Docstoc

AUTHORIZATIONS

Document Sample
AUTHORIZATIONS Powered By Docstoc
					                          Policy Memorandum 2003-34
                                           Exhibit 1


   Health Insurance Portability
     and Accountability Act
             (HIPAA)
           PRIVACY

   Use and Disclosure of
Protected Health Information
    Use And Disclosure Of
 Protected Health Information


    CHAPTER 19


 Specialized
 Government
  Functions
The tools and templates provided in CalOHI Policy and Information Memoranda have generally been authored
by HIPAA workgroups. Users should view the information presented in the context of their own organizations
and environments. Legal opinions and/or decision documentation may be needed when interpreting and/or
applying this information.




                                                                                                       2
                                                                                    Policy Memorandum 2003-34
                                                                                                     Exhibit 1

                                              TABLE OF CONTENTS


SPECIALIZED GOVERNMENT FUNCTIONS ................................................................ 7
  Permitted Uses and Disclosures .................................................................................. 7
1. MILITARY AND VETERANS ..................................................................................... 8
    Military and Veterans Activities ................................................................................ 8
  1. Armed Forces Personnel ........................................................................................ 9
    Appropriate Authorities and Purposes .................................................................... 11
    Authorized Entities ................................................................................................. 12
  2. Separation or Discharge from Military Service ...................................................... 13
  3. Benefits for Veterans ............................................................................................ 13
  4. Foreign Military Personnel .................................................................................... 14
         Foreign Nationals ............................................................................................. 15
         Foreign Nationals Overseas ............................................................................. 16
  Verification ................................................................................................................. 17
    Information Practices Act (IPA) – Military and Veterans ......................................... 18
        MAJOR CONSIDERATION: Military and Veterans Activities and the IPA. ...... 18
    Confidentiality of Medical Information Act (CMIA) – Military and Veterans ............ 18
        MAJOR CONSIDERATION: Military and Veterans’ Activities and the CMIA. .. 20
        MAJOR CONSIDERATION: Other State Laws ................................................ 20
2. NATIONAL SECURITY ............................................................................................ 21
    Permitted Disclosures ............................................................................................ 21
  Verification ................................................................................................................. 22
    IPA – National Security and Intelligence ................................................................ 22
        MAJOR CONSIDERATION: National Security and Intelligence Activities and
        the IPA .............................................................................................................. 22
    CMIA – National Security and Intelligence ............................................................. 23
        MAJOR CONSIDERATION: National Security and Intelligence Activities and
        the CMIA ........................................................................................................... 23
        DECISION POINT: National Security and Intelligence Activities ...................... 24
3. PROTECTIVE SERVICES FOR THE PRESIDENT ................................................. 25
    Protective Services for the President ..................................................................... 26
  Verification ................................................................................................................. 26
    IPA – Protective Services for the President............................................................ 27
        MAJOR CONSIDERATION: Protective Services for the President and the IPA27
    CMIA – Protective Services for the President ........................................................ 27
        MAJOR CONSIDERATION: Protective Services for the President and the CMIA28
        DECISION POINT: Protective Services for the President ................................ 28
4. MEDICAL SUITABILITY .......................................................................................... 29
    Medical Suitability Decisions .................................................................................. 29
  Verification ................................................................................................................. 32
    Information Practices Act – Medical Suitability ....................................................... 32
        MAJOR CONSIDERATION: Medical Suitability and the IPA ........................... 33
    CMIA – Medical Suitability...................................................................................... 33
        MAJOR CONSIDERATION: Medical Suitability and the CMIA ........................ 33


2
                                                                                       Policy Memorandum 2003-34
                                                                                                        Exhibit 1


        DECISION POINT: Medical Suitability ............................................................. 34
5. CORRECTIONAL INSTITUTIONS........................................................................... 35
  Permitted Uses and Disclosures ................................................................................ 35
    Disclosures............................................................................................................. 35
    Uses ....................................................................................................................... 37
  Correctional Institutions ............................................................................................. 37
  Inmates ...................................................................................................................... 38
  Notices of Privacy Practices ...................................................................................... 38
  Verification of Identity ................................................................................................ 39
  Access to PHI ............................................................................................................ 39
  Amendments to PHI .................................................................................................. 40
  Accounting of Disclosures ......................................................................................... 40
  Law Enforcement ....................................................................................................... 40
    IPA – Correctional Institutions ................................................................................ 41
        MAJOR CONSIDERATION: Correctional Institutions and the IPA ................... 41
    CMIA – Correctional Institutions ............................................................................. 41
        MAJOR CONSIDERATION: Correctional Institutions and the CMIA ............... 42
6. GOVERNMENT PROGRAMS.................................................................................. 43
  Permitted Disclosures ................................................................................................ 43
  1. Health Plans .......................................................................................................... 43
  Where two agencies administer a program jointly, they are both health plans. ......... 43
    Government Health Plans ...................................................................................... 45
  Exceptions to Government Health Care Programs .................................................... 45
  2. Covered Entities ................................................................................................... 47
  Eligibility, Enrollment and Collection of IIHI ............................................................... 47
  Verification ................................................................................................................. 48
    IPA – Government Programs ................................................................................. 49
        MAJOR CONSIDERATION: Government Programs and the IPA .................... 49
    CMIA – Government Programs .............................................................................. 49
        MAJOR CONSIDERATION: Government Programs and the CMIA ................. 50
        DECISION POINT: Government Programs...................................................... 50
        Business Associate Contracts ........................................................................... 51
OTHER REQUIREMENTS ............................................................................................ 55
  Restricted Disclosures ............................................................................................... 55
  Verification Requirements.......................................................................................... 55
  Health Oversight Activities ......................................................................................... 55
  Privacy Policies and Procedures ............................................................................... 56
DECISION POINTS....................................................................................................... 57
        National Security and Intelligence Activities ...................................................... 57
MAJOR CONSIDERATIONS ........................................................................................ 58




                                                              4
                                                                                   Policy Memorandum 2003-34
                                                                                                    Exhibit 1



SPECIALIZED GOVERNMENT FUNCTIONS ................................................................ 4
  The HIPAA Government functions Rule ...................................................................... 4
1. MILITARY AND VETERANS ..................................................................................... 5
    Military and Veterans Activities Summary ................................................................ 5
        Armed Forces Personnel .................................................................................... 6
    Appropriate Authorities and Purposes ...................................................................... 7
    Authorized Entities ................................................................................................... 8
        Separation or Discharge from Military Service .................................................... 8
        Benefits for Veterans........................................................................................... 9
        Foreign Military Personnel .................................................................................. 9
        Foreign Nationals .............................................................................................. 10
    Information Practices Act – Military and Veterans .................................................. 11
        MAJOR CONSIDERATION: Military and Veterans Activities and the IPA. ...... 11
    Confidentiality of Medical Information Act – Military and Veterans ......................... 12
        MAJOR CONSIDERATION: Military and Veterans’ Activities and the CMIA. .. 12
2. NATIONAL SECURITY AND INTELLIGENCE ACTIVITIES ................................... 13
    Permitted Disclosures ............................................................................................ 13
3. PROTECTIVE SERVICES FOR THE PRESIDENT ................................................. 14
    Permitted Disclosures ............................................................................................ 14
    Information Practices Act – National Security ........................................................ 14
        MAJOR CONSIDERATION: National Security and the IPA. ............................ 14
    Confidentiality of Medical Information Act – National Security ............................... 15
        MAJOR CONSIDERATION: National Security and the CMIA. ......................... 15
4. MEDICAL SUITABILITY .......................................................................................... 16
    Medical Suitability Decisions .................................................................................. 16
    Information Practices Act – Medical Suitability ....................................................... 18
        MAJOR CONSIDERATION: Medical Suitability and the IPA. .......................... 18
    Confidentiality of Medical Information Act – Medical Suitability .............................. 18
        MAJOR CONSIDERATION: Medical Suitability and the CMIA. ....................... 18
5. CORRECTIONAL INSTITUTIONS........................................................................... 20
    Correctional Institutions and Custodial Situations .................................................. 20
    Information Practices Act – National Security ........................................................ 21
        MAJOR CONSIDERATION: Correctional Institutions and the IPA. .................. 21
    Confidentiality of Medical Information Act – Correctional Institutions ..................... 21
        MAJOR CONSIDERATION: Correctional Institutions and the CMIA. .............. 21
6. GOVERNMENT PROGRAMS.................................................................................. 23
  Permitted Disclosures ................................................................................................ 23
  1. Health Plans ......................................................................................................... 23
    Government Programs ........................................................................................... 23
    Government Health Plans ...................................................................................... 24
    Government Programs - Not Health Plans ............................................................. 24
  2. Covered Entities ................................................................................................... 25
    Eligibility, Enrollment, and Collection of IIHI ........................................................... 25
    Information Practices Act – Government Programs ............................................... 26


                                                           5
                                                                                Policy Memorandum 2003-34
                                                                                                 Exhibit 1


      MAJOR CONSIDERATION: Government Programs and the IPA. ................... 26
   Confidentiality of Medical Information Act – Government Programs ...................... 26
      MAJOR CONSIDERATION: Government Programs and the CMIA. ................ 26
   Business Associate Contracts ................................................................................ 27
OTHER REQUIREMENTS ............................................................................................ 29
DECISION POINTS....................................................................................................... 30




                                                         6
                                                          Policy Memorandum 2003-34
                                                                           Exhibit 1




                 SPECIALIZED GOVERNMENT FUNCTIONS


Permitted Uses The Rule allows covered entities to use or disclose protected health
and Disclosures information (PHI) without the written authorization of the individual or
                without the opportunity for the individual to agree or object when the
                use or disclosure is for one of the following six specialized
                government functions:

                   1. Military and veterans activities,
                   2. National security and intelligence activities,
                   3. Protective services for the President and others,
                   4. Medical suitability determinations,
                   5. Correctional institutions and other law enforcement custodial
                      situations, or
                   6. Government programs providing public benefits. [45 C.F.R. §
                      164.512(k)(1) – (6)]


                   In its role, government undertakes functions in the broader public
                   interest, such as public health activities, law enforcement,
                   identification of deceased individuals through coroners’ offices, and
                   military activities. These public purposes sometimes outweigh an
                   individual’s privacy interest. U.S. Department of Health and Human
                   Services (DHHS) specifies the circumstances in which the balance is
                   tipped toward the public interest with respect to PHI. This Rule
                   balances privacy and other social values in permitting the use or
                   disclosure of health information without individual authorization for
                   national priority activities and activities that allow the health care
                   system to operate smoothly.




