0130.000.00 LEGAL ASPECTS

0130.005.00 CONFIDENTIALITY

This section explains the various confidentiality provisions that staff must follow when using and disclosing client information.

0130.005.00.05 Legal Basis

  1. 45 Code of Federal Regulations, Section 205.50 provides for the safeguarding of information and is the federal legal basis for policy in AFDC. The legal basis for policy in Medicaid is in 42 CFR, Sections 431.300 - 431.307.

    45 Code of Federal Regulations, Sections 164.500 - 164.534, provides for the privacy of individually identifiable health information. Refer to 0130.005.10 “Health Insurance Portability and Accountability Act” below for the instructions on how to comply with 45 CFR Part 164.

    1. The use or disclosure of information concerning applicants and recipients will be limited to purposes directly connected with the administration of any federal or federally assisted program which provides assistance, in cash or in kind, or services, directly to individuals on the basis of need.
    2. Directly connected includes:
      • Establishing eligibility
      • Determining amount of assistance
      • Providing services for applicants and recipients, and
      • Any investigation, prosecution, or criminal or civil proceeding in connection with the administration of the programs.
    3. When requests for information are received from sources other than those identified in item 1 above, including governmental authorities, the courts, or law enforcement officials, the following apply:
      • The family or individual should be informed of the request and permission obtained to meet the request.
      • In emergency situations when the consent of the individual cannot be obtained, (s)he will be notified immediately.
    4. If a subpoena is issued for the case record or for any agency representative to testify concerning an applicant or recipient, the attention of the court must be called to the statutory provisions against disclosure of information.
  2. Section 208.120, RSMo contains the following provisions regarding the safeguarding of case information in Income Maintenance cases:
    1. Restrictions on Disclosure

      “For the protection of applicants and recipients, all officers and employees of the State of Missouri are prohibited, except as hereinafter provided, from disclosing any information obtained by them in the discharge of their official duties relative to the identity of applicants for or recipients of benefits or the contents of any records, files, papers, and communications, except in proceedings or investigations where eligibility of an applicant to receive benefits, or the amount received or to be received by any recipient, is called into question, or for the purposes directly connected with the administration of public assistance. In any judicial proceedings except such proceedings as are directly concerned with the administration of these programs, such information obtained in the discharge of official duties relative to the identity of applicants for or recipients of benefits, and records, files, papers, communications and their contents shall be confidential and not admissible in evidence.”

    2. Payrolls Available for Public Inspection:

      “The Family Support Division shall in each county welfare office maintain monthly a report showing the name and address of all recipients certified by such county welfare office to receive old age assistance, aid to dependent children and aid to the permanently and totally disabled benefits, together with the amount paid to each recipient during the previous month, and such report and information contained therein shall be open to public inspection at all times during the regular office hours of the county welfare office; provided, however, that all information regarding applicants or recipients other than names, addresses and amounts of grant shall be considered as confidential.”

    3. Publication Restriction and the Penalty Clause

      “It shall be unlawful for any person, association, firm, corporation or other agency to solicit, disclose, receive, make use of or authorize, knowingly permit, participate in or acquiesce in the use of any name or lists of names for commercial or political purposes of any nature; or for any name or list of names of recipients secured from such report in the county welfare office to be published in any manner. Anyone willfully or knowingly violating any provisions of this section shall be guilty of a misdemeanor. If the violation is by other than an individual, the penalty may be adjudged against any officer, agent, employee, servant or other person of the association, firm, corporation or other agency who committed or participated in such violation and is found guilty thereof.”

      (1952) (Dictum) This statute does not forbid disclosure of the contents of old age assistance records in response to subpoena duces tecum where such contents are pertinent to a judicial inquiry. Jones v. Giannola (A.), 252 S.W. (2d) 660.

      Note: The programs included in the statute are AFDC, GR, MA, NC, SAB, and SP. The Family Support Division, by policy, applied the same principle of confidentiality to the BP program.

0130.005.05 Availability of Information

The worker must make every effort to protect the claimant's right to confidentiality.

Case material should not be discussed outside the office except in performance of regular work of the agency. It should never be discussed where there is likelihood of the discussion being overheard. Refer to 0130.005.10 for additional restrictions on the use and disclosure of medical information.

  1. Case Records:

    The worker must explain to the claimant or household that the case record and all the information contained in it is available to:

  2. Specific Information from Case Records

    The worker must explain to the claimant or household that certain information contained in the case record may be shared. Refer to 0130.005.05.05 through 0130.005.05.20.

0130.005.05.05 Obtaining Collateral Verification:

In obtaining collateral verification of the claimant's eligibility when appropriate as specified in the Verification section of each categorical chapter, the worker should discuss only that information which specifically relates to obtaining the necessary collateral verification and only after the collateral has been determined qualified. Do not discuss the claimant's protected health information with the collateral.

Collateral verification is defined as:

Selecting qualified collaterals involves evaluating:

Example: The claimant has recently moved to the community and is residing in his/her aunt's home on a rental basis. (S)he states that (s)he does not yet know anyone who could serve as a collateral. It would then become the worker's responsibility to determine if the claimant's aunt would be a qualified collateral.

The worker would do this based upon:

In some cases, and for some eligibility factors, the worker processing the case or other members of the staff may have the necessary information and thereby serve as a collateral on the case. When this is done, the worker must follow the procedures outlined in any collateral situation.

Verification by collateral meets requirements only when the caseworker believes that the collateral has either general or specific knowledge applicable to the point in question. His/her reason for knowing may be by virtue of his/her position, e.g., a current employer who knows the client's financial and household status.

The worker must evaluate the information and the basis for the information (s)he receives from the collateral and make a decision regarding its validity.

