This section explains the various confidentiality provisions that staff must follow when using and disclosing client information.
45 Code of Federal Regulations, Sections 164.500 - 164.534, provides for the privacy of individually identifiable health information. Refer to 0130.005.10 “Health Insurance Portability and Accountability Act” below for the instructions on how to comply with 45 CFR Part 164.
“For the protection of applicants and recipients, all officers and employees of the State of Missouri are prohibited, except as hereinafter provided, from disclosing any information obtained by them in the discharge of their official duties relative to the identity of applicants for or recipients of benefits or the contents of any records, files, papers, and communications, except in proceedings or investigations where eligibility of an applicant to receive benefits, or the amount received or to be received by any recipient, is called into question, or for the purposes directly connected with the administration of public assistance. In any judicial proceedings except such proceedings as are directly concerned with the administration of these programs, such information obtained in the discharge of official duties relative to the identity of applicants for or recipients of benefits, and records, files, papers, communications and their contents shall be confidential and not admissible in evidence.”
“The Family Support Division shall in each county welfare office maintain monthly a report showing the name and address of all recipients certified by such county welfare office to receive old age assistance, aid to dependent children and aid to the permanently and totally disabled benefits, together with the amount paid to each recipient during the previous month, and such report and information contained therein shall be open to public inspection at all times during the regular office hours of the county welfare office; provided, however, that all information regarding applicants or recipients other than names, addresses and amounts of grant shall be considered as confidential.”
“It shall be unlawful for any person, association, firm, corporation or other agency to solicit, disclose, receive, make use of or authorize, knowingly permit, participate in or acquiesce in the use of any name or lists of names for commercial or political purposes of any nature; or for any name or list of names of recipients secured from such report in the county welfare office to be published in any manner. Anyone willfully or knowingly violating any provisions of this section shall be guilty of a misdemeanor. If the violation is by other than an individual, the penalty may be adjudged against any officer, agent, employee, servant or other person of the association, firm, corporation or other agency who committed or participated in such violation and is found guilty thereof.”
(1952) (Dictum) This statute does not forbid disclosure of the contents of old age assistance records in response to subpoena duces tecum where such contents are pertinent to a judicial inquiry. Jones v. Giannola (A.), 252 S.W. (2d) 660.
Note: The programs included in the statute are AFDC, GR, MA, NC, SAB, and SP. The Family Support Division, by policy, applied the same principle of confidentiality to the BP program.
The worker must make every effort to protect the claimant's right to confidentiality.
Case material should not be discussed outside the office except in performance of regular work of the agency. It should never be discussed where there is likelihood of the discussion being overheard. Refer to 0130.005.10 for additional restrictions on the use and disclosure of medical information.
The worker must explain to the claimant or household that the case record and all the information contained in it is available to:
Example of Persons Connected with Administration and Enforcement of programs.
In a Welfare Investigation Unit inquiry regarding fraud prosecution cases, the county office will assist WIU in obtaining necessary forms and information for the prosecutor. (See Section VI, Fraud and The Welfare Investigation Unit.)
The worker must explain to the claimant or household that certain information contained in the case record may be shared. Refer to 0130.005.05.05 through 0130.005.05.20.
In obtaining collateral verification of the claimant's eligibility when appropriate as specified in the Verification section of each categorical chapter, the worker should discuss only that information which specifically relates to obtaining the necessary collateral verification and only after the collateral has been determined qualified. Do not discuss the claimant's protected health information with the collateral.
Collateral verification is defined as:
from any person, other than the claimant or member of the group:
This definition may include:
Selecting qualified collaterals involves evaluating:
Example: The claimant recently moved to the community and is residing in his/her aunt's home on a rental basis. (S)he states that (s)he does not yet know anyone who could serve as a collateral. It would then become the worker's responsibility to determine whether the claimant's aunt would be a qualified collateral.
The worker would do this based upon:
In some cases, and for some eligibility factors, the worker processing the case or other members of the staff may have the necessary information and thereby serve as a collateral on the case. When this is done, the worker must follow the procedures outlined in any collateral situation.
Verification by collateral meets requirements only when the caseworker believes that the collateral has either general or specific knowledge applicable to the point in question. His/her reason for knowing may be by virtue of his/her position, e.g., a current employer who knows the client's financial and household status.
The worker must evaluate the information and the basis for the information (s)he receives from the collateral and make a decision regarding its validity.
If authorized persons make requests through the Support Enforcement Unit (SEU) for information from case files, the caseworker must give full and prompt cooperation in providing the requested information, which is restricted to:
This information may be secured from both active and inactive case files or records. In SEU cases, authorized persons are defined as the following:
The restrictions above apply to information about the absent parent. It is permissible to provide SEU with the income and resources of the claimant if this information is needed to determine ability to repay retained child support and to determine the amount to be repaid.
