Confidentiality of Information (Health Insurance Portability and Accountability Act)(HIPAA)
Overview of HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, resulted in the establishment of HIPAA Privacy Rule in December of 2000. The HIPAA Privacy Rule is a federal rule designed to protect individuals’ medical records and other personal health information. This federal law provides further requirements and restrictions in addition to the confidentiality provisions set out in RSB confidentiality policy.
In the course of business, the Rehabilitation Services for the Blind receives, discloses and utilizes Protected Health Information of employees and consumers for a variety of reasons. Employees should exercise care at all times to discuss confidential, sensitive, or personal health information in a manner or place where the discussion is not able to be easily overheard. Measures should be taken to ensure that health information is not accessible to anyone other than authorized personnel. RSB staff will maintain privacy, confidentiality and integrity with regard to protected health information as required by state and federal laws, rules and regulations and professional ethics. Employees found to be in violation of this policy may be subject to disciplinary action up to and including dismissal as well as prosecution in a court of law.
With certain exceptions, PHI refers to any individually identifiable health information that is created or received by a covered entity. PHI is defined as any information relating to past, present or future physical or mental health of an individual; the provision of health care to the individual; or the payment of health care. Individually identifiable health information is health information that identifies or may reasonably be used to identify the individual. To be PHI, it must include medical information and a personal identifier. PHI includes but is not limited to:
Hospital/physician/therapist evaluations and/or records;
Eye examination reports;
Authorizations, payments, statement of charges for services;
Consumer contacts, progress notes and/or summaries;
All information contained in the case record is considered PHI.
The major provisions of HIPAA provide for:
In limited circumstances, giving the individual an opportunity to agree or object to uses and disclosure of PHI;
Requiring the use of the DSS privacy notice;
Allowing individuals to access PHI;
Permitting individuals to request an amendment of PHI;
Allowing persons to request an accounting of disclosures of PHI;
Defining a minimum use standard;
Establishing who has access to PHI;
Civil and criminal penalties for violating the HIPAA standards;
Requiring workforce members to be trained on and to acknowledge the HIPAA privacy provisions;
Verifying the identity and authority of persons requesting a consumer’s PHI;
Allowing recipients to request restrictions on the use and disclosure of PHI;
Mandating that organizations have a privacy officer.
The DSS “Notice of Privacy Practices” must be provided to consumers and documented in the case record effective April 14, 2003 and then thereafter by:
Providing a copy upon an individual’s request;
Providing a copy at the time a person applies;
Posting the notice in each office in a clear and prominent location;
Making the notice available at each office so an individual can request and obtain a copy;
Issuing a copy within 60 days of a material revision of the notice;
Notifying clients no less frequently than once every three years of the availability and how to obtain a copy;
Posting the notice on the agency’s Web site;
Emailing a copy upon an individual’s request for an electronic notice.
Federal regulations provide that employee use and access to PHI be limited to the minimum necessary to carry out the intended purpose of use, disclosure or request. In general, the minimum necessary does not apply when requested by the individual who is the subject of the information, when requested by a health care provider for treatment, or disclosures required by law. Staff must ensure that PHI is not unnecessarily or inappropriately accessed or disclosed. The following are examples:
A pharmacy calls to verify an individual’s Medicaid number. The purpose is for providing a service to the consumer and for billing the state for those services. Giving the provider the consumer’s Medicaid number and eligibility dates gives the minimum necessary information. It would be inappropriate to share additional information such as the consumer’s Social Security Number, medical diagnosis and other PHI.
A RSB office receives a consumer’s medical records. The employee who is distributing the mail needs only to verify from the incoming records which staff person gets them. On the other hand, the staff person needs to arrange and view all PHI. The intended purpose is to determine eligibility for services. Both workers followed the minimum necessary use. However, it would be inappropriate for personnel distributing the mail to read the complete records.
If staff have any concerns that what is being requested is beyond the minimum necessary, directly ask the requestor if they believe this is the minimum that is required to accomplish the task. If staff still have a question involving disclosure of more than the minimum amount and it concerns situations named in this paragraph, contact the FSD privacy officer through appropriate supervisory channels for guidance.
With regard to individually identifiable health information, use means the sharing, examination, utilization, employment, or analysis of the information within DSS. Disclosure means the release, transfer, provision of access to, or divulging information outside of DSS.
An individual’s medical records such as hospital and doctor reports and medical claims are PHI and confidential. Release of these medical records requires a signed authorization from the consumer or consumer’s representative except as listed below. Staff should use form MO 650-2616 “Authorization for Disclosure of Consumer Medical/Health Information” when requesting health information from medical providers or other agencies.
In certain situations, staff may not use or disclose PHI without a valid authorization that has been completed and signed by the consumer or consumer’s personal representative. An “Authorization for Disclosure of Health Information by DSS” form may be used to obtain required authorizations from consumers. All authorizations must be filed in the case record.