0130.005.05.10 Informational Request from Support Enforcement Unit:

If authorized persons make requests through the Support Enforcement Unit (SEU) for information from case files, the caseworker must give full and prompt cooperation in providing the requested information, which is restricted to:

The restrictions above apply to information about the absent parent. It is permissible to provide SEU with the income and resources of the claimant if this information is needed to determine ability to repay retained child support and to determine the amount to be repaid.

Section 208.120(1) RSMo 1978 prohibits the disclosure of recipient information except “... for the purposes directly connected with the administration of public assistance.” This section also makes recipient information confidential and not admissible in evidence in any judicial proceedings “... except such proceedings as are directly concerned with the administration of these programs.”

While IV-A and IV-D agree that Prosecutors, Circuit Clerks, Judges, and their staff would be entitled to IV-A information pertaining to IV-D matters, IV-A staff must be certain that the request is in fact pertaining to IV-D. In order to alleviate any problems in this area, the following policy will apply.

Any request for IV-A information from Prosecutors, Circuit Clerks, Judges, or their staff pertaining to IV-D matters must be directed to the appropriate IV-D agency serving the IV-A office in question. IV-D staff will then secure the requested information from IV-A. Prosecutors, Circuit Clerks, Judges, and their staff should not contact IV-A directly as IV-A will not release any information directly to them.

Instances will still arise in which information from the IV-A office will need to be provided to the prosecutor or the court, or testimony of a Division employee will be needed so that the prosecuting attorney can prepare or litigate a IV-D matter. If the IV-D supervisor determines that IV-A can best or most cost-effectively provide this information or testimony, (s)he will contact the county IV-A director and request that the information or witness be available to the prosecuting attorney or court at the time and place specified. This will be done without the necessity of the court's issuing a subpoena or other mandate.

0130.005.05.11 Requests for Medical Records from Disability Determination Services (DDS)

IM-#45, May 23, 2012, IM-#46, May 22, 2007

Disability Determination Services (DDS) process adult and children's disability claims for the Social Security Disability Insurance (SSDI) and Supplemental Security Income (SSI) programs for the Social Security Administration (SSA). SSA has implemented a new electronic process for requesting and receiving medical records that will assist applicants in receiving more timely decisions regarding their SSDI and SSI claims.

REQUESTS FOR MEDICAL RECORDS FROM DISABILITY DETERMINATION SERVICES

DDS requests for medical records on individuals are bar-coded and sent to FSD by fax or mail along with a signed HIPAA Authorization for Disclosure of Consumer Medical/Health Information (MO 650-2616) form. FSD staff can accept and respond to these requests. Medical records can be submitted to DDS by fax, mail, or electronically.

NOTE: All medical records must be sent via encrypted email. Refer to Email Encryption instructions for more information.

Whether returning medical records to DDS by fax or by mail, staff must place the bar-coded DDS letter on top of each set of the claimant's medical records or other documents sent to DDS. FSD staff submitting faxed records for DDS must send the fax to SSA's Secure Front End Capture System (FECS). All FECS server numbers are toll free. The FECS reads the bar-code from the DDS request and then transfers the records to the claimant's file.

FSD may submit medical records electronically to DDS only if the medical records are stored in an electronic file. FSD offices do not currently store medical records electronically, but FSD may have received records already stored electronically by a provider. In these situations, FSD may transmit the records electronically to DDS. Contact the Social Security Electronic Records Express Help Desk at 1-866-691-3061 or send them an email at electronic-records-express@ssa.gov for additional information on submitting records electronically.

FSD REQUESTS FOR MEDICAL RECORDS FROM DISABILITY DETERMINATION SERVICES

FSD staff can also request records from DDS. The DDS can share the medical records if they have the requested information in their possession and after consulting with their Professional Relations Officer. There is no fee charged to request or receive these records.

NOTE: Remember to send requests for medical records via encrypted email. Refer to Email Encryption instructions for more information.

Staff may contact Professional Relations Officers at Disability Determination Services for more information about the process for requesting medical records. Refer to Appendix A for a listing of DDS Professional Relations Officer Contact Information and SSA's toll-free FECS fax numbers.

0130.005.05.15 Other Requests For Information

IM-#59 November 4, 2014
  1. Copies of any information in the case record will be furnished to the claimant, and his/her representative who has been designated in writing:
  2. Release of Information for Federal Programs:

    Information can be released for the administration of any Federal or federally assisted program which provides assistance in cash, in kind, or services directly to individuals on the basis of need. For example: Human Resource Agency, SSI, HUD.

    When an agency under contract for the purchase of services under Title XX requests information to document eligibility for Title XX services for Income Maintenance recipients, the County Office may release the information without the written authorization of the claimant.

    Refer to 0130.005.10.10 Uses and Disclosures for the privacy restrictions on protected health information.

  3. Exchange of Information with Vocational Rehabilitation

    The confidentiality requirements included in the Cooperative Agreement provide for the release of certain requested information without prior consent of the client. The information that can be shared with Vocational Rehabilitation includes records of Medicaid payments, diagnostic data, medical reports and other records that are for administrative purposes.

    Refer to 0130.005.10.10 Uses and Disclosures for the privacy restrictions on protected health information.

  4. Release of Information for Administrative Purposes:

    An applicant's or recipient's Medicaid number may be released to a provider without the applicant or recipient's written consent. This procedure is allowed in Section 1902 (a) (19) of the Social Security Act. The Act requires that a State plan for medical assistance must ensure that “eligibility for care and services under the plan will be determined, and such care and service will be provided, in a manner consistent with simplicity of administration and the best interest of the recipients”. This procedure does not permit the disclosure of lists of names and addresses of Medicaid beneficiaries.

    Refer to 0130.005.10.10 Uses and Disclosures for the privacy restrictions on protected health information.

  5. Release of Information Requiring Client Consent

    When requests for information are received from sources other than those already identified at 0130.005.05, the worker cannot release any information, except for the information on the Income Maintenance Payroll, without the consent of the claimant.

