100-8 HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
The Health Insurance Portability and Accountability Act provides individuals with certain rights about how their health care information is used and disclosed. HIPAA:
Allows individuals to find out how their health information is used, and what health information is disclosed outside of DHSS.
Limits the release of information to the minimum amount necessary for the purpose of the disclosure.
Allows individuals to examine and obtain a copy of their health information and to request corrections to that information.
HIPAA also requires DPA to ensure the confidentiality and security of an individual’s health care information.
Please contact the DPA Privacy Official at 465-3347 or the DHSS Privacy Official at (907) 465-4722 with any concerns or questions you have regarding information privacy, security or access.
100-8 A. PROTECTED HEALTH INFORMATION
Information that is protected by HIPAA includes any information about an individual’s medical or mental health condition. It also includes all information related to health care eligibility, claims, and billing and payment information.
DPA is required to give individuals a Notice of Privacy Practices explaining their rights under HIPAA. The notice is automatically sent to all Medicaid and CAMA applicants when benefits are authorized. In addition, EIS sends a Privacy Notice to all Medicaid and CAMA recipients at least once every three years. An electronic version of this privacy notice is also available at http://health.hss.state.ak.us/das/is/hipaa/pdfs/privatehealthcareinfo.pdf
100-8 C. AUTHORIZATION FOR RELEASE OF PROTECTED HEALTH INFORMATION FORM GEN 150
In the administration of its programs, DPA gathers and discloses medical and mental health information. To insure compliance with HIPAA requirements, DPA designed a specific Authorization for Release of Protected Health Information form (Gen 150).
This form must be used when gathering or disclosing information from/to health care providers. A separate form must be used for each provider and must identify the specific information requested.
A copy of the signed authorization must be kept in the client’s case file, and a copy given to the client.
100-8 D. GATHERING MEDICAL INFORMATION
A signed GEN 150 form must accompany each of the following forms when requesting information from health care providers:
Health Status Report Form (TA10)
Preliminary Examination for Interim Assistance (AD 2)
Certification of Medical Status (MED 11)
Long Term Care Programs (MED 12)
Children Entering Institutional Treatment (MED 18)
100-8 E. DISCLOSING MEDICAL INFORMATION
Health information may be shared between the Division and it’s contractors and grantees when it is necessary for the administration of our programs or the delivery of services to clients. For example, if a case manager receives medical information on a TA 10, they may share that information with the eligibility worker to ensure that a work activity exemption is properly coded. A separate authorization is not needed for this exchange since contractors and grantees are agents of the Division.
However, any disclosure or exchange of medical information outside the Division requires a signed authorization from the client. For example, if a client is referred to the Division of Vocational Rehabilitation for services, a completed Authorization for Release of Protected Health Information (06-5870) is needed before disclosing any medical information regarding the reason for the referral.
An individual may revoke an authorization at any time by completing the Revocation Section on the back of the authorization form. Any exchanges of medical information made before the authorization is revoked are not affected by the revocation.
100-8 G. ASSISTING AN INDIVIDUAL IN FILING A HIPAA COMPLAINT
Individuals who are concerned that DPA has violated HIPAA or Privacy Policies and Procedures may file an incident report with the Privacy Officer. The policy and its accompanying procedures are based on the obligation of the Department under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and its implementing regulations to protect the privacy and security of protected health information. DHSS Policy 722 states that, “No individual, including members of DHSS’s workforce, may be subjected to intimidation, threats, coercion, or other retaliatory action for bringing a complaint of a HIPAA violation.”
Instructions for assisting an individual in filing a HIPAA complaint:
A complaint that cannot be resolved at the office should be submitted to the Division’s Privacy Officer. Complaints shall be filed in writing, preferably on the Department’s complaint form. If an individual requests assistance in writing the complaint, the division, program manager, or office shall document the complaint on the Department’s complaint form.
The Health Information Privacy Complaint Form is available under this link: http://in.dhss.ak.local/hipaa/docs/Forms/Health%20Information%20Privacy%20Complaint%20Form%20(06-5898)%2012-03.pdf.
Supervisors will timely and thoroughly investigate all complaints and shall consult with the Division or Department Privacy officer regarding all investigations.
A response to a complaint must include notifying the complainant of the results of the investigation and final action, if any, to be taken in response to the complaint.
100-8 H BREACH OR SUSPECTED BREACH OF CONFIDENTIAL INFORMATION
Enforcement of HIPAA is first tasked at the office level. As needed, offices may consult with the Department Privacy Officer regarding complaints received.
If employees suspect a breach of confidential information, they need to notify their supervisor as soon as they suspect or have been made aware of the situation and fill out the Notification of Suspected Breach form (GEN 170). Provide as many details as possible and submit the form to the Division’s Privacy Officer listed under MS 100-8I.
Contact the Division’s Privacy Officer with any HIPAA compliance, or information security concerns or questions. Be aware that if you lose Protected Health Information (PHI)/Electronic Protected Health Information (ePHI) or suspect that PHI\ePHI may have been breached, lost, or stolen, you are required to report this to the Privacy Officer.
100-8 I HIPAA PRIVACY OFFICERS
Division of Public Assistance: Claudia Cook
907-465-5838
Department of Health & Social Services: Daniel Kantak
907-465-4734
|
||
|
|