
HIPAA Privacy Policies and Procedures
Individual Rights to Protected Health Information

A) Access of Individuals to PHI

POLICY

This policy applies to all clients, their authorized recipients, DOEA employees, agents and Business Associates that perform duties in conjunction with the access, distribution, dissemination, modification, and management of Protected Health Information (PHI).

It is DOEA’s policy to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule by establishing means for a client to access and inspect his/her PHI in a designated record set (medical records; billing records; enrollment, payment or claims adjudication records; and case or medical management records, used in whole or in part to make decisions about the client) for as long as DOEA maintains the PHI in the designated record set.

A client has the right of access to inspect and obtain a copy of PHI about them in a designated record set for as long as DOEA maintains the PHI in the designated record set.

Violation of this or any other DOEA Privacy Policy is to be communicated to the Privacy Officer, Office of the General Counsel.

PROCEDURE

DOEA may deny access without providing the client an opportunity for review in the following cases:

  1. Psychotherapy notes.
  2. Information compiled in anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
  3. PHI maintained by DOEA that is subject to the Clinical Laboratory exemptions.
  4. Access to information created or obtained in the course of research that includes treatment may be temporarily suspended for as long as the research is in progress.
  5. For records subject to the Privacy Act, 5 U.S.C. § 552a, access may be denied if the denial of access would meet the requirements of that Act.
  6. If the PHI was obtained from someone other than a health care provider under the promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.

DOEA may deny access, provided the client is given the right to have the denial reviewed in the following circumstances:

  1. A licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the client or another person.
  2. The PHI makes reference to another person (unless the other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is likely to cause substantial harm to such other person.
  3. The request for access is made by the client’s personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the client or another person.

If a request to access PHI is denied, the client has the right to have the denial reviewed by a licensed health care professional who is designated by DOEA to act as a reviewing official and who did not participate in the original decision to deny. DOEA must abide by the reviewing official’s decision as final.

If DOEA denies a request to access PHI, it must comply with the requirements of § 164.524(d), which include:

  1. Making other information accessible.
  2. DOEA must provide a timely, written denial in plain language that must include the basis for the denial, a statement of the client’s review rights (if applicable) and a description of the procedures for complaints to DOEA or to the Secretary of DHHS.
  3. If DOEA does not maintain the PHI for which access has been requested, but knows where the requested PHI is maintained, DOEA must inform the client where to direct the request for access.
  4. DOEA must promptly refer a request for a review to the designated reviewing official. The designated official must make a determination within a reasonable period of time.

DOEA must act on a request for access generally within 30 days. There may be one extension for an additional 30 days.

Denials must be in writing, and approved by the Privacy Officer, Office of the General Counsel.

DOEA may charge reasonable fees for access based on actual cost, if the client agrees to the fees in advance subject to § 119.07(1)(a) F.S.

DOEA must document the designated record sets that are subject to access by clients. The documents will generally be the CARES client file or the CDC file or associated databases in the case of DOEA.

CARES offices (case managers) are responsible for receiving and processing requests for access. The CDC Program Administrator is responsible for receiving and processing requests for access for DOEA.

Requests for access must be kept in the department client file. DOEA must retain all documentation for six (6) years.

Violations must be reported to the DOEA Privacy Officer, Office of the General Counsel.

Reference:

45 CFR 164.524

B) RIGHT TO REQUEST PRIVACY PROTECTION FOR PROTECTED HEALTH INFORMATION

POLICY

This policy applies to all DOEA employees, agents and Business Associates that perform duties in conjunction with the access, distribution, dissemination, modification, and management of Protected Health Information (PHI).

It is DOEA’s policy to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule by obtaining authorization, as appropriate, from clients whose PHI is used or disclosed for any purpose not otherwise permitted by federal Medicaid rules or the Privacy Rule.

DOEA must have a written authorization from a client before using or disclosing PHI for any purpose not otherwise permitted or allowed by federal Medicaid rules or the Privacy Rule.

Violation of this or any other DOEA Privacy Policy is to be communicated to the Privacy Officer, Office of the General Counsel.

PROCEDURE

The DOEA authorization form is in the appendix. All clients must receive an authorization form for the disclosure of PHI that is not for the purpose of treatment, payment or operations. DOEA staff is required to use the approved form; however, authorizations received from clients that meet the following criteria must be accepted:

Authorization forms must contain the following core elements:

  1. Description of the information to be used or disclosed.
  2. Name of the covered entity, or class of entities or persons, authorized to use or disclose the PHI.
  3. Name of the receiving entity(ies) of the use or disclosure.
  4. An expiration date, time period or event.
  5. A statement regarding the client’s right to revoke the authorization and a description of how the client may revoke the authorization.
  6. A statement that the information may be subject to re-disclosure by the receiving entity and may no longer be protected by federal privacy law.
  7. The client’s signature and date of signature.
  8. If signed by a representative, a description of the representative’s authority to act for the client and/or relationship to the client.