Section 208.120(1) RSMo 1978 prohibits the disclosure of recipient information except “... for the purposes directly connected with the administration of public assistance.” This section also makes recipient information confidential and not admissible in evidence in any judicial proceedings “... except such proceedings as are directly concerned with the administration of these programs.”
While IV-A and IV-D agree that Prosecutors, Circuit Clerks, Judges, and their staff would be entitled to IV-A information pertaining to IV-D matters, IV-A staff must be certain that the request is in fact pertaining to IV-D. In order to alleviate any problems in this area, the following policy will apply.
Any request for IV-A information from Prosecutors, Circuit Clerks, Judges, or their staff pertaining to IV-D matters must be directed to the appropriate IV-D agency serving the IV-A office in question. IV-D staff will then secure the requested information from IV-A. Prosecutors, Circuit Clerks, Judges, and their staff should not contact IV-A directly as IV-A will not release any information directly to them.
Instances will still arise in which information from the IV-A office will need to be provided to the prosecutor or the court, or testimony of a Division employee will be needed so that the prosecuting attorney can prepare or litigate a IV-D matter. If the IV-D supervisor determines that IV-A can best or most cost-effectively provide this information or testimony, (s)he will contact the county IV-A director and request that the information or witness be available to the prosecuting attorney or court at the time and place specified. This will be done without the necessity of the court's issuing a subpoena or other mandate.
Disability Determination Services (DDS) process adult and children's disability claims for the Social Security Disability Insurance (SSDI) and Supplemental Security Income (SSI) programs for the Social Security Administration (SSA). SSA has implemented a new electronic process for requesting and receiving medical records that will assist applicants in receiving more timely decisions regarding their SSDI and SSI claims.
REQUESTS FOR MEDICAL RECORDS FROM DISABILITY DETERMINATION SERVICES
DDS requests for medical records on individuals are bar-coded and sent to FSD by fax or mail along with a signed HIPAA Authorization for Disclosure of Consumer Medical/Health Information (MO 650-2616) form. FSD staff can accept and respond to these requests. Medical records can be submitted to DDS by fax, mail, or electronically.
NOTE: All medical records must be sent via encrypted email. Refer to Email Encryption instructions for more information.
Whether returning medical records to DDS by fax or by mail, staff must place the bar-coded DDS letter on top of each set of the claimant's medical records or other documents sent to DDS. FSD staff submitting faxed records for DDS must send the fax to SSA's Secure Front End Capture System (FECS). All FECS server numbers are toll free. The FECS reads the bar-code from the DDS request and then transfers the records to the claimant's file.
FSD may submit medical records electronically to DDS only if the medical records are stored in an electronic file. FSD offices do not currently store medical records electronically, but FSD may have received records already stored electronically by a provider. In these situations, FSD may transmit the records electronically to DDS. Contact the Social Security Electronic Records Express Help Desk at 1-866-691-3061 or send them an email at electronic-records-express@ssa.gov for additional information on submitting records electronically.
FSD REQUESTS FOR MEDICAL RECORDS FROM DISABILITY DETERMINATION SERVICES
FSD staff can also request records from DDS. The DDS can share the medical records if they have the requested information in their possession and after consulting with their Professional Relations Officer. There is no fee charged to request or receive these records.
NOTE: Remember to send requests for medical records via encrypted email. Refer to Email Encryption instructions for more information.
Staff may contact Professional Relations Officers at Disability Determination Services for more information about the process for requesting medical records. Refer to Appendix A for a listing of DDS Professional Relations Officer Contact Information and SSA's toll-free FECS fax numbers.
Information can be released for the administration of any Federal or federally assisted program which provides assistance in cash, in kind, or services directly to individuals on the basis of need. For example: Human Resource Agency, SSI, HUD.
When an agency under contract for the purchase of services under Title XX requests information to document eligibility for Title XX services for Income Maintenance recipients, the County Office may release the information without the written authorization of the claimant.
Refer to 0130.005.10.10 Uses and Disclosures for the privacy restrictions on protected health information.
The confidentiality requirements included in the Cooperative Agreement provide for the release of certain requested information without prior consent of the client. The information that can be shared with Vocational Rehabilitation includes records of Medicaid payments, diagnostic data, medical reports and other records that are for administrative purposes.
Refer to 0130.005.10.10 Uses and Disclosures for the privacy restrictions on protected health information.
