HIPAA Privacy Policies and Procedures
Uses and Disclosures of Protected Health Information
A) GENERAL RULES
The Department of Elder Affairs (DOEA), a Covered Entity, will not use or disclose Protected Health Information (PHI), except as permitted or required by HIPAA privacy regulation subpart E of Part 164 or subpart C of Part 160 and applicable state privacy laws.
Protected Health Information (abbreviated as “PHI”) is individually identifiable health information about:
Examples of Identifiers
Identifying data (a/k/a “an identifier”) is data that could reasonably be used to identify the person. Please note that identifiers include data that directly identifies the individual, as well as any relatives, employers, or household members.
The following are examples of identifiers:
PHI Can Be in Any Form of Communication or Media
PHI includes written, electronic, and oral communications.
Past, Present and Future
PHI relates to an individual’s past, present or future health condition, health care, or the payment for health care.
Exclusions: (20 U.S.C., Chapter 31, Section 1232g)
Some types of health information are excluded from being considered PHI even if they can be used to identify the individual. The exclusions are:
Apart from the requirements of HIPAA, federal Medicaid regulations restrict the use and disclosure of information concerning Medicaid program applicants and beneficiaries to purposes directly connected with the administration of the Medicaid State Plan. These purposes include:
State Law (Florida Statutes)
Older Americans Act §430.105, F.S.
Community Care for the Elderly §430.207, F.S.
Alzheimer’s Disease Initiative §430.504, F.S.
Home Care for the Elderly §430.608, F.S.
PROCEDURE FOR APPROPRIATE USE OF PHI
Employees using or disclosing Medicaid beneficiary information are required to follow the requirements of both HIPAA and Medicaid law. Regardless of HIPAA, information about Medicaid recipients may only be disclosed for purposes directly connected with administering the Medicaid State Plan.
An employee, grantee or Business Associate may disclose PHI as described in their role in the normal course of performing their job. Employees, grantees or Business Associates may use and disclose PHI to any Business Associate or agency that has an agreement with the Department of Elder Affairs to protect health information. These would include, but not be limited to, Florida Agency of Health Care Administration, Florida Department of Health, Florida Department of Children & Families, Area Agencies on Aging, United States Department of Agriculture, Centers for Medicare & Medicaid Services (CMS), formerly called the Health Care Financing Administration (HCFA), and any vendors with whom the Department maintains a Business Associate agreement.
45 CFR § 164.502(a)
B) OTHER REQUIREMENTS
This policy applies to all DOEA employees, agents and Business Associates that perform duties in conjunction with the access, distribution, dissemination, modification, and management of Protected Health Information (PHI).
It is DOEA’s policy to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule by establishing standards relating to uses and disclosures, and the de-identification of PHI.
DOEA has established standards relating to uses and disclosures and de-identification of PHI it creates, collects and maintains.
A checklist has been developed containing all of the PHI identifiers in the Privacy Rule to use when de-identifying data.
c. The Covered Entity cannot actually have knowledge that the above information could be used alone or in combination with other information to identify the individual.
PHI will be re-identified for DOEA use or disclosure. Acceptable methods are redacting paper information, deleting electronic fields, or locking aspects of files or databases from viewing.
Violations must be reported to the DOEA Privacy Officer, Office of the General Counsel.
Prior to any disclosure of PHI, DOEA employees must:
Employees must follow the verification procedures of their individual work unit, which must, at minimum, comply with the above requirements of law.
Requests from legislators about a constituent’s PHI must be forwarded to the HIPAA Administrator.
Requests from public officials (law enforcement, etc.) concerning PHI should be forwarded to the Privacy Officer, Office of the General Counsel.
If an employee is uncertain whether a person has the authority to request PHI, or whether the person’s identity is adequately verified, the employee should consult with his or her supervisor, the Privacy Officer, Office of the General Counsel, or the HIPAA Administrator.
45 CFR 164.514
C) DISCLOSURES FOR WHICH AN AUTHORIZATION IS REQUIRED
DOEA, as a Covered Entity, will obtain authorization to use or disclose Protected Health Information (PHI) for purposes other than treatment, payment or health care operations.
Authorizations For Uses And Disclosures
1. General rule
Except as otherwise permitted or required by HIPAA, DOEA, as a Covered Entity, may not use or disclose Protected Health Information (PHI) without a valid authorization.
When DOEA obtains or receives a valid authorization for its use or disclosure of Protected Health Information (PHI), such use or disclosure must be consistent with such authorization.
2. Psychotherapy Notes
DOEA must obtain an authorization for any use or disclosure of psychotherapy notes, except for:
DOEA, as a Covered Entity, must obtain an authorization for any use or disclosure of Protected Health Information (PHI) for marketing, except if the communication is in the form of:
Employees shall obtain an authorization from the individual for any use or disclosure of psychotherapy notes for reasons other than listed above. If an employee is uncertain whether a particular use or disclosure of psychotherapy notes is permitted under a certain situation, the employee should consult with his or her supervisor or the Privacy Officer, General Counsel, or HIPAA Administrator prior to use or disclosure.
Implementation Specifications: General Requirements
(1) Valid authorizations
A valid authorization must be written in plain language, and include:
(2) Defective authorizations
An authorization is not valid if the document submitted has any of the following defects:
(3) Compound authorizations
An authorization for use or disclosure of PHI may not be combined with any other document, except:
(4) Prohibition on conditioning of authorizations
DOEA may not condition the provision of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization by an individual, except under certain circumstances permitted by law.
(5) Revocation of authorizations
DOEA must document and retain any signed authorizations in the client file for no less than six (6) years.
If DOEA seeks an authorization from an individual for a use or disclosure of PHI, DOEA must provide the individual with a copy of the signed authorization.
Authorizations should be filled out using the Authorization for Use and Disclosure of Health Information Form. See Appendix: Forms. DOEA can accept a written authorization that is not submitted on the DOEA’s authorization form, provided that the authorization complies with the above requirements of law. In general, employees should encourage the use of the authorization form. If an employee is uncertain whether an authorization is valid, the employee should consult with his or her supervisor, the HIPAA Administrator, or the Privacy Officer, General Counsel.
DOEA employees shall not use or disclose PHI unless the use or disclosure is either:
Each individual work unit shall document and retain signed authorizations in the case files for no less than six (6) years.
45 CFR 164.512
D) DISCLOSURE FOR WHICH AN AUTHORIZATION OR OPPORTUNITY TO AGREE OR OBJECT IS NOT REQUIRED
DOEA, a Covered Entity, may use or disclose Protected Health Information (PHI) without the written consent or authorization of the individual in the following circumstances:
The regulations provide methods by which these uses and disclosures may be conducted. These uses and disclosures are limited and are outlined in detail in the regulations. The regulations give considerations to entities acting in good faith to protect the privacy rights of individuals when disclosing PHI for these purposes.
45 CFR 164.512
E) DISCLOSURE REQUIRING AN OPPORTUNITY FOR THE INDIVIDUAL TO AGREE OR TO OBJECT
PHI may be disclosed by DOEA without consent or authorization when used for facility directories or to update family members and individuals involved in the individual’s care.
Individuals must be informed in advance of the use or disclosure and must be given the opportunity to prohibit or restrict certain disclosures of PHI.
45 CFR 164.510