HIPAA Privacy Policies and Procedures
Client’s Privacy Rights Policy
The purpose of this policy is to provide information for management and workforce members about the privacy rights that clients have regarding the use and disclosure of their Protected Health Information (PHI) and to describe the process for filing a complaint should clients feel their rights have been violated.
The Florida Department of Elder Affairs' (DOEA) clients have the right to, and DOEA may not deny, the following:
Access to their own information, consistent with certain limitations;
Receive an accounting of disclosures DOEA has made of their Protected Health Information (PHI) for up to six years prior to the date of requesting such accounting. Information may not be available prior to the effective date of this policy (April 14, 2003) and certain limitations do apply as outlined in Rights of Clients to An Accounting of Disclosures of Protected Health Information in this policy; and
Submit complaints if they believe or suspect that information about them has been improperly used or disclosed, or if they have concerns about the privacy policies of DOEA.
Clients may ask DOEA to take specific actions regarding the use and disclosure of their information and DOEA may either approve or deny the request. Specifically, clients have the right to request:
That DOEA restrict uses and disclosures of their individual information while carrying out treatment, payment activities, or health care operations;
To receive information from DOEA by alternative means, such as mail, e-mail, fax or telephone, or at alternative locations; and
That DOEA amend their information that is held by DOEA.
DOEA will use the "Notice of Privacy Practices" to inform clients about how DOEA may use and/or disclose their information. The "Notice of Privacy Practices" also describes the actions a client may take, or request DOEA to take, with regard to the use and/or disclosure of their information.
Nothing in this policy shall prevent DOEA from changing its policies or the "Notice of Privacy Practices" at any time, provided that the changes in the policies or the "Notice of Privacy Practices" comply with state or federal law.
Decision-Making Authority Within DOEA
DOEA may deny a client access to their own health information on the grounds that access may result in risk or harm to the client or to another person. However, prior to any decision to deny such access, DOEA’s General Counsel shall review the request and any related documentation.
Decisions related to any other requests made to DOEA under this policy shall be handled in a manner consistent with federal and state rules and regulations and/or DOEA policies and procedures applicable to the treatment, program, service or activity.
Rights of Clients to Request Privacy Protection of Their Information
Clients have the right to request restrictions on the use and/or disclosure of their information.
DOEA applies confidentiality laws to protect the privacy of client information. Even if those laws would permit DOEA to make a use or disclosure of information, a DOEA client has the right to request a restriction on a use or disclosure of that information.
All requests by clients will be submitted on a “Restriction of Use and Disclosures Request Form”.
DOEA is not obligated to agree to a restriction and may deny the request or may agree to a restriction more limited than what the client requested.
Exception: Certain programs can only use information that is authorized by the client, such as alcohol and drug programs or vocational rehabilitation participants. For those program participants, DOEA will honor their requests for restriction by making sure that the authorization clearly identifies the authorized recipients of the information.
Rights of Clients to Request to Receive Information by Alternative Means or at Alternative Locations
DOEA will accommodate reasonable requests by clients to receive communications by alternative means, such as by mail, e-mail, fax or telephone; and
DOEA will accommodate reasonable requests by clients to receive communications at an alternative location.
In some cases, sensitive health information or health services will be handled with strict confidentiality under state law. For example, information about substance abuse treatment, mental health treatment, and certain sexually transmitted diseases, may be subject to specific requirements. DOEA will comply with the more restrictive requirements.
Rights of Clients to Access Their Information
Clients have the right to access, inspect, and obtain a copy of information on their own cases in DOEA files or records, consistent with federal and state law.
All requests for access will be made by having the client complete an “Access to Records Request for Inspection of Protected Health Information”.
If DOEA maintains information about the client in a record that includes information about other people, the client is only authorized to see information about him or herself, with the following exceptions:
A. If a person identified in the file is a minor child of the client, and the client is authorized under State law to have access to the minor’s information or to act on behalf of the minor for making decisions about the minor’s care, the client may also obtain information about the minor.
