This memorandum serves to provide information regarding the
federal Health Insurance Portability and Accountability Act (HIPAA) and introduce
related necessary policy, procedures, and forms. Children’s Services staff
have followed long-standing policies and procedures regarding the confidentiality
of certain client information. In addition, we will be observing HIPAA requirements
regarding the privacy and protection of personal health information.
HIPAA--Public Law 104-191, enacted in 1996, resulted in the HIPAA Privacy Rule
of December 2000. The HIPAA Privacy Rule sets forth privacy standards for the
protection of medical records and other personal health information of all individuals.
Privacy Standards specifically address:
HIPAA will have a significant impact on how Children’s Services staff
manage client health information. It provides greater control to clients of their
health information. HIPAA also creates civil and criminal penalties for the mis-management
of Protected Health Information (PHI). HIPAA, in its entirety, is a rather complex
piece of legislation; however, we have tried to translate its application to Children’s
Services in as user friendly a manner as possible. All Children’s Services
staff must become familiar with the new requirements, policies, procedures, and
forms in order to comply with HIPAA by April 14, 2003.
The attached Child Welfare Manual, Section 5, Chapter 2.7, covers in detail
Children’s Services policy regarding HIPAA compliance. However, there are
key points, specific practices, timeframes, and new forms that are highlighted
Protected Health Information (PHI) – Defined as individually identifiable
health information that is created or received by a covered entity, such as Children’s
Services. This includes information that identifies or may be used to identify
the individual, information regarding physical or mental health, and payments
for medical care. To be considered PHI, medical information (physical and/or mental
health) and a personal identifier must be included. PHI may be transmitted in
paper, electronic, or voice format. In the course of service delivery, Children’s
Services staff must adhere to HIPAA requirements as well as continue to abide
by agency policy and state statute regarding the privacy, confidentiality, and
integrity of PHI.
Privacy Notice – Individuals must be formally informed of how
PHI is managed by DSS and specifically how staff may use and disclose such information.
DSS created the Notice of Privacy Practices Regarding Your Protected Health
Information (Exhibit 8)
form for this purpose. Beginning on April 14, 2003, staff must provide a copy
of this form to each client they are serving as of April 14, 2003, and thereafter
when conducting a CA/N investigation/assessment and at other designated points
of time. Offices must post the notice in a clear and prominent location as well
as make copies of the notice available to individuals upon their request. An initial
supply of the notices will be mailed to each county office prior to April 14,
2003, for local distribution and availability.
Children’s Services Staff Training – All current and future
Children’s Services staff are required to receive HIPAA training that is
appropriate to their job duties. All Children’s Services staff are required
to receive HIPAA Training by April 14, 2003 to comply with federal requirements.
In order to accomplish this, Children’s Services Supervisory staff will
be responsible for the distribution, review, and discussion of Children’s
Services HIPAA policy and procedures with all Children’s Services staff
under their supervision. This review and discussion is to include the information
contained in this memorandum, the attached Children’s Services Manual Chapter
5, Section 2.7, and the accompanying forms and materials. Upon completion of the
training, CS supervisory staff should ensure all staff sign and complete the attached
Training Attendance Record (TAR) form (see attached).
Additional copies of the form should be made locally as needed. The completed
TARS forms should be faxed to the attention of Jeff Adams, Children’s Services
Staff Training and Development at 314/416-2932. Each employee completing this
process will receive one hour training credit on HIPAA.
New employees who are hired after the initial HIPAA training will be given
HIPAA information at the local level as part of their On-the-Job Training at the
time they begin employment with the agency.
Foster, Relative, Kinship, and Respite family Care Provider Training –
Out-of-home family care providers, as defined by HIPAA policies, are considered
an extension of the Children’s Services work force and also must receive
HIPAA training no later than April 14, 2003. In order to accomplish this,
all current family care providers are being mailed from Central Office a Notice
of Privacy Practices Regarding Protected Health Information Regarding Foster Children/Youth
and Their Families (see attached)
along with an explanatory cover letter and a TAR form. Providers will be given
one hour of in-service training credit by completing the review of the HIPAA information
and returning the completed TARS form to the local Children’s Services office.
Using the new course code, V980 HIPAA, one hour in-service training credit should
be entered locally in the SS-60B system.
All new foster parents who are licensed after the initial HIPAA training will
receive HIPAA information at the time of initial licensure.
Privacy and Complaint Officers – HIPAA requires that DSS have
a Privacy Officer and a Complaint Officer to oversee compliance. The address for
both is: Division of Legal Services, PO Box 1527, Jefferson City, MO 65102-1527.
HIPAA requires that Children’s Services (CS) have a Privacy Officer to
address issues and questions that may arise. The CS Privacy Officer works in tandem
with the DSS Privacy Officer to maintain departmental privacy efforts. Direct
questions and necessary forms by fax or mail to: Children’s Services Privacy
Officer, Children’s Services Program and Policy Section, PO Box 88, Jefferson
City, MO 65103.