Staff may use and disclose PHI without the consumer’s authorization, subject to certain restrictions, in the following situations:
To the consumer;
For treatment, payment or health care operations;
To family and friends involved in the person’s healthcare (refer to the section “Who May Exercise Privacy Rights and Personal Representatives);
To a public health authority (for example, sharing information with the Missouri Department of Health and Senior Services who is conducting a public health surveillance, investigation or intervention);*
To report child abuse or neglect;*
To the United States Food and Drug Administration for purposes concerning quality or effectiveness of such FDA regulated products or activity;*
To a health oversight agency that is authorized by law to conduct audits, investigations, inspections and other activities for oversight of health care systems, certain government programs, etc., (for example, RSA conducts an audit of VR case records);*
To respond to court orders or subpoenas and discovery requests. Staff should immediately fax a copy of such requests to state office. State office will consult with the DSS Privacy Officer or legal counsel;*
To law enforcement officials as required by law or pursuant to a court order, a court-ordered warrant, or a subpoena or summons issued by a judicial officer; a grand jury subpoena; or an administrative request, such as an administrative summons or a civil investigative demand; for purposes of identifying or locating a suspect, fugitive, material witness, or missing person; or regarding a crime victim;*
To avert a serious threat to health or safety e.g., staff contacts the local police department to request assistance to prevent or lessen serious or imminent threats;*
To certain governmental functions (such as national security purposes, veteran’s information);*
As required by law such as in legal proceedings in which the consumer is represented by an attorney or legal aid;*
To agencies that are government programs providing public benefits (staff must coordinate with that program and referral/participation is necessary for RSB program eligibility).*
The above releases marked with an asterisk (*) are subject to tracking requirements. If staff disclose PHI for reasons above listed with asterisks, or if an unauthorized disclosure is inadvertently made, the disclosure should be tracked by completing the “Disclosure Tracking Log” form, placing a copy in the case record and submitting a copy to the FSD privacy officer.
Consumers may complete the DSS “Request for an Accounting of Disclosures” to request an accounting of disclosures. The consumer should submit this form directly to the DSS privacy officer.
Disclosures to Business Associates
A “business associate” is a person or organization, other than a member of a covered entity’s workforce, that performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information or provides services to DSS. With certain conditions, HIPAA allows DSS to share and disclose to a business associate any PHI necessary to perform the job. A business associate may separately create or receive PHI for the Department. HIPAA requires that DSS obtain satisfactory assurance through written contract (DSS Business Associate Agreement) that the business associate will appropriately safeguard the information. DSS will use Memorandums of Understanding (MOU”S) rather than Business Associate Agreements with governmental entities.
For research requests from agencies outside of DSS, employees may only disclose information containing PHI if the request has been approved by the division director and is accompanied by a signed authorization from the consumer or a waiver of the required authorization is obtained from the Privacy Review Board. If there is no signed authorization or waiver, staff should forward the research request to the divisional privacy officer. The divisional privacy officer may submit the request to the Privacy Review Board. The Board will review the request, determine whether the waiver will be granted, and will notify the division as to whether the information can be released. Research requests presented to the Board for consideration should include divisional approval and the information necessary for the Board to make the findings required by federal guidelines. The “Application to Conduct Research/Study” form is used to submit such information.
Consumer Requests to Restrict the Use and Disclosure of Protected Health Information
Consumers have the right to request specific restrictions on the use or disclosure of PHI by completing the DSS “Request for Restriction of Information” form. Staff must send the completed request to the FSD privacy officer. The privacy officer will then determine whether to accept or deny the request.
Amendment of Protected Health Information
A consumer or the consumer’s personal representative who believes his or her health records are incomplete or incorrect may request an amendment or correction of the health records.
Do not consider information learned during the regular course of business to be an amendment. Examples include when a consumer provides the name of a new treating physician. Additions to the file are not amendments.
1. Minor discrepancies
For minor discrepancies such as typing errors, misspelled names, wrong dates, etc., staff may correct the entry by drawing a single line through the error, adding a note that explains the error, dating it, initialing it, and by making the correction as close as possible to the original entry in the record.
2. All other requests
All other requests for amendment of PHI must be in writing and include the reason to support the amendment. The request should include any documentation that explains or verifies the incorrect or incomplete PHI that the consumer is requesting to amend.
Have the consumer complete theDSS “Request for Amendment/Correction of Protected Health Information form”. Staff should process the request as instructed on the form and send a copy to the divisional privacy officer for determination.
Consumer’s Right to Access Their Health Information
Consumers may request to have access to and obtain a copy of their PHI. The request may include the complete case record or specific PHI, such as an eye report. Have the consumer complete the DSS “Request for Individual’s Access to Protected Health Information”. Process the request as instructed on the form.
