M E M O R A N D U M

IM-50 03/31/03 HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT MANUAL REVISION #14 AND FORMS MANUAL REVISION #6


SUBJECT:
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT MANUAL REVISION #14 AND FORMS MANUAL REVISION #6
DISCUSSION:
The Division of Family Services follows various confidentiality provisions that restrict the disclosure of client information.  Staff should be familiar with these long-standing confidentiality requirements.  In addition to these protections, the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes nationwide standards for the protection of personal health information.

HIPAA will have a significant impact on how all DFS employees handle client, medical information.  It provides individuals greater control over the use of their medical information.  HIPAA also creates civil and criminal penalties for the misuse of protected health information.  All staff must become familiar with the new mandates and procedures in order to comply with HIPAA effective April 14, 2003.  The following summarizes the major points, notifies staff of a new computer screen, and announces new forms. 

Protected Health Information (PHI)

PHI refers to any individually identifiable health information.  This includes information that identifies or can be used to identify the individual, information about physical or mental health, and payments for medical care.  To be PHI, it must include medical information and a personal identifier.  PHI can be in a paper format, electronic medium or transmitted by voice.

Privacy Notices

Individuals have a right to receive a notice that explains how staff may use and disclose PHI.  The Department of Social Services (DSS) developed the "Notice of Privacy Practices Regarding Your Protected Health Information" form for this purpose.  Beginning on April 14, 2003, provide the notice to each applicant and whenever a client requests the form.  Offices must post the notice in a clear and prominent location.  Offices must also make the notice available so individuals can request and obtain the form.

Minimum Necessary

Staff must take reasonable efforts to limit PHI to the minimum necessary to carry out the intended purpose of use, disclosure or request.  For example, giving the pharmacy the client's Medicaid number and eligibility dates is the minimum amount of information necessary for the intended purpose.  In this example, it would be inappropriate to share further information about the client's medical condition with the pharmacy.

Uses, Disclosures and Authorizations

Continue to get the client's signed authorization for the release of medical information from medical providers. How staff uses or discloses PHI determines whether further authorization from the client is needed.

1.   Medicaid Eligibility Purposes

Use or disclose PHI for the purpose of treatment, payment or health care operations without requiring further authorization from the client. Determining Medicaid eligibility falls within treatment, payment or health care operations. Examples include establishing disability, pregnancy, blindness, need for emergency care (Medicaid for illegal aliens), medical insurance premiums, incurred medical expenses, and uninsured status for the MC+ under the Children's Health Initiative or the Breast Cervical Cancer Treatment Medical Assistance Program.

2.   Non-Medicaid Purposes

No further authorization is required from the client if staff uses the PHI to determine eligibility for a DSS program.  Examples include, using medical records to determine a Temporary Assistance or Food Stamp claimant's disability or to establish a child's special needs for Child Care. 

3.  Other Uses and Disclosures 

Staff may use and disclose PHI without authorization in certain cases.  In general, these cases involve specified purposes to certain government agencies, law enforcement officials, and courts activities. For example, no authorization is necessary if staff shares the minimum necessary amount of information with the Department of Health and Senior Services or the Department of Mental Health regarding a client's eligibility for a Home and Community Based Waiver program.  If staff needs to release PHI and the disclosure is not covered by an exemption, get a signed and completed "DSS Authorization for Disclosure of Health Information" form from the client. 

Accounting for Disclosures of Protected Health Information

Releases of PHI by paper, faxes, electronic transmissions, and verbal conversations may be subject to certain tracking or record keeping requirements, and other procedures.  If the disclosure is NOT for Medicaid purposes or covered by some other exemption, staff MUST record information about the disclosure. 

Work is in progress to develop a computer screen that staff can use to record the disclosures. The computer screen will be on the DSS intranet.  Until it becomes available for updating, use the DSS PHI Disclosure Tracking Log paper form.

Clients have the right to request an accounting of PHI disclosures that are subject to the mandatory tracking.  If a client requests an accounting, the individual completes the DSS Request for An Accounting of Disclosures form.  Send the client's completed and signed request to the Department of Social Services Privacy Officer for decision.

