0130.005.00 Confidentiality

0130.005.10.30 Accounting for Disclosures of Protected Health Information

  1. Accounting for Disclosures: Staff must account for all disclosures of PHI upon the client’s request unless exempted below. The client may request an accounting of disclosures made by FSD six years before the date the client requests the accounting. Staff is not required to account for disclosures that occurred before April 14, 2003. This includes paper copies, faxes, electronic transmissions, and verbal releases. However, no tracking or accounting is required in the following exceptions:
    1. Disclosures made for treatment, payment, and healthcare operation purposes. This covers our use and disclosure of PHI for Medicaid purposes. For example, staff discloses the individual’s Medicaid number to a health care provider, staff sends the vendor nursing facility a copy of the approval notice, or is working with the Division of Medical Services to coordinate Medicaid eligibility. These disclosures are part of the Medicaid eligibility process.
    2. Disclosures made to the client.
    3. Disclosures made for national security.
    4. Disclosures made prior to April 14, 2003.
    5. Disclosures authorized by the client.
    6. Disclosures to correctional institutions and other law enforcement custodial situations. These would involve cases in which the organization has lawful custody of the person, and the information is needed for health, safety or security.
    7. Incidental disclosures e.g., another client overhears a confidential conversation between staff and the claimant, or the other client might have glimpsed a computer screen.
    8. Disclosures for protective services for the President.
    9. Disclosures made to individuals involved in the client’s care. Refer to 0130.005.10.40 Who May Exercise Privacy Rights and Personal Representatives, number 4, Other Individuals.
  2. Disclosure Tracking Examples: These are some examples of disclosures that must be accounted for and documented on the DSS Disclosure Tracking Log:
    • To public health authorities;
    • About a decedent to medical examiners and funeral directors;
    • In response to a court order;
    • To health oversight agencies for audits, civil or criminal investigations, or inspections e.g., state auditor reviews a client’s file that includes PH;
    • Unlawful and unauthorized disclosures staff knows about;
    • In response to a subpoena or discovery request;
    • A case manager shares PHI with an agency to arrange for training or services for a Temporary Assistance client. In this example, no tracking would be required if the client gives his or her written authorization for the disclosure.
  3. Recording Disclosures: Use the DSS tracking disclosure screen to record all disclosures unless excluded under “Accounting for Disclosures” above (number 1, a through i). Access this screen by going to the DSS Intranet. Staff MUST update this screen upon the disclosure. The screen captures information about what was disclosed, who received the PHI, the authority of the person to receive the PHI, the purpose of request, a brief description of the PHI released and other information. Print a copy of the updated screen, and file it next to the Change of Status Summary form. Keep the printout and disclosed information for six years from the date of the disclosure.
  4. Client Requests Accounting: Claimants use the DSS Request for an Accounting of Disclosures to request an accounting. Upon receipt of this form, immediately send it to the Department of Social Services Privacy officer. If staff has other information that may be helpful to the Privacy Officer, include it with the disclosed PHI.
  5. Privacy Officer Decision: The privacy officer must provide an accounting no later than 60 days after the request. The deadline can be extended up to 30 days. The first accounting is without charge to the individual in any 12-month period.