HIPAA: Health Insurance Portability and Accountability Act of 1996
Frequently Asked Questions

  Transactions (FAQs)

(Q) On October 15, 2003: What do Centers have to do to comply with the Transactions requirements for HIPAA?

(A) If all of your HIPAA-required transactions are processed through Central Office processing, then IT and Financial Services will make the necessary changes to ensure that the transactions meet HIPAA requirements. However, for any transactions that a Center does that are HIPAA standardized transactions, the Center is responsible for making the necessary changes to comply with HIPAA. For this reason, it is important that the appropriate Center staff is familiar with the required HIPAA transactions and a gap analysis is completed for the Center. Central Office Administration has made available the “HIPAA Transactions and Code Sets Rule and SCDMH: Inventory/Planning” guide to assist with this gap analysis. A copy of this document can be printed from Health Insurance Portability and Accountability Act of 1996; refer to the Workgroup Reports for Transactions.

(Q) On September 15, 2002: Do Centers and Facilities have to submit their own extension request to CMS for the Transactions and Code Sets?

(A) No, Central Office Administration will complete the extension request. Although each Center and Facility will receive a confirmation number, a single request will be submitted to the Center for Medicare and Medicaid Services for all SCDMH Facilities and Centers as a single Covered Entity under HIPAA.

(Q) On December 9, 2002: Are faxes subject to HIPAA transactions standards?

(A) No. However, they might have to meet the privacy and security standards if they contain Protected Health Information.

Privacy (FAQs)

(Q)  On January 22, 2003: If we provide substance abuse treatment, what impact does HIPAA have on the federal regulations that protect the confidentiality of drug treatment records (42 C.F.R., Part 2)?

(A)  SCDMH must comply with both, when applicable. When we are dealing with the substance abuse records and the two rules conflict, the more stringent rule must apply.

(Q)  On January 22, 2003: Does HIPAA require consent to be redone after a certain time?

(A)  According to HIPAA, consent is effective until revoked in writing by the individual. Of course, SCDMH can make its own policy requirement in this regard.

(Q)  On January 16, 2003: Would you e-mail me the 18 items that are considered “identifiers” under the Privacy Rule?

(A)
1. Name
2. All address information
3. E-mail addresses
4. Dates (except year)
5. Social security number
6. Medical record number
7. Health Plan beneficiary numbers
8. Account numbers
9. Certificate numbers
10. License numbers
11. Vehicle identifiers
12. Facial photographs
13. Telephone numbers
14. Device identifiers
15. URLs
16. IP addresses
17. Biometric identifiers
18. All geographic subdivisions smaller than a State including street addresses, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
    1. The geographic unit formed by combining all zip codes contains more than 20,000 or fewer people; and
    2. The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

(Q)  On January 7, 2003: Must the signature be witnessed on the consent forms?

(A)  The Authorization form permitting disclosure of PHI does not have to be witnessed. Note that as of January 7, the current SCDMH draft of the form and the directive do not require a witness.

(Q)  On January 7, 2003: Under what circumstances may we accept copies of consent forms, if any?

(A)  I assume you mean an “Authorization” when there is no other exception permitting disclosure. And that you mean a DMH Authorization or one from another covered entity under HIPAA that we know meets the basic requirements. Generally, HIPAA does not specifically prohibit the use of faxed or photocopied valid Authorizations or other HIPAA related completed forms.

(Q)  On January 7, 2003: Should we validate or question signatures on consent forms by reviewing previous signatures that we have in the record?

(A)  Assuming that you mean “Authorization,” HIPAA does not require that we verify a signature. However, at any time if we doubt the authenticity of any signature, original or a copy, we could, but are not required to, seek other verification. Otherwise, as with most other signed forms, we can reasonably rely upon the document or document copy being what it says it is.

(Q)  On January 3, 2003: What is the difference between consent and authorization under HIPAA?

(A)  Under HIPAA, an authorization is when a patient/consumer/client grants permission for each type of non-routine use or disclosure of their health information. Consent is when patient/consumer/client allows the use of their health information for routine health care (treatment, payment and health care operations). Under HIPAA, a signed consent is optional and HIPAA leaves it up to the provider to develop a consent policy that works for them or to leave their current policy in place.

On December 20, 2002, the following questions:

(Q)  What does the HIPAA Privacy Rule regulation do?

(A)  The HIPAA Privacy Rule creates national standards to protect individuals' Protected Health Information (PHI), which includes both medical and payment information.  It also gives an individual more control over their PHI. It gives individuals the right to find out how their PHI is used and what disclosures of their information have been made, and the general right to request amendments to their information.  It gives patients the right to examine and obtain a copy of their own PHI and request needed additions or corrections. Overall, it limits release of PHI to the minimum reasonably needed for the purpose of the disclosure.  Violations are subject to both civil and criminal penalties.

(Q)  What DMH information is protected under the HIPAA Privacy regulations?

(A)  "Protected Health Information" or “PHI” is personally identifiable health information, in any form (verbal, written, or electronic) that is used or disclosed by DMH.  This includes: names; specific dates (e.g. birth, admission, discharge, death); telephone numbers; Social Security numbers; Medicaid numbers; medical record numbers; and photographs.   In general, PHI includes all information that has always been protected by existing South Carolina law and SCDMH Confidentiality Directive.

(Q)  Will HIPAA limit DMH in consulting with other medical providers about a patient?

(A)  No.  Consulting with another health care provider about a DMH consumer, including coordination of treatment or care, etc., falls within the definition of "Treatment."  Further, although HIPAA normally limits use or disclosure to only the Minimum Necessary to accomplish the purpose of use or disclosure, if the information is needed for Treatment, including access to/copies of the entire medical record, then all of the information may be used/disclosed.

(Q)  In limiting access, do we have to redesign clinical and other office spaces to comply with the Minimum Necessary and other HIPAA Privacy requirements?

(A)  No.  HIPAA is not specific as to environmental requirements and defers to the provider to make reasonable efforts to limit PHI access to DMH employees, officers, volunteers who need access to do their job.  The HIPAA Security requirements, expected late this year, will likely have specific protections for electronic storage, transmittal and access (e.g. passwords, screensavers, etc.).  However, overall, HIPAA Privacy requirements should only expand what should be existing DMH practices and environmental safeguards, including as applicable good practices recognized by JCAHO, CARF etc. in protecting consumer information from unnecessary disclosure. Although redesigns should not be necessary, individual offices may need to adjust work areas to minimize access, such as isolating and locking file cabinets or records rooms, turning computer screens away from public or common areas, reasonable phone, fax and e-mail practices to limit disclosure of PHI, and when practical to de-identify information in routine exchanges over the phone, e-mail etc.  DMH personnel should already make it a practice to ensure reasonable safeguards for oral information, for instance, by speaking quietly when discussing a patient's condition with family members in a waiting room or other public area, and by avoiding using patients' names in public or common areas.

(Q)  Does DMH have to provide a DMH consumer access to oral information?

(A)  No.  Access to individual PHI is that contained in an individual’s "Designated Record."  A record is by definition “recorded.”  However, if oral information is taped it may be part of a “Designated Record.”

(Q)  Will this rule make it easier for law enforcement to get PHI?

(A)  No.  HIPAA will in many instances require law enforcement to secure a subpoena or warrant for information that under South Carolina law, they have in the past commonly received by request only.

(Q)  Does HIPAA do away with South Carolina law protecting the confidentiality of DMH patient records?

(A)  No. When HIPAA is more restrictive or provides greater patient access and patient rights, then HIPAA usually controls over state law.  However, when South Carolina law provides for stricter protections or greater patient rights, then South Carolina law (44-22-100) is read in addition to HIPAA requirements.  For example, state law will still require a specific court order or Authorization for some disclosures of DMH information permitted by HIPAA by subpoena only.

(Q)  Does HIPAA do away with 42 C.F.R Part 2, the federal regulations that protect the confidentiality of alcohol and other drug treatment program (e.g., Morris Village) records?

(A)  HIPAA is in addition to requirements of 42 C.F.R. Part 2, and in general, the more stringent protection applies, which usually are the 42 CFR Part 2 requirements.  A specific guide for DMH A&D programs will be distributed after January, 2003.  At present, only Morris Village and a few other DMH A&D programs will need to comply with both HIPAA and 42 CFR Part 2.

(Q)  Can we continue to honor signed releases from other agencies (e.g., S.S.)?

(A)  Probably. Through interagency HIPAA workgroups, including the HIPAA Legal Workgroup which DMH chairs, state agencies are coordinating the development of common HIPAA Privacy related policies, procedures and forms.  In addition to the fact that HIPAA requirements are often very specific, and would by necessity be similar, we are trying to make it easier for state agency staff as well as persons that we serve, to have similar written policies and forms from agency to agency.  While DMH would prefer the use of a DMH Authorization form, we likely will be able to accept any public agency's Authorization.  For example, disclosures to SS (and/or affiliated state agencies) for purposes of determining eligibility for disability benefits are currently made by an individual's completed SS authorization form.  That form, and most others from state and federal agencies that require health information, will be revised to be HIPAA compliant.  Also note that, as long as there is a need for information related to Treatment or Payment, or in some instances Operations of either agency (particularly if both agencies are covered by HIPAA), we should be able to share information without a signed Authorization.  We will likely also enter into a multi-agency MOA to agree to honor sister agency forms.

(Q)  What agreements do we need with contractors?

