100-8          HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)

 

The purpose of the Privacy Rule is to establish minimum Federal standards for safeguarding the privacy of individually identifiable health information. Covered entities, which must comply with the Rule, are health plans, health care clearinghouses, and certain health care providers. Public Assistance must comply with the Privacy Rules because it is a division of the Department of Health and as such is part of the DOH Covered Entity.

 

Covered entities may not use or disclose protected health information except as permitted or required under the provisions of the Privacy Rule.

 

The Rule also confers certain rights on individuals, including rights to access and amend certain health information and to obtain a record of when and how their protected health information has been shared with others for certain purposes. In addition, the Rule establishes administrative requirements for covered entities.

 

Covered entities that fail to comply with the Privacy Rule may be subject to civil monetary penalties, criminal monetary penalties, and/or imprisonment.

 

100-8 A.      PROTECTED HEALTH INFORMATION

 

Protected Health Information (PHI) is individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form.

 

PHI excludes education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g, records described at 20 U.S.C. 1232g(a)(4)(B)(iv), and employment records held by a covered entity in its role as employer.

 

Health Information - Any information, whether oral or recorded in any form, that:

 

  1. is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
  2. relates to the past, present, or future physical or mental health or condition of an individual; or the past, present, or future payment for the provision of health care to an individual.

 

Individually Identifiable Health Information - Information that:

 

  1. is a subset of health information, including demographic information collected from an individual, and
  2. is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
  3. relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
    1. that identifies the individual; or
    2. with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

 

HIPAA Identifiers

 

HIPAA lists 18 identifiers, any of which when combined with health information makes it Protected Health Information. PHI = health information + identifiers.

 

PHI contains any or all of the following identifiers:

 

 

**A code is an identifier if the person holding the coded data can re-identify the individual (i.e., if the code is linked to an individual and the person has access to the master list).

 

Possible Sources of PHI (Patient Health Information)

 

This is not an exhaustive list:

 

 

100-8 B.      PRIVACY NOTICE

 

DPA is required to give individuals a Notice of Privacy Practices explaining their rights under HIPAA. The notice is automatically sent to all Medicaid and CAMA (Chronic and Acute Medical Assistance) applicants when benefits are authorized. In addition, EIS (Eligibility Information System) sends a Privacy Notice to all Medicaid and CAMA recipients at least once every three years. An electronic version of this privacy notice is also available at http://health.alaska.gov/fms/Documents/DOH-Notice-of-Privacy-Practices.pdf.

 

100-8 C.      AUTHORIZATION FOR RELEASE OF PROTECTED HEALTH INFORMATION FORM GEN 150

 

In the administration of its programs, DPA gathers and discloses medical and mental health information. To ensure compliance with HIPAA requirements, DPA designed a specific Authorization for Release of Protected Health Information form (GEN 150).

 

This form must be used when gathering or disclosing information from/to health care providers. A separate form must be used for each provider and must identify the specific information requested.

 

A copy of the signed authorization must be kept in the client's case file, and a copy given to the client.

 

100-8 D.      GATHERING MEDICAL INFORMATION

 

A signed GEN 150 (Authorization for Release of Protected Health Information) form must accompany each of the following forms when requesting information from health care providers:

 

 

100-8 E.      DISCLOSING MEDICAL INFORMATION

 

Health information may be shared between the Division and its contractors and grantees when it is necessary for the administration of our programs or the delivery of services to clients. For example, if a case manager receives medical information on a TA 10 (Health Status Report Form), they may share that information with the eligibility worker to ensure that a work activity exemption is properly coded. A separate authorization is not needed for this exchange since contractors and grantees are agents of the Division.

 

However, any disclosure or exchange of medical information outside the Division requires a signed authorization from the client. For example, if a client is referred to the Division of Vocational Rehabilitation for services, a completed Authorization for Release of Protected Health Information (06-5870) is needed before disclosing any medical information regarding the reason for the referral.

 

100-8 F.      REVOCATION

 

An individual may revoke an authorization at any time by completing the Revocation Section on the back of the authorization form. Any exchanges of medical information made before the authorization is revoked are not affected by the revocation.

 

100-8 G.      ASSISTING AN INDIVIDUAL IN FILING A HIPAA COMPLAINT

 

Individuals who are concerned that DPA has violated HIPAA or Privacy Policies and Procedures may file an incident report with the Division HIPAA Privacy Officer. The policy and its accompanying procedures are based on the obligation of the Department under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and its implementing regulations to protect the privacy and security of protected health information. DHSS Policy 722 states that, "No individual, including members of DHSS's workforce, may be subjected to intimidation, threats, coercion, or other retaliatory action for bringing a complaint of a HIPAA violation."