B. If the person requesting information is recognized under State law as a guardian or legal custodian of the client and is authorized by State law to have access to the client’s information or to act on behalf of the client for making decisions about the client’s services or care, DOEA will release information to the requestor.
C. Any other exceptions or restrictions as may be required under State law.
DOEA may deny clients access to their own health information if federal law prohibits the disclosure. Under federal law, clients have the right to access, inspect, and obtain a copy of health information on their own cases in DOEA files or records except for:
A. Psychotherapy notes;
B. Information compiled for use in civil, criminal, or administrative proceedings;
C. Information that is subject to the Federal Clinical Labs Improvement Amendments of 1988, or exempt pursuant to 42 CFR 493.3(a)(2);
D. Information that, in good faith, DOEA believes can cause harm to the client, participant or to any other person;
E. Documents protected by attorney work-product privilege; and
F. Information where release is prohibited by State or Federal Laws.
Before DOEA denies a client access to their information because there is a good faith belief that its disclosure could cause harm to the client or to another person, DOEA must make a review of this denial available to the client. If the client wishes to have this denial reviewed, the review must be done by a licensed health care professional other than DOEA as selected by DOEA.
Rights of Clients to Request Amendments to Their Information
Clients have the right to request that DOEA amend their information in DOEA's files.
All requests for amendments will be made by having the client complete an “Amendment of Health Record Request Form”.
DOEA is not obligated to agree to an amendment and may deny the requests or limit its agreement to amend.
Rights of Clients to an Accounting of Disclosures of Protected Health Information
Clients have the right to receive an accounting of disclosures of Protected Health Information (PHI) that DOEA has made for any period of time, not to exceed six years, preceding the date of requesting the accounting.
The accounting will only include health information NOT previously authorized by the client for use or disclosure, and will not include information collected, used or disclosed for treatment, payment or health care operations for that client.
All requests for an accounting of disclosures will be made by having the client complete an “Accounting of Disclosures of Protected Health Information Form”.
This right does not apply to disclosures made prior to the effective date of this policy, which is April 14, 2003.
Rights of Clients to File Complaints Regarding Disclosure of Information
Clients have a right to submit a complaint if they believe that DOEA has improperly used or disclosed their protected information, or if they have concerns about the privacy policies of DOEA or concerns about DOEA's compliance with such policies.
Complaints may be filed with either of the following:
A. The Florida Department of Elder Affairs, Privacy Officer, Office of the General Counsel.
B. The U.S. Department of Health and Human Services, Office for Civil Rights.
Requesting Restrictions of Uses and Disclosures
Clients may request that DOEA restrict use and/or disclosure of their information for:
A. Carrying out treatment, payment, or health care operations;
B. Disclosure of health information to a relative or other person who is involved in the client’s care.
All requests for restrictions will be made by having the client complete a “Restriction of Use and Disclosures Request Form”.
DOEA is not required to agree to a restriction requested by the client.
DOEA will not agree to restrict uses or disclosures of information if the restriction would adversely affect the quality of the client’s care or services.
DOEA cannot agree to a restriction that would limit or prevent DOEA from making or obtaining payment for services.
Emergency treatment should be provided even with an agreed upon restriction with exceptions as noted below.
Exception: For Alcohol and Drug or Vocational Rehabilitation participants, Federal regulations (42 CFR Part 2 and 34 CFR) prohibit DOEA from denying client requests for restrictions on uses and disclosures of their information regarding treatment or rehabilitation.
DOEA will document the client’s request, and the reasons for granting or denying the request, in the client’s DOEA case record file (printed or electronic copy).
Prior to any use or disclosure of client information, DOEA staff will confirm that such use or disclosure has not been granted a restriction by reviewing the client’s case file. If DOEA agrees to a client’s request for restriction, DOEA will not use or disclose information that violates the restriction.