(A)  We will have a model "Business Associate" agreement by February, 2003, and it will be very similar to a model agreement to be used by other state agencies.  Note that a BA is not required for a Treatment provider (e.g. contract physician).  While a BA is required for new contracts beginning April 14, 2003, there is a one year phase in to amend contracts entered into prior to April 14, 2003.  In addition to existing or planned new contracts, if an individual DMH entity has an unwritten agreement where PHI is shared in order to receive some service from the other entity, you may need a free standing BA.

(Q)  Will we still use the DMH Confidentiality Directive?

(A)  The DMH Notice of Privacy Practices (and applicable forms) will be the foundation for a DMH directive to replace the current DMH Confidentiality Directive by April 14, 2003.  The replacement Privacy Practices Directive will likely be approved January, 2003.

(Q)  What constitutes a “record” that a consumer has access to?

(A)  See “Designated Record”, which includes both medical and billing/payment records.

(Q)  Will we still use the DMH Confidentiality Directive?

(A)  Yes, but it will be revised to cover HIPAA Privacy requirements.

(Q)  When can we disclose information to a family member without written authorization?

(A)  An Authorization will be required in many instances.  Exceptions include: when a family member is asking about location or general condition of a loved one; when family member is also a caregiver; and/or in an emergency and/or when the patient is incapacitated.

(Q)  What information should be in an Accounting log of PHI?

(A)  See Accounting Log form and note that Log is for entries of non TPO disclosures made after April 14, 2003.  Also Accounting does not include "incidental disclosures" such as waiting room sign-in sheets, charts at bedside, etc.

(Q)  Is there a specific procedure for considering a request for amending PHI?

(A)  HIPAA requires that a request to amend PHI be in writing and specific as to why the PHI is incorrect/incomplete.  The Privacy Practices Directive will include forms pertaining to amendments.

(Q)  Do we have to get consent that a consumer has read the Notice of Privacy Practices?

(A)  Consent is not required for TPO uses/disclosures.  DMH must make a good faith effort to get written acknowledgment that a consumer had the opportunity to review NPP.  Best time would be at intake, by adding a line to existing document that includes consent for other purposes, e.g. “I have been given the opportunity to read, review, obtain a hard copy and ask questions about the SCDMH Notice of Privacy Practices and how SCDMH uses and discloses my information and my rights concerning my information.”

        

(Q)  On January 30, 2003:

Re: the HIPAA privacy notice, etc. Are (will) we be required to have a version in Spanish?

(A) HIPAA doesn’t require the Notice to be translated. However, there is a requirement under Title 6 for recipients of federal financial assistance who have limited English proficiency. In addition, OCR (responsible for Privacy enforcement) is expected to issue additional guidance about its expectations for translated Notices.

The Division of Healthcare Reform will assist in adapting the Notice to comply with CMS/OCR Limited English Proficiency requirements, which will include a Spanish translation.  Initially it may be a more general model translation used by public agencies. Basic forms will also need to be adapted.

On February 10, 2003, the following questions:

(Q)  What is the time frame to have all active clients review and sign acknowledgements of the HIPAA Privacy Rule?

(A)  First time (new consumers) /next time (current consumers) they come for services beginning April 14, 2003. 

(Q)  Who are considered the covered entities?

(A)  All of DMH is a covered entity, and all areas/components will comply with HIPAA Privacy Rule.  While most other providers are also CEs, in addition to most 3rd party payers, some other public agencies may be "hybrid" with both Covered (e.g., the treatment or care component) and Non-Covered components.  For example, some areas of DHEC (e.g. health department) and DSS (health care/treatment/case managers) are covered by HIPAA privacy while other areas are not.

(Q)  How does HIPAA law apply to our clients that are involved with other agencies such as DJJ, DSS, DDSN and etc?

(A)  See above. HIPAA Privacy Rule would apply to at least the treatment/care component of those agencies.  In addition to being able to share PHI to further treatment (including case management, consultation, etc. among those types of agencies), many state agencies will also likely enter into a Memo of Understanding among CEs to further comply with HIPAA Privacy.

(Q)  Does Minimum Necessary need to be defined by having a policy that states its implementation procedures?

(A)  As explained in the DMH Notice and Directive, even when a use or disclosure is authorized, the PHI disclosed should be limited to the Minimum Necessary to accomplish the intended purpose.   The only exception to this limitation is when the entire medical record is needed for continuity of care, particularly when requested by a physician.

(Q)  How can a clinician determine when too much information is too much under minimum necessary?

(A)  No absolute guide except to determine for what purpose, e.g. what is the minimum information to support information for billing for a service? (Bill code/type of service/date of service/duration of service/provider of service, etc.) and then disclose that information only.

(Q)  What happens if a client refuses to sign acknowledgement of HIPAA Privacy Rule?

(A)  We are required to make a good faith attempt to secure written authorization that a person has been provided the opportunity to review the DMH Notice of Privacy Practices.  That process may be suspended in an emergency/when consumer is incapacitated.  That documentation will be on the applicable intake document and/or by rubber stamp in the medical record.  If unable to secure such acknowledgement, staff are to document same (e.g. "consumer offered a copy of Notice/given a copy of Notice/refused to sign").

(Q)  Can clients inspect and have copies of physician medical assessments and clinical service notes?   Is a client entitled to review third party information?  If protected health information is removed from the medical records, have the rights of the client been violated?

(A)  Clients have a general right to access PHI, but not the right to access information from a third party if that information was given under promise of confidentiality and disclosure likely to reveal source (e.g. family gives info, but asks that source not be disclosed).  PHI may be used or disclosed in accord with the exceptions to the Privacy Rule (e.g. for TPO purposes, Public Health, Health Care Oversight, etc.).  No entry in the medical record can be removed.  However, entries may be amended and/or supplemented if there is a clinical reason for doing so.  This goes beyond the consumer's right to request an amendment (there may be a discovered error or omission from another source).  In general (in addition to the procedure for a consumer-requested amendment), the amendment/addition is properly documented showing the original entry and the supplement, date of new entry, signature of person making entry and purpose for new entry.

(Q)  During a designated record set meeting, we share only information that has been requested by the client.   If additional information is requested during the designated record set meeting, must we provide that information at that time?

(A)  A practice question.  Technically, this would constitute a new request, and it may require additional time, so that it is reasonable to set up a subsequent time to make available the new info etc.  However, if the additional information is readily available, probably best to take a few more minutes then to find/provide the additional info.

(Q)  Clients can request for an Accounting Log of release information.  Should the Accounting Log include Treatment, Payment, and Health Care Operation type of information?

(A)  Accounting is not required for TPO purposes. 

(Q)  Do we document all oral communication?  What kinds of oral communication should we not document?

(A)  Generally no; exceptions would be a dictation or other oral "record", or disclosures that would be included in the Accounting, such as a report of abuse and neglect to DSS.

(Q)  HIPAA used the term Satisfactory Assurances. What is satisfactory assurance? How does this term apply to employees?

(A)  Not sure of the specific reference, in general, showing a good faith effort to train, understand and protect PHI will go a long way in compliance.

(Q)  How does School Based Services apply with HIPAA Privacy Rules?  Since we have contracts with the schools, would the schools be considered as a Business Associate?

(A)  Reviewing the contracts with school districts, in many instances, disclosure is for treatment, for others may be able to use an MOU.  For others may need an Authorization.

(Q)  Would the minimum necessary rule apply to School-Based Services?

(A)  Minimum Necessary applies to almost all disclosures (when needed for treatment/specifically when requested by physician the main exception).  First question is whether the disclosure is authorized; then if authorized, disclose the minimum necessary to satisfy the need for disclosure.

(Q)  Would authorization be needed to discuss a client's case with school officials?

(A)  See above, probably unless pursuant to treatment or payment.

(Q)  How does TPO protect our rights?

(A)  Upon providing copy of Notice of Privacy Practices, DMH may use/disclose PHI for Treatment, Payment or Operation purposes.  TPO does not protect rights; it is a class of exceptions permitting use or disclosure.

(Q)  Our psychiatrist referred a client to a medical physician for an examination.  Would our psychiatrist be entitled to the results of that examination without having a release of information form?

(A)  PHI may be disclosed for most treatment purposes, including as needed among providers for consultation, referral, case management, etc.  However, any non-DMH providers may have their own requirements.  HIPAA Privacy creates a national floor for privacy of PHI, but providers may provide other protections, and HIPAA must be considered along with other federal and state laws that provide additional privacy protections (e.g., federal alcohol and drug, and to some extent, state laws, including those protecting DMH patient info).  Bottom line, while we may know what HIPAA permits, we cannot always say what an outside provider may require.

(Q)  What are psychotherapy notes?

(A)  See definition in DMH Directive and Notice, especially note that it does not contain information normally shared/kept in record such as diagnosis, medication, treatment types/program, treatment plan, type/date/duration of services, progress notes, etc.

(Q)  Can Psychotherapy Notes be considered as Clinical Services Notes?

(A)  See above.

(Q)  Does HIPAA Privacy Rule specify ways to document? If not, what should be included in the documentation?

(A)  Generally no, unless specific to a patient right, e.g. Authorization, accounting, etc.  Otherwise, document in accord with applicable professional/licensing/QA/QI, accreditation and other standards.

(Q)  Under the Protected Health Information what are the covered entities when authorization is not needed?

(A)  See Directive and Notice for disclosures permitted without Authorization (e.g. for TPO purposes).

(Q)  What are some of the things that will put us at risk when it comes to maintaining documentation?

(A)  Use/disclosure PHI only when permitted per Directive and Notice.  For specific Security requirements, that info will follow in a few months.

(Q)  If a client is at her doctor's office and her physician calls for information, can we release the information without having authorization from the client?  Is this an example of "treatment" under the Protected Health Information?