Authorizations for DOEA’s own uses and disclosures must be on the approved authorization form.

Authorizations for research that includes treatment must include the core elements and the following additional information:

  1. A description of the extent to which PHI will be used or disclosed to carry out treatment, payment or health care operations.
  2. A description of any PHI that will not be used or disclosed for purposes permitted or required by law, for which an opportunity to agree or object is required, or for which an authorization or opportunity to agree or to object is not required.
  3. If the Covered Entity has obtained or intends to obtain the client’s authorization or provide a privacy notice, the authorization must refer to that notice and state that the statements made pursuant to authorizations are binding.

A copy of the authorization form must be made available to the client. DOEA may not condition treatment, payment, enrollment or eligibility for benefits on provision of an authorization except in the case of:

  1. Research-related treatment.
  2. Pre-enrollment underwriting or risk determinations.
  3. Disclosure necessary to determine payment of claim.
  4. Provision of health care solely for purpose of creating PHI for disclosure to a third party.

Authorizations are to be submitted to the case manager for the CARES program and the CDC Program Administrator for approval and retention in the client file.

A client may revoke an authorization at any time, in writing, except to the extent that DOEA has taken action in reliance on the authorization. DOEA must document any signed authorizations and revocations and must retain them in the client file for six (6) years.

Violations must be reported to the DOEA Privacy Officer, Office of the General Counsel.

Reference:

45 CFR 164.502
45 CFR 164.508
45 CFR 164.522

C) AMENDMENT OF PROTECTED HEALTH INFORMATION

This policy applies to all clients, authorized recipients, DOEA employees, agents and Business Associates that perform duties in conjunction with the access, distribution, dissemination, modification, and management of Protected Health Information (PHI).

POLICY

It is DOEA’s policy to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule by establishing a process for a client to request an amendment of his/her PHI as created or maintained by the Agency.

Violation of this or any other DOEA Privacy Policy is to be communicated to the Privacy Officer, Office of the General Counsel.

A client has the right to request DOEA amend PHI or a record about him/her in a designated record set (medical records; billing records; enrollment, payment or claims adjudication records; and case or medical management records, used in whole or in part to make decisions about the client) for as long as DOEA maintains the PHI in the designated record set.

PROCEDURE

This procedure describes the method for DOEA employees to allow clients to request amendments to their PHI maintained by the Agency.

DOEA may deny a client’s request for amendment, if it determines the PHI or record that is the subject of the request:

  1. was not created by DOEA, unless the client provides a reasonable basis to believe that the originator of the PHI is no longer available to act on the requested amendment.
  2. is for information that is not part of the designated record set.
  3. would not be available for inspection under Individual Access (§ 164.524(a)(2) or (3)).
  4. is accurate and complete.

If DOEA accepts the amendment, in whole or in part, it must:

  1. Make the appropriate amendment to the PHI or record that is the subject of the request for amendment by, at a minimum, identifying the records in the designated record set that are affected by the amendment and appending or otherwise providing a link to the location of the amendment.
  2. Inform the client that the amendment is accepted and obtain the client’s identification of and agreement to have DOEA notify the relevant persons with which the amendment needs to be shared as set forth below.
  3. Make reasonable efforts to inform and provide the amendment within a reasonable time to persons identified by the client as having received PHI about the client and needing the amendment; and business associates that DOEA knows may have the PHI that is the subject of the amendment and who may have relied on such information to the detriment of the client.

In the case of CARES, the requests are to be sent to the case manager for review. CARES Supervisors are the final authority in determining whether the amendment should be made. In the case of CDC, the Program Administrator makes the decision. All disputes must be referred to the Privacy Officer, Office of the General Counsel, for final determination.

If DOEA denies the requested amendment, in whole or in part, it must comply with the following:

    1) Provide the client with a timely, written denial, written in plain language and containing:

    1. The basis for the denial,
    2. The client’s right to submit a written statement disagreeing with the denial and how the client might file such a statement.
    3. A statement that, if the client does not submit a written statement of disagreement, the client may request DOEA provide his/her request for amendment and the denial with any future disclosures of the PHI that is the subject of the amendment.
    4. A description of how the client may complain to DOEA or to the Secretary of the Department of Health and Human Services, including name, or title, and telephone number of the contact office or person designated to receive complaints.
    5. The Privacy Officer, Office of the General Counsel, must approve denials.
    6. All denials must be maintained in the client file.

    2) DOEA must permit the client to submit to DOEA a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such a disagreement. DOEA may reasonably limit the length of the statement. The statement must be kept in the client file.

    3) DOEA may prepare a written rebuttal to the client’s statement of disagreement. Whenever such a statement is prepared, DOEA must provide a copy to the client who submitted the statement of disagreement. All rebuttals must be approved by the Privacy Officer, Office of the General Counsel and retained in the client file.