                                         7
                                                         Policy Memorandum 2003-34
                                                                          Exhibit 1


                       1. MILITARY AND VETERANS
Military and   The Rule allowscovers the use and disclose following types of
Veterans       disclosures of PHI related to military functions and personnel as
Activities     follows::
Summary         PHI of Armed Forces personnel for activities deemed necessary by
                   the appropriate military command authorities to assure proper
                   execution of thepurpose of executing military mission,
                  PHI of a member of the Armed Forcespersonnel leaving military
                   service for purposes of benefits determination,
                  PHI of veterans for purposes of providing benefits, and
                  PHI of foreign military personnel may be disclosed to their military
                   command. [45 C.F.R. 164.512(k)(1)]

               The military health care system differs from that of the health care
               system of society in general. The special nature of military service is
               reflected in the separate body of law and regulations governing all
               aspects of military life, including a separate uniform code of military
               justice. This is one of the enumerated powers of Congress; make laws
               for military. [U.S. Constitution, Article 1, Section 8, Clause 14]

               The military health care system, like other federal and civilian health
               care systems, provides medical care and treatment to its beneficiary
               population. However, it also serves the critical national defense
               purpose of ensuring that the Armed Forces are in a state of medical
               readiness to permit the discharge of those responsibilities as directed
               by the National Command Authority. The health and well being of
               military members is key and essential to this purpose. This is true
               whether such personnel are serving in the continental United States or
               overseas, or whether such service is combat-related or not.

               In all environments, the Armed Forces must be assured that its
               personnel are medically qualified to perform their responsibilities. This
               is critical as each person performs a vital service upon which others
               must rely in executing a specified defense requirement. Unqualified
               personnel not only jeopardize the possible success of an assignment
               or operation, but they pose an undue risk to others. To assure that
               such persons are medically fit, health information is provided to proper
               command authorities for medical screening and other purposes so that
               determinations may be made regarding the ability of personnel to
               perform assigned duties.




                                        8
                                                    Policy Memorandum 2003-34
                                                                     Exhibit 1



                  For example, health information is provided regarding:
                     A pilot receiving medication that may affect alertness,
                     An Armed Forces member with an intolerance for a vaccine
                      necessary for deployment to certain geographical areas,
                     Any significant medical or psychological changes in a
                      military member who is a member of the Nuclear Weapons
                      Personnel Reliability Program,
                     A military recruit or member with an illness or injury which
                      disqualifies him or her from military service, or
                     Compliance with controlled substance policies.

            The military and Coast Guard obtain such information from their own
            health care systems, as well as from other agencies that provide
            healthcare to service members. One agency is the Department of
            Transportation (Homeland Security), which is responsible for the
            United States Coast Guard. Other federal agencies may provide
            medical care to members of the Armed Forces.
               For example, the Department of State provides such care to
               military attachès and Marine security personnel assigned to
               embassies and consulates overseas. The Department of Veterans
               Affairs provides care in certain areas of the country or in cases
               involving specialized services.

            Other health care providers could also provide information.
                For example, when a private sector physician treats an Armed
                Services member injured in an accident.
            The military comprises a unique subset of society and the members of
            the Armed Forces do not have the same freedoms as do other
            civilians.



1. Armed    Covered entities may use and disclose the PHI of individuals who are
Forces      Armed Forces personnel for activities deemed necessary by the
Personnel   appropriate military command authorities to assure the proper
            execution of the military mission.




                                   9
                                                        Policy Memorandum 2003-34
                                                                         Exhibit 1


               This use and disclosure is permitted only if the appropriate military
               authority has published a notice in the Federal Register identifying:
                   The appropriate military command authorities, and
                   The purpose for which the PHI may be used or disclosed. [45
                      C.F.R. § 164.512(k)(1)(i)(A), (B)]


Appropriate    The Department of Defense issued a notice detailing the appropriate
Authorities    military command authorities and the purposes covered entities may
and Purposes   use or disclose PHI.

               The appropriate military command authorities include:
                   All Commanders who exercise authority over an individual who
                     is a member of the Armed Forces, or
                         o Another person designated by a Commander to receive
                            PHI.
                   The Secretary of the Defense,
                   The Secretary of the Military Department
                   The Secretary of Homeland Security, or
                   Any official delegated authority by a Secretary listed above.

               The purposes for which PHI may be used or disclosed include:
                   To determine the members fitness for duty, including but not
                     limited to the member’s compliance with standards and all
                     activities under:
                         o Department of Defense Physical Fitness and Body Fat
                             Program,
                         o Physical Disability Evaluation,
                         o Nuclear Weapons Personnel Reliability Program, or
                         o Similar requirements
                     To determine the member’s fitness compliance with any actions
                      required to perform:
                         o Mission,
                         o Assignment,
                         o Order, or
                         o Duty.
                     To carry out activities under the Joint Medical Surveillance
                     To report casualties in any military operation or activity in
                      accordance with applicable military regulations or procedures,
                      and


                                      10
                                                       Policy Memorandum 2003-34
                                                                        Exhibit 1


                    To carry out any other activity necessary to the proper
                     execution of the mission of the Armed Forces.
               [Federal Register, Volume 68, Number 68, Wednesday, April 9, 2003,
               Notices, Page 17358]



Appropriate    The Department of Defense has issued a notice detailing the
Authorities    appropriate military command authorities who will deem the activities
and Purposes   necessary to trigger release of PHI and the purposes for which
               covered entities may use or disclose PHI.

               The appropriate military command authorities include:
                   All Commanders who exercise authority over an individual who
                     is a member of the Armed Forces, or
                   Another person designated by a Commander to receive PHI,
                   The Secretary of the Defense,
                   The Secretary of the Military Security,
                   The Secretary of Homeland Security, or
                   Any official delegated authority by a Secretary listed above.

               The purposes for which PHI may be used or disclosed include:
                   To determine the members’ fitness for duty, including but not
                     limited to the member’s compliance with standards and all
                     activities under:
                      The Department of Defense Physical Fitness and Body Fat
                         Program,
                      The Physical Disability Evaluation,
                      The Nuclear Weapons Personnel Reliability Program, or
                      Similar requirements.
                   To determine the member’s fitness compliance with any actions
                     required to perform:
                      Mission,
                      Assignment,
                      Order, or
                      Duty.
                   To carry out activities under the Joint Medical Surveillance.




                                      11
                                                      Policy Memorandum 2003-34
                                                                       Exhibit 1



                   To report casualties in any military operation or activity in
                    accordance with applicable military regulations or procedures.
                   To carry out any other activity necessary to the proper
                    execution of the mission of the Armed Forces. [Federal
                    Register, Volume 68, Number 68, Wednesday, April 9, 2003,
                    Notices, Page 17358]



Authorized   Those authorized to use or disclose PHI to the Department of Defense
Entities     or Department of Transportation (Homeland Security) without
             individual authorization for activities deemed necessary by appropriate
             military command authorities to assure the proper execution of the
             military mission include health care providers and health plans of
             the:
                  Department of Defense,
                  Department of Transportation (Homeland Security),
                  Department of State,
                  U.S. Department of Veterans Affairs, or
                  Any other person or entity providing health care to Armed
                     Forces personnel.

             For a disclosure to be permitted without authorization, the following
             information must be identified:
                  The appropriate military command authorities,
                  The circumstances in which use or disclosure without individual
                    authorization would be required, and
                  The activities for which such use or disclosure would occur to
                    assure proper execution of the military mission.

             The Rule does not confer authority on the Department of Defense or
             the Department of Transportation (Homeland Security) to enact rules
             that would permit use or disclosure of health information that is
             restricted or controlled by other statutory authority.




                                    12
                                                            Policy Memorandum 2003-34
                                                                             Exhibit 1




2. Separation     A The Rule permits covered entities that are a component of the
or Discharge      Departments of Defense or the Department of Transportation
from Military     (Homeland Security) may to disclose to the Department of Veterans
Service           Affairs the PHI of an individual who is a member of the Armed
                  Forces upon the separation or discharge of the individual from
                  military service. The disclosure must be for the purpose of a
                  determination by the Department of Veterans Affairs of the
                  Department of Veterans Affairs determining the individual’s eligibility
                  for, or entitlement to benefits under laws administered by the
                  Secretary of Veterans Affairs. [45 C.F.R. § 164.512(k)(1)(ii)]



3. Benefits for   A covered entity that is a component of the Department of Veterans
Veterans          Affairs may use and disclose PHI to other components of the
                  Department that perform the following functions under the laws
                  administered by the Secretary of Veterans Affairs:
                     1. Determine eligibility for benefits, or
                     2. Determine entitlement to benefits, or
                     3. Provide Benefits.
                  [45 CFR §164.512(k)(1)(iii)]Covered entities may disclose PHI within
                  the U.S. Department of Veterans Affairs, in addition to disclosures
                  from the Departments of Defense and Transportation (Homeland
                  Security) to the U.S. Department of Veterans Affairs.