Exception: If the client needs emergency treatment and the restricted information is needed to provide emergency treatment, DOEA may use or disclose such information to the extent needed to provide the emergency treatment. However, once the emergency situation subsides DOEA will not re-disclose the information.
DOEA may terminate its agreement to a restriction if:
A. The client agrees to or requests termination of the restriction in writing;
B. The client orally agrees to, or requests termination of the restriction. DOEA will document the oral agreement or request in the client’s DOEA case record file; or
C. DOEA informs the client in writing that DOEA is terminating its agreement to the restriction. Information created or received while the restriction was in effect shall remain subject to the restriction.
Requesting Alternative Means or Locations
The client must specify the preferred alternative means or location to receive information.
Requests for alternative means or alternative locations for information may be made orally or in writing.
If a client makes a request orally, DOEA will document the request and ask for the client’s signature.
If a client makes a request by telephone or electronically, DOEA will document the request and verify the identity of the requestor.
Prior to any information being sent to the client, DOEA staff must confirm, by reviewing the client’s case file, whether the client has requested an alternate location or alternate means, and whether DOEA has granted that request.
DOEA may terminate its agreement to an alternative location or method of communication if:
A. The client agrees to or requests termination of the alternative location or method of communication in writing or orally. DOEA will document the oral agreement or request in the client’s DOEA case record file.
B. DOEA informs the client that DOEA is terminating its agreement to the alternative location or method of communication because the alternative location or method of communication is not effective. DOEA may terminate its agreement to communicate at the alternate location or by the alternative means if:
1. DOEA is unable to contact the client at the location or in the manner requested; or
2. The client fails to respond to payment requests, if applicable.
Requesting Access to Information
DOEA will assure that clients may access their information that DOEA uses in whole or part to make decisions about them, subject to certain limitations as outlined in Rights of Clients to Access Their Information of this Policy.
Clients may request to access, inspect and obtain information about themselves, subject to limitations as outlined in this policy.
All requests for access will be made by having the client complete an “Access to Records Request Form”.
DOEA may deny a client access to their information if:
A. It is excepted under Rights of Clients to Access Their Information of this Policy, or
B. It was obtained from someone other than a health care provider under a promise of confidentiality, and access would reveal the source of the information.
DOEA may deny a client access to their information, provided that DOEA gives the client a right to have the denial reviewed, in the following circumstances:
A. DOEA has determined, in the exercise of professional judgment, that the information requested may endanger the life or physical safety of the client or another person; or
B. The protected information makes reference to another person, and DOEA has determined, in the exercise of professional judgment, that the information requested may cause substantial harm to the client or another person; or
C. The request for access is made by the client’s personal representative, and DOEA has determined, in the exercise of professional judgment, that allowing the personal representative to access the information may cause substantial harm to the client or to another person.
If DOEA denies access, the client has the right to have the decision reviewed by a licensed health care professional not directly involved in DOEA's original denial decision. DOEA will then proceed based on the decision from this review.
DOEA must promptly refer a request for review to the DOEA designated reviewer within 30 days.
The reviewer must determine, within a reasonable time, whether or not to approve or deny the client’s request for access, in accordance with this policy.
DOEA must then:
A. Promptly notify the client in writing of the reviewer’s determination; and
B. Take action to carry out the reviewer’s determination.
DOEA must act on a client’s request for access no later than 30 days after receiving the request.
In cases where the information is not maintained or accessible to DOEA on-site, DOEA must act on the client’s request no later than 60 days after receiving the request.
If DOEA is unable to act within these 30-day or 60-day limits, DOEA may extend this limitation by up to an additional 30 days, subject to the following:
A. DOEA must notify the client in writing of the reasons for the delay and the date by which DOEA will act on the request.
B. DOEA will use only one such 30-day extension to act on a request for access.
If DOEA grants the client’s request, in whole or in part, DOEA must inform the client of the access decision and provide the requested access.