(A)  Yes.  Yes.

(Q)  How would the fines and penalties be determined?  Can an employee be fined separate from the agency involving the same fine?

(A)  Office of Civil Rights/feds determine HIPAA penalty.  DMH determines employee discipline.  May also create private cause of action (private lawsuit).  Both agency and employee are exposed to liability.

(Q)  Can you be fined under state and federal laws?  How would you determine whether a state or federal law has been violated?

(A)  Yes, see above.

(Q)  Can an employee lose his/her job because of failure to comply with HIPAA laws?

(A)  Yes, see above.

(Q)  What rights do employees have under HIPAA?

(A)  As a recipient of health care services from a covered entity (when we go to see our own doctor), we have the same rights as a DMH consumer of DMH services.

(Q)  Must there be a policy written to cover Business Associates? Additional statements or language about HIPAA Privacy Rule added to the Memorandum of Agreement (MOA), would that suffice the agreement for HIPAA Privacy Rule?  How long do we have to include this statement or the HIPAA language in all business contracts?

(A)  DMH will provide a model BA agreement.  

(Q)  Are the janitorial services business associates?

(A)  A BAA would probably not be needed, as the service was not for services that require/involve PHI disclosure by DMH to the contractor and any unintended/inadvertent "disclosure" in the course of the contractor's services would be "incidental":

A business associate contract is not required with persons or organizations whose functions, activities, or services do not involve the use or disclosure of protected health information, [i.e., the use/disclosure of PHI by DMH/MHC to contractor is not needed for contractor to provide the service to DMH/MHC] and where any access to protected health information by such persons would be incidental, if at all. Generally, janitorial services that clean the offices or facilities of a covered entity are not business associates because the work they perform for covered entities does not involve the use or disclosure of protected health information, and any disclosure of protected health information to janitorial personnel that occurs in the performance of their duties (such as may occur while emptying trash cans) is limited in nature, occurs as a by-product of their janitorial duties, and could not be reasonably prevented. Such disclosures are incidental and permitted by the HIPAA Privacy Rule.

(Q) On February 14, 2003:

Advice on how to deal with the variety of sticky issues related to clubhouses? One example:  Field trips may involve identification of participants as clients of DMH, thereby providing the public with some knowledge of the health status of the person they observe-- our client.  Staff at restaurants may know that the mental health center is footing the bill and that the people at the table are clients.  The list of examples is endless.  Is this merely incidental exposure and nothing to worry about? Should we try to forge agreements with each store etc..... making them business associates?  Should we have clients sign releases informing them of the possible exposure?

(A) Not business associates. If you ever have an activities type consent/agreement etc. similar to what a school has parents to sign (and you might not need one) could just add a statement that the consumer realizes that he/she may be recognized or identified as a consumer/patient/client of DMH/MHC.

On February 20, 2003, the following questions:

(Q) If a client has already received a Notice and they leave [services] and come back, do we have to provide another Notice?

(A) No, as long as you can demonstrate that one is already on file.

(Q) If we've received federal grant money for A & D services, then are we required to meet the more restrictive requirements for A & D services under Part 2?

(A) Probably. Particularly if you've advertised yourself as an A & D Treatment Program, then you probably have to meet the more restrictive requirements.

On February 25, 2003, the following questions:

(Q) When we send out information, do we need to stamp each page with a statement like the one that is currently in the Privacy Practices Directive (Notice Prohibiting Redisclosure)?

(A)  Best to use the Notice in Directive as a cover sheet.

(Q) Can we re-disclose information given to us from other DMH agencies if requested by the client or another DMH agency?

(A)  Generally yes, but better practice to have each individual area release its own info and as applicable, including on its accounting log.

(Q) Can we re-disclose information given to us by any State agency to another State agency, just not re-disclose information given to us by a private setting?

(A)  Generally yes. The specifics are important in making this determination.

(Q) If we provide a summary to the client instead of the records, what is the charge for this?

(A)  Depends on the cost to us: our labor costs to compile, type it up, postage, etc.

(Q) What will we charge if a client requests an accounting of disclosures?

(A)  See Notice.

(Q) When releasing information, exactly which disclosures have to be logged on the Accounting Log? 

(A)  Unless a listed exemption, must be logged.

(Q)  Did you place an area for the address to be documented on the Authorization form?

(A)  Yes, see the model attached to the Directive.

(Q) Do we have to log instances of incidental PHI disclosure?

(A)  No

(Q) Do we have to log disclosures to Business Associates?

(A)  Yes

(Q) Will I be able to order the forms that are in the Privacy Directive from Diana Spann or will they need to be copied at the center level?

(A)  Order applicable forms, including the Notice Brochure, through Forms Management, Diana Spann.

(Q)  Can you e-mail me the privacy notice regarding subpoenas form?

 (A)  See model attached to Directive posted on the Intranet and HIPAA Web site.

(Q) When e-mailing client's names, should we type their entire first name, last initial and their CID#?

 (A)  Unless absolutely necessary to carry out the job function, it is not recommended that you use identifying information including CID#.

(Q) Do e-mails that contain client information have to have the disclaimer statement attached to them? 

(A)  Yes. That statement is included in the Directive Appendix.

(Q) I also attached the form that can be used just to document the address or to request information for TPO purposes.  It is a very simple form.  Let me know what you think.  It could be printed on half-sheets like the M-450 C.

(A)  The Authorization attached to the Directive should be used for such purposes.

(Q) How many Notice brochures should be kept on site?

(A)  The DMH Notice brochure must be offered/given to each DMH Consumer.  The Notice also serves as a guide for DMH staff in following the new DMH Privacy Practices Directive. Each DMH inpatient facility, mental health center and other applicable component must keep an ample supply on site. Each inpatient facility and MHC must individually order through DMH Forms Management. See the ordering instructions provided on the SCDMH Intranet Homepage and/or elsewhere on the SCDMH HIPAA website.

On February 26, 2003 the following questions:

(Q) Can you describe what kind of Business Associate agreements SCDMH will have to have?

(A)  Under HIPAA Privacy regs, 164.504, after April 14, we must have a Business Associate Agreement with some entities that we contract with.  We have another year to amend current agreements, but all new applicable agreements will require a BAA.

The regs include agreements where we are required to provide Protected Health Information ("PHI" e.g., patient medical and billing information) to the contractor, so that the contractor can provide the contracted service to us.  However, they do not include agreements where the disclosure of PHI may be incidental (such as janitorial, maintenance, etc.) where contractor may be in an area where he/she could see PHI, but we do not provide it as part of the contracted work.  They also do not include any treatment or care contract such as with a doctor, nurse, hospital, CRCF, Homeshare or other treatment or care provider.

If you have a question about whether or not a business relationship you have will require a BAA, you can contact Alan Powell in Legal Services.

(Q) What are some examples of disclosures that would be on the log, since all other disclosures seem to be captured under the "DMH Information Uses/Disclosures, After Your Opportunity to Review the Notice and Object and/or Uses/Disclosures, Without Your Opportunity to Object  or Limit Use or Disclosure" Sections of the Directive.

Would this be when authorization has been given?

(A)  Examples: Mandatory reporting of abuse and neglect, reporting to DHEC of a contagious disease, reporting Medicaid fraud to HHS.  Disclosures to Consumer and pursuant to Authorization do not have to be logged.

(Q) The Directive appears “narrower” than the Notice when it comes to logging disclosures; and the Notice being broader, when it comes to "without opportunity to object." Would a court ordered disclosure be an example of a disclosure to be logged? DSS child abuse reporting?

(A)  “Opportunity to object and request restrictions" is the full phrase, but shortened sometimes to just "request restrictions", as the only specific thing that you may need to record or act on, i.e., you don't consider/act on an objection, but you do with a request for restriction. . .and as noted some use/disclosures you can't request a restriction on.

(Q) We have a several year old agreement for SCDC to haul off material for shredding.  We pay them to do this through an IDT.  There is no contract or other written agreement covering this, however.

Do we need to have a written agreement to cover privacy?  Would it be a "Business Associate" agreement?  I have trouble thinking of state agencies as business associates.  I am assuming this is not part of "operations."

(A)  Will likely need an MOU.

 

On March 3, 2003, the following questions:

(Q) Will authorizations be valid until they are revoked or will they have an expiration date?  I believe CARF requires that the expiration date does not exceed one year.

(A)  SCDMH Authorization form has a one year max, or an earlier condition or event if stated in the Authorization.

 

(Q) As Homeshare providers are not considered a member of the SCDMH workforce and do not provide a service that a DMH employee would or could be providing, do they need to take the HIPAA test?

(A)  As Homeshare providers do not provide a service normally provided by a DMH employee, and are not incorporated in our workforce in providing DMH public mental health services, they would not be required to complete the formal "workforce" HIPAA training. 

(Q) Can we continue to use RE: C-107 Consent to Treat and M-450D Release of information?

(A)  Both are in current stock in Forms Supply (several dozen pads of each), but have been revised for use beginning April 14.

If you plan to attach an acknowledgment of receipt of Notice (by label, etc.) to the existing Consent form for a new Consumer, instead of using the revised C-107, you may use the current form with the attachment, until the current stock runs out.

You may continue to rely upon a current M-450D signed before April 14, until that release expires or is revoked by the Consumer (i.e., it is otherwise valid past April 14).  If there is a significant advantage to using the current form rather than the replacement "Authorization", you may want to try and secure authorization on a current M-450-D before April 14.

