100-8         HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)

The purpose of the Privacy Rule is to establish minimum Federal standards for safeguarding the privacy of individually identifiable health information. Covered entities, which must comply with the Rule, are health plans, health care clearinghouses, and certain health care providers. Public Assistance must comply with the Privacy Rule because it is a division of the Department of Health and Social Services and as such is part of the DHSS Covered Entity.

Covered entities may not use or disclose protected health information except as permitted or required under the provisions of the Privacy Rule.

The Rule also confers certain rights on individuals, including rights to access and amend certain health information and to obtain a record of when and how their protected health information has been shared with others for certain purposes. In addition, the Rule establishes administrative requirements for covered entities.

Covered entities that fail to comply with the Privacy Rule may be subject to civil monetary penalties, criminal monetary penalties, and/or imprisonment.

100-8 A.     PROTECTED HEALTH INFORMATION

Protected Health Information (PHI) is individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form.

PHI excludes education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g, records described at 20 U.S.C. 1232g(a)(4)(B)(iv), and employment records held by a covered entity in its role as employer.

Health Information - Any information, whether oral or recorded in any form, that:

  1. is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

  2. relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.


Individually Identifiable Health Information - Information that:

  1. is a subset of health information, including demographic information collected from an individual, and

  2. is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

  3. relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

     (i) that identifies the individual; or

     (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

HIPAA Identifiers

HIPAA lists 18 identifiers, any of which when combined with health information makes it Protected Health Information. PHI = health information + identifiers.

PHI contains any or all of the following identifiers:

**A code is an identifier if the person holding the coded data can re-identify the individual (i.e., if the code is linked to an individual and the person has access to the master list).

Possible Sources of PHI (Patient Health Information)

This is not an exhaustive list:

  • Billing records
  • Hospital/medical records (inpatient and outpatient)
  • Lab, pathology and/or radiology results
  • Mental health records
  • Physician/clinic records
  • PHI previously collected for research purposes
  • Questionnaires/interviews
  • MRI scans, x-rays, etc.

100-8 B.     PRIVACY NOTICE

DPA is required to give individuals a Notice of Privacy Practices explaining their rights under HIPAA. The notice is automatically sent to all Medicaid and CAMA applicants when benefits are authorized. In addition, EIS sends a Privacy Notice to all Medicaid and CAMA recipients at least once every three years. An electronic version of this privacy notice is also available at http://dhss.alaska.gov/Documents/Pdfs/DHSS_Notice_of_Privacy_Practices.pdf.

100-8 C.     AUTHORIZATION FOR RELEASE OF PROTECTED HEALTH INFORMATION FORM GEN 150

In the administration of its programs, DPA gathers and discloses medical and mental health information. To ensure compliance with HIPAA requirements, DPA designed a specific Authorization for Release of Protected Health Information form (Gen 150).

This form must be used when gathering or disclosing information from/to health care providers. A separate form must be used for each provider and must identify the specific information requested.

A copy of the signed authorization must be kept in the client’s case file, and a copy given to the client.

100-8 D.     GATHERING MEDICAL INFORMATION

A signed GEN 150 form must accompany each of the following forms when requesting information from health care providers:

  • Health Status Report Form (TA10)
  • Preliminary Examination for Interim Assistance (AD 2)
  • Certification of Medical Status (MED 11)
  • Long Term Care Programs (MED 12)
  • Children Entering Institutional Treatment (MED 18)

100-8 E.     DISCLOSING MEDICAL INFORMATION

Health information may be shared between the Division and its contractors and grantees when it is necessary for the administration of our programs or the delivery of services to clients. For example, if a case manager receives medical information on a TA 10, they may share that information with the eligibility worker to ensure that a work activity exemption is properly coded. A separate authorization is not needed for this exchange since contractors and grantees are agents of the Division.

However, any disclosure or exchange of medical information outside the Division requires a signed authorization from the client. For example, if a client is referred to the Division of Vocational Rehabilitation for services, a completed Authorization for Release of Protected Health Information (06-5870) is needed before disclosing any medical information regarding the reason for the referral.

100-8 F.     REVOCATION

An individual may revoke an authorization at any time by completing the Revocation Section on the back of the authorization form. Any exchanges of medical information made before the authorization is revoked are not affected by the revocation.

100-8 G.     ASSISTING AN INDIVIDUAL IN FILING A HIPAA COMPLAINT

Individuals who are concerned that DPA has violated HIPAA or Privacy Policies and Procedures may file an incident report with the Privacy Officer. The policy and its accompanying procedures are based on the obligation of the Department under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and its implementing regulations to protect the privacy and security of protected health information. DHSS Policy 722 states that, “No individual, including members of DHSS’s workforce, may be subjected to intimidation, threats, coercion, or other retaliatory action for bringing a complaint of a HIPAA violation.”

