Ala. Admin. Code r. 660-1-6-.14

Current through Register Vol. 43, No. 1, October 31, 2024
Section 660-1-6-.14 - HIPAA Privacy Policy
(1) General: "HIPAA" stands for the Health Insurance Portability and Accountability Act (Public Law 104-191), a federal law passed in 1996 to reform health insurance in the United States. The HIPAA Privacy Rule-finalized as federal regulations ( 45 C.F.R. Parts 160 and 164) on August 14, 2002 - ensures that personal medical information shared with doctors, hospitals, and others who provide and pay for healthcare is protected. It is the first ever comprehensive federal protection guideline for the privacy of health information. Basically, the HIPAA Privacy Rule does the following:
(a) Imposes new restrictions on the use and disclosure of personal health information,
(b) Gives clients greater access to their medical records, and
(c) Gives clients greater protection of the medical records. This Notice of Privacy Practices describes how the Department of Human Resources uses and discloses an individual's "protected health information" (PHI) to arrange treatment, payment, or health care operations; for other purposes that are permitted or required by law; and the individual's rights to access and control his or her "protected health information".
(2) Business Associate Agreements:
(a) The HIPAA Privacy Rule requires the Department to enter into business associate agreements governing the use and disclosure of PHI in situations where the Department shares PHI with the business associate. A "business associate" is one who:
(i) Works on behalf of the department to perform or assist in performing or participates in performing a function or activity that involves the use or disclosure of individually identifiable PHI, including:
(a) Claims processing or administration;
(b) Data analysis, processing, or administration;
(c) Utilization review;
(d) Quality assurance;
(e) Billing;
(f) Benefit management;
(h) Practice management;
(i) Re-pricing; or
(j) Any other function or activity regulated by the HIPAA Privacy Rule; or
(ii) Performs a service, such as legal, accounting, or financial services, for a covered entity "where the provision of the service involves the disclosure of individually identifiable health information," including:
(a) Legal services;
(b) Actuarial services;
(c) Accounting services;
(d) Consulting services;
(e) Data aggregation services;
(f) Administrative services;
(g) Accreditation services; or
(h) Financial services.
(3) How the agency may use and disclose health information about individuals:
(a) The Department of Human Resources may use and disclose health information about an individual to arrange treatment (such as sending health information about the individual to home health agencies, physicians, or other specialists as part of a referral); to obtain payment for treatment (such as sending billing information to Medicaid). The agency may also use or disclose, as needed, an individual's protected health information in order to support the business activities of the agency. These activities include, but are not limited to, quality assessment activities, training of agency staff, licensing, and conducting or arranging for other business activities.
(b) Subject to certain requirements and as required by law, the agency may use and disclose health information about an individual without prior authorization for any of the following purposes: public health; law enforcement; legal proceedings; abuse, neglect, exploitation reporting; health oversight audits or inspections; research studies; coroner or medical examiner; funeral arrangements and organ donation; criminal; emergencies; in response to valid judicial or administrative orders or subpoenas; and where necessary to prevent or lessen criminal activity which poses a risk or imminent threat to the health or safety of a person or the public.
(c) The agency may use and disclose health information to government agencies, such as the Social Security Administration and the Veterans Administration, for government benefit eligibility purposes.
(d) The agency may also contact an individual for an appointment reminder by phone or mail. The agency may also tell the individual about or recommend possible treatment alternatives, health-related benefits, or services that might be of interest to that individual.
(e) The agency may also use or disclose health information if an individual is an inmate of a youth services, detention, or correctional facility and that individual's "protected health information" is needed in the course of providing care to the individual.
(f) The agency may use or disclose health information about an individual to a parent, other family member, friend, caregiver, or other individuals who are involved in that individual's health care. If the individual is unable to agree or object to such disclosure, the agency may use or disclose such information as necessary if it determines that it will protect the individual's interest based on the professional judgment of agency staff.
(g) The agency may use or disclose an individual's "protected health information" in an emergency treatment situation if, in the professional judgment of agency staff, the use or disclosure is in the individual's best interest. If so, the agency will disclose only the "protected health information" that is directly relevant to the person's involvement with the individual's health care.
(h) In any other situation not covered by the above, the agency will ask for an individual's written authorization before using or disclosing health information about that individual. If the individual chooses to authorize the use or disclosure, he or she can later revoke that authorization by notifying the agency in writing of his or her decision.
(4) Individuals' rights regarding their health information:
