PROTECTING CLIENT DATA HIPAA, HITECH AND PIPA PART 1B


Module 13 - DHS Privacy Training - Part 1B

Protecting Client Data
HIPAA, HITECH and PIPA
Part 1B

When You Can Use or Disclose Information

Release of Information (ROI). This term is used to explain when DHS can disclose PHI. For example, you can always disclose when PHI will be used for the following purposes:

Treatment - The provision, coordination, or management of health care and related services.
Payment - Activities undertaken to reimburse for health care.
Operations - Functions such as quality assessment and improvement activities.

2014 DHS IT Security & Privacy Training2

TPO Disclosures

Do not require any documentation
May be made without accounting for the disclosure

Permissible Disclosures

If disclosure is not TPO, you may not need an Authorization to Disclose if the disclosure is a permissible disclosure found at Section 164.512 of the Privacy Standards.

Examples include: mandatory state laws, information required to be reported for public health purposes, child abuse reporting.

If you are not sure, then obtain a signed Authorization to Disclose using DHS form 4000. The Authorization to Disclose can be found on DHS Share under Forms.


ROI: DHS Form 4000 Is A Valid Authorization

If you cannot use the Form 4000 for some reason, be certain the authorization is HIPAA compliant by ensuring it contains:

Client/Patient name and date of birth.
Name of the individual or agency authorized to make the requested disclosure.
Name of the person or organization to whom the disclosure is to be made.
Purpose of the disclosure.
Specific description of the type and amount of information to be released.

Valid Authorization Continued

To obtain a valid authorization, use the Authorization to Disclose, DHS form 4000, which can be found on DHS Share here: http://dhsshare/DHS%20Forms/Forms/AllItems.aspx


ROI: Identity Verification

Prior to releasing PHI for a permissible purpose, you must determine if the requester is a valid recipient of the PHI. Ask the requester to provide you with enough information to identify the client, including the name, DOB, address, and SSN.

Provide only the minimum necessary information in order to safeguard the PHI.

ROI: You May Disclose to Personal Representatives or Guardians if

The client is an incapacitated adult who is 18 years of age or older;

The client is a minor and you have a Letter of Guardianship from the court naming the requester as Guardian; or

You have a reasonable basis to believe the person is the parent of a minor child after verifying this by obtaining sufficient information, i.e. the child's SSN.

Example Scenario

You receive a call at work from an individual who wants to discuss the medical information of a client and states that he/she is the Legal Guardian of the client. May you discuss the PHI of the client with this individual?


Yes!!

But, before you disclose the information, you need to obtain a copy of the Letters of Guardianship authorizing the individual to access the medical information and records being requested.


ROI: Disclosures to Family Members

You may disclose to family members:

If the client is present and alert and the client decides. That is, if the client does not object or you can reasonably infer that the client would not object.

If the client is incapable of making his/her wishes known. For example, in an emergency circumstance, using your professional judgment, you can determine it would be in the client's best interest. For example, you may discuss an incapacitated client's condition with family members over the phone.


ROI: Divorced Parents & Step-Parents

Unless the parental rights of the client have been terminated, either parent may have access to the records.

When in doubt, consult the divorce decree or contact the physical custodian and ask if the other parent is allowed to see the records. If he/she declines, ask to see the supporting documents.

Unless the step-parent is a legal guardian and has the guardianship papers to verify it, no access to the health records may be permitted.


ROI: Foster Parents

Foster parents of a client contact DHS and want to know if they can obtain information on the child they have in their care.

Can DHS disclose the information?


Yes!

Yes, the foster parents can obtain information on the child or children in their care, but the foster parents cannot receive information on the parents, guardians or any siblings not in their custody.


ROI: Deceased Clients

DHS can disclose information about a deceased client to the executor of the estate or someone who is legally authorized to act on behalf of the deceased individual or his/her estate.

DHS may disclose information about a deceased client to a health care provider who is treating a surviving relative for treatment purposes.

DHS may disclose information about a deceased individual to the coroner as required by Arkansas law.

ROI: Requester Seeks Client Presence at Facility

Clients have a right to opt in or out of a facility directory. Therefore, if a request is made to determine if someone is present at your facility or health care setting, and the client is not listed in the Facility Directory, you may not confirm or deny the client's presence until you obtain the client's authorization to do so.