If the client is notified of the right to, and does provide, a written disagreement to our denial of a Consumer's request for amendment, the Consumer may also request that future disclosures of the disputed PHI include the request and the denial.   Regardless of whether we agree to that request or not, the Consumer always has the right to make a privacy practices complaint to DMH and/or HHS as noted in the Notice and Directive.

On March 11, 2003, the following questions:

(Q) I need to communicate via e-mail quite a bit about specific consumers.  We are able to do this, are we not, if we attach a confidentiality statement? Could you give me that phrasing?

(A)  The Directive has a "Security" attachment which gives some copy/fax/e-mail guides, including a recommended privacy statement.  The attachment also notes the preference to de-identify information unless specific names, etc. are necessary for the understanding and use of the information (especially as may be needed for Treatment) contained in the communication.  Even if permitted under an exception (e.g. for DMH Operation purposes) only disclose minimum necessary to accomplish the needed purpose and when practical, refer to Consumer by general description/circumstance "43 yr. old male broke his wrist last night at BPH" "Franklin G. referral to Voc Rehab." etc. Bottom-line, even when PHI may be disclosed and even with a privacy notice statement, we should still try to limit the PHI to the minimum necessary to accomplish the purpose for disclosure.  Again, with the caveat that in furthering Treatment, specific, detailed, extensive information is often needed.

(Q) The Privacy Practices Directive will suggest that faxes and e-mail transmissions that contain Protected Health Information include a statement similar to the following.  Other than using it as an e-mail "signature", is there a simple way to have it attached to all DMH Groupwise messages?

(A)  The overall advice remains to not send PHI in ordinary messages back and forth within DMH (de-identify info, etc).  For internal e-mails, Groupwise has no way of globally sending out a confidentiality statement with every e-mail. Therefore, individuals who must ID the Consumer in their internal e-mails, must use the signature route which is a user setting and must be done on an individual basis. However, for e-mails using the internet, SCDMH intends to set up an automatic statement for everything going out of DMH. Until this is completed, use the individual signature setting for internet e-mails.

(Q) On March 20, 2003, now that we have finalized forms with form numbers attached, I took the purchase request to our procurement officer this morning for quantities of all required. Their concern was the normal turn around time in ordering forms may exceed the period before April 14. Have you gained assurance from forms control that they will expedite these HIPAA orders?

(A)  Please contact Diana Spann in Forms Management.  If you are unable to receive what you need in time, note that you can copy from the Directive which has them attached or download and print from electronic version of Directive (hard copy or electronic version on intranet site).
Complete an S-13 & S-14 for Rev. C-107, Rev. M-132, Rev. M-450D. These forms will be available to users on 4/4/03; if the user’s requests are here, we will ship to them on 4/8/03 exactly what they are requesting. (These three forms are stock items which will be available to all users on 4/4/03.)  Now, the M451, M-452, M-453 & PR-11 must be ordered on the MS-11. All users may request these (4) forms today and we will print them now. Just forward an MS-11 to Forms Mgt. today. (Turnaround time is seven business days.)

On March 26, 2003, the following questions:

(Q)  Is it necessary to post the Notice so that it is laid out like a poster?

(A)  No.

(Q)  When will it be posted on the website?

(A)  The Notice is already available on the Intranet site. It will be posted on the Internet before April 14, 2003.

(Q)  Describe the general ways PHI is used.

(A)  Treatment and Payment: Age, name, social security number, etc.; diagnosis, kind of treatment provided, to make referrals to other providers, case management, consultation, etc.
Operations: Will share with other DMH staff who need to know and use that info; will share outside DMH for those who need to use/know that info (insurance companies, other medical providers, Medicaid/Medicare, etc.).

(Q)  When Central Office Admin staff are on-call and take a call from a consumer, how will we provide Notice? We will be sharing information about them with the Center.

(A)  Providing Notice is not required. This would not be considered the first contact with the client for purposes of requiring acknowledgement of Notice of Privacy under HIPAA. A contact that would be considered treatment, however, would require the client receiving a Notice.

(Q) Does sending PHI over the internet fall under the Privacy deadline 4-14-03 or the security deadline 4-21-05?

(A)  Both. Under Privacy, the Notice rules apply because any info that identifies a consumer in any form, electronic, written, oral, is PHI. Under Privacy, then, you'd have to ask the usual questions about the e-mail that you'd ask about any PHI: Is it for TPO? Does it require authorization or is disclosure of that info otherwise permitted in the Notice without authorization? Is the info sent the minimum necessary? ETC.
And then there is Security that requires us to ask other kinds of questions. Is the e-mail "techno-secure" in that the Department has taken reasonable precautions to protect it? From a behavioral perspective, can others see/read the e-mail who shouldn’t have access to that information?
Review the Directive, specifically Appendix "Security" for some general guidelines.

(Q) Is the HIPAA Training Module 2 mandatory for all employees?

(A)  No. HIPAA Learning Module II is only required for employees who routinely disclose PHI outside of SCDMH and/or outside of their assigned work site, unit or office, or who otherwise need more privacy training than is provided by Module I in order to do their SCDMH job.

(Q) Do we need authorization to respond to a request for last known address/location information from DSS?

(A)  Depends on for what purpose, if related to treatment/care OK, if related to law enforcement (e.g., abuse neglect/locate fugitive/victim, etc.) maybe, etc.  Legal Services is working on a MOU with other agencies, with first signor likely to be DSS that would permit greater exchange.

(Q) Do we still need to seek patient's authorization on M-450 I prior to providing information to health insurance company to support claim for reimbursement?

(A)  HIPAA and the DMH Privacy Practices permit disclosure for Payment purposes without a signed authorization.  However, we will continue to use M-450I (at least for the immediate future, and in its current form) because of the need to have Consumer sign assignment of benefits to us, and at the same time get signed authorization to share PHI for Payment purposes. . .even though not needed for HIPAA.  We anticipate further developments in this area after April 14 when we’ve had a chance to see how this plays out.

(Q) According to the learning materials, we may disclose PHI for TPO only after we have provided client with notice of our privacy practices (on or after April 14). Scenario:  Client's case was closed here Jan 1, 2003 and has not been seen here since.  On May 1, 2003, primary care MD contacts the Center needing information about previous treatment.  Request is obviously for Treatment but not an emergency.  Can we release information without consent since we have not had the opportunity to provide client with our privacy practices notice?  Pathlore info says "no" but that doesn't make sense to me

(A)  Absent emergency, and until individual is given a copy of notice, next time he/she comes in MHC, signed Authorization is needed.  Yes, it is one of the awkward scenarios in phasing in HIPAA, but over time will become rarer, as Notice will have been provided starting 4-14.

(Q) Designated Record Set at bottom of 4th panel on brochure. I know it includes any DMH records. Does it also include records we may have from private MD or hospital, schools, DSS, DJJ, etc. if related to TP? Would it not include letter from family, Housing Authority, social security, etc. unless it is related to TP?

(A)  Not sure if all the stuff listed is in the medical or payment record (i.e. the Designated Record Set.).   Consumer Access to own PHI in a Designated Record Set generally includes anything that we have in medical or payment records, including copies from outside provider, etc. As a practical matter, may note that we only have copies, which may not be up to date or accurate and best to refer to originator of record. However, except as noted below, we do not have the right to deny access just because the info is from outside DMH.  Exceptions to Consumer access: disclosures of information provided from a non treatment third party if third party asked that not disclose/would ID informant and disclosure would ID the informant (e.g. family member); when licensed health profess. determines imminent risk of serious harm consumer/others; Psychotherapy Notes;

(Q) Accounting Log: What are some examples of disclosures that we must log? Those listed would be ok for disclosure or with an authorization.

(A)  Accounting Log generally includes disclosures that we must make (see 3rd Panel "Uses/Disclosures Without Right. . .") and Business Associate disclosures.  Some entries may be withheld if they interfere with law enforcement/HHS enforcement activity. See prior e-mail to listserve.

(Q) I thought we were not required to log disclosures listed under the section of the privacy notice as "Some Specific Uses/Disclosures After You Have The Opportunity..." For example, I was under the impression that TPO did not have to be logged. Isn't reporting of abuse/neglect under this section along w/ Public Health, protecting the president, etc. I thought only disclosures other than these had to be logged. I'm unclear when the disclosures listed in this section should or should not be logged (?)

(A)  The section "Some Specific Uses/Disclosures After You Have The Opportunity..." pertains to types of disclosures that the Consumer may request a restriction, including requesting a restriction on a TPO disclosure.  While there is no correlation between this section and Accounting, Accounting does not include disclosures for TPO purposes. The next section ("Uses/Disclosures Without Right to Object/Request Restrictions. . .") lists disclosures that the Consumer has no right to request a disclosure.  Those listed disclosures are normally logged in the Accounting Log, e.g. "Public Health/Health Oversight" reporting of abuse/neglect, and/or Medicare/Medicaid Fraud/Abuse.  Note that HIPAA regs treat child abuse reporting a little differently than adult reporting and the latter may also involve HHS/law enforcement Medicare/Medicaid fraud investigation.  Although logged in Accounting, if requested by law enforcement/HHS entity, we may withhold those accounting entries, when providing log to Consumer, if entity states it would interfere with its enforcement activities.

(Q) CAF staff, when they suspect child abuse or neglect will make a report to DSS and document it in the record. Apparently, they often (usually?) do not inform the client/family that they have made this report. Question: if the family requests to inspect or copy the record, can the documentation of the DSS abuse report be excluded? A CAF physician stated, "When we write it in the record it is with the expectation that it will remain confidential."