 

Instructions for assisting an individual in filing a HIPAA complaint:

 

  1. Have the individual with the complaint fill out the Health Information Complaint form and submit it to DOST (Division Operations Support Team).
  2. DPA HIPAA Privacy Officer will timely and thoroughly investigate all complaints and shall consult with the Department Privacy Officer regarding investigations as needed.
  3. A response to a complaint must include notifying the complainant of the results of the investigation and final action, if any, to be taken in response to the complaint.

 

100-8 H.      BREACH OR SUSPECTED BREACH OF CONFIDENTIAL INFORMATION

 

If a DPA employee becomes aware of a compromise of PHI, ePHI (Electronic Protected Health Information), or confidential information, a breach, a violation of the Department's HIPAA policy, or receives a complaint regarding HIPAA or other confidentiality issues, the employee will report the incident to the DPA HIPAA Privacy Officer at hss.dpadost@alaska.gov.

 

Under the Memorandum of Agreement (MOA) with Social Security Administration (SSA), DPA staff must properly safeguard Personal Identifying Information (PII) and Personal Health Information (PHI) furnished by SSA from loss, theft, or inadvertent disclosure. When DPA staff and/or contractors/agents working under the MOA become aware of possible or suspected loss of PII, they will report immediately to DOST. DOST will notify and work with DPA Policy & Program Development. DPA Policy & Program Development will notify Disability Determination Services (DDS) management of the breach or suspected breach of confidential information. DDS will provide updates and information to SSA regarding the loss of PII, as needed.

 

100-8 I.      SENDING ELECTRONIC INFORMATION

 

In order to ensure that HIPAA Protected Health Information is transferred securely, DPA uses Direct Secure Messaging (DSM).

 

  1. You must use DSM to email or transfer documents that contain PHI. Do not use Outlook email to send PHI.
  2. It is permissible to send documents and messages that do not contain PHI but contain confidential Personal Identifiable Information (PII) to people within the state wide area network (WAN) who have a business need to see the information. This means the information may be sent by email to addresses that end with alaska.gov.
  3. If PII needs to be sent outside of the WAN or to a non-alaska.gov address, DSM should be used. Regular email outside of the WAN is not secure.

 

Exception:

Information about clients may also be exchanged between DPA and non-DPA Work Services contractors (e.g., Nine Star, Alaska Family Services, Center for Community, etc.). However, the client must only be identified in the email by their first name, last name's initial, and client ID. In the event that an ET (Eligibility Technician) or non-DPA Work Services case manager needs to send or attach information that contains other personal information as noted above (i.e., paystubs, birth records, etc.), the information or document must be sent by fax.

 

  1. If the confidential information is not protected health information, you do not need to use DSM. You can send it using Outlook to other alaska.gov addresses within the state network.
  2. The rule of thumb is: if you are dealing with electronic Protected Health Information (ePHI), you must use DSM. Never use email to send Protected Health Information.

 

There are two primary laws involved with your use of electronic messaging: HIPAA and APIPA (Alaska Personal Information Protection Act).

 

  1. HIPAA is the federal regulation that governs ePHI, which is further defined at: http://health.alaska.gov/dhcs/Pages/hipaa/default.aspx
  2. APIPA is the Alaskan State regulation that governs Personal Identifiable Information. This is further defined at: http://law.alaska.gov/department/civil/consumer/4548.html.

 

APIPA – Personal Information

You may send personal information by email to other alaska.gov email addresses, but not to non-alaska.gov email addresses. "Personal information" is defined to include information on an individual, that is not encrypted, that consists of the individual's name and one or more of several other pieces of information, including a social security number, driver's license number, bank account number, password, or other access codes.

 

Exception:

Information about clients may also be exchanged between DPA and non-DPA Work Services contractors (e.g., Nine Star, Alaska Family Services, Center for Community, etc.). However, the client must only be identified in the email by their first name, last name's initial, and client ID. In the event that an ET or non-DPA Work Services case manager needs to send or attach information that contains other personal information as noted above (i.e., paystubs, birth records, etc.), the information or document must still be sent by fax.

 

HR records that contain medical information (such as FMLA/AFLA paperwork, ADA paperwork, or workers compensation paperwork) may be sent using the regular state email system to other state employees. There is an exemption in the definition of protected health information (see below) that allows DPA to process this information in such a manner as described in 45 CFR 160.103.

 

100-8 J.      HIPAA PRIVACY OFFICERS

 

  1. Division of Public Assistance:
    Division Operations Support Team (DOST)
    hss.dpadost@alaska.gov

 

  1. Department of Health:
    Tara Heafer
    907-269-0076
    privacyofficial@alaska.gov

 

 


   

2023-02 (09/23)