Instructions for assisting an individual in filing a HIPAA complaint:

  1. Have the individual with the complaint fill out the DHSS Complaint form and submit it to the office manager. The office manager will forward the complaint form to the DPA Privacy Officer. The DPA Privacy Officer will contact the Department Privacy Officer. The Department Privacy Officer will work with the DPA Privacy Officer, who will coordinate with the DPA office manager to resolve the complaint. Refer to MS100-8J for the names of the Division and Department Privacy Officers.

  2. The Health Information Privacy Complaint Form is available under this link:

     http://in.dhss.ak.local/hipaa/docs/Forms/Health%20Information%20Privacy%20Complaint%20Form%20(06-5898)%2012-03.pdf

  3. Supervisors will timely and thoroughly investigate all complaints and shall consult with the Division or Department Privacy Officer regarding all investigations.

  4. A response to a complaint must include notifying the complainant of the results of the investigation and final action, if any, to be taken in response to the complaint.

100-8 H.     BREACH OR SUSPECTED BREACH OF CONFIDENTIAL INFORMATION

If a DPA employee becomes aware of a compromise of PHI, ePHI, or confidential information, a breach, or a violation of the Department's HIPAA policy, or receives a complaint regarding HIPAA or other confidentiality issues, the employee will report the incident to their supervisor, and the supervisor will contact DPA Policy & Program Development at dpapolicy@alaska.gov.

Under the Memorandum of Agreement (MOA) with the Social Security Administration (SSA), DPA staff must properly safeguard Personal Identifying Information (PII) and Personal Health Information (PHI) furnished by SSA from loss, theft, or inadvertent disclosure. When DPA staff and/or contractors/agents working under the MOA become aware of possible or suspected loss of PII, they will report immediately to DPA Policy & Program Development. DPA Policy & Program Development will notify Disability Determination Services (DDS) management of the breach or suspected breach of confidential information. DDS will provide updates and information to SSA regarding the loss of PII, as needed.

100-8 I.     SENDING ELECTRONIC INFORMATION

In order to ensure that HIPAA Protected Health Information is transferred securely, DPA uses Direct Secure Messaging (DSM).

1. You must use DSM to email or transfer documents that contain PHI. Do not use Outlook email to send PHI.

2. It is permissible to send documents and messages that do not contain PHI but contain confidential Personal Identifiable Information (PII) to people within the state wide area network (WAN) who have a business need to see the information. This means the information may be sent by email to addresses that end with alaska.gov.

3. If PII needs to be sent outside of the WAN or to a non-alaska.gov address, DSM should be used. Regular email outside of the WAN is not secure.

Exception:

Information about clients may also be exchanged between DPA and non-DPA Work Services contractors (e.g., NineStar, Alaska Family Services, Center for Community, etc.). However, the client must only be identified in the email by their first name, last name’s initial, and client ID. In the event that an ET or non-DPA Work Services case manager needs to send or attach information that contains other personal information as noted above (e.g., paystubs, birth records, etc.), the information or document must be sent by fax.

If the confidential information is not protected health information, you do not need to use DSM. You can send it using Outlook to other alaska.gov addresses within the state network.

The rule of thumb is: if you are dealing with electronic Protected Health Information (ePHI) you must use DSM. Never use email to send Protected Health Information.

There are two primary laws involved with your use of electronic messaging: HIPAA and APIPA.

  1. HIPAA is the federal regulation that governs ePHI, which is further defined at: http://dhss.alaska.gov/dhcs/Pages/hipaa/default.aspx.

  2. APIPA is the Alaska state regulation that governs Personal Identifiable Information. This is further defined at: http://law.alaska.gov/department/civil/consumer/4548.html.

APIPA – Personal Information

You may send personal information by email to other alaska.gov email addresses, but not to non-alaska.gov email addresses. "Personal information" is defined to include information on an individual, that is not encrypted, that consists of the individual's name and one or more of several other pieces of information, including a social security number, driver's license number, bank account number, password, or other access codes.

Exception:

Information about clients may also be exchanged between DPA and non-DPA Work Services contractors (e.g., NineStar, Alaska Family Services, Center for Community, etc.). However, the client must only be identified in the email by their first name, last name’s initial, and client ID. In the event that an ET or non-DPA Work Services case manager needs to send or attach information that contains other personal information as noted above (e.g., paystubs, birth records, etc.), the information or document must still be sent by fax.

HR records that contain medical information (such as FMLA/AFLA paperwork, ADA paperwork, or workers compensation paperwork) may be sent using the regular state email system to other state employees. There is an exemption in the definition of protected health information (see below) that allows DPA to process this information in the manner described in 45 CFR 160.103.

100-8 J.     HIPAA PRIVACY OFFICERS

  1. Division of Public Assistance:
     Tracie Dablemont
     907-269-7873
     Tracie.dablemont@alaska.gov

  2. Department of Health & Social Services:
     Claudia Cook
     907-465-4734
     Claudia.cook@alaska.gov


2020-03 (12/20)