If DOEA maintains the same information in more than one format (such as electronically and in a hard-copy file) or at more than one location, DOEA need only provide the requested protected information once.
DOEA must provide the requested information in a form or format requested by the client, if readily producible in that form or format. If not readily producible, DOEA will provide the information in a readable hard-copy format or such other format as agreed to by DOEA and the client.
If DOEA does not maintain, in whole or in part, the requested information, and knows where the information is maintained, DOEA will inform the client of where to request access, such as the Area Agency for Aging (AAA), or lead agency.
DOEA may provide the client with a summary of the requested information, in lieu of providing access, or may provide an explanation of the information if access had been provided, if:
A. The client agrees in advance; and
B. The client agrees in advance to any fees DOEA may impose, and as allowed by law and/or described below.
DOEA must arrange with the client for providing the requested access at a time and place convenient for the client and DOEA. This may include mailing the information to the client if the client so requests or agrees.
A client (or legal guardian or custodian) may request a copy of their information at no cost once every 12 months. If the client requests a copy of the requested information, or a written summary or explanation, more frequently than once every 12 months, then DOEA may impose a reasonable, cost-based fee, limited to covering the following:
A. Copying the requested information, including the costs of supplies and of the labor of copying at the rates prescribed in § 119.07(1)(a), F.S.
B. Postage, when the client has requested or agreed to having the information mailed; and
C. Preparing an explanation or summary of the requested information, if agreed to in advance by the client, per Rights of Clients to Access Their Information in this policy.
If DOEA denies access, in whole or in part, to the requested information, DOEA must:
A. Give the client access to any other requested client information, after excluding the information to which access is denied;
B. Provide the client with a timely written denial. The denial must:
1. Be sent or provided within the time limits specified in Rights of Clients to Access Their Information in this policy;
2. State the basis for the denial, in plain language;
3. If the reason for the denial is due to danger to the client or another, explain the client’s review rights as specified in Rights of Clients to Access Their Information in this policy including an explanation of how the client may exercise these rights; and
4. Provide a description of how the client may file a complaint with DOEA, and if the information denied is Protected Health Information, with the United States Department of Health and Human Services (DHHS)-Office for Civil Rights, pursuant to Rights of Clients to File Complaints Regarding Disclosure of Information in this policy.
If DOEA does not maintain the requested protected information, and knows where such information is maintained (such as by a medical provider, insurer, other public agency, private business, or other non-DOEA entity), DOEA must inform the client of where to direct the request for access.
Requesting Amendments of Information
All requests for amendments will be made by having the client complete an “Amendment of Health Record Request Form”.
DOEA will honor requests for alternative methods of making this request if reasonable accommodations are needed, such as large font, mailing, e-mailing, or sending a fax.
DOEA must act on the client’s request no later than 30 days after receiving the request. If DOEA is unable to act on the request within 30 days, DOEA may extend this time limit by up to an additional 30 days, subject to the following:
A. DOEA must notify the client in writing of the reasons for the delay and the date by which DOEA will act on the request; and
B. DOEA will use only one such 30-day extension.
If DOEA grants the request, in whole or in part, DOEA must:
A. Make the appropriate amendment to the protected information or records, and document the amendment in the client’s file or record;
B. Provide timely notice to the client that the amendment has been accepted, pursuant to the time limitations in Rights of Clients to Access Their Information of this policy;
C. Seek the client’s agreement to notify other relevant persons or entities, with whom DOEA has shared or needs to share the amended information, of the amendment; and
D. Make reasonable efforts to inform, and to provide the amendment within a reasonable time to:
1. Persons named by the client as having received protected information and who thus need the amendment; and
2. Persons, including Business Associates of DOEA, whom DOEA knows have the protected information (such as AAA’s, or Lead Agencies) that is the subject of the amendment and that may have relied, or could foreseeably rely, on the information to the client’s detriment.
