100-8 HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
The purpose of the Privacy Rule is to establish minimum Federal standards for safeguarding the privacy of individually identifiable health information. Covered entities, which must comply with the Rule, are health plans, health care clearinghouses, and certain health care providers. Public Assistance must comply with the Privacy Rules because it is a division of the Department of Health and as such is part of the DOH Covered Entity.
Covered entities may not use or disclose protected health information except as permitted or required under the provisions of the Privacy Rule.
The Rule also confers certain rights on individuals, including rights to access and amend certain health information and to obtain a record of when and how their protected health information has been shared with others for certain purposes. In addition, the Rule establishes administrative requirements for covered entities.
Covered entities that fail to comply with the Privacy Rule may be subject to civil monetary penalties, criminal monetary penalties, and/or imprisonment.
100-8 A. PROTECTED HEALTH INFORMATION
Protected Health Information (PHI) is individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form.
PHI excludes education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g, records described at 20 U.S.C. 1232g(a)(4)(B)(iv), and employment records held by a covered entity in its role as employer.
Health Information - Any information, whether oral or recorded in any form, that:
Individually Identifiable Health Information - Information that:
HIPAA Identifiers
HIPAA lists 18 identifiers, any of which when combined with health information makes it Protected Health Information. PHI = health information + identifiers.
PHI contains any or all of the following identifiers:
**A code is an identifier if the person holding the coded data can re-identify the individual (i.e., if the code is linked to an individual and the person has access to the master list).
Possible Sources of PHI (Patient Health Information)
This is not an exhaustive list:
DPA is required to give individuals a Notice of Privacy Practices explaining their rights under HIPAA. The notice is automatically sent to all Medicaid and CAMA applicants when benefits are authorized. In addition, EIS sends a Privacy Notice to all Medicaid and CAMA recipients at least once every three years. An electronic version of this privacy notice is also available at http://health.alaska.gov/fms/Documents/DOH-Notice-of-Privacy-Practices.pdf.
100-8 C. AUTHORIZATION FOR RELEASE OF PROTECTED HEALTH INFORMATION FORM GEN 150
In the administration of its programs, DPA gathers and discloses medical and mental health information. To ensure compliance with HIPAA requirements, DPA designed a specific Authorization for Release of Protected Health Information form (GEN 150).
This form must be used when gathering or disclosing information from/to health care providers. A separate form must be used for each provider and must identify the specific information requested.
A copy of the signed authorization must be kept in the client's case file, and a copy given to the client.
100-8 D. GATHERING MEDICAL INFORMATION
A signed GEN 150 form must accompany each of the following forms when requesting information from health care providers:
100-8 E. DISCLOSING MEDICAL INFORMATION
Health information may be shared between the Division and its contractors and grantees when it is necessary for the administration of our programs or the delivery of services to clients. For example, if a case manager receives medical information on a TA 10, they may share that information with the eligibility worker to ensure that a work activity exemption is properly coded. A separate authorization is not needed for this exchange since contractors and grantees are agents of the Division.
However, any disclosure or exchange of medical information outside the Division requires a signed authorization from the client. For example, if a client is referred to the Division of Vocational Rehabilitation for services, a completed Authorization for Release of Protected Health Information (06-5870) is needed before disclosing any medical information regarding the reason for the referral.
An individual may revoke an authorization at any time by completing the Revocation Section on the back of the authorization form. Any exchanges of medical information made before the authorization is revoked are not affected by the revocation.
100-8 G. ASSISTING AN INDIVIDUAL IN FILING A HIPAA COMPLAINT
Individuals who are concerned that DPA has violated HIPAA or Privacy Policies and Procedures may file an incident report with the Division HIPAA Privacy Officer. The policy and its accompanying procedures are based on the obligation of the Department under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and its implementing regulations to protect the privacy and security of protected health information. DHSS Policy 722 states that, "No individual, including members of DHSS's workforce, may be subjected to intimidation, threats, coercion, or other retaliatory action for bringing a complaint of a HIPAA violation."
Instructions for assisting an individual in filing a HIPAA complaint:
100-8 H. BREACH OR SUSPECTED BREACH OF CONFIDENTIAL INFORMATION
If a DPA employee becomes aware of a compromise of PHI, ePHI, or confidential information, a breach, a violation of the Department's HIPAA policy, or receives a complaint regarding HIPAA or other confidentiality issues, the employee will report the incident to the DPA HIPAA Privacy Officer at hss.dpadost@alaska.gov.
Under the Memorandum of Agreement (MOA) with the Social Security Administration (SSA), DPA staff must properly safeguard Personal Identifying Information (PII) and Personal Health Information (PHI) furnished by SSA from loss, theft, or inadvertent disclosure. When DPA staff and/or contractors/agents working under the MOA become aware of a possible or suspected loss of PII, they will report it immediately to DOST. DOST will notify and work with DPA Policy & Program Development. DPA Policy & Program Development will notify Disability Determination Services (DDS) management of the breach or suspected breach of confidential information. DDS will provide updates and information to SSA regarding the loss of PII, as needed.
100-8 I. SENDING ELECTRONIC INFORMATION
In order to ensure that HIPAA Protected Health Information is transferred securely, DPA uses Direct Secure Messaging (DSM).
Exception:
Information about clients may also be exchanged between DPA and non-DPA Work Services contractors (e.g., Nine Star, Alaska Family Services, Center for Community, etc.). However, the client must only be identified in the email by their first name, last name's initial, and client ID. In the event that an ET or non-DPA Work Services case manager needs to send or attach information that contains other personal information as noted above (e.g., paystubs, birth records, etc.), the information or document must be sent by fax.
There are two primary laws involved with your use of electronic messaging: HIPAA and APIPA.
APIPA – Personal Information
You may send personal information by email to other alaska.gov email addresses, but not to non-alaska.gov email addresses. "Personal information" is defined to include information on an individual, that is not encrypted, that consists of the individual's name and one or more of several other pieces of information, including a social security number, driver's license number, bank account number, password, or other access codes.
Exception:
Information about clients may also be exchanged between DPA and non-DPA Work Services contractors (e.g., Nine Star, Alaska Family Services, Center for Community, etc.). However, the client must only be identified in the email by their first name, last name's initial, and client ID. In the event that an ET or non-DPA Work Services case manager needs to send or attach information that contains other personal information as noted above (e.g., paystubs, birth records, etc.), the information or document must still be sent by fax.
HR records that contain medical information (such as FMLA/AFLA paperwork, ADA paperwork, or workers compensation paperwork) may be sent using the regular state email system to other state employees. There is an exemption in the definition of protected health information (see below) that allows DPA to process this information in such a manner as described in 45 CFR 160.103.
100-8 J. HIPAA PRIVACY OFFICERS
Department of Health:
Tara Heafer
907-269-0076
privacyofficial@alaska.gov