    Other sources could include governmental authorities, the courts (if subpoena is involved refer to 0130.005.05.25), law enforcement officials, service agencies, private individuals or businesses.

    If the signed authorization does not accompany a request, the claimant should be informed of the request and permission obtained to meet the request.

    Refer to 0130.005.10.10 Uses and Disclosures for the privacy restrictions on protected health information.

  6. Requests by Household for Review of Case Record Information:

    If there is a written request by a responsible member of the household, its currently authorized representative or a person acting in its behalf, to review materials in the Income Maintenance case record, the agency shall make this information available to the household during normal business hours. The agency may decide to screen material it considers confidential, as it deems necessary, if criminal prosecution is pending. However, it should be noted, confidential information not provided to the household or its representative, if requested by them, shall not be considered in a hearing's decision.

    If the requested information is protected health information, refer to 0130.005.10.25 Client's Right to Access Their Health Information on File in FSD Records. This section provides instructions on the types of information that are not accessible to the client and the procedures that an individual must follow to request copies of medical information.

    If the person's representative requests information that is protected health information, review 0130.005.10.40 Who May Exercise Privacy Rights and Personal Representatives. This section explains who may act as the client's personal representative and discusses the situations in which staff cannot share information with the personal representative.

0130.005.05.20 Availability of Payrolls

Income Maintenance payrolls are open for public inspection during normal work hours.

Listings of pending applications, closed cases or rejected applications are not open for public inspection.

0130.005.05.24 Complaint Concerns Protected Health Information

IM-#78 August 29, 2012

Section 570.145, RSMo, Financial exploitation of the elderly and disabled, penalty—definitions, defines financial exploitation of the elderly and disabled as a crime. It is unlawful under §570.145 RSMo to fail to remit to a licensed nursing facility the MO HealthNet eligible participant's money owed to the facility (their surplus amount).

The Family Support Division (FSD) is allowed to release records regarding the income or assets of a resident of a licensed nursing facility to prosecuting or circuit attorneys who are investigating or prosecuting an offense of financial exploitation against an elderly or disabled person. The request must be made in writing. The financial records are the only information that can be released. The records regarding the income and assets of a nursing facility resident must not be released to other law enforcement.

0130.005.05.25 Subpoenaed Requests for Information by the Courts:

  1. Subpoenas:

    When a subpoena is issued for a case record or for an employee of the Family Support Division to appear in court, the following procedure should be followed:

    When the subpoena is for a case record, the County Director or designated representative will appear at the hearing with the record.

    When the subpoena is issued for a worker, the worker will appear at the hearing.

  2. Court Appearance

    When questioned, the employee should explain to the Court that (s)he has been instructed not to disclose contents of the case record or information obtained in the course of his/her work as a representative of the Family Support Division, and a copy of the law should be given to the Judge so that he may read the following sentence from Section 208.120:

    “In any judicial proceedings except such proceedings as are directly concerned with the administration of these programs, such information obtained in the discharge of official duties related to the identity of applicants for or recipients of benefits, and records, files, papers, communications and their contents shall be confidential and not admissible in evidence.”

    When the subpoena involves the program not included in the statute (BP), the employee should explain to the Court that the Family Support Division has, by policy, applied the same principle of confidentiality to all programs administered by the agency.

    If the Court then instructs the employee to testify, he must do so.

  3. Travel Expenses:

    Attention is called to Section 491.130, RSMo: “A witness shall not be compelled to attend, as such in a civil suit, at a greater distance than forty miles from his place of legal residence, unless his legal fees for traveling, in going to and returning from the place of trial, and the day's attendance, are paid or tendered to him at the time of summoning such witness.”

  4. Fraud Procedures:

    When an employee of the Family Support Division is requested or subpoenaed to testify in Court in alleged client fraud proceedings, the employee will appear and will provide any information requested as the result of the fraudulent act. The confidentiality portion of Section 208.120 does not apply, since this type of proceeding is within the exceptions to disclosure. It is considered as part of the administration of the Income Maintenance Programs.

0130.005.10 Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) protects individuals' medical records and other protected health information (PHI). This federal law provides further requirements and restrictions in addition to the other confidentiality provisions beginning at 0130.005.00.

With certain exceptions, PHI refers to any individually identifiable health information. This includes information that identifies or can be used to identify the individual, information about physical or mental health, and payments for medical care. To be PHI, it must include medical information and a personal identifier. PHI includes but is not limited to:

The major provisions of HIPAA provide for:

0130.005.10.05 Minimum Necessary

  1. Federal regulations provide that employees limit PHI to the minimum necessary to carry out the intended purpose of use, disclosure or request. In general, the minimum necessary does not apply to disclosures made to or authorized by the client. Consequently, staff must ensure that PHI is not unnecessarily or inappropriately accessed or disclosed. The following are examples:
  2. The minimum necessary does not apply in certain circumstances involving victims of abuse, neglect, or domestic violence, in certain legal proceedings, and in specific law enforcement purposes. If staff has a question involving disclosure of more than the minimum amount and it concerns situations named in this paragraph, contact the FSD privacy officer for guidance.

0130.005.10.10 Uses and Disclosures

With regard to individually identifiable health information, use means the sharing, examination, utilization, employment, or analysis of the information within DSS. Disclosure means the release, transfer, provision of access to, or divulging information outside of DSS.

An individual's medical records such as hospital and doctor reports and medical claims are confidential. Release of these medical records requires a signed authorization from the claimant or the claimant's personal representative in order for FSD to receive these records. Staff uses a form such as the IM-60 to get the authorization for the release of protected information. In some instances, the claimant may give the records to staff. How staff uses or discloses this information determines whether further authorization from the client is needed.