An applicant's or recipient's Medicaid number may be released to a provider without the applicant or recipient's written consent. This procedure is allowed in Section 1902 (a) (19) of the Social Security Act. The Act requires that a State plan for medical assistance must ensure that “eligibility for care and services under the plan will be determined, and such care and service will be provided, in a manner consistent with simplicity of administration and the best interest of the recipients”. This procedure does not permit the disclosure of lists of names and addresses of Medicaid beneficiaries.
Refer to 0130.005.10.10 Uses and Disclosures for the privacy restrictions on protected health information.
When requests for information are received from sources other than those already identified at 0130.005.05, the worker cannot release any information, except for the information on the Income Maintenance Payroll, without the consent of the claimant.
Other sources could include governmental authorities, the courts (if subpoena is involved refer to 0130.005.05.25), law enforcement officials, service agencies, private individuals or businesses.
If the signed authorization does not accompany a request, the claimant should be informed of the request and permission obtained to meet the request.
Refer to 0130.005.10.10 Uses and Disclosures for the privacy restrictions on protected health information.
If there is a written request by a responsible member of the household, its currently authorized representative or a person acting in its behalf, to review materials in the Income Maintenance case record, the agency shall make this information available to the household during normal business hours. The agency may decide to screen material it considers confidential, as it deems necessary, if criminal prosecution is pending. However, it should be noted, confidential information not provided to the household or its representative, if requested by them, shall not be considered in a hearing's decision.
If the requested information is protected health information, refer to 130.005.10.25 Client's Right to Access Their Health Information on File in FSD Record. This section provides instructions on the types of information that are not accessible to the client and the procedures that an individual must follow to request copies of medical information.
If the person's representative requests information that is protected health information, review 0130.005.10.40 Who May Exercise Privacy Rights and Personal Representatives. This section explains who may act as the client's personal representative and discusses the situations in which staff cannot share information with the personal representative.
Income Maintenance payrolls are open for public inspection during normal work hours.
Listings of pending applications, closed cases or rejected applications are not open for public inspection.
Section 570.145, RSMo, Financial exploitation of the elderly and disabled, penalty—definitions, defines financial exploitation of the elderly and disabled as a crime. It is unlawful under §570.145 RSMo to fail to remit to a licensed nursing facility the MO HealthNet eligible participant's money owed to the facility (their surplus amount).
The Family Support Division (FSD) is allowed to release records regarding the income or assets of a resident of a licensed nursing facility to prosecuting or circuit attorneys who are investigating or prosecuting an offense of financial exploitation against an elderly or disabled person. The request must be made in writing. The financial records are the only information that can be released. The records regarding the income and assets of a nursing facility resident must not be released to other law enforcement.
When a subpoena is issued for a case record or for an employee of the Family Support Division to appear in court, the following procedure should be followed:
When the subpoena is for a case record, the County Director or designated representative will appear at the hearing with the record.
When the subpoena is issued for a worker, the worker will appear at the hearing.
When questioned, the employee should explain to the Court that (s)he has been instructed not to disclose contents of the case record or information obtained in the course of his/her work as a representative of the Family Support Division, and a copy of the law should be given to the Judge so that he may read the following sentence from Section 208.120:
“In any judicial proceedings except such proceedings as are directly concerned with the administration of these programs, such information obtained in the discharge of official duties related to the identity of applicants for or recipients of benefits, and records, files, papers, communications and their contents shall be confidential and not admissible in evidence.”
When the subpoena involves a program not included in the statute (BP), the employee should explain to the Court that the Family Support Division has, by policy, applied the same principle of confidentiality to all programs administered by the agency.
If the Court then instructs the employee to testify, he must do so.
Attention is called to Section 491.130, RSMo: “A witness shall not be compelled to attend, as such in a civil suit, at a greater distance than forty miles from his place of legal residence, unless his legal fees for traveling, in going to and returning from the place of trial, and the day's attendance, are paid or tendered to him at the time of summoning such witness.”
When an employee of the Family Support Division is requested or subpoenaed to testify in Court in alleged client fraud proceedings, the employee will appear and will provide any information requested as the result of the fraudulent act. The confidentiality portion of Section 208.120 does not apply, since this type of proceeding is within the exceptions to disclosure. It is considered as part of the administration of the Income Maintenance Programs.
The Health Insurance Portability and Accountability Act (HIPAA) protects individuals' medical records and other protected health information (PHI). This federal law provides further requirements and restrictions in addition to the other confidentiality provisions beginning at 0130.005.00.
With certain exceptions, PHI refers to any individually identifiable health information. This includes information that identifies or can be used to identify the individual, information about physical or mental health, and payments for medical care. To be PHI, it must include medical information and a personal identifier. PHI includes but is not limited to:
The major provisions of HIPAA provide for:
With regard to individually identifiable health information, use means the sharing, examination, utilization, employment, or analysis of the information within DSS. Disclosure means the release, transfer, provision of access to, or divulging information outside of DSS.