(A)  Regardless of whether the entry is in the chart, reporting of abuse or neglect is to be logged as a disclosure in the Accounting Log.  A Consumer has the presumed right to a copy of the Accounting Log.  In the instance of CAF, as a 16 yr old has the capacity to consent to treatment in this state (see DMH Consent Directive), a juvenile age 16 or 17 asserts the privacy rights pertaining to his/her PHI.  So, a 16/17 year old is the one with authority to assert privacy rights (e.g. access to own PHI, copy of Accounting), not the parent.  If law enforcement/HHS notifies us that disclosure of an entry in Accounting Log would interfere with an investigation, then we withhold information about that entry.
As far as expectation of confidentiality, HIPAA creates expanded Consumer rights pertaining to a Consumer's greater control over his/her information, so the presumption is that the Consumer has access, absent a specific exception, such as an investigation noted above/notice from law enforcement; where a licensed health care professional determines that access to PHI is reasonably likely to endanger Consumer or others, etc.

(Q) Will we be able to page clients?

(A) Using the public address system, clients can be paged without providing any distinction that would make them identifiable as clients. Electronic pagers that transmit text information that contains PHI should be treated like e-mail and, therefore, only minimum necessary transmitted.

(Q) On March 31, 2003, when we collect money from consumers for copying records/PHI under their HIPAA rights, do we send the money to DMH Downtown Accounts Receivable or to the Center level?

(A)  The money collected should remain at the Center level and reflected as a reduced expenditure for the Center, the most likely place is copier costs.

On April 1, 2003, the following questions:

(Q)  Is it going to create a problem because the address for filing complaints on the DMH Notice of Privacy Practices is not the same as the one published in the Federal Register?

(A) No. DMH printed its Notice of Privacy Practices using the address provided by federal officials. However, sometime after this, the Federal Register was printed and a different address was published. DMH staff contacted the Office of Civil Rights and was advised that complaints received at the incorrect address would be rerouted by their office to the correct address, although the receipt might be delayed.

(Q) Can we respond to requests from DSS for the client’s last known address/location information from DSS?

(A) This depends on the purpose. If the request is related to treatment/care, then it is OK to release the information. If the request is related to law enforcement (e.g., abuse neglect/locate fugitive/victim, etc.), then it would depend on the circumstances.

(Q)  Do we still need to seek patient's authorization on M-450 I prior to providing information to a health insurance company to support claim for reimbursement?

(A)  HIPAA and the DMH Privacy Practices permit disclosure for Payment purposes without a signed authorization.  However, we will continue to use M-450I (at least for the immediate future, and in its current form) because of the need to have Consumer sign assignment of benefits to us, and at the same time get signed authorization to share PHI for Payment purposes. . .even though not needed for HIPAA.

On April 14, 2003, the following questions:

(Q) Is it possible to develop a “blanket” authorization form which could be used by all Covered Entities?

(A)  As with most things HIPAA, each Covered Entity is responsible for developing its own privacy practices and its own applicable forms, including the entity's Authorization form meeting not only HIPAA requirements, but also requirements specific to the respective agency/entity, type of information to be disclosed, and any prohibition on redisclosure of information provided by an Authorization.  
 Further, the entity releasing the information pursuant to an Authorization is required to keep the original, and provide for and (as applicable) honor, written revocation of the signed Authorization, with applicable notice to others relying on that Authorization.  Therefore, it is difficult to have a two way Authorization, binding two parties to mutual exchange of information from different covered entities and monitor and act on a revocation. 

(Q) What section of the "medical record" the new forms should reside?  Is there a "universally-accepted" response to this? 

(A) Centers and Facilities can determine how best to organize the new forms in the medical records. Currently, there is no universally accepted response. However, the following guidelines are recommended:
1) Accounting Log (M453)  -  On top in the correspondence section of the record. Since it is a log of what information has been shared.
2) Letter Request to Amend (M452) - Correspondence section since it is a letter coming into the center.
3) Letter Request to Inspect (M451) – Same as #2.

(Q)  Is it necessary for the parent of a minor to sign a form M-450I?

(A)  While after providing opportunity to review our privacy practices (see NPP brochure) and request restrictions, we may share info as needed for TPO (here payment), we do need parent (of minor) to sign assignment of benefits (not specifically a privacy issue, but a billing/payment one).

On April 24, 2003, the following questions:

(Q)  Insurance has been getting calls from other DMH Centers and some outside providers asking if a patient has signed a privacy statement.  Does insurance need a copy of the patient’s privacy statement so they will know if they can disclose information?

(A)  The fundamental requirement for HIPAA is that you provide an opportunity for the patient to review DMH's privacy practices (which is done when you attempt to give them the privacy brochure) and as applicable request a restriction.  We are required to make a "good faith attempt" to get the patient’s signed acknowledgement of that opportunity/receipt of our NPP as explained in the Privacy Practices Directive, if we are unable to get such acknowledgement then so note on the signature line (e.g. "refuse to sign").  Once we have followed this procedure, DMH may disclose information in the course of TPO (Treatment, Payment and Operations see definitions in Notice and Directive).  If patient requests a restriction (and if the patient has the right to request the type of restriction, see NPP and Directive) and if we agree to the restriction (we determine it is practicable and will not compromise treatment) then we are bound to that restriction.   In addition, insurance will still be using the M450I which would provide additional authority as well as consent for assignment of benefits.

(Q)  Can local providers/centers/facilities adapt and use various "model" forms included in the Appendix to the Privacy Practices Directive # 837-03? And how might the Local Privacy Officer be involved/"sign-off", etc. on the adaptation/use of such forms?

(A)  The model forms are as follows, which as noted in the Directive should be "substantially similar" to the model (no change to content, mainly add applicable names/addresses/phone/program/office/specifics facts related to issue, etc.): 
MODEL NOTICE OF PRIVACY LAW
MODEL NOTICE PROHIBITING RE-DISCLOSURE 
MODEL REPLY TO REQUEST TO INSPECT AND/OR COPY
MODEL REPLY TO REQUEST TO AMEND
MODEL REPLY TO REQUEST OF ACCOUNTING LOG
Only the above forms may be adapted for local use.  The other forms attached to the Directive are official DMH forms (with assigned number and ordered in quantity from DMH Forms Management).  
The Local Privacy Officer should review/approve (no special procedure) the local adaptation of the "model" forms.   If you wish, you could by memo to your staff "pre-approve" a local version of the model, as long as the only change to the model is to insert the applicable staff/consumer's name, address, program, office, phone/fax number, etc.   If there is any other change/addition to the form, it is recommended that the Local Privacy Officer review/approve the form individually.  The State DMH Privacy Officer usually would not need to review/approve such forms, but is available if there are questions/significant changes to the model.  
Changes to the official DMH forms (the non "model" forms) must be reviewed and approved by the Local Privacy Officer and by the State DMH Privacy Officer.  These forms will likely also require routing through DMH Forms Management for approval and printing.

(Q)  Pls provide guidance regarding staff sharing PHI with other DMH employees/components and outside of DMH, with or without Authorization.

(A)  In most instances, DMH employees may share PHI with other DMH employees, when that PHI is needed (at least the "minimum necessary") for the applicable DMH employee to do his/her DMH job (i.e., needed for DMH  "Operations", see Notice of Privacy Practices and Directive).  Further, in many instances, the PHI may also be disclosed because it is needed for "Treatment" and/or "Payment" purposes (see Notice and Directive). DMH is, at least for HIPAA Privacy and state law purposes, one entity, and PHI may be shared among DMH entities (inpatient, outpatient, administrative) as needed for Treatment, Payment and/or Operation purposes.  In such instances, no written Authorization is required. 
For disclosures outside DMH or any other HIPAA covered entity, note that HIPAA permits PHI disclosures outside the entity as needed for Treatment and/or for Payment purposes (see Notice and Directive).  However, also note that individual, non-DMH entities may have adopted stricter requirements.   For instance, a local medical provider may have adopted its own privacy practice that it will not release PHI without written Authorization, even when HIPAA permits disclosure without one.  Further, a specific provider's Authorization may be more restrictive than required by HIPAA and/or contain greater patient rights/control of PHI.
However, as each HIPAA covered entity must develop its own privacy practices, to include not only HIPAA requirements, but also other laws applicable to its information and consider its own privacy practices (which may be more restrictive and/or give more individual rights) their Authorization may be very specific and they will not honor a generic Authorization.  Further, the applicable entity releasing information based upon an Authorization must be able to document the receipt of a copy of the Authorization by the individual, monitor its use, and as applicable, document and act on a written revocation from the individual.  
Of course we have no way of knowing what the non-DMH practices are, or if the outside entity would accept the generic authorization, or how/who tracks the respective authorization, including any future revocation.  At the very least, as specific Authorizations from other entities are identified by local staff, we may be able to enter into an agreement with other non-DMH entities to accept each other's Authorization.

On May 1, 2003, the following questions:

(Q) We serve minors through our School-Based programs. Often it is difficult if not impossible to receive requested communications from parents / guardians. What is the DMH stance if despite our best, repeated and documented efforts, clinicians are unable to obtain a signed acknowledgement of receipt of Notice of Privacy Practices. May we continue to serve the child without facing unwarranted liability?

(A)  HIPAA requires only that we make a good faith attempt to get written acknowledgement of receipt of NPP.  When, as you note we try (send by mail to address on file, etc.) but get no response/refusal to sign/otherwise unable to get such written acknowledgement, when NPP was provided, it is recommended that you note on the line used for signature, and no lengthy documentation is needed.  We may then use/disclose PHI per our Privacy Practice (see NPP and Directive).

(Q)  Are we able to offer advice to consumers about their privacy rights under HIPAA?