In general, HIPAA covers health plans, health care clearinghouses, and health care providers. Health plans include the Medicaid program. For the most part, HIPAA allows covered entities such as the Department of Social Services, including FSD, to use or disclose PHI for purposes of treatment, payment or health care operation without requiring the client's authorization. Using PHI to determine Medicaid eligibility falls within treatment, payment or health care operations.

  1. Medicaid Eligibility Purposes

    No further authorization from the client is required if staff uses the information to establish Medicaid eligibility. Such purposes include determining disability, pregnancy, blindness, need for emergency care (Medicaid for illegal aliens), medical insurance premiums, incurred medical expenses, and uninsured status for the MC+ under the Children's Health Initiative or the Breast Cervical Cancer Treatment Medical Assistance Program.

    Releasing the minimum necessary PHI to a Medicaid provider to allow the provider to charge for provided services (see first bullet under 0130.005.10.05 Minimum Necessary above) requires no further authorization from the client.

  2. Purposes Other than the Medicaid Program

    If staff uses the PHI to determine eligibility for a DSS program, no further authorization from the client is required. Examples include but are not limited to:

    If staff needs to disclose PHI for a non-Medicaid purpose, a DSS Authorization for Disclosure of Health Information form may be needed.

  3. Authorization is not required:

    No authorization is required to disclose information when all of the following are met:

    An example is when staff refers a Temporary Assistance claimant to the state Workforce Development or shares information with Disability Determinations. Although no authorization is required, such disclosures are subject to certain tracking or reporting requirements as identified in 0130.005.10.30 Accounting for Disclosures of Protected Health Information.

  4. Authorization Required

    If no exception is met above, an authorization is required. The following is an example when the form is required:

    Staff gets PHI to determine Permanent and Total Disability and an exemption from the Temporary Assistance job requirements. The client has severe financial, medical, and housing problems. Staff calls a private charitable organization and advises the organization of the client's financial problems to include the immediate need for medication to treat diabetes. Disclosure of the medical information (diabetes information) to the organization violates HIPAA unless the client completed the DSS Authorization for Disclosure of Health Information form. In this example, staff should have obtained the client's authorization or withheld the PHI.

    In this example, an option to avoid disclosure issues would be to address a letter to the client and give it to him or her. Let the letter confirm that the client needs assistance.

  5. Other disclosures of PHI which do not require an authorization are:

    The above releases marked with an asterisk (*) are subject to the tracking requirements found in 0130.005.10.30 Accounting for Disclosures of Protected Health Information.

    Staff must also obtain an authorization for any use or disclosure of psychotherapy notes except for program operations such as Medicaid determinations or when used by FSD in defending itself in litigation or other legal proceedings brought by the client.

0130.005.10.15 Client Requests to Restrict the Use and Disclosure of Protected Health Information

Clients have the right to request specific restrictions on the use or disclosure of PHI. Claimants must file this request in writing. Staff must send the completed request to the FSD privacy officer. The privacy officer will then determine whether to accept or deny the request.

  1. Requesting the Restriction

    Clients must indicate their request for restriction by using the DSS Request for Restriction of Information form. The form must be completed, signed and dated by the client or his or her personal representative.

  2. Agreement or Denial of the Request

    The FSD Privacy Officer must receive the written request and determine whether it will be approved. The privacy officer will provide staff and the client with the final decision.

  3. Termination of Restriction

    If the client wants to terminate the approved restriction, have the client complete a Request for Restriction of Information form and indicate the request for termination of the restriction. Send the request to the FSD privacy officer. After a client has terminated the restriction, the privacy officer will sign and date the form, and return a copy to staff for implementation.

0130.005.10.20 Amendment of Protected Health Information

A client or the claimant's personal representative who believes his or her health records are incomplete or incorrect may request an amendment or correction of the health records.

Do not consider information learned during the regular course of business to be an amendment. Examples include when a client provides the name of a new treating physician.

Additions to the file are not amendments.

  1. Minor discrepancies

    For minor discrepancies such as typing errors, misspelled names, wrong dates, etc., staff may correct the entry by drawing a single line through the error, adding a note that explains the error, dating it, initialing it, and by making the correction as close as possible to the original entry in the record.

  2. All other requests

    All other requests for amendment of PHI must be in writing and include the reason to support the amendment. The request should include any documentation that explains or verifies the incorrect or incomplete PHI that the client is requesting to amend.

    Have the client complete the DSS Request for Amendment/Correction of Protected Health Information form. The request must be approved or denied within 60 days. Based on the client's request and information provided, determine whether to amend the PHI. Staff cannot approve the amendment if:

    1. If staff approves the amendment request, take the following actions:
      • Insert the amendment or reference the amendment to the site of the information that is the subject of the request for amendment, and then document the change in the same section of the record as the original information; AND
      • Inform the individual that the amendment is accepted; AND
      • Within 60 days, make reasonable efforts to provide the amendment to the persons identified by the client and any persons that staff knows have been provided the PHI that is the subject of the amendment and who may have relied on or could possibly rely on the information to the detriment of the client.
    2. Denying Requests for Amendment of Protected Health Information

      If staff believes that the request should be denied, immediately forward the form to the FSD Privacy Officer who will then forward it to the DSS Privacy Officer. Include the reason to deny the amendment and any documentation that explains or verifies the incorrect or incomplete PHI that the client is requesting to amend.

      The privacy officer may request an extension of 30 days by notifying the client in writing. If the amendment request is denied, the privacy officer notifies the client and staff, and explains the reason for the denial and provides other information.

    3. Client Disagrees with the Denial

      The individual has the right to submit a written statement disagreeing with the denial of all or part of a requested amendment and the basis for the disagreement. Submit the written statement to the privacy officer. The departmental privacy officer may prepare a written rebuttal to the statement of disagreement and send it to the client and staff.