An individual's medical records such as hospital and doctor reports and medical claims are confidential. Release of these medical records requires a signed authorization from the claimant or the claimant's personal representative in order for FSD to receive these records. Staff uses a form such as the IM-60 to get the authorization for the release of protected information. In some instances, the claimant may give the records to staff. How staff uses or discloses this information determines whether further authorization from the client is needed.
In general, HIPAA covers health plans, health care clearinghouses, and health care providers. Health plans include the Medicaid program. For the most part, HIPAA allows covered entities such as the Department of Social Services, including FSD, to use or disclose PHI for purposes of treatment, payment or health care operation without requiring the client's authorization. Using PHI to determine Medicaid eligibility falls within treatment, payment or health care operations.
No further authorization from the client is required if staff uses the information to establish Medicaid eligibility. Such purposes include determining disability, pregnancy, blindness, need for emergency care (Medicaid for illegal aliens), medical insurance premiums, incurred medical expenses, and uninsured status for the MC+ under the Children's Health Initiative or the Breast Cervical Cancer Treatment Medical Assistance Program.
Releasing the minimum necessary PHI to a Medicaid provider to allow the provider to charge for provided services (see first bullet under 0130.005.10.05 Minimum Necessary above) requires no further authorization from the client.
If staff uses the PHI to determine eligibility for a DSS program, no further authorization from the client is required. Examples include but are not limited to:
If staff needs to disclose PHI for a non-Medicaid purpose, a DSS Authorization for Disclosure of Health Information form may be needed.
No authorization is required to disclose information when all of the following are met:
An example is when staff refers a Temporary Assistance claimant to the state Workforce Development or shares information with Disability Determinations. Although no authorization is required, such disclosures are subject to certain tracking or reporting requirements as identified in 0130.005.10.30 Accounting for Disclosures of Protected Health Information.
If no exception is met above, an authorization is required. The following is an example when the form is required:
Staff gets PHI to determine Permanent and Total Disability and an exemption from the Temporary Assistance job requirements. The client has severe financial, medical, and housing problems. Staff calls a private charitable organization and advises the organization of the client's financial problems to include the immediate need for medication to treat diabetes. Disclosure of the medical information (diabetes information) to the organization violates HIPAA unless the client completed the DSS Authorization for Disclosure of Health Information form. In this example, staff should have obtained the client's authorization or withheld the PHI.
In this example, an option to avoid disclosure issues would be to address a letter to the client and give it to him or her. The letter should confirm that the client needs assistance.
The above releases marked with an asterisk (*) are subject to the tracking requirements found in 0130.005.10.30 Accounting for Disclosures of Protected Health Information.
Staff must also obtain an authorization for any use or disclosure of psychotherapy notes except for program operations such as Medicaid determinations or when used by FSD in defending itself in litigation or other legal proceedings brought by the client.
Clients have the right to request specific restrictions on the use or disclosure of PHI. Claimants must file this request in writing. Staff must send the completed request to the FSD privacy officer. The privacy officer will then determine whether to accept or deny the request.
Clients must indicate their request for restriction by using the DSS Request for Restriction of Information form. The form must be completed, signed and dated by the client or his or her personal representative.
The FSD Privacy Officer must receive the written request and determine whether it will be approved. The privacy officer will provide staff and the client with the final decision.
If the client wants to terminate the approved restriction, have the client complete a Request for Restriction of Information form and indicate the request for termination of the restriction. Send the request to the FSD privacy officer. After a client has terminated the restriction, the privacy officer will sign and date the form, and return a copy to staff for implementation.
A client or the claimant's personal representative who believes his or her health records are incomplete or incorrect may request an amendment or correction of the health records.
Do not consider information learned during the regular course of business to be an amendment. An example is when a client provides the name of a new treating physician.
Additions to the file are not amendments.
For minor discrepancies such as typing errors, misspelled names, wrong dates, etc., staff may correct the entry by drawing a single line through the error, adding a note that explains the error, dating it, initialing it, and by making the correction as close as possible to the original entry in the record.
All other requests for amendment of PHI must be in writing and include the reason to support the amendment. The request should include any documentation that explains or verifies the incorrect or incomplete PHI that the client is requesting to amend.
Have the client complete the DSS Request for Amendment/Correction of Protected Health Information form. The request must be approved or denied within 60 days. Based on the client's request and information provided, determine whether to amend the PHI. Staff cannot approve the amendment if:
If staff believes that the request should be denied, immediately forward the form to the FSD Privacy Officer who will then forward it to the DSS Privacy Officer. Include the reason to deny the amendment and any documentation that explains or verifies the incorrect or incomplete PHI that the client is requesting to amend.