Right to Request a Restriction of the Use and Disclosure of PHI

An individual can request specific restrictions on the use or disclosure of PHI by completing the DSS Request for Restriction of Information form.  Staff forwards the form to the DFS Privacy Officer for decision.

Right to Request an Amendment of PHI

Individuals may request an amendment or correction of the health records if they believe the health records are incomplete or incorrect.  Clients must complete the DSS Request for Amendment/Correction of Protected Health Information form.  Staff can amend the records if appropriate.  If staff recommends the denial of the request, forward the request to the DFS privacy officer for decision.

Client's Right to Access Their Health Information on File in DFS Records

Clients must complete the DSS Request for Individual's Access to Protected Health Information form to request access. Provide access unless the records are psychotherapy notes or meet some other restriction.  If the PHI is psychotherapy notes or meets another restriction, forward the request to DFS privacy officer for decision. 

Who May Exercise Privacy Rights and Personal Representatives

Claimants usually exercise their own privacy rights e.g., signing authorizations or requests.  Some individuals may not be capable of applying their privacy rights. 
HIPAA provides guidance on who can represent the client. 

Verifying the Identity and the Authority of the Requestor 

Staff must not improperly release PHI.  Continue to verify the requestor's identity and authority to obtain the PHI before releasing the information. 

Staff Access to Protected Health Information and Training

Staff must protect the privacy of individually identifiable health information, must recognize the importance of such confidentiality provisions, and affirmatively acknowledge those guidelines.  All current and future DFS employees must receive training that is appropriate to their job duties to include reading and affirming an understanding of the DSS Administrative Manual on HIPAA and the DSS training on HIPAA.  Caseworkers, case managers, and their supervisors must take additional training in a Take 45 group meeting. 

Volunteers who work in DFS offices must review the DSS Administrative Manual and the DSS training on HIPAA and sign an acknowledgement that they have reviewed those provisions, just as a regular employee would.

Penalties and Other Restrictions

HIPAA provides for civil penalties from $100 up to $25,000 and in the case of knowingly violating an individual's privacy, criminal penalties from $50,000 up to $250,000 and time in prison from one year up to ten years. 

HIPAA prohibits staff from intimating, threatening or coercing, discriminating, or taking other retaliatory actions against persons who exercise their HIPAA rights or for participating in a HIPAA established process.  Offices must lessen any harmful effect that is known to staff of the use or disclosure of PHI that violates the HIPAA privacy provisions.  It is DSS policy that staff will take appropriate action to prevent further inappropriate uses of disclosures and pursue any feasible actions to lessen the harmful effects of any such violations. 

Complaints and Privacy Officers

HIPAA requires that DSS have a complaint official to handle complaints and a privacy officer to oversee compliance. The address for both officials is: Division of Legal Services, P.O. Box 1527, Jefferson City, Missouri 65102-1527, (phone: 573-751-3229), (fax: 573-526-1484), (text: 1-800-735-2966), (voice: 1-800-735-2466).  Individuals can also file complaints with the United States Department of Health and Human Services or the United States Office of Civil Rights. 

DFS will also have a privacy officer to address issues and questions that staff may have.  The DFS privacy officer works with the DSS privacy officer to maintain departmental privacy efforts.  Send forms and questions to State Office, Income Maintenance Program and Policy, Attention: IM Privacy Officer, P. O. Box 88, Jefferson City, Missouri 65103.

Other

The confidentiality and complaints sections from Chapter X are moved to the on-line manual under 0130.000.00, Legal Aspects.  The HIPAA policy is under the Legal Aspects section.

The Department of Social Services Administrative Manual, Records and Records Management, section provides the departmental policy on HIPAA.  Staff may access it through the DSS intranet. 

An initial supply of the privacy notice is being distributed.  A supply of the DSS forms may not be available by April 14.  If this occurs, copy the DSS forms as needed.
 

NECESSARY ACTION:
  •  Discuss this memorandum with staff.
  • Comply with the HIPAA instructions effective April 14, 2003.
  • Take the required training.
  • File the DSS HIPAA forms in the Forms Manual.
  • Copy forms as needed.
  • Stop using the paper tracking form when the computer screen becomes available.
ATTACHMENTS:

DC/LW
DISTRIBUTION #6


IM-49
[ 2003 Memorandums ]
IM-51