    4) Future disclosure:

    If the client has submitted a statement of disagreement, DOEA must include the written disagreement appended in accordance with #3 above, or an accurate summary of the information in #3 above, with any subsequent disclosure of the PHI to which the disagreement relates.

If the client has not submitted a written statement of disagreement, DOEA must include the client’s request for amendment and its denial, or an accurate summary of such information, with any subsequent disclosure of the PHI only if the individual has requested such action.

If DOEA is notified by another covered entity of an amendment to a client’s PHI, it must amend the designated record sets. The CARES case managers and the CDC Program Administrator are responsible for receiving and processing requests for amendments by clients.

DOEA must retain all documentation for six (6) years.

Violations must be reported to the DOEA Privacy Officer, Office of the General Counsel.

Reference:

45 CFR 164.526

D) RIGHT TO AN ACCOUNTING OF DISCLOSURES

POLICY

A client or their representative has a right to receive an accounting of disclosures of PHI made by DOEA, for the six years prior to the date on which the accounting is requested (going forward from April 14, 2003). (The individual can request an accounting of a period of time of less than six years.)

Denial of Request for an Accounting of Disclosures

DOEA is not required to account for disclosures made:

  1. To carry out treatment, payment or health care operations;
  2. To individuals about their PHI;
  3. Incident to a use or disclosure otherwise permitted by the Privacy Rule;
  4. Pursuant to an authorization;
  5. For a facility’s directory or to persons involved in the individual’s care, or other notification purposes as provided in §164.510;
  6. For national security or intelligence purposes;
  7. To correctional institutions or law enforcement officials;
  8. As part of a limited data set;
  9. Prior to April 14, 2003.

Temporary Suspension of Accounting Upon Request by Law Enforcement

DOEA must temporarily suspend an individual’s right to receive an accounting of disclosures to a health oversight or law enforcement official, if the Agency or official provides DOEA with a written statement that such an accounting to an individual would be reasonably likely to impede that Agency’s or official’s activities, and must specify the time for which such a suspension is required. If the Agency or official makes an oral statement, then DOEA can limit the temporary suspension to no longer than thirty (30) days. DOEA must document the statement, including the identity of the Agency or official making the statement.

Content of the Accounting

The accounting must include for each disclosure:

  1. The date of the disclosure;
  2. The name of the entity or person who received the PHI, and if known, the address of such entity or person;
  3. A brief description of the PHI disclosed; and
  4. A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis of the disclosure; or in lieu of such a statement, a copy of a written request for disclosure, if any.

Accounting of Multiple Disclosures to the Same Entity for the Same Purpose

If, during the period covered by the accounting, DOEA has made multiple disclosures to the same person or entity for a single purpose, DOEA may provide (in addition to the above) the date of the first accounting; the frequency, periodicity, or number of the disclosures made during the accounting period; and the date of the last such disclosure during the accounting period (so as to avoid having to list each and every single disclosure separately).

Accounting of Disclosures for Research

If the disclosure was made for a particular research purpose for 50 or more individuals, the accounting may provide (1) the name of the protocol or other research activity; (2) a brief description, in plain language, of the activity, including the purpose of the research and the criteria for selecting particular records; (3) a brief description of the type of PHI that was disclosed, the date or period of time during which the disclosures occurred; (4) the name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed; and (5) a statement that the PHI may or may not have been disclosed for a particular protocol or other research activity. If it is reasonably likely that the PHI was disclosed for a research activity, DOEA shall, at the request of the individual, assist in contacting the entity that sponsored the research and the researcher.

Timely Action

DOEA must provide an accounting to an individual no later than sixty (60) days after receiving the request. DOEA may extend the time by an additional thirty (30) days if unable to provide the accounting within the specified time. DOEA must provide the individual with a written statement of the reasons for the delay and the date by which DOEA will provide the accounting. DOEA may have only one such extension of time.

Cost of the Accounting

DOEA must provide the first accounting to an individual in any 12-month period without charge.

Documentation

DOEA must document and retain for six (6) years the information required to be included in an accounting for disclosures of PHI; the written accounting provided to the individual; and the titles of the persons or offices responsible for receiving and processing requests for an accounting by individuals.

PROCEDURE

Requests for an accounting of disclosures of PHI must be submitted in writing to the Privacy Officer, who will evaluate the request, coordinate the gathering of information from DOEA, prepare the accounting, and communicate with the individual. All employees shall cooperate with and assist the Privacy Officer in researching and preparing the accounting. The Bureaus shall be responsible for maintaining the documentation of the disclosures of PHI. The Privacy Officer shall be responsible for maintaining the documentation of the written accountings provided to individuals.

DOEA must retain all documentation for six (6) years.

Violations must be reported to the DOEA Privacy Officer, Office of the General Counsel.

Reference:

45 CFR 164.528