The privacy officer may request an extension of 30 days by notifying the client in writing. If the amendment request is denied, the privacy officer notifies the client and staff, and explains the reason for the denial and provides other information.
The individual has the right to submit a written statement disagreeing with the denial of all or part of a requested amendment and the basis for the disagreement. Submit the written statement to the privacy officer. The departmental privacy officer may prepare a written rebuttal to the statement of disagreement and send it to the client and staff.
If the client has submitted a statement of disagreement and the request for amendment was denied, staff must identify the PHI that is the subject of the disputed amendment. If staff discloses the disputed information, they must also include with the disclosure the client's statement of disagreement, the denial of the request for amendment, and the privacy officer's rebuttal statement if any, or an accurate summary of the information.
If the person has not submitted a written statement of disagreement, the individual may request that staff include the request and the letter of denial with any subsequent disclosure of PHI.
Under HIPAA, clients have a right to look at their files with the exceptions listed below. Have the client complete the DSS Request for Individual's Access to Protected Health Information. Provide access unless the PHI concerns:
If staff provides the access, send a copy of the DSS Request for Individual's Access to Their Protected Health Information to the FSD privacy officer.
Do NOT give the claimant the requested PHI. Immediately forward to the FSD privacy officer a copy of the information that the client is requesting and the DSS Request for Individual's Access to Their Protected Health Information form. Advise the Privacy Officer if one or more of the reasons for denial apply and which one(s). Use an IOC, letter or memorandum to provide the Privacy Officer with any information or recommendations that may assist the officer in reviewing the request.
The privacy officer will determine whether to approve or deny the request. If the request is denied, the privacy officer will notify the claimant and staff of the decision.
If FSD denies access, in whole or in part, to PHI, the privacy officer may provide or instruct staff to provide:
Claimants have a right to request a review if the denial is based on one of the following reasons:
The DSS Request for Individual's Access to Protected Health Information form notifies the client of the denial and how to appeal the decision. An IM-87, Application for State Hearing, is not used.
The Departmental Privacy Officer will then designate a licensed health care professional to review the denial. The designated licensed health care professional who did not participate in the original decision to deny access shall review the record and the request for access to the client's record.
When information is provided, it must be provided in a designated record set. A designated record set is all PHI contained in the client's file. For example, copy the requested PHI that is maintained in the client's medical file used by the Medical Review Team to determine Permanent and Total Disability. If the requested information is in more than one section (for example, the hospital discharge summary is in the MRT medical file and the hospital bill is with the income or budget section), this becomes the designated record set.
The privacy officer may provide a summary or explanation of the requested PHI if:
If the requested information is maintained electronically and the client requests an electronic or faxed copy, accommodate the request if possible and explain the risk to security of the information when transmitted as requested. If the information is downloaded to a computer disk, the consumer may be charged a reasonable amount for the disk and mailing. If the information is not available in the format requested, produce a hard copy document or other format agreed upon by the client.
Provide the access requested in a timely manner, and arrange for a time and place for the client to inspect the PHI or obtain copies, unless access by another method has been requested by the client and agreed to by staff.
If staff or the privacy officer is providing access, certain time frames exist. The individual must be allowed to inspect or obtain a copy of his or her PHI no later than 30 days after staff gets the request (60 days if the information is not maintained or accessible to FSD on-site). The deadline may be extended up to 30 days if the individual gets a written statement of the reasons for the delay and the date staff or the privacy officer will fulfill the request.
The PHI of a deceased consumer may only be released to the personal representative or executor of the estate.
Staff must account for all disclosures of PHI upon the client's request unless exempted below. The client may request an accounting of disclosures made by FSD during the six years before the date the client requests the accounting. Staff is not required to account for disclosures that occurred before April 14, 2003. This includes paper copies, faxes, electronic transmissions, and verbal releases. However, no tracking or accounting is required in the following exceptions:
These are some examples of disclosures that must be accounted for and documented on the DSS Disclosure Tracking Log:
Use the DSS tracking disclosure screen to record all disclosures unless excluded in 0130.005.10.30, number 1, a through i. Access this screen by going to the DSS Intranet. Staff MUST update this screen upon the disclosure. The screen captures information about what was disclosed, who received the PHI, the authority of the person to receive the PHI, the purpose of request, a brief description of the PHI released and other information. Print a copy of the updated screen, and file it next to the Change of Status Summary form. Keep the printout and disclosed information for six years from the date of the disclosure.
Claimants use the DSS Request for an Accounting of Disclosures to request an accounting. Upon receipt of this form, immediately send it to the Department of Social Services Privacy Officer. If staff has other information that may be helpful to the Privacy Officer, include it with the disclosed PHI.