                  A covered entity that is a component of the U.S. Department of
                  Veterans Affairs may use and disclose PHI to other components of the
                  Department that perform the following functions under the laws
                  administered by the Secretary of Veterans Affairs:
                     1. Determine eligibility for benefits,
                     2. Determine entitlement to benefits, or
                     4.3.      Provide benefits. [45 C.F.R. §164.512(k)(1)(iii)]
                  Veteran’s health care programs are defined as “health plans”. [45
                  C.F.R. § 164.103 (definition of health plan) & 38 U.S.C. chapter 17]

                  The Department of Defense routinely transfers an individual’s entire
                  military service record, including PHI, to the U.S. Department of
                  Veterans Affairs upon completion of his/her military service. This
                  process takes place so the file may be retrieved quickly if the individual
                  or his/her dependents apply for veterans’ benefits. This practice was
                  initiated in an effort to expedite veterans’ benefits eligibility
                  determinations by ensuring timely access to complete, accurate


                                          13
                                                        Policy Memorandum 2003-34
                                                                         Exhibit 1


             information on the veteran’s military service. It is know as the transfer
             program.

             The transfer program was established based on recommendations by
             Congress, veterans groups, and veterans, and has existed for many
             years with no objections to or problems associated with the program.
             In addition, an analogous program exists where the Department of
             Transportation (Homeland Security) transfers records to the U.S.
             Department of Veterans Affairs with respect to the United States Coast
             Guard personnel. The PHI disclosed and used is for a limited purpose
             that directly benefits the individuals.


             The Rule permits the U.S. Department of Veterans Affairs and its
             components to use PHI without individual authorization when
             determining eligibility for or entitlement to benefits or providing benefits
             under laws administered by the Secretary of Veterans Affairs. The
             Veterans Administration is comprised of two separate components:
                1. The Veterans Health Administration – operates health care
                    facilities, and
                2. The Veterans Benefits Administration – operates the veterans
                    disability program.

             The close integration of the operations of the two components would
             make requiring individual authorizations before transferring PHI
             particularly disruptive. Further, the Veterans Health Administration
             transfers medical information on a much larger scale than most other
             covered entities, and requiring individual authorization for transfers
             among components could compromise the Department of Veterans
             Affairs’ ability to fulfill its statutory mandates.

             However, the U.S. Department of Veterans Affairs may not share such
             information with other agencies without an authorization.



4. Foreign   Covered entities may use and disclose to the appropriate foreign
Military     military authority the PHI of individuals who are foreign military
Personnel    personnel for the same purposes for which uses and disclosures are
             permitted for U.S. Armed Forces personnel. [45 C.F.R. §
             164.512(k)(1)(iv)]




                                     14
                                                     Policy Memorandum 2003-34
                                                                      Exhibit 1


            The Department of Defense, as well as other Federal agencies,
            provides medical care to foreign military and diplomatic personnel, as
            well as their dependents. Such care is provided pursuant to statutory
            authority [e.g., 10 U.S.C. 2549] or international agreement. The care
            may be delivered either in the United States or overseas. In addition,
            where health care is provided in the United States, it may be furnished
            by non-government providers when government delivered care is not
            available or the beneficiary elects to obtain private as opposed to
            government health care. NOTE: HIPAA does not provide a special
            permitted disclosure for foreign diplomatic personnel and their
            dependents; their PHI is subject to the Rule. NOTE: HIPAA does not
            provide a special permitted disclosure for foreign diplomatic personnel
            and their dependents; their PHI is subject to the rule.

               Examples include:
               1. Foreign military personnel being trained, or assigned to United
                  States military organizations in the United States, who receive
                  care from either government or private health care providers,
               2. The Department of Defense operated medical clinic which
                  provides care to all allied military personnel assigned to the
                  North Atlantic Treaty Organization Headquarters in Brussels,
                  Belgium, or
               3. The Department of State, which also is engaged in arranging
                  health care for foreign military personnel and their families,
                  could also have legitimate needs for the information concerning
                  the health services involved.



Foreign     The Rule does not apply to health care provided by the Department
Nationals   of Defense or any other federal or nongovernmental agency to
            overseas foreign national beneficiaries. This means that any health
            information created when providing health care to this population
            would not be PHI and therefore not covered by the Rule. [45 C.F.R.
            § 164.500(c)]




                                   15
                                                     Policy Memorandum 2003-34
                                                                      Exhibit 1


Foreign     The Department of Defense, as well as other federal agencies and
Nationals   United States based non-governmental organizations, also provide
Overseas    health care to foreign nationals overseas incident to United States
            sponsored missions or operations. Such health care is provided under
            federal statute, international agreement, international organization
            sponsorship, or incident to military operations (including humanitarian
            and peacekeeping operations). The Department of Defense, or any
            other federal agency or non-governmental entity acting on its behalf, is
            not subject to HIPAA when it provides health care in another country
            to foreign national beneficiaries. [45 C.F.R. § 164.500(c)]

               Examples include:
                The Department of Defense provides general health care to
                  local populations incident to military deployment,
                  The Department of Defense provides health care to captured
                   and detained personnel as a consequence of overseas combat
                   operations, or [Such care is mandated by international
                   agreement, i.e., the Geneva Conventions.]




                                   16
                                                         Policy Memorandum 2003-34
                                                                          Exhibit 1



                     Federal agencies and non-governmental organizations provide
                      health care services as part of organized disaster relief or other
                      humanitarian programs around the world.

               In these situations, the Rule could have the unintended effect of
               impeding such activities, by interfering with military command
               authorities’ ability to obtain PHI on prisoners of war, refugees, or
               detainees for whom they are responsible under international law. In
               these situations, the Privacy Rule could have the unintended effect of
               interfering with military command authorities’ ability to obtain PHI on
               prisoners of war, refugees, or detainees for whom they are responsible
               under international law




Verification   The covered entity is required to verify the authority of the person
               representing the appropriate military command and may rely on
               reasonable assurance from that person as to the purpose for the
               request. Covered entities are required to verify the identity of the
               official representing the Department of Veterans Affairs and their
               authority for the request of the PHI. [45 C.F.R. § 164.514(h)]




                                       17
                                                             Policy Memorandum 2003-34
                                                                              Exhibit 1


                                        State Law



Information       The IPA allows State agencies to disclose personal information in
Practices Act     specific circumstances without an authorization. The circumstances
(IPA) –           listed do not specifically address military or veterans activities. [Civil
Military and      Code §§ 1798.24(a) & (u); 1798.24a, & 1798.24b] However, the IPA
Veterans          allows disclosures of personal information:
                   As required by law to a government entity, [Civil Code § 1798.24(f)]
                   In the ordinary course of performing their official duties, [Civil Code
                       § 1798.24(d)]
                   To perform constitutional or statutory duties, or [Civil Code §
                       1798.24(e)]
                   In circumstances which affect the health or safety of an individual.
                       [Civil Code § 1798.24(i)]


                  MAJOR CONSIDERATION: Military and Veterans Activities and
                  the IPA.
                  The IPA provisions that allow for disclosures in the course of
                  performance of official duties or to perform constitutional or statutory
                  duties are preempted by HIPAA. Therefore, State agencies that
                  disclose PHI for purposes of military or veterans’ activities may only
                  make those disclosures if they are required by law to a government
                  entity, or affect the health or safety of an individual, or with an
                  authorization. You should consult with your legal counsel to
                  determine what other State or federal laws or regulations may be
                  utilized to allow for these disclosures.




Confidentiality   The CMIA allows health plans, providers and contractors to disclose
of Medical        PHI in certain circumstances without an authorization. The
Information       circumstances listed do not specifically address military or veterans
Act (CMIA) –      activities. [California Civil Code §§ 56.10(a), (b), (c)] However, the
Military and      CMIA allows for disclosures:
Veterans               As required by law, or [Civil Code § 56.10(b)(9)]
                       Employment related health care services. [Civil Code §
                          56.10(c)(8)]




                                          18
     Policy Memorandum 2003-34
                      Exhibit 1




19
                                           Policy Memorandum 2003-34
                                                            Exhibit 1




MAJOR CONSIDERATION: Military and Veterans’ Activities and
the CMIA.
The CMIA provisions allowing disclosure of PHI for employment-
related health care services is partially preempted. The subsection
that allows for employment-related disclosures relevant in a lawsuit,
arbitration, grievance or other claim or challenge is not preempted.
Therefore, providers and plans may be able to make disclosures
concerning military and veterans services to the extent that the
disclosures are required by another law or by an employer. You
should consult with your legal counsel to determine what other
State or federal laws or regulations may be utilized to disclose this
information before you disclose PHI related to military or veterans’
activities.


DECISION POINT: Military and Veterans’ Activities
Will you disclose PHI for military or veterans’ activities?
You will need to determine if your organization discloses PHI for
military or veteran’s purposes. If you do, you will need to determine
how you will verify the identity of the requester, the authority, and the
purpose for which the PHI is intended. You will need to establish a
procedure to assure that the information provided by the requester
meets the Rule requirements. This will become part of your Privacy
Policies and Procedures.


MAJOR CONSIDERATION: Other State Laws
California State law exists governing the State veterans affairs
programs and the State armed forces. Covered entities that are or
disclose to one of these programs will need to consider those State
laws and regulations.