1. Staff provides access
Place original DSS Request for Individual’s Access to Their Protected Health Information in the case file. Send a copy of the form to the FSD privacy officer.
If the requested information is maintained electronically and the consumer requests an electronic or faxed copy, accommodate the request if possible and explain the risk to security of the information when transmitted as requested. If the information is not available in the format requested, produce a hard copy document or other format agreed upon by the consumer.
Provide the access requested in a timely manner, and arrange for a time and place for the consumer to inspect the PHI or obtain copies, unless access by another method has been requested by the consumer and agreed to by staff.
If staff or the privacy officer is providing access, certain time frames exist. The individual must be allowed to inspect or obtain a copy of his or her PHI no later than 30 days after staff gets the request (60 days if the information is not maintained or accessible to FSD on-site). The deadline may be extended up to 30 days if the individual gets a written statement of the reasons for the delay and the date staff or the privacy officer will fulfill the request.
2. Staff determines the PHI is covered by one or more of the nine bullets that restrict access.
DO NOT give the claimant the requested PHI. Immediately forward to the FSD privacy officer a copy of the information that the consumer is requesting and the DSS Request for Individual’s Access to Their Protected Health Information form. Advise the Privacy Officer if one or more of the reasons for denial apply and which one(s). Use an IOC, letter or memorandum to provide the Privacy Officer with any information or recommendations that may assist the officer in reviewing the request.
3. Privacy Officer Decision
The privacy officer will determine whether to approve or deny the request. If the request is denied, the privacy officer will notify the claimant and staff of the decision.
If FSD denies access to PHI, in whole or in part, the privacy officer may instruct staff to provide the consumer:
Other PHI information accessible to the individual after excluding the denied PHI;
Information where to direct the request if the PHI requested is not maintained by DSS and staff knows where the requested information is kept.
4. Providing Summaries
The privacy officer may provide a summary or explanation of the requested PHI if:
The consumer agrees in advance to the summary or explanation in place of the record.
The consumer agrees in advance to any fees imposed for the summary or explanation.
5. Release of PHI of a Deceased Consumer. The PHI of a deceased consumer may only be released to the personal representative or executor of the estate.
Who May Exercise Privacy Rights and Personal Representatives
A consumer for the most part exercises his or her own privacy rights. However, some persons may be legally or otherwise incapable of applying their privacy rights. Moreover, an individual may authorize another person to act on his or her behalf. In general, we must treat the personal representative as the individual unless a restriction occurs.
1. Adults and Emancipated Minors
Examples of an adult’s or emancipated minor’s personal representatives include a person who has a health care power of attorney, is a court appointed legal guardian, or has a power of attorney that includes a health care decision clause.
Usually the parent not the unemancipated minor has the right to receive a minor’s PHI. Exceptions to the unemancipated minor parent’s exercising privacy rights concern when the law allows a minor to consent to the treatment, a court or other law allows a person other than the parent to make treatment decisions for the minor, or the parent agrees to a confidential arrangement between a physician and the minor.
3. Neglect, Abuse, and Endangerment Issues
Do not treat the person as the individual’s personal representative if:
staff has a reasonable belief that (1) the consumer has been or may be subjected to domestic violence, abuse, or neglect by such person or (2) treating such person could endanger the individual; OR
staff in the exercise of professional judgement decides that it is not in the best interest of the individual to treat the person as the individual’s personal representative.
4. Other Individuals
Under certain circumstances, HIPAA permits disclosures “. . . to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, the protected health information directly relevant to such person’s involvement with the individual’s care or payment related to the individual’s health care.” Before disclosing information to one of these persons, staff must:
a. Obtain the consumer’s agreement
b. Give the consumer an opportunity to object to disclosure, and the consumer does not object; OR
c. Staff infers from the circumstances based on professional judgment that the individual does not object to the disclosure; OR
d. If the consumer is not present due to his or her incapacity or emergency circumstances, staff concludes that it is in the best interest of the consumer to disclose the minimum necessary PHI that is directly relevant to the person’s involvement with the consumer’s health care. This is the type of situation that may occur when a family member or relative is applying for and handling the affairs of their hospitalized, institutionalized, disabled, blind, or elderly relative.
5. Deceased Consumers
PHI of a deceased consumer is protected by HIPAA. However, consider the person with the legal authority to act on behalf of the deceased consumer or the deceased consumer’s estate to be the personal representative e.g., an executor of the estate.
Verifying the Identity and the Authority of the Requestor
Staff must ensure that PHI is not improperly released. To avoid this, verify the requestor’s identity. Ensure that the person has the proper authority to obtain the PHI. If the consumer is unknown to the FSD employee who is releasing the information, require the consumer to verify his or her identity
Examples of written verification that may verify identity and purpose of the request include proof of government status (a badge, identification card, etc.), a request on government letterhead, a copy of conservator/guardian’s court appointment, an order from the Probate Court, and correspondence from a medical facility.