The privacy officer must provide an accounting no later than 60 days after the request. The deadline can be extended up to 30 days. The first accounting in any 12-month period is without charge to the individual.
Individuals have a right to receive the DSS “Notice of Privacy Practices Regarding your Protected Health Information” form. Staff must provide the notice at the initial application and whenever a client requests the form. County offices must make the notice available so an individual can request and obtain a copy. Offices must also post the notice in a clear and prominent location.
Staff must provide the Notice of Privacy Practices to individuals effective April 14, 2003, and thereafter by:
HIPAA establishes procedures for when material revisions occur and how often clients must be notified of the availability of the notices. Staff will be notified how FSD will comply with these requirements.
The privacy notice will also be posted on the DSS internet web site.
A client for the most part exercises his or her own privacy rights. However, some persons may be legally or otherwise incapable of applying their privacy rights. Moreover, an individual may authorize another person to act on his or her behalf. In general, treat the personal representative as the individual unless a restriction occurs.
Examples of an adult's or emancipated minor's personal representatives include a person who has a health care power of attorney, is a court appointed legal guardian, or has a general power of attorney or power of attorney that includes a health care decision clause.
Usually the parent, not the unemancipated minor, has the right to receive a minor's PHI. Exceptions to the parent's exercising privacy rights for an unemancipated minor arise when the law allows a minor to consent to the treatment, a court or other law allows a person other than the parent to make treatment decisions for the minor, or the parent agrees to a confidential arrangement between a physician and the minor.
Do not treat the person as the individual's personal representative if:
Under certain circumstances, HIPAA permits disclosures “. . . to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, the protected health information directly relevant to such person's involvement with the individual's care or payment related to the individual's health care.” Before disclosing information to one of these persons, staff must:
Give the client an opportunity to object to disclosure, and the client does not object; OR
EXAMPLE: A MO HealthNet participant is the ward of a public administrator. Staff contacts the public administrator’s office and speaks to a staff member working for the public administrator about the case.
PHI of a deceased client is protected by HIPAA. However, consider the person with the legal authority to act on behalf of the deceased client or the deceased client's estate to be the personal representative, e.g., an executor of the estate.
Staff must ensure that PHI is not improperly released. To avoid this, verify the requestor's identity. Ensure that the person has the proper authority to obtain the PHI. If the client is unknown to the FSD employee who is releasing the information, require the client to verify his or her identity
Examples of written verification that may verify identity and purpose of the request include proof of government status (a badge, identification card, etc.), a request on government letterhead, a copy of conservator/guardian's court appointment, an order from the Probate Court, and correspondence from a medical facility.
For telephone calls, staff may have to call the party back. Before returning the call, verify the number through the phone directory, e.g., verify the pharmacy's telephone number when staff receives a call to confirm Medicaid eligibility on a client who needs to fill a prescription.
If staff has questions about the request, call the client to confirm that the contact or request for information is for Medicaid purposes and that release is acceptable to the client.
Staff must protect the privacy of individually identifiable health information, must recognize the importance of such confidentiality provisions, and affirmatively acknowledge those guidelines.
Supervisors must inform employees of their obligations with respect to PHI in accordance with DSS/FSD policy. All employees are required to receive HIPAA training appropriate to their respective job duties. All employees must read and affirm an understanding of the DSS Administrative Manual on HIPAA.
Training includes one or more of the following: reading and affirming an understanding of the HIPAA policy in the DSS Administrative Manual, taking the DSS HIPAA training presentation, reading the FSD policy, completing a Take 45 Training Session, receiving training during new employee orientation, and receiving on-going training as deemed necessary by supervisory staff.
The receipt of HIPAA training shall become a part of the employee's personnel record.
Volunteers who work in FSD offices must review the DSS Administrative Manual and the DSS training on HIPAA and sign an acknowledgement that they have reviewed those provisions, just as a regular employee would.
HIPAA provides the following civil and criminal penalties for the misuse of PHI.
DSS has a Privacy Officer to oversee all ongoing activities related to HIPAA compliance. The address for the Privacy Officer is: Division of Legal Services, P. O. Box 1527, Jefferson City, Missouri 65102-1527, (phone: 573-751-3229), (fax: 573-526-1484), (text: 1-800-735-2966), and (voice 1-800-735-2466).
The Family Support Division also has a privacy officer to address issues and questions that staff may have about HIPAA. The FSD privacy officer works with the DSS privacy officer to maintain departmental privacy efforts. Send HIPAA related policy questions through normal supervisory channels to State Office, Income Maintenance, Program and Policy, attention: IM Privacy Officer, P.O. Box 88, Jefferson City, MO 65103.