(A)   No DMH employee can provide legal advice to a DMH consumer.  If a consumer believes that he has an employment dispute, or any other issue related to this employment, etc. that has not been resolved through the employer, including any available administrative procedure/remedy, the consumer may want to seek legal counsel.  If a consumer has an issue concerning his or her PHI privacy as may be protected by HIPAA, he or she should ask the applicable Privacy Officer for the HIPAA Covered Entity, for the name of the person and procedure for making a privacy complaint through that entity and/or through HHS.  However, note that employment records are normally not considered as PHI under HIPAA Privacy. 

(Q)  Can local offices have a Privacy Officer?

(A)   Each Center and Facility has a single Privacy Officer. Even so, there may be a need to have other similar (unofficial) designees for specific programs, due to special issues common to a particular population (Deaf Services, CAF, TLC, etc.). This is OK, although the Privacy Officer will remain as the designated Center/Facility point of contact.

(Q)  Do we have to get an Authorization from a client to release information to SSA for eligibility determinations?

(A)  The most recent (2003) version of Social Security Form SSA-827, "AUTHORIZATION TO DISCLOSE INFORMATION TO SOCIAL SECURITY ADMINISTRATION (SSA)", meets the HIPAA Privacy Rule requirements.   This most recent version from SS is identified by number in the lower left portion of the form: "Form SSA-827 (2-2003)".  A completed and signed form, or photocopy/fax may be accepted by any DMH component, and relied upon as authorization to disclose applicable PHI to SS  (or as applicable VR or other entity acting on behalf of SS) related to a SS disability claim or as otherwise described in the form itself.  If you have an older version signed before April 14, 2003, and you are unable to get a new authorization (either DMH Authorization or this 2003 version of the SSA-827), or if staff have questions about a particular form, seek assistance from your Privacy Officer, and your Privacy Officer can seek assistance from the State DMH Privacy Officer, as needed.

On May 5, 2003, the following questions:

(Q) Can staff contact the State DMH Privacy Officer with questions?

(A)  The State DMH Privacy Officer is always available to assist any staff member. However, for practical reasons, first, for Privacy/HIPAA issues and questions, please refer local staff to their Local Privacy Officer (each CMHC/DMH inpatient facility has one).  As applicable, staff should also review the Notice and Directive on DMH Privacy Practices.  If there are remaining questions, the State DMH Privacy Officer is available to review with the applicable Local Privacy Officer.

(Q)  Please explain why a DMH Authorization might not be acceptable for use by non-DMH Covered Entities.

(A)  HIPAA permits PHI disclosures outside the covered entity as needed for Treatment/Payment purposes (see DMH Notice and Directive), without written Authorization.  However, a specific covered entity may have adopted stricter requirements, including requiring Authorization when a disclosure is otherwise permitted by HIPAA.   Further, a specific provider's Authorization may be more restrictive than required by HIPAA and/or contain greater patient rights/control of PHI.

 As each HIPAA covered entity must develop its own privacy practices, to include not only HIPAA requirements, but also other law applicable to its information and consider its own privacy practices (which may be more restrictive and/or give more individual rights) their Authorization may be very specific and they will not honor a generic Authorization.  Further, the applicable entity releasing information based upon an Authorization must be able to document the receipt of a copy of the Authorization by the individual, monitor its use, and as applicable, document and act on a written revocation from the individual.  

On May 8, 2003, the following questions:

(Q)  The release of information form is only to release information, not ascertain information. The revised form is not user friendly because it is cumbersome to get someone to send them their form, have the client sign it and then return it to the place they are requesting information from.  The old form was better because it allowed information to be sent or request information from a particular agency or person using only a single form.  Can you provide me some feedback on the revised form?  Are there some legal reasons why we changed the form (HIPAA)?

(A)  While it is the case that the M-450 form was changed to meet some relatively minor changes required by HIPAA, most of the changes are semantic in nature.

While it is also the case that the old form not only authorizes the named DMH facility/center to disclose information, but also "requests" that they do so, it's apparent from the new form that the person completing it intends that the authorized information to be furnished to the person or entity they name in the form. It isn’t clear why the absence of the word "request" in the new form would make any difference in how DMH facilities and Centers respond when they receive a completed "Authorization to Disclose" from how they used to respond when they received a "Request for and Authorization to Release."

 It sounds like you are stating that you could use the old form when making multiple requests for medical records but can't use the new form in a similar manner. However, both forms allow the individual to make one request for medical records from all DMH facilities and centers or to specify one or more particular centers or facilities. You could have used one of the blanks on the old form to write in the name of a non-DMH provider, and that would be more incongruous using the new form because it references "SCDMH Protected Health Information" in the title, but both forms were really only intended to authorize the disclosure of DMH medical records.

(Q)  Should we require janitorial, equipment, etc. type contracts to have a BAA, included in bids and contracts?

(A)  A BAA is not required if the service involves treatment.  Further, a BAA is not required when the contracted services do not require that we provide and/or that the vendor use PHI in order to provide the contracted services.  In such instances, access to protected health information by such persons would be incidental, if at all.  Generally, janitorial, maintenance, etc. contractors are not Business Associates because the work they perform does not require that we provide access to PHI, and/or that the vendor use PHI in order to provide the contracted service.  Any disclosure of PHI that occurs in the performance of their duties (e.g., emptying trash, cleaning offices, repairing a light fixture, etc.) is limited in nature, occurs as a by-product of the contract service and could not be reasonably prevented.  Such disclosures are "incidental" and permitted by the HIPAA Privacy Rule.

On May 14, 2003, the following questions:

(Q)   It is my understanding that DMH is considered a covered entity which would include both the inpatient and outpatient pieces.  If a consumer has been offered the opportunity to sign the privacy statement at the Center or at the Facility (which they would have been upon admission) it is not necessary to offer them a second privacy notice at the pharmacy? 

(A)  All of DMH is considered one covered entity, and all of DMH has the same Privacy Practices (e.g., Directive and Notice of Privacy Practices). Therefore, providing the opportunity to review our Privacy Practices (e.g., offering a copy of the Notice of Privacy Practices brochure, and attempting to secure written acknowledgement) is only required once, at the first/next time the person comes for our services after April 14, 2003.

(Q)  When a patient visits a doctor's office in the private sector, they are given info and sign confirmation for HIPAA. If they are given prescriptions they visit a local pharmacy and are also given info/asked to sign something related to HIPAA. I know that patients that are admitted to a DMH inpatient facility receive info about HIPAA and that the same info is covered at the community MHCs. Does the pharmacy need to have a separate HIPAA document since we are the same agency, or do we need to do something separate?

(A)  No separate HIPAA document beyond the SCDMH Notice of Privacy Practices is required.

 

(Q)  We received a Business Associate Contract from one of the "providers" of nursing home care for some of our consumers.  Under HIPAA requirements, they are requesting we sign this agreement with them.  We also have MOAs with a number of "community care facilities" in various counties. Do they fall under some State guidelines that remedy this or, under HIPAA, must we contract with them individually?

(A)  Assuming that the contract/agreement/relationship with the nursing home/CRCF involves treatment, then no BAA is required.  A BAA carries some baggage, for both parties, but especially for the Covered Entity, so it is not recommended that you enter into one if not required.  In some instances, entities are also attempting to pass through HIPAA related costs to us via the BAA.  However, if the entity insists on having us sign (assuming that the entity is the HIPAA "Covered Entity" and we are the "Business Associate"), send a copy to the State Privacy Officer for review.  If a BAA is signed, send a copy to the Division of Contracts in CO Admin for their files.

(Q)  What is the DMH “message” to legislators concerning the privacy of consumer healthcare info under HIPAA?

(A)  "There are new federal privacy regulations (HIPAA), effective April 14, 2003 which impose requirements on state agencies that either pay for or provide health care services, including DMH. The regulations dictate how state agency employees can legally communicate with Legislators and staff as well as employees of other agencies.

 While legislators and other officials may communicate with DMH staff about constituent service issues, DMH staff may not respond in any way that includes individually identifiable healthcare information, unless the constituent has signed an authorization to disclose the information and the authorization is first provided to DMH.  You should have your constituent complete an authorization form ('Authorization to Disclose SCDMH Protected Health Information' http://dmhhome/hipaa/authdisclose.pdf ). 

You may also download a copy of other covered State agencies' authorization forms at www.hipaa.state.sc.us/disclose.htm.

To facilitate service to your constituents:

Prior to requesting Protected Health Information from DMH:
1. Have your constituent complete the DMH authorization to disclose form.
2. Fax or send the authorization to disclose form along with the request for information to DMH.
3. You must provide the authorization before any specific information about the individual can be provided to you by DMH."

(Q)  Where can I get copies of other covered state agencies’ authorization forms?

(A)  You can find a copy of an agency's authorization form(s) at  www.hipaa.state.sc.us/disclose.htm.

On May 20, 2003, the following questions:

(Q)  Please look into what can be done to bring the regulation which requires state agencies to charge the fee outlined in our HIPAA directive in line with SC Law which states $15.00 for search and retrieval,  $.65  for pages 1-30 and $.50 for pages 31 +.  Sales tax and actual postage additional.  SC Law 44-115-80 and 44-7-325 -  Retrieval and Copy Fees.

(A)  The DMH regs need changing. However, regulatory change is a lengthy and tedious process and may require public hearing. There is still not a consensus among state agencies as to the public costs of copying such records.

 SECTION 44-115-80 states maximum fees that a physician may charge for search and duplication of records.

 SECTION 44-7-325 states maximum fees that a facility may charge for search and duplication of records: ". . . no fee may be charged for records copied at the request of a health care provider or for records sent to a health care provider at the request of the patient for the purpose of continuing medical care. . ."