                        20
                                                         Policy Memorandum 2003-34
                                                                          Exhibit 1


      2. NATIONAL SECURITY AND INTELLIGENCE ACTIVITIES
Permitted     Covered entities may disclose PHI to authorized federal officials for the
Disclosures   conduct of lawful intelligence, counter intelligence, and other national
Permitted     security activities. . [Authorized [Authorized by the National Security
Disclosures   Act (50 U.S.C. 401, et seq.)., the and the implementing authority (e.g.,
              Executive Order 12333 & ) & 45 C.F.R. § 164.512(k)(2)]

              This provision addresses the special circumstances of the national
              intelligence community. The preservation of national security depends
              to a large degree on the health and well being of intelligence
              personnel. To determine fitness for duty, including eligibility for a
              security clearance, these agencies must have continued access to the
              complete health records of their employees. To ensure continued
              fitness for duty, it is critical that these agencies have access to the
              entire medical record on a continuing basis.

              This provision does not provide new authority for intelligence or
              national security officials to acquire health information they
              otherwise would not be able to obtain. It does not confer new
              authority for intelligence or national security activities. Rather,
              the activities permissible under this section are limited to those
              authorized under current law and regulations.

              DHHS believes that because intelligence/national security activities
              are discrete functions serving a different purpose, they should be
              treated consistently but separately under the Rule. The Rule does not
              require or compel a health plan or a covered health provider to
              disclose PHI. Rather, it allows covered entities to disclose information
              for intelligence and national security, only to authorized federal officials
              conducting these activities when authorized by law. The Rule leaves
              intact the existing State Department regulations that strictly limit the
              disclosure of health information pertaining to employees.

              The term “intelligence community” is defined to include:
                  Office of the Director of Central Intelligence,
                  Office of the Deputy Director of Central Intelligence,
                  National Intelligence Council,
                  The Central Intelligence Agency,
                  National Security Agency,
                  Defense Intelligence Agency,
                  National Imagery and Mapping Agency,
                  National Reconnaissance Office,


                                      21
                                                           Policy Memorandum 2003-34
                                                                            Exhibit 1



                       Department of Defense offices that collect certain national
                        intelligence,
                       Intelligence elements of the Army, Navy, Air Force, Marines,
                        Federal Bureau of Investigation, Department of Treasury, and
                        Department of Energy,
                       Department of State Bureau of Intelligence and Research, and
                       Other departments designated by the President or jointly
                        designated by Director of Central Intelligence and the Agency.
                        [Section 4 of the National Security Act, 50 U.S.C. 401a]



Verification     Covered entities are required to verify the identity and authority of the
                 federal official. They may reasonably rely on the representation of
                 such person that the request is for lawful national security. [45 C.F.R.
                 § 164.514(h)]


                                      State Law

IPA – National   The IPA allows State agencies to disclose personal information in
Security and     specific circumstances without an authorization. The circumstances
Intelligence     listed do not specifically address national security or intelligence
                 activities. [Civil Code §§ 1798.24(a) & (u); 1798.24a, & 1798.24b]
                 However, the IPA allows disclosures of personal information:
                  As required by law to a government entity, [Civil Code § 1798.24(f)]
                  In the ordinary course of performing their official duties, [Civil Code
                      § 1798.24(d)]
                  To perform constitutional or statutory duties, or [Civil Code §
                      1798.24(e)]
                  In circumstances which affect the health or safety of an individual.
                      [Civil Code § 1798.24(i)]


                 MAJOR CONSIDERATION: National Security and Intelligence
                 Activities and the IPA
                 The IPA provisions that allow for disclosures in the course of
                 performance of official duties or to perform constitutional or statutory
                 duties are preempted by HIPAA. Therefore, State agencies that
                 disclose PHI for purposes of national security and intelligence activities
                 may only make those disclosures if they are required by law to a



                                         22
                                                        Policy Memorandum 2003-34
                                                                         Exhibit 1


               government entity, or affect the health or safety of an individual, or
               with an authorization. You should consult with your legal counsel to
               determine what other State or federal laws or regulations may be
               utilized to allow for these disclosures.




CMIA –         The CMIA allows health plans, providers and contractors to disclose
National       PHI in certain circumstances without an authorization. The
Security and   circumstances listed do not specifically address national security or
Intelligence   intelligence activities. [California Civil Code §§ 56.10(a), (b), (c)]
               Finally, the provision that requires covered entities to preserve the
               confidentiality of medical records does not mention these situations.
               [California Civil Code § 56.101] However, the CMIA allows for
               disclosures:
                    As required by law, or [Civil Code § 56.10(b)(9)]
                    Employment related health care services. [Civil Code §
                       56.10(c)(8)]




               MAJOR CONSIDERATION: National Security and Intelligence
               Activities and the CMIA
               The CMIA provisions allowing disclosure of PHI for employment-
               related health care services is partially preempted. The subsection
               that allows for employment-related disclosures relevant in a lawsuit,
               arbitration, grievance or other claim or challenge is not preempted.
               Also, providers and plans may be able to make disclosures concerning
               national security and intelligence activities to the extent that the
               disclosures are required by another law or with an authorization. You
               should consult with your legal counsel to determine what other
               State or federal laws or regulations may be utilized to disclose this
               information before you disclose PHI related to military or veterans’
               activities.




                                      23
                                         Policy Memorandum 2003-34
                                                          Exhibit 1




DECISION POINT: National Security and Intelligence Activities
Will you disclose PHI for national security and intelligence activities?
You will need to determine if your organization discloses PHI for
national security and intelligence purposes. If you do, you will need to
determine how you will verify the identity of the requester, the
authority, and the purpose for which the PHI is intended. You will
need to establish a procedure to assure that the information provided
by the requester meets the Rule requirements. This will become part
of your Privacy Policies and Procedures.




                       24
                             Policy Memorandum 2003-34
                                              Exhibit 1


3. PROTECTIVE SERVICES FOR THE PRESIDENT




                  25
                                                            Policy Memorandum 2003-34
                                                                             Exhibit 1


               3. PROTECTIVE SERVICES FOR THE PRESIDENT
Permitted        Covered entities may disclose PHI to authorized federal officials for the
Disclosures      provision of protective services to: [45 C.F.R. § 164.512(k)(3)]
Protective            The President or other persons, [18 U.S.C. 3056]
Services for          Foreign heads of state or other persons, or [22 U.S.C. 2709
the                      (a)(3)]
President             Conduct investigations. [18. U.S.C. 871 and 879]

                 The Rule does not confer new authority for protective services for the
                 president and others. Rather, the activities permissible under this
                 section are limited to those authorized under current laws and
                 regulations. The provision regarding protective services pertains only to
                 those persons who are the subjects of legitimate investigations for
                 threatening or otherwise exhibiting an inappropriate direction of interest
                 toward those under United State Secret Service protection.

                 DHHS believes that because presidential and other protective service
                 activities are discrete functions serving a unique purpose, they should
                 be treated consistently but separately under the Rule. The Rule does
                 not require or compel a health plan or a covered health provider to
                 disclose PHI. Rather, it allows covered entities to disclose information
                 for protective services to the President and others. Disclosure may be
                 made only to authorized federal officials conducting these activities
                 when authorized by law.



Verification     Covered entities are required to verify the identity and authority of the
                 federal official. They may reasonably rely on the representation of such
                 person that the request is for lawful protective services. [45 C.F.R. §
                 164.514(h)]




                                          26
                                                          Policy Memorandum 2003-34
                                                                           Exhibit 1


                                     State Law

IPA –           The IPA allows State agencies to disclose personal information in
Protective      specific circumstances without an authorization. The circumstances
Services for    listed do not specifically address protective services for the president
the President   and others. [California Civil Code §§ 1798.24(a) to (u); 1798.24a,
                1798.24b] However, the IPA allows disclosures of personal
                information:
                  As required by law to a government entity to a government entity.,
                     [Civil Code § 1798.24(f)]
                  In the ordinary course of the performance of their official duties,
                     [Civil Code § 1798.24(d)]
                  To perform constitutional or statutory duties, or [Civil Code §
                     1798.24(e)]
                  In circumstances which affect the health or safety of an individual.
                     [Civil Code § 1798.24(i)]


                MAJOR CONSIDERATION: Protective Services for the President
                and the IPA
                The IPA provisions that allow for disclosures in the course of
                performance of official duties or to perform constitutional or statutory
                duties are preempted by HIPAA. Therefore, State agencies that
                disclose PHI for purposes of protective services for the President and
                others may only make those disclosures if they are required by law to
                another government entity, or affect the health or safety of an
                individual, or with an authorization.. You should consult with your
                legal counsel to determine what other State or federal laws or
                regulations may be utilized to allow for these disclosures.




CMIA –          The CMIA allows health plans, providers and contractors to disclose
Protective      PHI in certain circumstances without an authorization. The
Services for    circumstances listed do not specifically address protective services for
the President   the president and others. [California Civil Code §§ 56.10(a), (b), (c)]
                However, the CMIA allows for disclosures:
                     As required by law, or [Civil Code § 56.10(b)(9)]
                     Employment-related health care services. [Civil Code §
                       56.10(c)(8)]




                                        27
                                         Policy Memorandum 2003-34
                                                          Exhibit 1



MAJOR CONSIDERATION: Protective Services for the President
and the CMIA
The CMIA provision allowing disclosure of PHI for employment-related
health care services is partially preempted. The subsection that allows
for employer-related disclosures relevant in a lawsuit, arbitration,
grievance or other claim or challenge is not preempted. Therefore,
providers and plans may be able to make disclosures for protective
services to the president and others to the extent that the disclosures
are required by another law. You should consult with your legal
counsel to determine what other State or federal laws or regulations
may be utilized to disclose this information.