Clients have the right to make a complaint about any policy or procedure used by staff to comply with HIPAA. Refer a person who wants to file a complaint about HIPAA compliance to the DSS Complaint Officer. Use the same address and phone numbers as for the DSS Privacy Officer. Advise the individual that he or she may be required to file a written complaint.
Persons may file a complaint with the Secretary of the Department of Health and Human Services if they believe that the department (to include the division) is not complying with HIPAA. Clients can contact/write them at 200 Independence Avenue, S.W., Washington, DC 20201 or call them at 1-877-696-6775. Individuals may complain to the Office of Civil Rights by calling 866-627-7748 or 886-788-4989 TTY.
Do not intimidate, threaten or coerce, discriminate, or take other retaliatory actions against a person for exercising his or her HIPAA rights or for participating in a HIPAA established process.
Staff must lessen any harmful effect, known to staff, of a use or disclosure of PHI that violates the HIPAA privacy provisions. It is DSS policy that staff will take appropriate action to prevent further inappropriate uses or disclosures and pursue any feasible actions to lessen the harmful effects of any such violations. Staff should contact the FSD privacy officer for instructions if mitigation is necessary.
The Privacy Officer may impose copying or other reproduction costs. The client's agreement to any costs is confirmed by the person's checking the appropriate box in the “Request for Individual's Access to Their Protected Health Information” form.
The request is processed in the format requested (i.e., microfiche, computer disk, etc.), if possible, and in a timely, consistent manner according to established timeframes but not more than 30 days after receipt of the request. If the record cannot be accessed within the 30 days, the timeframe may be extended once for no more than an additional 30 days with notification in writing from the privacy officer to the individual outlining reasons for the delay and the date the request will be concluded.
If a copying charge is imposed, it will be the same that FSD uses to reimburse medical providers. FSD cannot charge any search or retrieval fees.
The Records and Records Management section of the Department of Social Services Administrative Manual provides the departmental policy on HIPAA. View this section via the DSS Intranet site. Click the Human Resource Center link, then the DSS Administrative Manual, then go to chapter five, Records and Records Management, and select Protecting Health Information.
The Eligibility Specialist has primary responsibility for providing the information necessary to resolve complaints received from the claimant, his/her representative, or other concerned persons. Each complaint should be handled in a courteous manner.
The Eligibility Specialist can minimize claimant dissatisfaction by:
If the Eligibility Specialist receives a complaint from the claimant or his/her representative, the Eligibility Specialist must:
The immediate supervisor will:
The Eligibility Specialist and the supervisor jointly decide upon the action to be taken.
The Eligibility Specialist will complete any necessary follow-up action, i.e.:
If the Eligibility Specialist receives a complaint from a person other than the claimant or his/her representative, the Eligibility Specialist must:
Note: The Eligibility Specialist will be expected to use logical judgment when evaluating the validity of the complaint and in deciding what information is recorded in the case record (i.e., if someone calls in a complaint about the claimant's personal or moral habits which do not affect eligibility and refuses to give their name).
The Eligibility Specialist has primary responsibility for providing the information necessary to resolve complaints received from the claimant, his/her representative or other concerned persons.
The Eligibility Specialist may receive the complaint directly. The Eligibility Specialist may be able to resolve the problem immediately through discussion with the complainant. If the Eligibility Specialist resolves the problem, the fact that a complaint was made and the nature of the complaint should be discussed with the immediate supervisor. If the Eligibility Specialist cannot satisfy the complainant immediately, the complaint should be discussed with the immediate supervisor before any action is taken.
Each complaint should be reviewed by the person who receives the complaint and routed through the first line supervisor to the Eligibility Specialist responsible for the case. The Eligibility Specialist, in consultation with his/her immediate supervisor, will decide what action is necessary and will take that action. This decision should then be routed back to the person who received the complaint. It is this person's responsibility to reply to the complainant.
If the claimant is not satisfied with the resolution of their issue, and/or they wish to file a written report of their complaint, provide them with the Customer Service Form (FSD-4).
The FSD-4 Customer Service Form provides Family Support Division (FSD) customers with a consistent process to submit a comment, complaint, or compliment and receive administrative resolution and/or response.
NOTE: Customers may use the FSD-4 Customer Service Form to submit a comment, complaint, or compliment for any Family Support Division service.
FSD will address complaints and attempt to resolve concerns regarding customer service and benefit case actions.
Clients have the right to make a complaint about any policy or procedure used by staff to comply with the Health Insurance Portability and Accountability Act. Refer to 0130.005.10.55 for the HIPAA complaint provisions. Refer a person who wants to file a complaint to the DSS Complaint Officer. Advise the individual that he or she may be required to file a written complaint.