Prior to any decision to amend a health or medical record, the request and any related documentation shall be reviewed by DOEA.
Prior to any decision to amend any other information that is not a health or medical record, DOEA shall review the request and any related documentation.
DOEA may deny the client’s request for amendment if:
A. DOEA finds the client’s information to be accurate and complete in its present form;
B. The information was not created by DOEA, unless the client provides a reasonable basis to believe that the originator of such information is no longer available to act on the requested amendment;
C. The information is not part of DOEA records; or
D. The information would not be available for inspection or access by the client, as specified above in Rights of Clients to Access Their Information.
If DOEA denies the requested amendment, in whole or in part, DOEA must:
A. Provide the client with a timely written denial. The denial must:
1. Be sent or provided within the time limits as specified in this policy above;
2. State the basis for the denial, in plain language;
3. Explain the client’s right to submit a written statement disagreeing with the denial and how to file such a statement. If the client does so:
a. DOEA will enter the written statement into the client’s DOEA case file;
b. DOEA may also enter a DOEA written rebuttal of the client’s written statement into the client’s DOEA case record. DOEA will send or provide a copy of any such written rebuttal to the client;
c. DOEA will include a copy of that statement, and of the written rebuttal by DOEA if any, with any future disclosures of the relevant information; and
d. Explain that if the client does not submit a written statement of disagreement, the client may ask that if DOEA makes any future disclosures of the relevant information, DOEA will also include a copy of the client’s original request for amendment and a copy of the DOEA written denial; and
e. Provide information on how the client may file a complaint with DOEA, or with the U.S. Department of Health and Human Services (DHHS), Office for Civil Rights, subject to provisions in the Complaints section in this policy.
Requesting an Accounting of Disclosures
When a client requests an accounting of disclosures that DOEA has made of their Protected Health Information, DOEA must provide that client with a written accounting of such disclosures made during the six-year period (or lesser time period if specified by the requesting client) preceding the date of the client’s request.
All requests for an accounting of disclosures will be made by having the client complete an “Accounting of Disclosures Request”.
Examples of disclosures of Protected Health Information (PHI) that are required to be listed in an accounting (assuming that the disclosure is permitted by other confidentiality laws applicable to the individual’s information and the purpose for which it was collected or maintained) include:
A. Abuse Report: PHI about an individual provided by DOEA staff pursuant to mandatory abuse reporting laws to an entity authorized by law to receive the abuse report.
B. Audit Review: PHI provided by DOEA staff from an individual’s record in relation to an audit or review (whether financial or quality of care or other audit or review) of a Business Associate.
C. Health and Safety: PHI about an individual provided by DOEA staff to avert a serious threat to health or safety of a person.
D. Licensee/Business Associate: PHI provided by DOEA from an individual’s records in relation to licensing or regulation or certification of a Business Associate or licensee or entity involved in the care or services of the individual.
E. Legal Proceeding: PHI about an individual that is ordered to be disclosed pursuant to a court order in a court case or other legal proceeding. A copy of the court order must be included with the accounting.
F. Law Enforcement Official/Court Order: PHI about an individual provided to a law enforcement official pursuant to a court order. A copy of the court order must be included with the accounting.
G. Law Enforcement Official/Deceased: PHI provided to law enforcement officials or medical examiner about a person who has died for the purpose of identifying the deceased person, determining cause of death, or as otherwise authorized by law.
H. Law Enforcement Official/Warrant: PHI provided to a law enforcement official in relation to a fleeing felon or a person for whom a warrant for arrest has been issued, where the law enforcement official has made a proper request for the information, to the extent otherwise permitted by law.
I. Media: PHI provided to the media (TV, newspaper, etc.) that is not within the scope of an authorization by the individual.
J. Public Health Official: PHI about an individual provided by DOEA staff (other than staff employed for public health functions) to a public health official, such as the reporting of disease, injury, or the conduct of a public health study or investigation.