DECISION POINT: Protective Services for the President
Will you disclose PHI for national security and intelligence activities?
You will need to determine if your organization discloses PHI for
protective services for the president and others. If you do, you will
need to determine how you will verify the identity of the requester, the
authority, and the purpose for which the PHI is intended. You will
need to establish a procedure to assure that the information provided
by the requester meets the Rule’s requirements. This will become part
of your Privacy Policies and Procedures.




                       28
                                                        Policy Memorandum 2003-34
                                                                         Exhibit 1


                        4. MEDICAL SUITABILITY
Medical       Covered entities that are a component of the Department of State may
Suitability   use PHI to make medical suitability determinations. Covered entities
Decisions     may also disclose whether or not the individual was determined to be
              medically suitable to the officials in the Department of State who need
              access to such information for the following purposes: [45 CFR §
              164.512(k)(4)(i) – (iii)]

                 1. For the purpose of a required security clearance,, [Executive
                    Orders 10450 and 12698],
                 2. As needed to determine worldwide availability or availability for
                    mandatory service abroad, or, or [sections 101(a)(4) and 504 of
                    the Foreign Service Act],
                 3. For a family to accompany a Foreign Service member abroad..
                    [§ [section 101(b) (5) and 904 of the Foreign Service Act].
                    [45 C.F.R. § 164.512(k)(4)(i) – (iii)]

              The Rule does not confer authority on the Department of State to
              disclose such information that it did not previously possess. Nothing
              prevents a covered entity from requiring an individual to provide an
              authorization before releasing PHI for purposes of obtaining a security
              clearance. The disclosure of the information is limited to that needed
              to determine whether the individual should be granted a security
              clearance or whether a Foreign Service member and his/her family
              members should be posted to a certain overseas assignment.

              The Foreign Service Act states that the purpose of the Foreign Service
              is to serve effectively the interests of the United States and provide the
              highest caliber of representation in the conduct of foreign affairs. The
              Department of State has established a health care program to promote
              and maintain the physical and mental health of members of the
              Service and that of other government employees serving abroad, as
              well as accompanying family members. The Department of State
              provides health care services to thousands of Foreign Service officers,
              other government employees and their families serving abroad, many
              of who are frequently changing posts or assignments.

              Worldwide availability for service is a criterion for entrance into the
              Foreign Service. Applicants with conditional offers of employment
              must undergo medical clearance examinations to establish their
              physical fitness to serve in the Foreign Service on a worldwide basis
              before entering the Service. Employees and accompanying family
              members also must be medically cleared before being given


                                      29
                                          Policy Memorandum 2003-34
                                                           Exhibit 1


assignments overseas, to preclude assignments to posts where
existing medical conditions would be exacerbated or where resources
to support an existing medical condition are inadequate.

The Department of State uses PHI gained through its role as a health
care provider to fulfill the following additional responsibilities:
 Making medical clearance and fitness decisions,
   Making other types of determinations requiring medical information
    (such as fitness for duty or eligibility for disability retirement of
    Foreign Service members),
   Determining whether to immediately evacuate an individual for
    evaluation or treatment, or
   Determining whether to allow an employee or family member to
    remain in a position or at a post abroad.

An individual’s record may include medical information provided to the
Department of State by outside healthcare providers (with the
individual’s authorization), PHI about treatment provided or paid for by
the Department of State, and medical information collected from non-
treatment processes such as the clearance process.

    Examples of situations in which the Department of State is not
    required to obtain authorization under this Rule include:
    1. Applicants to the Foreign Service for medical clearance
       determinations of physical fitness to serve in the Foreign
       Service on a worldwide basis, including:
        Medical and mental conditions limiting the ability of the
           individual to serve abroad,
        Conformance to occupational physical standards, and
        Suitability.
    2. Members of the Foreign Service and other United States
       Government employees assigned to serve abroad under Chief
       of Mission authority for:
          Medical clearance determinations for assignment to posts
           abroad, including:
             Medical and mental conditions limiting such assignment;
              conformance to occupational physical standards,
             Continued fitness for duty, suitability, and
             Continuation of service at post (including decisions on
              curtailment),
          Separation medical examinations; and
           Determinations of eligibility of members of the Foreign


                        30
                                Policy Memorandum 2003-34
                                                 Exhibit 1


Service for disability retirement.




             31
                                                          Policy Memorandum 2003-34
                                                                           Exhibit 1



                   3. Eligible Family members of Foreign Service or other United
                      States government employees, for medical clearance
                      determinations like those described above to:
                          Permit such family members to accompany employees to
                           posts abroad on government orders, or
                          Make determinations regarding family members remaining
                           at the post, and separation medical examinations.



Verification    Covered entities are required to verify the identity and authority of the
                federal Department of State officials. [45 C.F.R. § 164.514(h)]



                                     State Law

Information     The IPA allows State agencies to disclose personal information in
Practices Act   specific circumstances without an authorization. The circumstances
– Medical       listed do not specifically address medical suitability. [California Civil
Suitability     Code §§ 1798.24(a) to (u); 1798.24a, 1798.24b] However, the IPA
                allows disclosures of personal information:
                  As required by law to a government entity. [Civil Code §
                     1798.24(f)]
                  In the ordinary course of the performance of their official duties, or
                     [Civil Code § 1798.24(d)]
                  To perform constitutional or statutory duties, or [Civil Code §
                     1798.24(e)]
                  In circumstances which affect the health or safety of an individual.
                     [Civil Code § 1798.24(i)]




                                        32
                                                         Policy Memorandum 2003-34
                                                                          Exhibit 1




              MAJOR CONSIDERATION: Medical Suitability and the IPA
              The IPA provisions that allow for disclosures in the course of
              performance of official duties or to perform constitutional or statutory
              duties are preempted by HIPAA. Therefore, State agencies that
              disclose PHI for purposes of medical suitability may only make those
              disclosures if they are required by law, affect the health or safety of an
              individual, or with an authorization. You should consult with your
              legal counsel to determine what other State or federal laws or
              regulations may be utilized to allow for these disclosures.




CMIA –        The CMIA allows health plans, providers and contractors to disclose
Medical       PHI in certain circumstances without an authorization. The
Suitability   circumstances listed do not specifically address medical suitability.
              [California Civil Code §§ 56.10(a), (b), (c)] Finally, the provision that
              requires covered entities to preserve the confidentiality of medical
              records does not mention these situations. [California Civil Code §
              56.101] However, the CMIA allows for disclosures:
                   As required by law, or [Civil Code § 56.10(b)(9)]
                   Employment related health care services. [Civil Code §
                     56.10(c)(8)



              MAJOR CONSIDERATION: Medical Suitability and the CMIA
              The CMIA provisions allowing disclosure of PHI for employment-
              related health care is partially preempted. Disclosures for medical
              suitability may be allowed under the CMIA provisions that relate to
              employers treatment of medical information of employees, depending
              on the situation and to the extent the provisions are not preempted by
              HIPAA.
              The subsection that allows for employment-related disclosures
              relevant in a lawsuit, arbitration, grievance or other claim or challenge
              is not preempted. Providers and plans may be able to make
              disclosures for medical suitability purposes to the extent that the
              disclosures are required by another law. You should consult with
              your legal counsel to determine what other State or federal laws or
              regulations may be utilized to disclose this information.




                                      33
                                        Policy Memorandum 2003-34
                                                         Exhibit 1


DECISION POINT: Medical Suitability
Will you disclose PHI for medical suitability activities?
You will need to determine if your organization discloses PHI for
medical suitability purposes. If you do, you will need to determine how
you will verify the identity of the requester, the authority, and the
purpose for which the PHI is intended. You will need to establish a
procedure to assure that the information provided by the requester
meets the Rule requirements. This will become part of your Privacy
Policies and Procedures.




                       34
                                                            Policy Memorandum 2003-34
                                                                             Exhibit 1


                    5. CORRECTIONAL INSTITUTIONS
Permitted       Covered entities may disclose PHI without authorization to correctional
Uses and        institutions about inmates in certain circumstances. A covered entity
DisclosuresPe   may disclose to a correctional institution or a law enforcement official
rmitted Uses    having lawful custody of an inmate or other individual the PHI about the
and             inmate or other individual, if the correctional institution or law
Disclosures     enforcement official represents that the PHI is necessary for:

Disclosures     1. The provision of health care to such individuals,
                2. The health and safety of such individuals or other inmates,
                3. The health and safety of the officers, employees, or others at the
                   correctional institution,
                4. The health and safety of such individuals, officers, or other persons
                   responsible for the transporting or transfer of inmates from one
                   institution, facility or setting to another,
Disclosures     5. Law enforcement on the premises of the correctional institution, and
                6. The administration and maintenance of the safety, security, and
                   good order of the correctional institution. [45 C.F.R. §
                   164.512(k)(5)(i)(A) – (F)]
                7.6.

Uses            A covered entity that is a correctional institution may use PHI of
                individuals who are inmates for any purpose for which such PHI may
                be disclosed.


Correctional    Any penal or correctional facility, jail, reformatory, detention center,
Institution     work farm, halfway house, or residential community program center
                    Operated by, or under contract to, the United States, a state, a
                       territory, political subdivision of a State or territory, or an Indian
                       tribe, and
                    For the confinement or rehabilitation of persons charged with
                       or convicted of a criminal offense or other persons held in
                       lawful custody.