Minimum Necessary – Staff at all times must limit PHI to the minimum
necessary amount of information to carry out the intended purpose of use, disclosure,
or request. In other words, only refer to the least amount of information to achieve
the desired outcome.
Use – Staff may find it necessary to share an individual’s
PHI within DSS for treatment/services, payment, or other DSS operations. No authorization
is required from the client for these purposes. For example, we may “use”
PHI to make a decision whether to remove a child who has been suffered severe
physical injury without having to obtain any authorizations for the medical information.
Disclose – Staff may need to release, transfer, provide access
to, or divulge PHI in any manner to parties outside of DSS. One example,
is disclosing information to the court when we are ordered to do so.
Authorization for Disclosure – Usually authorization is only required
from the individual when disclosure of their PHI is for non-treatment related
purposes. For example, a worker is attempting to obtain an emergency food referral
for a mother who is diagnosed with leukemia. The mother’s medical diagnosis
would not be disclosed without her authorization as the situation is non-treatment
related. The Authorization for Disclosure of Health Information by DSS
form will be used for this purpose.
Accounting of Disclosure – Certain disclosures do not require
tracking (e.g., for treatment or payment, to the individual, to the parent of
a minor, and disclosures authorized by the individual, etc.); however, certain
disclosures do require tracking (e.g., to law enforcement officials as required
by law, to GAL’s appointed for a child, or any other instance required by
law). Work is in progress to develop an on-line DSS Intranet database for the
entry of required disclosure tracking information. Until the database is fully
operational, staff will use the PHI Disclosure Tracking Log (Exhibit
form. Clients requesting an accounting of PHI disclosures by DSS must complete
the Request for an Accounting of Disclosures (Exhibit
form, which will be forwarded along with PHI Disclosure Tracking Log to
the Children’s Services Privacy Officer for processing and response.
Right to Request Restriction of Use and Disclosure – Individuals
have a right to request specific restrictions on the how PHI contained in case
files may be used or to whom and under what circumstances it may be disclosed.
Clients must file this request by completing a new Request for Restriction
of Health Information (Exhibit 3)
form. Staff will forward this completed form to the Children’s Services
Privacy Officer for review, decision, and response.
Right to Request Amendment – Individuals have the right to request
amendment or correction of PHI contained in case files. Clients must file this
request by completing the Request for Amendment/Correction of Protected Health
Information (Exhibit 5)
form. Staff will forward this completed form together with pertinent information
to the Children’s Services Privacy Officer for review, decision, and response.
Right to Access – Individuals have a right to access and copy
the PHI held by DSS as well as a parent of a minor, and/or their personal representative
or legal guardian. Staff must continue to verify the requestor’s identity
and authority to obtain PHI prior to proceeding with the request. The requestor
must complete the Individual’s Request for Access to Protected Health
Information (Exhibit 4)
form to request access. Staff must review the request, file it in the case record,
and provide access unless the records include psychotherapy notes or meet another
restriction. If staff determine there is reason to deny access, the request together
with pertinent information will be forwarded to the Children’s Services
Privacy Officer for review, determination, and response.
Complaint Process – Individuals may file a complaint if they believe
that Children’s Services is not complying with HIPAA requirements. In order
to file a complaint, the individual must complete a Health Insurance Portability
and Accountability Act Complaint (Exhibit 9)
form and submit to the DSS Privacy Officer. In addition, the individual may file
a written complaint with the Secretary of the Department of Health and Human Services,
Retention/Destruction of PHI – Specific guidelines are set forth
regarding the retention and destruction of PHI; records of PHI disclosures
must be maintained for six years forward from April 14, 2003.
Staff Access to PHI and Confidentiality Agreement – Staff are
granted access to PHI in accordance with state and federal law and other DSS/Children’s
Services policies/procedures. Such access is limited to the minimum necessary
to accomplish the purpose of any use or disclosure. Staff must protect the privacy
of individually identifiable health information, must recognize the importance
of such confidentiality provisions, and affirmatively acknowledge those guidelines.
Penalties and Other Restrictions – HIPAA provides for civil penalties
from $100 to $25,000 and in the case of knowingly violating an individual’s
privacy, criminal penalties from $50,000 to $250,000 and prison sentence for up
to ten years.
HIPAA prohibits staff from intimidating, threatening or coercing, discriminating,
or taking any retaliatory actions against persons who exercise their HIPAA rights
or for participating in a HIPAA established process.
A decision has been made that Children’s Services will not create separate
forms, but rather use those forms developed by DSS. Copies of the DSS forms referenced
in this memorandum and accompanying material may not be available by April 14,
2003. If this occurs, please copy the attached DSS forms as needed.
It is expected that all Children’s Services staff adhere closely to HIPAA
requirements and the privacy and protection of personal health information. We
appreciate everyone’s commitment and participation in meeting these standards
of practice for the benefit of those whom we serve.