HIPAA Privacy Policies and Procedures
Individual Rights to Protected Health Information
A) Access of Individuals to PHI

POLICY

This policy applies to all clients, their authorized recipients, DOEA employees, agents and Business Associates that perform duties in conjunction with the access, distribution, dissemination, modification, and management of Protected Health Information (PHI).

It is DOEA’s policy to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule by establishing means for a client to access and inspect his/her PHI in a designated record set (medical records; billing records; enrollment, payment or claims adjudication records; and case or medical management records, used in whole or in part to make decisions about the client) for as long as DOEA maintains the PHI in the designated record set.

A client has the right of access to inspect and obtain a copy of PHI about them in a designated record set for as long as DOEA maintains the PHI in the designated record set.

Violation of this or any other DOEA Privacy Policy is to be communicated to the Privacy Officer, Office of the General Counsel.

PROCEDURE

DOEA may deny access without providing the client an opportunity for review in the following cases:
DOEA may deny access, provided the client is given the right to have the denial reviewed in the following circumstances:
If a request to access PHI is denied, the client has the right to have the denial reviewed by a licensed health care professional who is designated by DOEA to act as a reviewing official and who did not participate in the original decision to deny. DOEA must abide by the reviewing official’s decision as final.

If DOEA denies a request to access PHI, it must comply with the requirements of § 164.524(d), which include:
DOEA must act on a request for access generally within 30 days. There may be one extension for an additional 30 days. Denials must be in writing, and approved by the Privacy Officer, Office of the General Counsel.

DOEA may charge reasonable fees for access based on actual cost, if the client agrees to the fees in advance subject to § 119.07(1)(a) F.S.

DOEA must document the designated record sets that are subject to access by clients. The documents will generally be the CARES clients file or the CDC file or associated databases in the case of DOEA.

CARES offices (case managers) are responsible for receiving and processing requests for access. CDC Program Administrator is responsible for receiving and processing requests for access for DOEA. Requests for access must be kept in the department client file.

DOEA must retain all documentation for six (6) years.

Violations must be reported to the DOEA Privacy Officer, Office of the General Counsel.

Reference: 45 CFR 164.524

B) RIGHT TO REQUEST PRIVACY PROTECTION FOR PROTECTED HEALTH INFORMATION

POLICY

This policy applies to all DOEA employees, agents and Business Associates that perform duties in conjunction with the access, distribution, dissemination, modification, and management of Protected Health Information (PHI).

It is DOEA’s policy to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule by obtaining authorization, as appropriate, from clients whose PHI is used or disclosed for any purpose not otherwise permitted by federal Medicaid rules or the Privacy Rule.

DOEA must have a written authorization from a client before using or disclosing PHI for any purpose not otherwise permitted or allowed by federal Medicaid rules or the Privacy Rule.

Violation of this or any other DOEA Privacy Policy is to be communicated to the Privacy Officer, Office of the General Counsel.

PROCEDURE

The DOEA authorization form is in the appendix.
All clients must receive an authorization form for the disclosure of PHI that is not for the purpose of treatment, payment or operations.

DOEA staff is required to use the approved form; however, authorizations received from clients that meet the following criteria must be accepted:

Authorization forms must contain the following core elements:
Authorizations for DOEA’s own uses and disclosures must be on the approved authorization form. Authorizations for research that includes treatment must include the core elements and the following additional information:
A copy of the authorization form must be made available to the client. DOEA may not condition treatment, payment, enrollment or eligibility for benefits on provision of an authorization except in the case of:
Authorizations are to be submitted to the case manager for the CARES program and the CDC Program Administrator for approval and retention in the client file.

A client may revoke an authorization at any time, in writing, except to the extent that DOEA has taken action in reliance on the authorization.

DOEA must document any signed authorizations and revocations and must retain them in the client file for six (6) years.

Violations must be reported to the DOEA Privacy Officer, Office of the General Counsel.

Reference: 45 CFR 164.502, 45 CFR 164.508, 45 CFR 164.522

C) AMENDMENT OF PROTECTED HEALTH INFORMATION

This policy applies to all clients, authorized recipients, DOEA employees, agents and Business Associates that perform duties in conjunction with the access, distribution, dissemination, modification, and management of Protected Health Information (PHI).

POLICY

It is DOEA’s policy to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule by establishing a process for a client to request an amendment of his/her PHI as created or maintained by the Agency.

Violation of this or any other DOEA Privacy Policy is to be communicated to the Privacy Officer, Office of the General Counsel.

A client has the right to request DOEA amend PHI or a record about him/her in a designated record set (medical records; billing records; enrollment, payment or claims adjudication records; and case or medical management records, used in whole or in part to make decisions about the client) for as long as DOEA maintains the PHI in the designated record set.

PROCEDURE

This procedure describes the method for DOEA employees to allow clients to request amendments to their PHI maintained by the Agency.