      If the client has submitted a statement of disagreement and the request for amendment was denied, staff must identify the PHI that is the subject of the disputed amendment. If staff discloses the disputed information, they must also include with the disclosure the client's statement of disagreement, the denial of the request for amendment, and the privacy officer's rebuttal statement if any, or an accurate summary of the information.

      If the person has not submitted a written statement of disagreement, the individual may request that staff include the request and the letter of denial with any subsequent disclosure of PHI.

0130.005.10.25 Client's Right to Access Their Health Information on File in FSD Records

Under HIPAA, clients have a right to look at their files with the exceptions listed below. Have the client complete the DSS Request for Individual's Access to Protected Health Information. Provide access unless the PHI concerns:

If staff provides the access, send a copy of the DSS Request for Individual's Access to Their Protected Health Information to the FSD privacy officer.

  1. Staff determines that the PHI is covered by one or more of the above eight bullets that restrict access.

    Do NOT give the claimant the requested PHI. Immediately forward to the FSD privacy officer a copy of the information that the client is requesting and the DSS Request for Individual's Access to Their Protected Health Information form. Advise the Privacy Officer if one or more of the reasons for denial apply and which one(s). Use an IOC, letter or memorandum to provide the Privacy Officer with any information or recommendations that may assist the officer in reviewing the request.

  2. Privacy Officer Decision

    The privacy officer will determine whether to approve or deny the request. If the request is denied, the privacy officer will notify the claimant and staff of the decision.

    If FSD denies access, in whole or in part, to PHI, the privacy officer may provide or instruct staff to provide:

  3. Appeal and Review of Denials.

    Claimants have a right to request a review if the denial is based on one of the following reasons:

    The DSS Request for Individual's Access to Protected Health Information form notifies the client of the denial and how to appeal the decision. An IM-87, Application for State Hearing is not used.

    The Departmental Privacy Officer will then designate a licensed health care professional to review the denial. The designated licensed health care professional who did not participate in the original decision to deny access shall review the record and the request for access to the client's record.

    1. If the reviewer determines that the initial denial was appropriate, the Privacy Officer notifies the client and staff that the review resulted in another denial of access. The notice includes the reasons for denial and describes the process the individual may use to make a complaint to the Secretary of the Department of Health and Human Services.
    2. If the denial was not appropriate, the licensed health care professional who acts as the reviewer shall refer the request to the Privacy Officer for action. The Privacy Officer may provide this PHI to the individual or direct staff to provide it.
    3. If access is denied to any portion of the PHI, access may still be granted to those portions of the PHI that are not restricted.
  4. Providing Information, Use of a Designated Record Set, and Summaries

    When information is provided, it must be provided in a designated record set. A designated record set is all PHI contained in the client's file. For example, copy the requested PHI that is maintained in the client's medical file used by the Medical Review Team to determine Permanent and Total Disability. If the requested information is in more than one section (for example, the hospital discharge summary is in the MRT medical file and the hospital bill is with the income or budget section), this becomes the designated record set.

    The privacy officer may provide a summary or explanation of the requested PHI if:

    If the requested information is maintained electronically and the client requests an electronic or faxed copy, accommodate the request if possible and explain the risk to security of the information when transmitted as requested. If the information is downloaded to a computer disk, the consumer may be charged a reasonable amount for the disk and mailing. If the information is not available in the format requested, produce a hard copy document or other format agreed upon by the client.

    Provide the access requested in a timely manner, and arrange for a time and place for the client to inspect the PHI or obtain copies, unless access by another method has been requested by the client and agreed to by staff.

    If staff or the privacy officer is providing access, certain time frames exist. The individual must be allowed to inspect or obtain a copy of his or her PHI no later than 30 days after staff gets the request (60 days if the information is not maintained or accessible to FSD on-site). The deadline may be extended up to 30 days if the individual gets a written statement of the reasons for the delay and the date staff or the privacy officer will fulfill the request.

  5. Release of PHI of a Deceased Client.

    The PHI of a deceased consumer may only be released to the personal representative or executor of the estate.

0130.005.10.30 Accounting Disclosures of Protected Health Information

  1. Accounting for Disclosures

    Staff must account for all disclosures of PHI upon the client's request unless exempted below. The client may request an accounting of disclosures made by FSD during the six years before the date the client requests the accounting. Staff is not required to account for disclosures that occurred before April 14, 2003. This includes paper copies, faxes, electronic transmissions, and verbal releases. However, no tracking or accounting is required in the following exceptions:

    1. Disclosures made for treatment, payment, and healthcare operation purposes. This covers our use and disclosure of PHI for Medicaid purposes. For example, staff discloses the individual's Medicaid number to a health care provider, staff sends the vendor nursing facility a copy of the approval notice, or staff works with the Division of Medical Services to coordinate Medicaid eligibility. These disclosures are part of the Medicaid eligibility process.
    2. Disclosures made to the client.
    3. Disclosures made for national security.
    4. Disclosures made prior to April 14, 2003.
    5. Disclosures authorized by the client.
    6. Disclosures to correctional institutions and other law enforcement custodial situations. These would involve cases in which the organization has lawful custody of the person, and the information is needed for health, safety or security.
    7. Incidental disclosures, e.g., another client overhears a confidential conversation between staff and the claimant, or the other client might have glimpsed a computer screen.
    8. Disclosures for protective services for the President.
    9. Disclosures made to individuals involved in the client's care. Refer to 0130.005.10.40, number 4, Other Individuals.
  2. Disclosure Tracking Examples

    These are some examples of disclosures that must be accounted for and documented on the DSS Disclosure Tracking Log:

  3. Recording Disclosures

    Use the DSS tracking disclosure screen to record all disclosures unless excluded in 0130.005.10.30, number 1, a through i. Access this screen by going to the DSS Intranet. Staff MUST update this screen upon the disclosure. The screen captures information about what was disclosed, who received the PHI, the authority of the person to receive the PHI, the purpose of request, a brief description of the PHI released and other information. Print a copy of the updated screen, and file it next to the Change of Status Summary form. Keep the printout and disclosed information for six years from the date of the disclosure.