(a) Right to inspect and copy health information: The client has the right to inspect and copy his/her PHI. This means the client may inspect and obtain a copy of PHI contained in the record, including medical and billing records. Under federal law, however, the client may not inspect or copy the following records: psychotherapy notes; information compiled in reasonable anticipation of, or use in, a civil, criminal, or administrative action or proceeding; such as a child or adult abuse investigation, and PHI subject to law that prohibits access to PHI. DHR may deny a client access to PHI without providing an opportunity for review if the PHI relates to any of the above or if the PHI was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably expected to reveal the source of the information. Depending on the circumstances, a decision to deny access may be reviewable on the request of the client. There are state laws that make DHR records confidential and not subject to public disclosure. Code of Ala. 1975, §§28-2-6(8) (all benefit and service records), 26-14-8(c) (child abuse/neglect records) 38-9-6(e) (adult protective service records), and 38-7-13 (child care licensing/approval records). In most cases, therefore, PHI in DHR records is not available for inspection. Food Stamp client records which contain PHI are open to inspection by the client.
(b) Right to request restrictions: Clients have the right to request a restriction of their PHI. This means the client may ask DHR staff not to use or disclose any PHI for the purposes of treatment, payment, or healthcare operations. The client may also request that any part of his/her PHI not be disclosed to family members or friends who may be involved in his/her care or for notification purposes as described in the Notice of Privacy Practices. DHR staff are not required to agree to a restriction that the client may request. If DHR staff believe it is in the client's best interest to permit use and disclosure of the client's PHI, the PHI shall not be restricted. If DHR staff do agree to the requested restriction, PHI may not be used or disclosed in violation of that restriction unless it is needed to provide emergency treatment.
(c) Right to receive confidential communications: The client has the right to request that confidential communications from the agency be sent by alternative means or to an alternative location. DHR staff shall accommodate reasonable requests. DHR staff may also condition this accommodation by asking the client for information as to how payment will be handled or specification of an alternative address or other method of contact. DHR staff will not request an explanation from the client as to the basis for the request. Such requests must be made in writing to the Civil Rights and Equal Employment Partnership.
(d) Right to amend health care information: The client has the right to request that DHR amend PHI. The client may request an amendment of PHI in the DHR case record. In certain cases, DHR staff may deny a client's request for an amendment. If DHR staff deny the request for amendment, the client has the right to file a statement of disagreement with the agency. The agency may then prepare a rebuttal to the client's statement and provide the client with a copy of any such rebuttal.
(e) Right to an accounting: The client has the right to receive an accounting of certain disclosures, if any, DHR staff has made of the client's PHI. This right applies to disclosures for purposes other than treatment, payment, or healthcare operations as described in DHR's Notice of Privacy Practices. The right to receive an accounting excludes disclosures DHR staff may have made to the client, for a client directory or list, to family members or friends involved in the client's care, or for notification purposes. The client has the right to receive specific information regarding any such disclosures that occur after April 14, 2003. The client may request a shorter timeframe. The right to receive this information is subject to the exceptions, restrictions, and limitations allowed by law. DHR staff may not release such information if it would violate the law, interfere with an agency investigation, or be detrimental to case planning or program objectives.
(f) Right to a copy of privacy policy. The client has the right to obtain paper copies of the DHR Privacy Notice, privacy policy, and Administrative Letter No. 7020 upon request. The Privacy Notice, privacy policy, and Administrative Letter No. 7020 will be available on DHR's web site, www.dhr.state.al.us.
(g) The agency must act on a request to inspect and copy PHI within thirty (30) days after receipt of a request (60 days if not on site, 90 days if written reasons for delay are given). The agency must act upon a request for restriction, to receive confidential communications, to amend health information or for an accounting of disclosures within sixty (60) days after receipt of the request (90 days if written reasons for delay are given) by granting or denying the request, in whole or in part, in writing. DHR may charge the client for the cost of copying, postage, and preparation of any explanation or summary of PHI released at the rate of 25 cents per page plus the salary rate of the staff labor spent on the production. A denial shall contain (1) the basis for the denial; (2) statements that the person mayrequest a review and may file a complaint with DHR's Civil Rights and Equal Employment Partnership or the federal DHHS/OCR.
(h) In any other situation not covered by this notice, the agency will ask for an individual's written authorization before using or disclosing health information about that individual. If the individual chooses to authorize the use or disclosure, he or she can later revoke that authorization by notifying the agency in writing of his or her decision.
(5) Complaints:
(a) If an individual is concerned that his or her privacy rights may have been violated or disagrees with a decision the agency has made about access to that individual's information, the individual may contact the agency at this address: Civil Rights and Equal Employment Partnership, State of Alabama Department of Human Resources, P.O. Box 304000, Montgomery, Alabama 36130-4000, or telephone at (334) 242-1550.
(b) Finally, an individual may send a written complaint to the U.S. Department of Health & Human Services, Office of Civil Rights, 61 Forsyth Street, Suite 31370, Atlanta, GA 30301.
(c) Under no circumstances will an individual be penalized or retaliated against for filing a complaint.

Author: James E. Long

Ala. Admin. Code r. 660-1-6-.14

Emergency rule effective April 11, 2003. New Rule: Filed July 7, 2003; effective August 11, 2003.

Statutory Authority: Public Law 104-191; 45 C.F.R. Parts 160 and 164.