Persons may also file a complaint with the Secretary of the Department of Health and Human Services if they believe that the department (to include the division) is not complying with HIPAA. Clients can contact/write them at 200 Independence Avenue, S.W., Washington, DC 20201 or call them at 1-877-696-6775. Individuals may complain to the Office of Civil Rights by calling 866-627-7748 or 886-788-4989 TTY.
42 CFR 435.923 and 13 CSR 40-2.015 provide rules governing the limitations of powers and authority of authorized representatives.
At the time of application or at any other time, an applicant/participant may elect to appoint an authorized representative to:
The applicant/participant may use an authorized representative to perform only the following:
NOTE: Do not release participant information to another person until a valid designation of authorized representative, including HIPAA notification, has been signed and received by the Division. This does not apply to a request for release of participant information from the participant’s attorney, spouse, attorney-in-fact, guardian, conservator, or court appointed public administrator.
The appointment of an authorized representative does not preclude FSD staff from contact with the applicant/participant as needed to conduct the business of the agency with regard to the application, review, or other agency action.
An applicant/participant:
NOTE: For applications/cases in Family Assistance Management Information System (FAMIS), upon receipt of a completed IM-6, IM-6AR, IM-6ARO or other designation form add Authorized Representative information on the Representative List screen (AUTHREP/FMJ1) and Representative Detail screen (FMJG).
For applications/cases in Missouri Eligibility Determination and Enrollment System (MEDES), upon receipt of a completed IM-6AR, IM-6ARO or other designation form, add a comment to the client’s Person Page, under Notes. List the authorized representative's name, address and telephone number as well as the date the IM-6AR, IM-6ARO or other designation form was signed and received. At this time the authorized representative evidence is not functioning in MEDES, so manual notices must be sent to the authorized representative.
NOTE: If there is conflicting information or instructions from more than one authorized representative, the FSD must consult with the applicant/participant and/or the authorized representatives to resolve the conflict.
EXCEPTION: When the applicant/participant is represented by an attorney the FSD will consult with the attorney before consulting with the applicant/participant if conflicting information is received.
Do NOT require an IM-6AR or other authorized representative designation form when the applicant/participant is represented by:
NOTE: Attorneys who do not file a written entry of appearance, but wish to act on an applicant/participant’s behalf must provide other appropriate documentation of their capacity as representative.
The authorized representative must not:
An appointment of authorized representative is only valid with the DSS. It does not permit an authorized representative to represent or appear for the applicant/participant in any court of law in the State of Missouri.
An authorized representative represents the applicant/participant who signs the Appointment of Authorized Representative (IM-6AR) form, or whose legal guardian/conservator or attorney-in-fact signs it on their behalf. The authorized representative may only make application for the applicant who has appointed the individual to act as their authorized representative. If an applicant and the applicant's spouse apply for MO HealthNet benefits and only the applicant appoints an authorized representative, do not share the spouse's information with the applicant's authorized representative.
The second parent or spouse is not required to appoint an authorized representative(s). However, if a second parent or a spouse requests to appoint an authorized representative, the second parent or spouse:
EXAMPLE: If Mrs. A appoints an authorized representative but her husband, Mr. A, does not, the authorized representative can only make application for Mrs. A, and only receive eligibility information and eligibility notices on Mrs. A.
Mr. A does not have to appoint an authorized representative. If Mr. A does not appoint an authorized representative, and he wants to apply for benefits, he will have to sign an application form. If Mr. A does not appoint an authorized representative and does not want to apply for benefits, the authorized representative must provide information about both Mr. and Mrs. A to complete the eligibility determination.
FAMIS forms and notices contain information on all members in the eligibility unit. When an eligibility unit contains a second parent or spouse who did not name an authorized representative, it is necessary to provide manual forms and notices, such as the Approval Notice form (IM-32) or Notice of Case Action form (IM-33), to the authorized representative for the applicant/participant. The manual forms and notices must only contain information about the applicant/participant who signed the IM-6AR.
Once the signed Appointment of Authorized Representative (IM-6AR) form is received, FSD shall consider the authorization to remain in effect until:
At reapplication, review the previous authorized representative information in FAMIS or MEDES with the applicant to determine if the appointment is still valid. If it is not valid, obtain a signed IM-6ARR. (See below).
The Appointment of Authorized Representative may be revoked at any time.
NOTE: Upon receipt of a completed IM-6ARR or signed and dated written statement requesting revocation, update the Authorized Representative information on the Representative List screen (AUTHREP/FMJ1) and Representative Detail screen (FMJG) in FAMIS.
In MEDES, on the client’s Person Page under Notes, add a comment recording receipt of the IM-6ARR. The comment should include the date the IM-6ARR is signed and received and that the applicant/participant has revoked the privileges of the authorized representative.