  4. Client Requests Accounting

    Claimants use the DSS Request for an Accounting of Disclosures to request an accounting. Upon receipt of this form, immediately send it to the Department of Social Services Privacy officer. If staff has other information that may be helpful to the Privacy Officer, include it with the disclosed PHI.

  5. Privacy Officer Decision

    The privacy officer must provide an accounting no later than 60 days after the request. The deadline can be extended up to 30 days. The first accounting in any 12-month period is without charge to the individual.

0130.005.10.35 Privacy Notices

Individuals have a right to receive the DSS “Notice of Privacy Practices Regarding your Protected Health Information” form. Staff must provide the notice at the initial application and whenever a client requests the form. County offices must make the notice available so an individual can request and obtain a copy. Offices must also post the notice in a clear and prominent location.

Staff must provide the Notice of Privacy Practices to individuals effective April 14, 2003 and then thereafter by:

HIPAA establishes procedures for when material revisions occur and how frequently clients must be notified of the availability of the notices. Staff will be notified how FSD will comply with these requirements.

The privacy notice will also be posted on the DSS internet web site.

0130.005.10.40 Who May Exercise Privacy Rights and Personal Representatives

IM-#58 October 22, 2014

A client for the most part exercises his or her own privacy rights. However, some persons may be legally or otherwise incapable of applying their privacy rights. Moreover, an individual may authorize another person to act on his or her behalf. In general, treat the personal representative as the individual unless a restriction occurs.

  1. Adults and Emancipated Minors

    Examples of an adult's or emancipated minor's personal representatives include a person who has a health care power of attorney, is a court appointed legal guardian, or has a general power of attorney or power of attorney that includes a health care decision clause.

  2. Minors

    Usually the parent, not the unemancipated minor, has the right to receive a minor's PHI. Exceptions to the parent of an unemancipated minor exercising privacy rights occur when the law allows a minor to consent to the treatment, a court or other law allows a person other than the parent to make treatment decisions for the minor, or the parent agrees to a confidential arrangement between a physician and the minor.

  3. Neglect, Abuse, and Endangerment Issues

    Do not treat the person as the individual's personal representative if:

  4. Other Individuals

    Under certain circumstances, HIPAA permits disclosures “. . . to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, the protected health information directly relevant to such person's involvement with the individual's care or payment related to the individual's health care.” Before disclosing information to one of these persons, staff must:

    1. Obtain the client's agreement; OR

      Give the client an opportunity to object to disclosure, and the client does not object; OR

    2. Staff infers from the circumstances based on professional judgement that the individual does not object to the disclosure; OR

      EXAMPLE: A MO HealthNet participant is the ward of a public administrator. Staff contacts the public administrator’s office and speaks to a staff member working for the public administrator about the case.

    3. If the client is not present due to his or her incapacity or emergency circumstances, staff concludes that it is in the best interest of the client to disclose PHI that is directly relevant to the person's involvement with the client's health care. This is the type of situation that may occur when a family member or relative is applying for and handling the affairs of their hospitalized, institutionalized, disabled, blind, or elderly relative.
  5. Deceased Clients

    PHI of a deceased client is protected by HIPAA. However, consider the person with the legal authority to act on behalf of the deceased client or the deceased client's estate to be the personal representative, e.g., an executor of the estate.

0130.005.10.45 Verifying the Identity and the Authority of the Requestor

Staff must ensure that PHI is not improperly released. To avoid this, verify the requestor's identity. Ensure that the person has the proper authority to obtain the PHI. If the client is unknown to the FSD employee who is releasing the information, require the client to verify his or her identity.

Examples of written verification that may verify identity and purpose of the request include proof of government status (a badge, identification card, etc.), a request on government letterhead, a copy of conservator/guardian's court appointment, an order from the Probate Court, and correspondence from a medical facility.

For telephone calls, staff may have to call the party back. Before returning the call, verify the number through the phone directory, e.g., verifying the pharmacy's telephone number when staff receives a call to confirm Medicaid eligibility on a client who needs to fill a prescription.

If staff has questions about the request, call the client to confirm that the contact or request for information is for Medicaid purposes and release is acceptable with the client.

0130.005.10.50 Staff Access to Protected Health Information and Required Confidentiality Agreement

Staff must protect the privacy of individually identifiable health information, must recognize the importance of such confidentiality provisions, and affirmatively acknowledge those guidelines.

  1. Staff Access
  2. Training

    Supervisors must inform employees of their obligations with respect to PHI in accordance with DSS/FSD policy. All employees are required to receive HIPAA training appropriate to their respective job duties. All employees must read and affirm an understanding of the DSS Administrative Manual on HIPAA.

    Training includes one or more of the following: reading and affirming an understanding of the HIPAA policy in the DSS Administrative Manual, taking the DSS HIPAA training presentation, reading the FSD policy, completing a Take 45 Training Session, receiving training during new employee orientation, and receiving on-going training as deemed necessary by supervisory staff.

    The receipt of HIPAA training shall become a part of the employee's personnel record.

  3. Volunteers

    Volunteers who work in FSD offices must review the DSS Administrative Manual and the DSS training on HIPAA and sign an acknowledgement that they have reviewed those provisions, just as a regular employee would.

0130.005.10.55 Penalties, Complaints, Privacy Officer, and Administrative Requirements

  1. Penalties

    HIPAA provides the following civil and criminal penalties for the misuse of PHI.