DOEA may deny a client’s request for amendment, if it determines the PHI or record that is the subject of the request:
If DOEA accepts the amendment, in whole or in part, it must:
In the case of CARES, the requests are to be sent to the case manager for review. CARES Supervisors are the final authority in determining whether the amendment should be made. In the case of CDC, the Program Administrator makes the decision. All disputes must be referred to the Privacy Officer, Office of the General Counsel, for final determination. If DOEA denies the requested amendment, in whole or in part, it must comply with the following:
1) Provide the client with a timely, written denial, written in plain language and containing:

2) DOEA must permit the client to submit to DOEA a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such a disagreement. DOEA may reasonably limit the length of the statement. The statement must be kept in the client file.

3) DOEA may prepare a written rebuttal to the client’s statement of disagreement. Whenever such a statement is prepared, DOEA must provide a copy to the client who submitted the statement of disagreement. All rebuttals must be approved by the Privacy Officer, Office of the General Counsel and retained in the client file.

4) Future disclosure: If the client has submitted a statement of disagreement, DOEA must include the written disagreement appended in accordance with #3 above, or an accurate summary of the information in #3 above, with any subsequent disclosure of the PHI to which the disagreement relates. If the client has not submitted a written statement of disagreement, DOEA must include the client’s request for amendment and its denial, or an accurate summary of such information, with any subsequent disclosure of the PHI only if the individual has requested such action.

If DOEA is notified by another covered entity of an amendment to a client’s PHI, it must amend the designated record sets.

The CARES case managers and the CDC Program Administrator are responsible for receiving and processing requests for amendments by clients.

DOEA must retain all documentation for six (6) years.

Violations must be reported to the DOEA Privacy Officer, Office of the General Counsel.

Reference: 45 CFR 164.526

D) RIGHT TO AN ACCOUNTING OF DISCLOSURES

POLICY

A client or their representative has a right to receive an accounting of disclosures of PHI made by DOEA, for the six years prior to the date on which the accounting is requested (going forward from April 14, 2003).
(The individual can request an accounting of a period of time of less than six years.)

Denial of Request for an Accounting of Disclosures

DOEA is not required to account for disclosures made:
Temporary Suspension of Accounting Upon Request by Law Enforcement

DOEA must temporarily suspend an individual’s right to receive an accounting of disclosures to a health oversight or law enforcement official, if the Agency or official provides DOEA with a written statement that such an accounting to an individual would be reasonably likely to impede that Agency’s or official’s activities, and must specify the time for which such a suspension is required. If the Agency or official makes an oral statement, then DOEA can limit the temporary suspension to no longer than thirty (30) days. DOEA must document the statement, including the identity of the Agency or official making the statement.

Content of the Accounting

The accounting must include for each disclosure:
Accounting of Multiple Disclosures to the Same Entity for the Same Purpose

If, during the period covered by the accounting, DOEA has made multiple disclosures to the same person or entity for a single purpose, DOEA may provide (in addition to the above) the date of the first accounting; the frequency, periodicity, or number of the disclosures made during the accounting period; and the date of the last such disclosure during the accounting period (so as to avoid having to list each and every single disclosure separately).

Accounting of Disclosures for Research

If the disclosure was made for a particular research purpose for 50 or more individuals, the accounting may provide (1) the name of the protocol or other research activity; (2) a brief description, in plain language, of the activity, including the purpose of the research and the criteria for selecting particular records; (3) a brief description of the type of PHI that was disclosed, the date or period of time during which the disclosures occurred; (4) the name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed; and (5) a statement that the PHI may or may not have been disclosed for a particular protocol or other research activity. If it is reasonably likely that the PHI was disclosed for a research activity, DOEA shall, at the request of the individual, assist in contacting the entity that sponsored the research and the researcher.

Timely Action

DOEA must provide an accounting to an individual no later than sixty (60) days after receiving the request. DOEA may extend the time by an additional thirty (30) days if unable to provide the accounting within the specified time. DOEA must provide the individual with a written statement of the reasons for the delay and the date by which DOEA will provide the accounting. DOEA may have only one such extension of time.
Cost of the Accounting

DOEA must provide the first accounting to an individual in any 12-month period without charge.

Documentation

DOEA must document and retain for six (6) years the information required to be included in an accounting for disclosures of PHI; the written accounting provided to the individual; and the titles of the persons or offices responsible for receiving and processing requests for an accounting by individuals.

PROCEDURE

Requests for an accounting of disclosures of PHI must be submitted in writing to the Privacy Officer, who will evaluate the request, coordinate the gathering of information from DOEA, prepare the accounting, and communicate with the individual.

All employees shall cooperate with and assist the Privacy Officer in researching and preparing the accounting.

The Bureaus shall be responsible for maintaining the documentation of the disclosures of PHI. The Privacy Officer shall be responsible for maintaining the documentation of the written accountings provided to individuals.

DOEA must retain all documentation for six (6) years.

Violations must be reported to the DOEA Privacy Officer, Office of the General Counsel.

Reference: 45 CFR 164.528