On May 29, 2003, the following questions:

(Q)  What does "portability of insurance” mean?

(A)  "Portability" refers to the ability for an employee with a health care plan to be able to "carry" his/her insurance from one employer/job to another. See DMH intranet HIPAA site for more general info.  For DMH privacy purposes the "Accountability" (first "A" in HIPAA) is the most important.

On June 9, 2003, the following questions:

(Q)   We have had some difficulty getting PHI from another Center. Do we need authorization to get PHI from other DMH entities?

(A)  For HIPAA and most other purposes, DMH is one statewide entity/healthcare system and DMH records (inpatient, outpatient, hospital, center, clinic, etc.) are considered as one source/record for Protected Health Information.  In most instances, DMH employees may share PHI with other DMH employees, when that PHI is needed (at least the "minimum necessary") for the applicable DMH employee to do his/her DMH job (i.e., needed for DMH  "Operations", see Notice of Privacy Practices and Directive).  Further, in many instances, the PHI may also be disclosed because it is needed for "Treatment" and/or "Payment" purposes (see Notice and Directive).  Often when needed for treatment or care of a DMH consumer, within DMH statewide, both exceptions apply.   Review with applicable staff that DMH is one entity (at least for HIPAA Privacy, Federal A&D law, all entities are within DMH "administrative control"). State law pertains to DMH patient records and, as one entity, PHI may be shared among DMH entities (inpatient, outpatient, administrative) as needed for Treatment, Payment and/or Operation purposes.  In such instances, no written Authorization is required and therefore no copy to another DMH entity is needed.  While a specific DMH entity may want something to show intra DMH disclosures, HIPAA does not require such an accounting for disclosures for TPO purposes or by authorization.

(Q)  What is the DMH policy for charging for record copies under HIPAA?

(A)  Charges for Copying and Other Expenses Related to Copying and Access to PHI.

 As permitted by this Directive, PHI may be disclosed by photocopy or fax.  A fee to cover costs of reproducing may be charged and collected in advance of providing copies in accord with DMH Regulation 87-4(D): "The first fifteen copies will be provided at no charge; beginning with the sixteenth copy, there will be a fee of twenty cents per page. If a request is made for records which are not readily available, the Department may determine a reasonable hourly rate for the expense of searching for and securing such records. The Department may also require a reasonable deposit for such anticipated expense from the person making the request prior to searching for or making copies of the records."

The above reflects DMH regulations under S.C. law.  Although there might have been another rate in place, (e.g., .50 per page, etc.), the above applies.

On June 11, 2003, the following questions:

(Q)  We [Center] had a mother of two children who were seen here several years ago and she wanted copies of their records. Both children are now adults. In order for her to get those records she would need the signatures of both children on a release as well as complete the required form. Is that correct?

 The DDSN authorization form we received does not include all the basic elements needed for a valid Authorization under the HIPAA privacy regulations.  Specifically it does not include:  statement of right to revoke in writing, exceptions to right to revoke and how to notify all sources (not just DDSN) that may have disclosed info; statement that information may be redisclosed by recipient and no longer protected; section pertaining to statement of a personal representative's authority, if signed by a personal representative on behalf of subject of information.

(A)  Yes, assuming that mother is not guardian of the adult children or otherwise their caregiver, each adult child must sign our new M-450D Authorization to permit disclosure of the child's records to mom.  If mom asserts some other authority other than “momship,” then you need to contact the State Privacy Officer to discuss the specific circumstances.

 However, as permitted under HIPAA and by DMH Privacy Practices, DMH information may be disclosed without Authorization if the information is needed for treatment or care, including as needed for consultation, referral, etc. with an outside provider.  So, as long as the need is related to accessing treatment or care to/through DDSN, then disclosure of DMH information is permitted without Authorization.

On June 19, 2003, the following questions:

(Q)  Clinician receives a letter from local DSS...DSS has not been able to contact adult who is in protective custody of DSS and who is our consumer...they want, from clinician, client's diagnosis, plan of treatment, Center’s role in consumer's care. DSS attaches State Law re disclosure of info to DSS. Under HIPAA, do we routinely release this info; does HIPAA take precedence over the State law; if we release without consumer's authorization, is this something that we log?

(A)  Under these facts (DSS has custody of a vulnerable adult), DSS would be the "personal representative" (as defined in HIPAA Privacy Rules) of the consumer.  Therefore, DSS could have the same access to PHI as the consumer, and arguably, assert any other right under HIPAA Privacy Rule.  There is another exception with overlapping authority to disclose PHI: If DSS needs the info to provide/coordinate the consumer's treatment or care.  In addition, if state or federal law requires disclosure, HIPAA Privacy Rule permits disclosure.  For this last exception, you would need to log a disclosure "required by law."  However, in the first two instances, the disclosures do not have to be logged.

On June 24, 2003, the following questions:

(Q)  Some entities, in dealing with other covered entities, use a statement to describe their “Covered Entity” status under HIPAA. Can you provide a similar statement for DMH use?

(A)  "The South Carolina Department of Mental Health, through its statewide inpatient and outpatient facilities, including local community mental health centers, and central and local administrative offices, is a "covered entity" as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  SCDMH hereby certifies that it is in compliance with, and will comply with, all applicable HIPAA Privacy Rule requirements as well as other applicable federal and state laws protecting the privacy of SCDMH patient information.   A copy of the current SCDMH Privacy Practices may be found at:  http://www.state.sc.us/dmh/noticepp.htm.  For further information pertaining to SCDMH Privacy Practices, contact the local Privacy Officer, at the applicable SCDMH inpatient or outpatient facility."

The following affirmation/statement may be used (free standing, in MOAs, contracts, etc.,) in lieu of a Business Associate Agreement, when a BAA is not really applicable (e.g., share info needed for treatment of a person served by DMH and another provider), or otherwise when asked for written assurance that DMH will comply with applicable HIPAA Privacy Rule requirements. 

Note that this statement could be used in lieu of a BAA or when a BAA is not applicable or used in contracts, MOAs, etc. However, this statement is not meant to serve in the place of a BAA when such an agreement is necessary.

(Q)   When we refer a DMH patient to an outside provider, do we tell that outside provider to bill the patient and can we provide the patient's address to that outside provider?

(A)  It is recommended that DMH staff not make any recommendation to an outside provider about billing or not billing the patient, only that without a contract to pay for such services, DMH is not obligated to pay for the outside provider services.

 In a DMH treatment referral, our ability to share PHI, which includes a patient's address, under both state and federal law, absent signed authorization from the patient, is primarily based upon the need for treatment, including as needed for treatment referral, coordination, consultation with an outside provider.  While HIPAA permits sharing as needed for treatment and billing/payment/operational activities of the outside entity providing treatment, our state law would usually limit that disclosure to PHI:

1) Needed to carry out a DMH function (which includes PHI needed for access to outside treatment/care); and/or
2) Needed to cooperate with another agency, including county entity, such as a local hospital or clinic; and/or
3) Disclosure "furthering the welfare" of the patient/patient's family

One or more of the above exceptions permitting disclosure would permit disclosing the patient's address, as long as the address and other PHI is needed to fulfill the purpose of the disclosure (e.g., for treatment). It is assumed that a provider that we refer a DMH patient to would need the patient's address for a number of treatment related purposes (e.g., medical/medication/equipment alerts, errors, notices, aftercare, etc.).  However, the exceptions would normally not permit DMH directly disclosing PHI to an entity that we did not refer the patient to for treatment, although DMH may have properly disclosed PHI for the initial referral to Provider #1, who in turn needed to refer, and properly provide the same PHI, to Provider #2 (e.g., a lab).

When we decide about the scope of info shared (including patient address), it is recommended that you review the method by which the PHI is shared, including the "PATIENT REFERRAL INFORMATION" form.

On July 7, 2003, the following questions:

(Q)   Is there a problem with other state agencies sharing information intended to assist in qualifying our consumers for Medicaid eligibility? In particular, our entitlement specialist is having problems with county DSS who appears reluctant to share information formerly exchanged openly. Does this fall under ability to exchange information for payment purposes?

(A)  Disclosures about Medicaid eligibility determination or Medicaid coverage fall under the payment exception.  The HIPAA Privacy Rule permits state Medicaid agencies to disclose protected health information for payment purposes. To the extent that protected health information is disclosed for payment purposes, reasonable efforts should be made to limit that information to that which is the minimum necessary for the payment purpose/activity.

 Under HIPAA Privacy Rule, 45 CFR 164.501, [emphasis added]   "payment" is defined as:

 "(1) The activities undertaken by: . . . (ii) A covered health care provider or health plan to obtain or provide reimbursement for the provision of health care; and (2) The activities in paragraph (1) of this definition relate to the individual to whom health care is provided and include, but are not limited to: (i) Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims; . . ."

 And under 45 CFR 164.502 (a) (1) (iii) PHI may be disclosed  ". . . to carry out treatment, payment, or health care operations, except with respect to psychotherapy notes;"

(Q)  Need assistance obtaining information from a DSS/DHHS office concerning the status of Medicaid eligibility on our clients.  Since the HIPAA laws have started, I have tried to either find out why a client’s Medicaid has stopped or to find out the status of an application and I was told that I wouldn't be able to get this information without a written consent form.  Sometimes it is difficult to get a signed consent form because the parents may not be involved with the treatment or the parents may not be aware (so they claim) that the Medicaid has terminated. In the past, I was able to contact DSS/DHHS and was told why the Medicaid was terminated and then I would do the paperwork to get benefits reinstated.  However, recently, I am told that no info would be given out.