  2. Privacy Officer

    DSS has a Privacy Officer to oversee all ongoing activities related to HIPAA compliance. The address for the Privacy Officer is: Division of Legal Services, P. O. Box 1527, Jefferson City, Missouri 65102-1527 (phone: 573-751-3229), (fax: 573-526-1484), (text: 1-800-735-2966), and (voice: 1-800-735-2466).

    The Family Support Division also has a privacy officer to address issues and questions that staff may have about HIPAA. The FSD privacy officer works with the DSS privacy officer to maintain departmental privacy efforts. Send HIPAA related policy questions through normal supervisory channels to State Office, Income Maintenance, Program and Policy, attention: IM Privacy Officer, P.O. Box 88, Jefferson City, MO 65103.

  3. Complaints

    Clients have the right to make a complaint about any policy or procedure used by staff to comply with HIPAA. Refer a person who wants to file a complaint about HIPAA compliance to the DSS Complaint Officer. Use the same address and phone numbers as for the DSS Privacy Officer. Advise the individual that he or she may be required to file a written complaint.

    Persons may file a complaint with the Secretary of the Department of Health and Human Services if they believe that the department (to include the division) is not complying with HIPAA. Clients can contact/write them at 200 Independence Avenue, S. W., Washington, DC 20201 or call them at 1-877-696-6775. Individuals may complain to the Office of Civil Rights by calling 866-627-7748 or 886-788-4989 TTY.

  4. Intimidation or Retaliation

    Do not intimidate, threaten or coerce, discriminate, or take other retaliatory actions against a person for exercising his or her HIPAA rights or for participating in a HIPAA established process.

  5. Mitigation

    Staff must lessen any harmful effect that is known to staff of the use or disclosure of PHI that violates the HIPAA privacy provisions. It is DSS policy that staff will take appropriate action to prevent further inappropriate uses or disclosures and pursue any feasible actions to lessen the harmful effects of any such violations. Staff should contact the FSD privacy officer for instructions if mitigation is necessary.

  6. Copying Costs and Format

    The Privacy Officer may impose copying or other reproduction costs. The client's agreement to any costs is confirmed by the person's checking the appropriate box in the “Request for Individual's Access to Their Protected Health Information” form.

    The request is processed in the format requested (i.e., microfiche, computer disk, etc.), if possible, and in a timely, consistent manner according to established timeframes but not more than 30 days after receipt of the request. If the record cannot be accessed within the 30 days, the timeframe may be extended once for no more than an additional 30 days with notification in writing from the privacy officer to the individual outlining reasons for the delay and the date the request will be concluded.

    If a copying charge is imposed, it will be the same that FSD uses to reimburse medical providers. FSD cannot charge any search or retrieval fees.

0130.005.10.60 Departmental Policy on HIPAA

The Records and Records Management section of the Department of Social Services Administrative Manual provides the departmental policy on HIPAA. View this section via the DSS Intranet site. Click the Human Resource Center link, then the DSS Administrative Manual, then go to chapter five, Records and Records Management, and select Protecting Health Information.

0130.010.00 CUSTOMER SERVICE COMPLAINTS AND COMMENTS

The Eligibility Specialist has primary responsibility for providing the information necessary to resolve complaints received from the claimant, his/her representative, or other concerned persons. Each complaint should be handled in a courteous manner.

The Eligibility Specialist can minimize claimant dissatisfaction by:

  1. Carefully explaining why information is requested, how it is used and why each action is required at the time of:
  2. Giving the claimant time to absorb and understand each action;
  3. Avoiding any methods or manners which may appear to overwhelm the claimant.
  4. Immediately attempting to resolve the complaint with the individual.

0130.010.05 Handling Complaints From Claimant or His/Her Representative

If the Eligibility Specialist receives a complaint from the claimant or his/her representative, the Eligibility Specialist must:

  1. Review the complaint promptly and:
  2. Forward this information as well as the case record to the immediate supervisor prior to the scheduled conference with the complainant.
  3. Understand that the customer has the opportunity to discuss their complaint with the Eligibility Specialist Supervisor at any time.

The immediate supervisor will:

  1. Review the case record regarding the complaint issues; and
  2. Prepare for and schedule a conference with the Eligibility Specialist.

The Eligibility Specialist and the supervisor jointly decide upon the action to be taken.

The Eligibility Specialist will complete any necessary follow-up action, i.e.:

0130.010.10 Handling Complaints from Sources Other Than the Claimant or his/her Representative

If the Eligibility Specialist receives a complaint from a person other than the claimant or his/her representative, the Eligibility Specialist must:

  1. Review the complaint promptly;
  2. Advise the complainant that:
  3. Record information regarding receipt of complaint, nature of the complaint and all steps taken to resolve problem area(s). (This includes supervisory conference and decision(s) reached.) The ES will make a complete, clear, and concise comment on EUMEMROL.

Note: The Eligibility Specialist will be expected to use logical judgment when evaluating the validity of the complaint and in deciding what information is recorded in the case record (i.e., if someone calls in a complaint about the claimant's personal or moral habits which do not affect eligibility and refuses to give their name).

0130.010.15 Resolution of Complaints

The Eligibility Specialist has primary responsibility for providing the information necessary to resolve complaints received from the claimant, his/her representative or other concerned persons.

The Eligibility Specialist may receive the complaint directly. The Eligibility Specialist may be able to resolve the problem immediately through discussion with the complainant. If the Eligibility Specialist resolves the problem, the fact that a complaint was made and the nature of the complaint should be discussed with the immediate supervisor. If the Eligibility Specialist cannot satisfy the complainant immediately, the complaint should be discussed with the immediate supervisor before any action is taken.

Each complaint should be reviewed by the person who receives the complaint and routed through the first line supervisor to the Eligibility Specialist responsible for the case. The Eligibility Specialist, in consultation with his/her immediate supervisor, will decide what action is necessary and will take that action. This decision should then be routed back to the person who received the complaint. It is this person's responsibility to reply to the complainant.