For telephone calls, staff may have to call the party back. Before returning the call, verify the number through the phone directory e.g., verifying the pharmacy’s telephone number when staff receives a call to confirm Medicaid eligibility on a consumer who needs to fill a prescription.
Staff Access to Protected Health Information
Staff are granted access to PHI in accordance with state and federal law and other DSS/FSD/RSB policies/procedures. Such access is limited to the minimum necessary to accomplish the purpose of any use or disclosures. Staff must protect the privacy of individually identifiable health information, must recognize the importance of such confidentiality provisions, and affirmatively acknowledge those guidelines.
All RSB staff must receive training that includes reading and affirming an understanding of the DSS Administrative Manual on HIPAA (section 5-103) and completing the DSS intranet training.
Volunteers, readers and drivers who work in RSB offices must review the DSS Administrative Manual and the DSS intranet training on HIPAA and sign an acknowledgment that they have reviewed those provisions, just as a regular employee would.
Penalties, Privacy Officer, Complaints and Administrative Requirements
HIPAA provides the following civil and criminal penalties for the misuse of PHI.
Civil Penalties–Civil penalties are $100 per violation, up to $25,000 per person, per year for each violation.
Criminal Penalties – HIPAA creates criminal penalties for knowingly violating an individual’s privacy: These penalties are up to $50,000 and one year in prison for obtaining or disclosing PHI; up to $100,000 and up to five years in prison for obtaining PHI under “false pretenses”; and up to $250,000 and up to ten years in prison for obtaining or disclosing PHI with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.
2. Privacy Officer
DSS has a Privacy Officer to oversee all ongoing activities related to HIPAA compliance. The address for the Privacy Officer is: Division of Legal Services, P. O. Box 1527, Jefferson City, Missouri 65102-1527, (phone: 573-751-3229), (fax: 573-526-1484), (text: 1-800-735-2966), and (voice 1-800-735-2466).
The Division of Family Services also has a privacy officer to address issues and questions that staff may have about HIPAA. The FSD privacy officer works with the DSS privacy officer to maintain departmental privacy efforts.
If an individual believes that RSB and/or its representative is not complying with the requirements of HIPAA, (s)he may file a complaint with one or both of the following:
DSS Complaint Officer; PO Box 1527; Jefferson City, MO 65102-1527
Secretary of the Department of Health and Human Services (DHHS); 200 Independence Avenue, SW; Washington, DC 20201.
The “Health Insurance Portability and Accountability Act Complaint” form will be provided to the complainant by the office where the complaint is lodged. The Complaint Officer will contact the facility from which the complaint originated and complete an investigation within thirty (30) days from the date it is received by the department. Once completed, the Complaint Officer will issue a response letter to the complainant with the determination and any indicated corrective measures. If the complainant is not satisfied with possible resolutions, the Complaint Officer will provide information regarding the process of filing a complaint with Secretary of DHHS.
4. Intimidation or Retaliation
RSB staff may not intimidate, threaten or coerce, discriminate, or take other retaliatory actions against a person for exercising his or her HIPAA rights or for participating in a HIPAA established process.
Staff must lessen any harmful effect that is known to staff of the use or disclosure of PHI that violates the HIPAA privacy provisions. It is DSS policy that staff will take appropriate action to prevent further inappropriate uses or disclosures and pursue any feasible actions to lessen the harmful effects of any such violations. Staff should contact the FSD privacy officer for instructions if mitigation is necessary.
Department of Social Services HIPAA Policy
RSB employees must comply with the DSS HIPAA policy. All employees will receive a copy of this policy and acknowledge such receipt by signing the DSS “Protection of Health Information Policy Acknowledgement” form. The Department of Social Services Administrative Manual, Records and Records Management section provides the departmental policy on HIPAA. Staff may view this section via the DSS Intranet.
Retention/Destruction of Protected Health Information
Documentation recording disclosures of PHI should be retained for a period of six years. Records involved in any open investigation, audit or litigation should not be destroyed/disposed of. If notification is received that any of the above situations have occurred or there is the potential for such, the record retentions shall be suspended for these records until such time as the situation has been resolved.
Destruction/disposal of protected health information will be carried out in accordance with federal and state law and divisional policies. This may include any record of consumer health information, regardless of medium or characteristic that can be retrieved at any time. This includes all original consumer records, documents, papers, letters, billing statements, x-rays, films, cards, photographs, sound and video recordings, microfilm, magnetic tape, electronic media, and other information recording media, regardless of physical form or characteristic, that are generated and/or received in connection with transacting consumer care or business.
Records scheduled for destruction/disposal should be secured against unauthorized or inappropriate access until the destruction/disposal of consumer health information is complete. Health information media must be destroyed/disposed of using a method that ensures the health information cannot be recovered or reconstructed.