                Other persons held in lawful custody includes:
                    Juvenile offenders and adjudicated delinquents;
                    Aliens detained awaiting deportation;
                    Persons committed in a Mental Institution through the criminal
                      justice system;
                    Witnesses; and
                    Others awaiting charges or trial.


                                         35
                                                        Policy Memorandum 2003-34
                                                                         Exhibit 1



              [45 C.F.R. § 164.502 definition of correctional institution & 45 C.F.R. §
              164.512 (k)(5)]


Inmate        A person incarcerated in or otherwise confined to a correctional
              institution. [45 C.F.R. § 164.501 definition of inmate]


Law           An official of any agency or authority of the United States or a political
Enforcement   subdivision (i.e., State, County, etc.) thereof who is empowered to:
Official         1. Investigate or conduct an inquiry into a potential violation of law;
                     or
                 2. Prosecute or otherwise conduct a criminal, civil, or
                     administrative proceeding arising from an alleged violation of
                     law.

              [45 C.F.R. §§ 164.501 definition of law enforcement official &
              164.512(f)]


              Covered entities are permitted to release PHI to correctional
              institutions about:
                   Inmates of a correctional facility,
                   Individuals in similar institutions designed for the confinement or
                      rehabilitation of criminal offenders, and
                   Persons who are in transitional homes and other facilities in
                      which they are required by law to remain for correctional
                      reasons and from which they are not allowed to leave. (See
                      definition of an inmate, on page 25.)

                     For example, this permitted disclosure is intended to allow a
                     prison’s doctor to disclose to a van driver transporting a criminal
                     that the individual is a diabetic and frequently has seizures, as
                     well as information about the appropriate action to take if the
                     individual has a seizure during his/her transportation.




                                      36
                                                         Policy Memorandum 2003-34
                                                                          Exhibit 1



               Covered entities are allowed to disclose PHI as necessary for the
               administration and maintenance of the safety, security, and good order
               of the correctional institution. Covered entities that provide services to
               inmates under contract to correctional institutions must treat PHI about
               inmates in accordance with this Rule and are permitted to use and
               disclose such information in the same manner as the correctional
               institutions are as permitted.



Uses           Covered entities that are a correctional institutions may use PHI of
               individuals who are inmates for any purpose for which such PHI may
               be disclosed. [45 C.F.R. § 164.512(k)(5)]



Correctional   A correctional institution includes any:
Institutions       Penal or correctional facility,
                   Jail,
                   Reformatory,
                   Detention center,
                   Work farm,
                   Halfway house,
                   Residential community program center, or
                   Similar institution designed for the confinement or rehabilitation
                      of criminal offenders.
               Which are:
                   Operated by, or under contract to:
                          o The United States,
                          o A state,
                          o A territory,
                          o A political subdivision of a state or territory, or
                          o An Indian tribe, and
                   For the confinement or rehabilitation of persons charged with or
                      convicted of a criminal offense or other persons held in lawful
                      custody.
               Other persons held in lawful custody includes:
                   Juvenile offenders,
                   Adjudicated delinquents,


                                       37
                                                        Policy Memorandum 2003-34
                                                                         Exhibit 1



                   Aliens detained awaiting deportation,
                   Persons committed in a mental institution through the criminal
                    justice system,
                   Witnesses, and
                   Others awaiting charges or trial. [45 C.F.R. § 164.501
                    (definition of correctional institution)]



Inmates      An inmate includes any person incarcerated in or otherwise confined
             to a correctional institution. [45 C.F.R. § 164.501 (definition of inmate)]

             The permitted disclosure for correctional activities only applies to
             individuals who are incarcerated in correctional facilities that are part
             of the criminal justice system, or in the lawful custody of a law
             enforcement official. To the extent an individual who is in community
             custody is confined, this permitted disclosure applies.

             The permitted disclosure for correctional activities does not apply to:
                  Individuals who are detained for no criminal reasons,
                  Individuals in psychiatric institutions for treatment purposes
                      only, who are not there due to a crime or under mandate from
                      the criminal justice system, or
                  Individuals in pretrial release, probation, or on parole.
             These persons are not considered to be incarcerated in a correctional
             facility. When an individual is released from a correctional facility, they
             have the same privacy rights that apply to all other individuals under
             the Rule. [45 C.F.R. § 164.512(k)(5)(iii)]




Notices of   Inmates do not have the right to a Notice of Privacy Practices. A
Privacy      correctional institution that is a covered entity is not required to
Practices    produce a notice. No person, including a current or former inmate, has
             the right to notice of such a covered entity’s privacy practices.

             For more information about notices of privacy practices, see
             Administration of HIPAA, Chapter 3, Notices of Privacy Practices, on
             the CalOHI website at: CalOHI - Privacy - General Privacy.




                                     38
                                                             Policy Memorandum 2003-34
                                                                              Exhibit 1



Verification of   Covered entities are required to verify the identity, authority and
Identity          purpose of requestors of PHI with the presentation of an agency
                  identification badge, other official credentials, or other proof of
                  government status. Covered entities are allowed to disclose PHI
                  about inmates if the correctional institution or law enforcement official
                  represents the PHI is necessary for the appropriate purposes. A
                  covered entity may reasonably rely on the representation of such
                  public officials.

                  For more information about verification of identity and authority, see
                  Use and Disclosure of PHI, Chapter 6, Verification of Identity, on the
                  CalOHI website at: CalOHI - Privacy - Use and Disclosure.



Access to PHI     Covered entities that are correctional institutions or covered health
                  care providers acting under the direction of correctional institutions
                  may deny an inmate’s request for a copy of PHI if obtaining a copy
                  would jeopardize:
                   The health, safety, security, custody, or rehabilitation of the
                     individual or other inmates, or
                   The safety of any officer, employee, or other person at the
                     correctional institution or responsible for transporting the inmate.

                  The above grounds for denial are restricted to an inmate’s request to
                  obtain a copy of his/her PHI. If an inmate requests inspection of the
                  PHI, the request must be granted unless one of the grounds for denial
                  applies. The purpose of this exception, and the reasons for the
                  exception are to give the correctional institution the ability to maintain
                  order in these facilities and among inmates without denying an inmate
                  the right to review his/her PHI. [45 C.F.R. § 164.524]

                  For more information about access to PHI and reasons for denial of
                  access, see CalOHI Policy Memorandum 2003-22, Access Process,
                  on the CalOHI website at: CalOHI Privacy - Access and Individual
                  Rights.




                                          39
                                                         Policy Memorandum 2003-34
                                                                          Exhibit 1



Amendments      Covered entities may deny an inmate’s request for an amendment, if it
to PHI          is determined that the PHI or records subject to the request would not
                be available for inspection (because access was denied). Covered
                entities would be required to accept a request for an amendment to an
                inmate’s PHI or record if the inmate could otherwise inspect his/her
                PHI under the Rule.

                For more information about amendments to PHI and reasons for
                denial, see CalOHI Policy Memorandum 2003-22, Access Process, on
                the CalOHI website at: CalOHI Privacy - Access and Individual Rights.



Accounting of   Covered entities are not required to account for disclosures of PHI to
Disclosures     correctional institutions. [45 C.F.R. § 164.512(k)(5) & 164.528]

                For more information about accounting of disclosures, see CalOHI
                Policy Memorandum 2003-28, Use and Disclosure of PHI, Chapter 28,
                Accounting of Disclosures, on the CalOHI website at: CalOHI - Privacy
                - Use and Disclosure.



Law             Another permitted disclosure covered entities are allowed to utilize is
Enforcement     for law enforcement purposes. Covered entities may disclose PHI if
                they believe in good faith the disclosure is necessary for law
                enforcement authorities to identify and apprehend an individual where
                it appears from all circumstances the individual has escaped from a
                correctional institution or from lawful custody. [45 C.F.R. §
                164.512(j)(ii)(B)]

                For more information about disclosures for law enforcement purposes,
                see Use and Disclosure of PHI, Chapter 14, Law Enforcement, on the
                CalOHI website at: CalOHI - Privacy - Use and Disclosure.




                                       40
                                                         Policy Memorandum 2003-34
                                                                          Exhibit 1


                                    State Law

IPA –          The IPA allows State agencies to disclose personal information in
Correctional   specific circumstances without an authorization. The circumstances
Institutions   listed do not address correctional institutions. [California Civil Code §§
               1798.24(a) to (u); 1798.24a, 1798.24b] However, the IPA allows
               disclosures of personal information:
                 As required by law. [Civil Code § 1798.24(f)]
                 In the ordinary course of the performance of their official duties, or
                    [Civil Code § 1798.24(d)]
                 To perform constitutional or statutory duties. [Civil Code §
                    1798.24(e)]
                 In circumstances which affect the health or safety of an individual.
                    [Civil Code § 1798.24(i)]



               MAJOR CONSIDERATION: Correctional Institutions and the IPA
               The IPA provisions that allow for disclosures in the course of
               performance of official duties or to perform constitutional or statutory
               duties are preempted by HIPAA. Therefore, State agencies (e.g.,
               State hospitals, veterans’ hospitals, etc.) that disclose PHI to
               correctional institutions may only make those disclosures if they are
               required by law or affect the health or safety of an individual. You
               should consult with your legal counsel to determine what other
               State or federal laws or regulations may be utilized to allow for these
               disclosures.




