The Department shall adhere to criteria established in the Health Insurance Portability and Accountability Act (HIPAA), Public Law 104-191.

The Department shall implement measures in the areas of training, monitoring and enforcement of safeguards to ensure understanding of, and compliance with, the HIPAA mandate by all staff. 

Federal and state legal mandates pertaining to mental health also govern the use and disclosure of information and shall be adhered to in conjunction with HIPAA standards.

Public Law 104-191 is designed to

• assure health insurance portability

• reduce health care fraud and abuse

•   guarantee integrity and confidentiality of health information, and

•  improve the operations of health care systems and reduce administrative cost

Authorization is the permission granted by the patient or the patient’s guardian to use or disclose protected health information for purposes other than health care operations; e.g., HIV testing, substance abuse screening.

Designated privacy staff is any DCF staff that, in the regular course of her/his duties, may be given permission to use or disclose PHI information.  Job titles in this category include but are not limited to:

Designated record set is the Uniform Case Record used in the Regional Offices, or its equivalent in the Department’s facilities.

Health is an individual’s overall condition, including emotional, medical and dental status.

Health care operations are the administrative, financial and legal activities that support the essential health care functions of treatment and payment.

Individual refers to the person who is the subject of the protected health information.

Payment is the activity undertaken by either a health plan or health care provider to obtain or provide reimbursement for the provision of health care.

Privacy Officer is the person responsible for the administrative overseeing of DCF’s compliance with HIPAA. Responsibilities include but are not limited to

·         ensuring that PHI disclosures are consistent with agreed-upon restrictions

·          establishing protocols to handle disclosures of de-identified PHI

·          ensuring that any PHI used for purposes other than for treatment, payment or health    care operations (TPO) be de-identified     

·         ensuring that the minimum necessary standard is applied for uses and disclosures       regarding research and/or marketing purposes

·          maintaining and displaying copies of the Notice of Privacy practices for Protected Health Information in a prominent location

·          maintaining an electronic version of the notice on the Department website

·          distributing any revisions made on the notice to the regional offices and 
Department-operated facilities

·           ensuring that the individual is aware of his/her rights to request restrictions to uses 
 and disclosures of PHI  

·           ensuring that all communications pertaining to the PHI are confidential                                                

 ·          implementing the denial review process by   

• providing the individual with a timely denial, in writing or an alternate format,  that shall accommodate for the reading, writing or sight impaired, stating why the request was denied

• granting the individual’s request to the information requested, except for what was denied

• informing the individual of any rights for a review of the denial and a  description of how to make a complaint to the Department, and

• including in the denial a contact’s name, title and telephone number for information on how to address or file a complaint with the Department.

The Privacy Oversight Committee meets quarterly to review, resolve, document and report on all privacy complaints received by the Department.

Protected Health Information (PHI) is any individually identifiable health information created, maintained, received or transmitted in any form by the Department in its capacity as a health care provider.

      The PHI may relate to

• the past, present or future physical or mental health or condition of an individual

• the provision of health care to an individual, or

• the payment for the provision of health care to an individual.

Treatment is the provision, coordination or management of health care and related services by one or more health care providers.

An individual shall have the right to 

•  receive confidential communications of PHI

• inspect and copy his or her health record

•  receive an accounting of disclosures of PHI made by the Department

• upon request, receive a copy of the Notice of Privacy Practices in any language, in writing or by alternative communication

• request amendment(s) to the PHI,

• request certain restrictions on uses and disclosures of PHI relevant to treatment, payment or health care operations, and

•   raise complaints.

The Department reserves the right to deny requested restrictions or amendments when warranted.

 Cross-References:  Policy 44-7-4, Notice of Privacy Practices for Protected Health Information; 44-7-5, Rights to Request Restrictions; 44-7-6, Right to Alternative Communication Methods; 44-7-7, Access of Individuals to Protected Health Information.

Procedures governing the regional offices and Department-operated facilities vary. 

The regional office staff shall communicate and work cooperatively with facility staff, and vice versa, when the subject of the PHI used or disclosed is or was a client of a Department-operated facility.

For detailed procedures referring to facility operations, refer to the individual facility’s manual pertaining to HIPAA.