Health Insurance Portability and Accountability Act (HIPPA)
This memorandum serves to provide information regarding the federal Health Insurance Portability and Accountability Act (HIPAA) and introduce related necessary policy, procedures, and forms. Children’s Services staff have followed long-standing policies and procedures regarding the confidentiality of certain client information. In addition, we will be observing HIPAA requirements regarding the privacy and protection of personal health information.
HIPAA--Public Law 104-191, enacted in 1996, resulted in the HIPAA Privacy Rule of December 2000. The HIPAA Privacy Rule sets forth privacy standards for the protection of medical records and other personal health information of all individuals. Privacy Standards specifically address:
- How an individual’s health information can be used and should be handled;
- When, and to whom, an individual’s health information may be disclosed; and
- Providing individuals with the right to review and request corrections to their health information.
HIPAA will have a significant impact on how Children’s Services staff manage client health information. It provides greater control to clients of their health information. HIPAA also creates civil and criminal penalties for the mis-management of Protected Health Information (PHI). HIPAA, in its entirety, is a rather complex piece of legislation; however, we have tried to translate its application to Children’s Services in as user friendly a manner as possible. All Children’s Services staff must become familiar with the new requirements, policies, procedures, and forms in order to comply with HIPAA by April 14, 2003.
The attached Child Welfare Manual, Section 5, Chapter 2.7, covers in detail Children’s Services policy regarding HIPAA compliance. However, there are key points, specific practices, timeframes, and new forms that are highlighted as follows:
Protected Health Information (PHI) – Defined as individually identifiable health information that is created or received by a covered entity, such as Children’s Services. This includes information that identifies or may be used to identify the individual, information regarding physical or mental health, and payments for medical care. To be considered PHI, medical information (physical and/or mental health) and a personal identifier must be included. PHI may be transmitted in paper, electronic, or voice format. In the course of service delivery, Children’s Services staff must adhere to HIPAA requirements as well as continue to abide by agency policy and state statute regarding the privacy, confidentiality, and integrity of PHI.
Privacy Notice – Individuals must be formally informed of how PHI is managed by DSS and specifically how staff may use and disclose such information. DSS created the Notice of Privacy Practices Regarding Your Protected Health Information (Exhibit 8
) form for this purpose. Beginning on April 14, 2003, staff must provide a copy of this form to each client they are serving as of April 14, 2003, and thereafter when conducting a CA/N investigation/assessment and at other designated points of time. Offices must post the notice in a clear and prominent location as well as make copies of the notice available to individuals upon their request. An initial supply of the notices will be mailed to each county office prior to April 14, 2003, for local distribution and availability.
Children’s Services Staff Training – All current and future Children’s Services staff are required to receive HIPAA training that is appropriate to their job duties. All Children’s Services staff are required to receive HIPAA Training by April 14, 2003 to comply with federal requirements. In order to accomplish this, Children’s Services Supervisory staff will be responsible for the distribution, review, and discussion of Children’s Services HIPAA policy and procedures with all Children’s Services staff under their supervision. This review and discussion is to include the information contained in this memorandum, the attached Children’s Services Manual Chapter 5, Section 2.7, and the accompanying forms and materials. Upon completion of the training, CS supervisory staff should ensure all staff sign and complete the attached Training Attendance Record (TAR) form (see attached
New employees who are hired after the initial HIPAA training will be given HIPAA information at the local level as part of their On-the-Job Training at the time they begin employment with the agency.
Foster, Relative, Kinship, and Respite family Care Provider Training –
Out-of-home family care providers, as defined by HIPAA policies, are considered an extension of the Children’s Services work force and also must receive HIPAA training no later than April 14, 2003. In order to accomplish this, all current family care providers are being mailed from Central Office a Notice of Privacy Practices Regarding Protected Health Information Regarding Foster Children/Youth and Their Families (see attachedAll new foster parents who are licensed after the initial HIPAA training will receive HIPAA information at the time of initial licensure.
Privacy and Complaint Officers – HIPAA requires that DSS have a Privacy Officer and a Complaint Officer to oversee compliance. The address for both is: Division of Legal Services, PO Box 1527, Jefferson City, MO 65102-1527.
HIPAA requires that Children’s Services (CS) have a Privacy Officer to address issues and questions that may arise. The CS Privacy Officer works in tandem with the DSS Privacy Officer to maintain departmental privacy efforts. Direct questions and necessary forms by fax or mail to: Children’s Services Privacy Officer, Children’s Services Program and Policy Section, PO Box 88, Jefferson City, MO 65103.
Minimum Necessary – Staff at all times must limit PHI to the minimum necessary amount of information to carry out the intended purpose of use, disclosure, or request. In other words, only refer to the least amount of information to achieve the desired outcome.
Use – Staff may find it necessary to share an individual’s PHI within DSS for treatment/services, payment, or other DSS operations. No authorization is required from the client for these purposes. For example, we may “use” PHI to make a decision whether to remove a child who has been suffered severe physical injury without having to obtain any authorizations for the medical information.