CMIA –         The CMIA allows health plans, providers and contractors to disclose
Correctional   PHI in certain circumstances without an authorization. The
Institutions   circumstances listed do not specifically address correctional
               institutions. [California Civil Code §§ 56.10(a), (b), (c)] Finally, the
               provision that requires covered entities to preserve the confidentiality
               of medical records does not mention these situations. [California Civil
               Code § 56.101] However, the CMIA allows for disclosures:
                    As required by law, or [Civil Code § 56.10(b)(9)]




                                       41
                                          Policy Memorandum 2003-34
                                                           Exhibit 1




MAJOR CONSIDERATION: Correctional Institutions and the
CMIA
Providers and plans may be able to make disclosures to correctional
institutions only to the extent that the disclosures are required by
another law. You should consult with your legal counsel to
determine what other State or federal laws or regulations may be
utilized to disclose this information.



MAJOR CONSIDERATION: State Correctional Laws
California State law exists governing the state correctional system and
local confinement programs. Covered entities that are or disclose to
one of these programs will need to consider those State laws, State
regulations and local ordinances.



DECISION POINT: Corrections and Lawful Custody
Will you disclose PHI to a correctional institution? Will you use PHI in
a correctional institution?
You will need to determine if your organization uses or discloses PHI
for correctional institutional purposes. If you do, you will need to
determine how you will verify the identity of the requester, the
authority, and the purpose for which the PHI is intended. You will
need to establish a procedure to assure that the information provided
by the requester meets the Rule requirements. This will become part
of your Privacy Policies and Procedures.
You will need to determine if you will use the law enforcement
permitted disclosures for some of your correctional institution
situations. If so, you will need to determine what procedures will be
necessary to utilize this provision.




                        42
                                                        Policy Memorandum 2003-34
                                                                         Exhibit 1


                      6. GOVERNMENT PROGRAMS
Permitted      Covered entities that are government programs may disclose without
Disclosures    authorization in two specific situations. The two situations are
               described in detail, for certain purposes.

1. 1. Health   A health plan, that is a government program providing public benefits,
Plans          may disclose PHI relating to eligibility for or enrollment in the health
               plan to another agency (covered or uncovered) administering a
               government program providing public benefits, if:
                The sharing of eligibility or enrollment information among such
                  government agencies is required or expressly authorized by statute
                  or regulation; or
                  The maintenance of such information in a single or combined data
                   system accessible to all such government agencies is required or
                   expressly authorized by a statute or regulation. [45 C.F.R. §
                   164.512(k)(6)(i)]


Government     The Rule does not apply to all government programs.
Programs       “Government programs providing public benefits” refers to
               programs offering benefits to specified members of the public
               and not to programs that offer benefits only to employees or
               retirees of government agencies.

               Where a public program meets the definition of health plan, the
               government agency that administers the program is the covered entity.

               Where two agencies administer a program jointly, they are both
               health plans.

                      For example, both the Health Care Financing Administration
                      and the insurers that offer a Medicare+Choice plan are “health
                      plans” with respect to Medicare beneficiaries.


               The Rule does not apply to all government programs. “Government
               programs providing public benefits” refers to programs offering
               benefits to specified members of the public and not to programs that
               offer benefits only to employees or retirees of government agencies.

               The Rule does not intend to upset the determination where another
               public entity has established the balance between the need for
               efficient administration of public programs and public funds and the



                                      43
                                          Policy Memorandum 2003-34
                                                           Exhibit 1


individuals’ privacy interests; and allows information sharing for these
limited purposes. In some cases, the covered entity first collects or
creates the information disclosed to these systems. The Rule does
not prohibit these disclosures.

       For example, the Social Security Act requires a variety of public
       programs including the Social Security program, state Medicaid
       programs, the food stamp program, certain unemployment
       compensation programs, and others, to participate in a joint
       income and eligibility verification system. The Social Security
       Administration is required to provide information to certain state
       vocational rehabilitation programs for eligibility purposes.

This permitted disclosure does not authorize sharing of information for
claims determinations or ongoing administration of the public
programs. It is limited to agencies and activities described above. An
agency that does not administer a program, but which provides
services for such a program is not a covered entity by virtue of
providing such services. Whether the agency is a business associate
of the covered entity depends on whether its functions for the covered
entity meet the definition of a business associate.




                        44
                                                         Policy Memorandum 2003-34
                                                                          Exhibit 1


Government      HIPAA defines a health plan to include an individual plan or group
Health Plans    health plan that provides, or pays the cost of medical care. It includes
                the component of the government agency that administers the
                program. Church plans and government plans are included to the
                extent that they fall into one or more of the listed categories.
                Government health plans that fall into the listed categories are:
                    The Medicare Program, Parts A or B under Title XVIII,
                    The Medicaid Program, under Title XIX,
                    An issuer of Medicare supplemental policies,
                    The health care program for active military personnel,
                    The federal veterans health care program,
                    The Civil Health and Medical Program of the Uniformed
                       Services (CHAMPUS),
                    The Indian Health Services Program under the Indian Health
                       Care Improvement Act,
                    Federal Employees Health Benefits Program,
                    An approved State child care plan under Title XIX that provides
                       benefits for child health assistance, and
                    The Medicare+Choice program.



Exceptions to   Government funded programs that are not health plans include:
Government      1. Programs that do not have as their principal purpose the providing
Health Care        or paying for the cost of health care, but do provide or pay for
Programs           health care services. This includes programs such as:
                     Special Supplemental Nutrition Program for Women, Infants,
                        and Children (WIC) and
                     The Food Stamp Program that provide nutritional services.

                2. Programs providing or paying for the cost of health care:
                    Disability income insurance,
                    Workers’ compensation or similar insurance,
                    If offered as a separate insurance policy – Medicare
                      supplemental health insurance and supplemental coverage
                      provided to coverage under a group health plan, or
                    Employee Retirement Income Security Act (ERISA) plans.


                3. Programs that have as their principal purpose providing health


                                       45
                                     Policy Memorandum 2003-34
                                                      Exhibit 1


care, either directly or by grant, but the provision of services is
through grants to fund the direct provision of health care to
persons. These include programs such as:
 The Ryan White Comprehensive AIDS Resources Emergency
    Act,
 Government-funded health centers and immunization programs,
 The program of health care services for individuals detained by
    the Immigration and Naturalization Service (INS) that provides
    health care directly, or
 The federal Family Planning under Title X of the Public Health
    Services Act.




                   46
                                                          Policy Memorandum 2003-34
                                                                           Exhibit 1



2. Covered       Covered entities that are government agencies administering a
Entities         government program providing public benefits may disclose PHI
                 relating to the program to other covered entities that are
                 government agencies administering a government program providing
                 public benefits if:
                    The programs serve the same or similar populations, and
                    The disclosure of PHI is necessary to:
                     o Coordinate the covered functions of such programs, or
                     o Improve administration and management relating to the
                       covered functions of such programs. [45 C.F.R. §
                       164.512(k)(6)(ii)]

                 Covered entities that are government programs providing public
                 benefits serving the same or similar populations are permitted to share
                 PHI for the purposes of:
                  Coordinating covered functions of the programs, and
                  General management and administration relating to the covered
                    function of the programs.

                 Often similar government health programs are administered by
                 different government agencies.
                        For example, in some states the Medicaid program and the
                        State Children’s Health Insurance Program are administered by
                        different agencies, although they serve similar populations.
                        Many states coordinate eligibility for these two programs, and
                        sometimes offer services through the same delivery systems
                        and contracts.

                 This permitted disclosure allows covered entities administering these
                 programs to share PHI of program participants to coordinate
                 enrollment and services, and to generally improve the health care
                 operations of the programs. However, it does not authorize the
                 agencies to use or disclose the PHI that is shared for other purposes
                 not allowed by this permitted disclosure.



Eligibility,     A covered entity that is a government agency administering a
Enrollment       government program providing public benefits may disclose PHI
and Collection   relating to the program to another covered entity that is a
of IIHI          government agency administering a government program providing


                                        47
                                                         Policy Memorandum 2003-34
                                                                          Exhibit 1


               public benefits if:
2. Covered        The programs serve the same or similar populations and
Entities
                  The disclosure of PHI is necessary to:
                   o Coordinate the covered functions of such programs or
               Improve administration and management relating to the covered
               functions of such programs. [45 CFR § 164.512(k)(6)(ii)]Government
               agencies that determine eligibility and enroll individuals into
               government programs that provide public benefits such as Medi-Cal
               (Medicaid) are not considered to be health plans or business
               associates of health plans. No business associate agreement is
               required:
                   Where eligibility and enrollment determinations are made by an
                      agency for the government health plan administering the plan,
                      or
                   Where PHI is collected and used to determine enrollment or
                      eligibility by an agency other than the government agency
                      administering the plan.


               DHHS notes that in certain instances eligibility for or enrollment in a
               health plan that is a government program providing public benefits,
               such as Medicaid, is determined by an agency other than the agency
               that administers the program. Also, the individually identifiable health
               information used to determine enrollment or eligibility in such a health
               plan is collected by an agency other than the agency that administers
               the health plan. DHHS does not consider an agency that is not
               otherwise a covered entity, such as a local welfare agency, to be a
               covered entity because it determines eligibility or enrollment or collects
               enrollment information as authorized by law.