0130.010.15.15 When Complaints cannot be resolved at the local office level

If the claimant is not satisfied with the resolution of their issue, and/or they wish to file a written report of their complaint, provide them with the Customer Service Form (FSD-4).

Receiving Customer Submissions

  1. The FSD-4 Customer Service Form provides Family Support Division (FSD) customers with a consistent process to submit a comment, complaint, or compliment and receive administrative resolution and/or response.

    NOTE: Customers may use the FSD-4 Customer Service Form to submit a comment, complaint, or compliment for any Family Support Division service.

    FSD will address complaints and attempt to resolve concerns regarding customer service and benefit case actions.

  2. FSD field offices will provide the FSD-4 Customer Service Form to all customers requesting to make a written statement. The form is also available on the agency website: http://dssweb/fsd/policyprocedure/formsmanual/pdf/fsd-4-customer-service.exe.
    • If a customer wishes to submit a complaint or make a written statement or comment, staff will advise the customer of the availability of the FSD-4 Customer Service Form on the internet, and promptly provide or mail a copy of the form to the customer, if requested.

Responding to a Submission

  1. As directed on the form, customers will submit the FSD-4 Customer Service Form to the FSD Customer Relations Unit. If an FSD office directly receives an FSD-4 Customer Service Form, the office will scan and email it by the next business day to fsd.cru@dss.mo.gov and shred the original after confirmation that the scan was received.
  2. Receipt of the FSD-4 Customer Service Form will be documented and distributed to the appropriate person for review.
  3. Upon receiving the FSD-4 Customer Service Form, the Customer Relations Unit will:
    1. For complaints:
      1. Compile documentation relating to the complaint;
      2. Investigate and research the complaint;
      3. Complete a summary of his/her findings; and
      4. Provide an appropriate response to the customer.
    2. For comments and compliments:
      1. Investigate and/or review the submission;
      2. Take appropriate action, if necessary; and
      3. Provide an appropriate response to the customer.
      4. Employee compliments will be forwarded to the employee and their immediate Supervisor. The Supervisor will document the compliment on the employee's performance log.
    3. Track and maintain documentation on all FSD-4 Customer Service Form submissions. Tracking will allow FSD managers to identify customer service trends.
    4. Identified customer service trends may require the development of a plan for improvement. Development of these plans will be assigned, reviewed, and approved by the Director's Designated Principal Assistant, Deputy Director or his/her designee.

0130.010.20 Complaint Concerns Protected Health Information

Clients have the right to make a complaint about any policy or procedure used by staff to comply with the Health Insurance Portability and Accountability Act. Refer to 0130.005.10.55 for the HIPAA complaint provisions. Refer a person who wants to file a complaint to the DSS Complaint Officer. Advise the individual that he or she may be required to file a written complaint.

Persons may also file a complaint with the Secretary of the Department of Health and Human Services if they believe that the department (to include the division) is not complying with HIPAA. Clients can contact/write them at 200 Independence Avenue, S. W., Washington, DC 20201 or call them at 1-877-696-6775. Individuals may complain to the Office of Civil Rights by calling 866-627-7748 or 886-788-4989 TTY.

0130.020.00 AUTHORIZED REPRESENTATIVE(S) FOR MO HEALTHNET

IM#91 November 21, 2012

0130.020.05 Legal Basis

IM#33 April 20, 2015

42 CFR 435.923 and 13 CSR 40-2.015 provide rules governing the limitations of powers and authority of authorized representatives.

0130.020.10 Appointment of an Authorized Representative

IM#010 January 09, 2018, IM#33 April 20, 2015

At the time of application or at any other time, an applicant/participant may elect to appoint an authorized representative to:

The applicant/participant may use an authorized representative to perform only the following:

The appointment of an authorized representative does not preclude FSD staff from contact with the applicant/participant as needed to conduct the business of the agency with regard to the application, review, or other agency action.

An applicant/participant:

Do NOT require an IM-6AR or other authorized representative designation form when the applicant/participant is represented by:

The authorized representative must not:

An appointment of authorized representative is only valid with the DSS. It does not permit an authorized representative to represent or appear for the applicant/participant in any court of law in the State of Missouri.

0130.020.15 Appointment of an Authorized Representative when there is a Spouse or Second Parent in the Eligibility Unit

IM#33 April 20, 2015

An authorized representative represents the applicant/participant who signs, or whose legal guardian/conservator or attorney in fact signs on their behalf, the Appointment of Authorized Representative (IM6-AR) form. The authorized representative may only make application for the applicant who has appointed the individual to act as their authorized representative. If an applicant and the applicant's spouse apply for MO HealthNet benefits and only the applicant appoints an authorized representative, do not share the spouse's information with the applicant's authorized representative.

The second parent or spouse is not required to appoint an authorized representative(s). However, if a second parent or a spouse requests to appoint an authorized representative, the second parent or spouse:

FAMIS forms and notices contain information on all members in the eligibility unit. When an eligibility unit contains a second parent or spouse who did not name an authorized representative, it is necessary to provide manual forms and notices, such as the Approval Notice form (IM-32), or Notice of Case Action form (IM-33) to the authorized representative for the applicant/participant. The manual forms and notices must only contain information about the applicant/participant who signed the IM6-AR.

0130.030.00 DURATION OF APPOINTMENT OF REPRESENTATIVE

IM#33 April 20, 2015

Once the signed Appointment of Authorized Representative (IM-6AR) form is received, FSD shall consider the authorization to remain in effect until:

At reapplication, review the previous authorized representative information in FAMIS or MEDES with the applicant to determine if the appointment is still valid. If it is not valid, obtain a signed IM-6ARR. (See below).

0130.040.00 AUTHORIZED REPRESENTATIVE REVOCATION

IM#33 April 20, 2015

The Appointment of Authorized Representative may be revoked at any time.