(A)  See previous answer.

(Q)  Before HIPAA, I was able to sign the Partner for Healthy Children's application when a child was out of the home for over 30 days.  Since HIPAA privacy, I’ve been told that I could no longer do this.

(A)  See previous answer.

On July 17, 2003, the following questions:

(Q)   Staff hired before 4/14 signed the SCDMH Privacy Practices acknowledgment form as a "separate" document.  Staff hired after 4/14 have signed an acknowledgment form provided by our personnel officer which acknowledges receipt of the SCDMH directives:  privacy, contraband, and abuse.  Is this acknowledgment form sufficient or should new staff sign the same (more detailed) acknowledgment form that other staff signed before 4/14?
AND
(2)  The SCDMH Privacy Practices Acknowledgment forms signed by staff employed on before 4/14 were sent to Columbia to be filed in our "SCDMH" personnel files.

 For employees that are hired after 4/14, is their acknowledgment form filed in their local employee file or should they also be sent to Cola to be filed in their SCDMH employee files?

(A)  Per DIRECTIVE NO. 837-03: "Each DMH employee, volunteer or other person (e.g., contract physician) incorporated in the DMH workforce ("workforce member" or "staff") and officials, must sign acknowledgement of receipt of, and agreement to comply with this Directive.  The signed statement must be kept in the applicable personnel or other official folder. . ."  

Do both acknowledgements address the above (receipt of Privacy Practices Directive 837-03 and agreement to comply)?  If they both include the core elements of receipt and agreement to comply, then also check with HRM as to what they are accepting to put in the employee's file.

On July 21, 2003, the following questions:

(Q)   We received a Records Custodian Affidavit with a release of information request today. Is it OK to complete this under HIPAA?

 

(A)  It is OK to sign the notarized affidavit as to the records disclosed, assuming that you have received a valid authorization for the disclosure of the noted PHI.  This type of affidavit often permits, absent objection from opposing counsel, the admission of the records as evidence, without your staff having to go to a hearing and be sworn in to make the statements contained in the affidavit (e.g., "I am responsible for the MHC/facility medical records, these are records kept by the MHC/facility in the normal course of business, these are true and accurate copies of those records, made at or near the time of the treatment, service or event noted in the record.")

(Q)  Are we required to sign a BAA with an A & D Program?

(A)  A Business Associate Agreement is not required when the relationship between the DMH component and the other entity is one of treatment, including treatment referral, consultation, and coordination between the DMH component and the other entity.   It is important to note that the covered entity named in the BAA (the other entity asking us to sign a BAA) must monitor the BAA and maintain an accounting log of all disclosures to the business associate (the DMH component); the named covered entity must secure access, amendments and logs requested by individuals pertaining to their own PHI, not only from its own records, but also through its business associates; and under certain conditions named in the BAA, may be required to terminate the BAA, but as a practical matter be unable to end the foundation treatment referral, consultation and coordination relationship with the business associate.  Lastly, a federally supported A&D program may also be required to maintain a Qualified Service Organization Agreement (which has similar, but different requirements than a BAA).

 In providing assurances as to HIPAA compliance (since both entities are HIPAA covered entities, and a BAA is likely not required), you might consider, instead of a BAA, offering to sign a statement similar to the following to show our compliance with the HIPAA Privacy Rule as a covered entity:

 "The South Carolina Department of Mental Health, through its statewide inpatient and outpatient facilities, including local community mental health centers, and central and local administrative offices, is a "covered entity" as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  SCDMH hereby certifies that it is in compliance with, and will comply with, all applicable HIPAA Privacy Rule requirements as well as other applicable federal and state laws protecting the privacy of SCDMH patient information.   A copy of the current SCDMH Privacy Practices may be found at:  www.state.sc.us/dmh/noticepp.htm.  For further information pertaining to SCDMH Privacy Practices, contact the local Privacy Officer, at the applicable SCDMH inpatient or outpatient facility."

On July 23, 2003, the following questions:

(Q)  May we disclose PHI to the S. C. Medical Board?

(A)  We may disclose PHI to S.C. health care licensing boards (e.g., Board of Medical Examiners, Social Worker Board, Nursing Board, etc.) under the "Health Oversight" exception to the HIPAA Privacy Rule.  This disclosure is also permitted by state law in "cooperating with another agency" (such boards are under the SC Dept. of Labor, Licensing and Regulation, "LLR").  Often the applicable board will issue a subpoena for the information to be provided to the Board and/or to an investigator for the Board, describing what type of information is needed and for what purpose.  Otherwise, the Board/investigator should provide a formal written request for the information describing the information type and purpose for the disclosure (e.g., investigate a complaint made against a DMH employee as a health care professional licensed by the Board).  While "minimum necessary" limitations apply to such disclosures, we may rely upon the public agency to let us know what information is necessary for it to perform its health oversight function.  When copies of PHI are given to the Board/investigator, attach your notice prohibiting redisclosure. See the Privacy Practices Directive Appendix for a model: http://dmhhome/hipaa/appendixc.doc.

For future reference, the "health oversight" exception includes activities of a state or federal agency authorized to oversee: health plans; health care providers; health care and health care delivery; resolution of health care consumer complaints; pharmaceuticals, medical products, medical devices and dietary supplements; analysis of health care costs, quality, delivery, access and insurance coverage for health oversight purposes.  This exception would apply to many public agencies when they are involved in the above activities including DHEC, HHS, Labor, CDC, NIH, FDA, SAMHSA, OSHA, etc.  As noted above, state law also permits this type of disclosure as necessary to cooperate with a public agency.  However, this exception does not include private accrediting groups such as CARF and JCAHO.  For disclosures to those entities, absent written authorization from each applicable consumer, we must enter into a Business Associate Agreement with the accrediting group.

Note that unless you have also secured written authorization (not required for a health oversight disclosure), you must log the disclosure (i.e., disclosures made by written authorization do not have to be logged). 

On August 7, 2003, the following questions:

(Q)  Is there a state definition for mental health records and/or psychotherapy notes?

(A)  There is no SC Law definition of psychotherapy notes, and the HIPAA definition would normally be applied to a narrow type of record.  There is no single state law definition of "mental health records."  However, specific records are protected by different statutes, due to: type of record, type of provider holding the record or license of the person holding the record.  These would include the following types of records: identifying a patient or former patient of DMH; identifying a person for whom commitment has been sought; identifying a person committed under probate court; confidences of a communication between a patient and counselor pertaining to mental illness or an emotional condition; psychological testing, etc.

(Q)  Are we able to disclose to Probation and Parole that a client is still in one of our facilities?

(A)  It depends. There would have to be a law enforcement exception such as locating a fugitive (e.g., broke conditions of Probation).  However, also note that a condition of Probation often is that the person consent to disclose info (from provider) to Probation and/or the general sessions order may include an order for disclosure of info to Probation Officer.  This information could also be disclosed by law enforcement by warrant/subpoena, etc.

Based on the circumstances, if we had been notified by PPP that a person is thought to be in our facility and is subject to arrest or other law enforcement detainer, we may notify law enforcement/Probation that the person is about to be released from our custody without an authorization. For example, if the person has violated conditions of probation, then there may be a warrant out for their arrest, or otherwise law enforcement is trying to locate a fugitive, etc. and calls us to put the named person on a "detainer" list to notify local law enforcement before the person is discharged, so law enforcement can arrest/take custody at time of discharge.

On Sept. 9, 2003, the following questions:

(Q) On September 9, 2003: There is no requirement for an annual update of the on-line HIPAA modules, correct?

(A)  Correct.

 


To print a copy of the Health and Human Services Office for Civil Rights "FAQs, Standards for Privacy of Individually Identifiable Health Information," go to http://www.hhs.gov/ocr/hipaa/finalmaster.html.

Identifiers (FAQs)

(Q) On December 15, 2003: Do we [Centers] need to do anything to comply with the HIPAA Employer Identifier?

(A)  No, claims processed through Central Office Administration will meet HIPAA requirements, including the Employer Identifier requirement.


Miscellaneous Questions (FAQs)

(Q)  On January 22, 2003: How often does HIPAA require us to renew a Business Associate agreement?

(A)  HIPAA has no expressed requirements governing the timeframes for renewal of Business Associate agreements.

(Q)  On January 22, 2003: I’ve heard about “Business Associate” and “Trading Partner” agreements and what is the difference between them?

(A) Each is related to a different HIPAA component, with the Trading Partner agreement being related to the Transactions and Code Sets and the Business Associate agreement related to Privacy (there is yet another kind of agreement HIPAA includes, the Chain of Trust agreement, which is related to Security). The Trading Partner agreement defines how you intend to conduct electronic transactions. HIPAA doesn’t actually, through the regulations, define this as a contract or mandate the use of such an agreement. However, the Business Associate agreement is defined in HIPAA and it, in essence, mandates that you contract with your business associates to ensure that they adhere to much of what is required in the Privacy Rule. Therefore, not only are the two kinds of agreements very different in terms of the HIPAA requirements, but they are also conceptually different.

(Q) On December 3, 2002: If SCDMH covers employees under the State Health Plan, are we a covered entity?

(A) Employee welfare benefit plans are a separate entity and so SCDMH is not a covered entity by virtue of “offering” insurance coverage to employees; however, the State Insurance Department would be because it is the agency responsible for coverage, although that coverage is sponsored by the Department.

(Q) On February 10, 2003, what brought about the HIPAA Act of 1996?

(A)  The need to protect and make secure individual health information and streamline and make more administratively cost effective the health care system in the U.S.