Verification   Covered entities must verify the identity and authority of the requestor
               for such information. [45 C.F.R. § 164.514(h)]




                                       48
                                                       Policy Memorandum 2003-34
                                                                        Exhibit 1


                                  State Law

IPA –        The IPA allows State agencies to disclose personal information in
Government   specific circumstances. The circumstances listed do not specifically
Programs     address government programs. [California Civil Code §§ 1798.24(a)
             through (u); 1798.24a, 1798.24b] However, the IPA allows disclosures
             of personal information:
               As required by law to a government agency, [Civil Code §
                 1798.24(f)]
               In the ordinary course of the performance of their official duties,
                 [Civil Code § 1798.24(d)]
               To perform constitutional or statutory duties, or [Civil Code §
                 1798.24(e)]
               In circumstances which affect the health or safety of an individual.
                 [Civil Code § 1798.24(i)]



             MAJOR CONSIDERATION: Government Programs and the IPA
             The IPA provisions that allow for disclosures in the course of
             performance of official duties or to perform constitutional or statutory
             duties are preempted by HIPAA. Therefore, State agencies that
             disclose PHI for purposes of government programs may only make
             those disclosures if they are required by law, affect the health or safety
             of an individual, or with an authorization. It is likely that many
             disclosures between government agencies are required by law or
             affect their health and safety. However, you should consult with your
             legal counsel to determine what other State or federal laws or
             regulations may be utilized to allow for these disclosures.




CMIA –       The CMIA allows health plans, providers and contractors to disclose
Government   PHI in certain circumstances. The circumstances listed do not
Programs     specifically address government programs. [California Civil Code §§
             56.10(a), (b), (c)] However, the CMIA allows for disclosures
             specifically required by law. [Civil Code § 56.10(b)(9)]




                                     49
                                        Policy Memorandum 2003-34
                                                         Exhibit 1




MAJOR CONSIDERATION: Government Programs and the CMIA
Providers and plans may be able to make disclosures to government
programs to the extent that the disclosures are required by another
law. It is likely that many disclosures between government agencies
are required by law. However, unless the disclosure is specifically
required by law, covered entities may not make the disclosure. You
should consult with your legal counsel to determine what other
State or federal laws or regulations may be utilized to disclose this
information.


DECISION POINT: Government Programs
Will you disclose PHI to or for government programs?
You will need to determine if your organization uses or discloses PHI
for government program purposes. If you do, you will need to
determine how you will verify the identity of the requester, the
authority, and the purpose for which the PHI is intended. You will
need to establish a procedure to assure that the information provided
by the requester meets the Rule requirements. This will become part
of your Privacy Policies and Procedures.




                       50
                                                      Policy Memorandum 2003-34
                                                                       Exhibit 1


Business    Government agencies that disclose information to another agency under
Associate   the Rule are not required to have business associate agreements with
Contracts   those agencies. DHHS made an exemption to the business associate
            agreement requirements for government agencies that by law cannot
            enter into contracts with one another or that operate under other legal
            requirements incompatible with some aspects of the required contractual
            assurances. In some cases, the law requires another agency to
            determine the eligibility or enrollment in a covered health plan. In such
            cases, information is generally shared across a number of government
            programs to determine eligibility, and often jointly maintained. DHHS
            made an exemption to the business associate agreement requirement
            for government agencies that by law cannot enter into contracts with
            one another or that operate under other legal requirements incompatible
            with some aspects of the required contractual assurances. In some
            cases, the law requires another agency to determine the eligibility or
            enrollment in a covered health plan. In such cases, information is
            generally shared across a number of government programs to determine
            eligibility, and often jointly maintained.




            Several method other than a business associate contract will satisfy the
            business associate agreement requirement:

                  When a government agency is a business associate to another
                   government agency, DHHS permits memoranda of understanding
                   between the agencies, if the memoranda accomplish each of the
                   objectives of the business associate contract, or

                   DHHS recognizes that the relationship of government agencies
                   are often organized as a matter of law, and it is not always
                   feasible for one agency to contract with another for all the
                   business associate purposes. They also recognize that it is
                   incorrect to view one government agency as acting on behalf of
                   the other government agency when under law each agency may
                   be acting to fulfill a statutory mission. Some agencies may not be
                   able to include the right to terminate the arrangement because
                   the relationship is established under law. In these instances, the
                   government agency would need to report know violations of the
                   memorandum to the Secretary.

                  Where other law contains requirements applicable to the
                   business associate that accomplish each of the objectives of the



                                     51
                                   Policy Memorandum 2003-34
                                                    Exhibit 1


business associate contract.

DHHS recognizes that covered entities may not be able to
impose the requirements of the business associate agreements
directly on person acting as their business associates. They also
recognize that one government agency acting as a business
associate of another government agency may also have the legal
authority to establish a business associate relationship with the
other government agency. They recognize that other laws may
be sufficient to substitute for a business associate contract.




                  52
                                                           Policy Memorandum 2003-34
                                                                            Exhibit 1


                            OTHER REQUIREMENTS
Relationship    Covered entities may use or disclosure PHI as permitted by and in
to Other        accordance with any of the permitted disclosures regardless of
Permitted       whether that use or disclosure fails to meet the requirements for use or
Disclosures     disclosure under a different use or disclosure or elsewhere in the
                Privacy Rule.

                  For example, no business associate contract is required when:
                     A health plan that is a government program provides public
                      benefits, such as SCHIP and Medicaid,
                                                  and
                     Eligibility for, or enrollment in, the health plan is determined by
                      an agency other than the agency administering the health plan,
                                                   or
                     The PHI used to determine enrollment or eligibility in the health
                      plan is collected by an agency other than the agency
                      administering the health plan, and the joint activities are
                      authorized by law.

               For more information about requirements for Business Associate
               Agreements, see CalOHI Privacy Policy Memorandum 2002-25,
               Business Associates, on the CalOHI webpage at: CalOHI - Privacy -
               General Privacy.

               Several methods other than a business associate contract will satisfy
               the business associate agreement requirement:

                         Where a government agency is a business associate to
                          another government agency, DHHS permits a memorandum
                          of understanding between the agencies, if the memorandum
                          accomplishes each of the objectives of the business associate
                          contract, or

                         Where other law contains requirements applicable to the
                          business associate that accomplish each of the objectives of
                          the business associate contract.


               DHHS recognizes the relationship of government agencies is often
               organized as a matter of law, and it is not always feasible for one
               agency to contract with another for all the business associate purposes.
               They also recognize that it is incorrect to view one government agency


                                         53
                                         Policy Memorandum 2003-34
                                                          Exhibit 1


as acting on behalf of the other government agency when under law
each agency may be acting to fulfill a statutory mission. Some agencies
may not be able to include the right to terminate the arrangement when
the relationship is established under law. In these instances, the
government agency would need to report known violations of the
memorandum to the Secretary.




                        54
                                                          Policy Memorandum 2003-34
                                                                           Exhibit 1


                           OTHER REQUIREMENTS

Restricted     HIPAA allows individuals the right to request restrictions of disclosures
Disclosures    of PHI. However, the right does not apply to uses or disclosures
               allowed for specialized government functions. [45 C.F.R. § 164.512(k)
               & 164.522]

               For more information about restricted disclosures, see Chapter 24,
               Restricted Disclosures, Use and Disclosure of PHI, on the CalOHI
               website at: CalOHI - Privacy - Use and Disclosure.



Verification Covered entities must comply with the verification requirements when
Requirements making disclosures as indicated in each subsection of this Chapter. [45
             C.F.R. § 164.514(h)]

                For more information about verification requirements, see Chapter 6,
                Verification of Identity, Use and Disclosures of PHI, which may be
                found on the CalOHI webpage at: CalOHI - Privacy - Use and
                Disclosure.



Health         Covered entities are permitted to disclose PHI to health oversight
Oversight      agencies for oversight activities authorized by law for the oversight of
Activities     government benefit programs for which health information is relevant to
               beneficiary eligibility or for government regulatory programs. Use or
               disclosure of this information is limited to the PHI necessary for
               determining compliance with program standards. [45 C.F.R. §
               164.512(d)]

               For more information about health oversight activities and government
               functions, see Chapter 12, Health Oversight Activities, Use and
               Disclosure of PHI, on the CalOHI website at: CalOHI - Privacy - Use and
               Disclosure.




                                        55
                                                          Policy Memorandum 2003-34
                                                                           Exhibit 1



Privacy        Covered entities are required to address in their Privacy Policies and
Policies and   Procedures disclosures related to specialized government functions.
Procedures     [45 C.F.R. § 164.530(i)]

               For more information about Privacy Policies and Procedures, see
               Chapter 4, Administration of HIPAA, on the CalOHI website at: CalOHI -
               Privacy - General Privacy.




                                        56
                                                                Policy Memorandum 2003-34
                                                                                 Exhibit 1


                                    DECISION POINTS




                     COMPLETED




                                 COMPLETED
                      PERCENT
IIMPACTS



           STARTED
  ISSUE



             DATE




                                   DATE
                                                             ITEM DESCRIPTION



                                             Military and Veterans’ Activities
                                             National Security and Intelligence Activities
                                             Protective Services for the President
                                             Medical Suitability
                                             Corrections and Lawful Custody
                                             Government Programs




                                              57
                                                                  Policy Memorandum 2003-34
                                                                                   Exhibit 1



                                 MAJOR CONSIDERATIONS



                     COMPLETED




                                   COMPLETED
                      PERCENT
IIMPACTS



           STARTED
  ISSUE



             DATE




                                     DATE
                                                              ITEM DESCRIPTION



                                               Military and Veterans Activities and the IPA
                                               Military and Veterans’ Activities and the CMIA
                                               Other Military and Veterans State Laws
                                               National Security and Intelligence Activities and
                                               the IPA
                                               National Security and Intelligence Activities and
                                               the CMIA
                                               Protective Services for the President and the
                                               IPA
                                               Protective Services for the President and the
                                               CMIA
                                               Medical Suitability and the IPA
                                               Medical Suitability and the CMIA
                                               Correctional Institutions and the IPA
                                               Correctional Institutions and the CMIA
                                               State Correctional Laws
                                               Government Programs and the IPA
                                               Government Programs and the CMIA




                                                58

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:10
posted:8/1/2012
language:English
pages:58