complaint Officer will issue a response letter to the complainant with the determination and any indicated corrective measures. If the complainant is not satisfied with possible resolutions, the Complaint Officer will provide information regarding the process of filing a complaint with the Secretary of DHHS.
3.7.16 Workforce Training
All members of the Children’s Division workforce must be trained on policies and procedures with respect to PHI in accordance with DSS/CD policy by mandatory participation in HIPAA Privacy Training. As foster family care providers are considered an extension of the Children’s Division workforce, they also must receive such training.
3.7.17 Sanctions
DSS employees who fail to comply with the privacy policies and procedures of this policy will be subject to disciplinary actions up to and including dismissal as well as prosecution in a court of law. Disciplinary actions will become part of the employee’s personnel record.