K. Public Record: PHI about an individual that is disclosed pursuant to a Public Record request without the individual’s authorization.
L. Research: PHI about an individual provided by DOEA staff for purposes of research conducted without authorization, using a waiver of authorization approved by an IRB – a copy of the research protocol should be kept with the accounting, along with the other information required under the HIPAA privacy rule, 45 CFR §164.528(b)(4).
Disclosures that are not required to be tracked and accounted for are those that are:
A. Authorized by the client;
B. Made prior to the original effective date of this policy, which is April 14, 2003;
C. Made to carry out treatment, payment, and health care operations;
D. Made to the client;
E. Made to persons involved in the client’s health care;
F. Made as part of a limited data set in accordance with the “Policy For De-Identification of PHI”;
G. For national security or intelligence purposes; or
H. Made to correctional institutions or law enforcement officials having lawful custody of an inmate.
The accounting must include, for each disclosure:
A. The client name;
B. The date of the disclosure;
C. The name, and address if known, of the person or entity that received the disclosed information;
D. A brief description of the information disclosed;
E. The name and title of the person authorizing the information; and
F. A brief statement of the purpose of the disclosure that reasonably informs the client of the basis for the disclosure, or, in lieu of such statement, a copy of the client’s written request for a disclosure, if any.
If, during the time period covered by the accounting, DOEA has made multiple disclosures to the same person or entity for the same purpose, or as a result of a single written authorization by the client, DOEA may provide:
A. Although DOEA must provide a written accounting for disclosures limited to the prior six-year period, if requested, only the first disclosure made for that time period is necessary (DOEA need not list the same identical information for each subsequent disclosure to the same person or entity) if DOEA adds:
B. The frequency or number of disclosures made to the same person or entity; and
C. The last date of the disclosure made during the requested time period.
DOEA must act on the client’s request for an accounting no later than 30 days after receiving the request, subject to the following:
A. If unable to provide the accounting within 30 days after receiving the request, DOEA may extend this requirement by another 30 days. DOEA must provide the client with a written statement of the reasons for the delay within the original 30-day limit, and inform the client of the date by which DOEA will provide the accounting.
B. DOEA will use only one such 30-day extension.
DOEA must provide the first requested accounting in any 12-month period without charge. DOEA may charge the client a reasonable cost-based fee for each additional accounting requested by the client within the 12-month period following the first request, provided that DOEA:
A. Informs the client of the fee (consistent with § 119.07 F.S.) before proceeding with any such additional request; and
B. Allows the client an opportunity to withdraw or modify the request in order to avoid or reduce the fee.
DOEA must document, and retain in the client’s DOEA case record file, the information required to be included in an accounting of disclosures, as listed under Rights of Clients to An Accounting of Disclosures of Protected Health Information in this policy, and send a copy of the written accounting provided to the client.
DOEA will temporarily suspend a client’s right to receive an accounting of disclosures that DOEA has made to a health oversight agency or to a law enforcement official, for a length of time specified by such agency or official, if:
A. The agency or official provides a written statement to DOEA that such an accounting would be reasonably likely to impede its activities.
B. However, if such agency or official makes an oral request, DOEA will:
1. Document the oral request, including the identity of the agency or official making the request in the client file;
2. Temporarily suspend the client’s right to an accounting of disclosures pursuant to the request; and
3. Limit the temporary suspension to no longer than 30 days from the date of the oral request, unless the agency or official submits a written request specifying a longer time period.
Filing a Complaint
Clients may file complaints with DOEA's Privacy Officer, and/or with the Department of Elder Affairs and/or with the U.S. Department of Health and Human Services (DHHS) - the Office for Civil Rights. DOEA must give clients the specific person or office and address of where to submit complaints.
Contact Information For Department of Elder Affairs
Contact Information For the U. S. Department of Health and Human Services, Office for Civil Rights
Region VI, Office for Civil Rights
45 CFR Parts 160 through 164