Disclose – Staff may need to release, transfer, provide access to, or divulge PHI in any manner to parties outside of DSS. One example, is disclosing information to the court when we are ordered to do so.
Authorization for Disclosure – Usually authorization is only required from the individual when disclosure of their PHI is for non-treatment related purposes. For example, a worker is attempting to obtain an emergency food referral for a mother who is diagnosed with leukemia. The mother’s medical diagnosis would not be disclosed without her authorization as the situation is non-treatment related. The Authorization for Disclosure of Health Information by DSS (Exhibit 2
Accounting of Disclosure – Certain disclosures do not require tracking (e.g., for treatment or payment, to the individual, to the parent of a minor, and disclosures authorized by the individual, etc.); however, certain disclosures do require tracking (e.g., to law enforcement officials as required by law, to GAL’s appointed for a child, or any other instance required by law). Work is in progress to develop an on-line DSS Intranet database for the entry of required disclosure tracking information. Until the database is fully operational, staff will use the PHI Disclosure Tracking Log (Exhibit 6
Right to Request Restriction of Use and Disclosure – Individuals have a right to request specific restrictions on the how PHI contained in case files may be used or to whom and under what circumstances it may be disclosed. Clients must file this request by completing a new Request for Restriction of Health Information (Exhibit 3
Right to Request Amendment – Individuals have the right to request amendment or correction of PHI contained in case files. Clients must file this request by completing the Request for Amendment/Correction of Protected Health Information (Exhibit 5
Right to Access – Individuals have a right to access and copy the PHI held by DSS as well as a parent of a minor, and/or their personal representative or legal guardian. Staff must continue to verify the requestor’s identity and authority to obtain PHI prior to proceeding with the request. The requestor must complete the Individual’s Request for Access to Protected Health Information (Exhibit 4
Complaint Process – Individuals may file a complaint if they believe that Children’s Services is not complying with HIPAA requirements. In order to file a complaint, the individual must complete a Health Insurance Portability and Accountability Act Complaint (Exhibit 9
Retention/Destruction of PHI – Specific guidelines are set forth regarding the retention and destruction of PHI; records of PHI disclosures must be maintained for six years forward from April 14, 2003.
Staff Access to PHI and Confidentiality Agreement – Staff are granted access to PHI in accordance with state and federal law and other DSS/Children’s Services policies/procedures. Such access is limited to the minimum necessary to accomplish the purpose of any use or disclosure. Staff must protect the privacy of individually identifiable health information, must recognize the importance of such confidentiality provisions, and affirmatively acknowledge those guidelines.
Penalties and Other Restrictions – HIPAA provides for civil penalties from $100 to $25,000 and in the case of knowingly violating an individual’s privacy, criminal penalties from $50,000 to $250,000 and prison sentence for up to ten years.
HIPAA prohibits staff from intimidating, threatening or coercing, discriminating, or taking any retaliatory actions against persons who exercise their HIPAA rights or for participating in a HIPAA established process.
A decision has been made that Children’s Services will not create separate forms, but rather use those forms developed by DSS. Copies of the DSS forms referenced in this memorandum and accompanying material may not be available by April 14, 2003. If this occurs, please copy the attached DSS forms as needed.
It is expected that all Children’s Services staff adhere closely to HIPAA requirements and the privacy and protection of personal health information. We appreciate everyone’s commitment and participation in meeting these standards of practice for the benefit of those whom we serve.
- Review this memorandum and accompanying materials with all Children’s
Service staff.
- Accomplish HIPAA Training of all Children’s Services staff by April
14, 2003, through review and discussion of Children’s Services HIPAA policy,
procedures, forms, and related materials.
- Ensure that staff sign and complete the Training Attendance Record (TAR)
form and that the TAR is faxed to Jeff Adams (314/416-2932).
- Receive TAR forms from foster, relative, and respite family care providers
and enter provider training information locally in the SS-60B system.
- Retain this copy until you receive the new Children’s Services Child
Welfare Manual. This information will be included in Section 5, Chapter 2.
- All comments and questions regarding this subject should be directed through
normal supervisory channels.
DC/VG
- HIPPA Letter From Denise Cross
- HIPPA Information for Foster Parents
- HIPPA Training Attendance Record
- Exhibit 2 - Authorization for Disclosure of Health Information by DSS
- Exhibit 3 - Request for Restriction of Health Information
- Exhibit 4 - Individual’s Request for Access to Protected Health Information
- Exhibit 5 - Request for Amendment/Correction of Protected Health Information
- Exhibit 6 - PHI Disclosure Tracking Log
- Exhibit 7 - Request for an Accounting of Disclosures
- Exhibit 8 - Notice of Privacy Practices Regarding Your Protected Health Information
- Exhibit 9 - Health Insurance Portability and Accountability Act Complaint
- Link to - Children’s Services Manual Chapter 5, Section 2.7
Note: The information below is in acrobat pdf format unless otherwise noted.