HIPAA Memo to OCSE March 14, 2005 Page 1 of 5

March 14, 2005

Writer’s Direct Dial (404) 656-3391
(FAX) (404) 463-1062

MEMORANDUM

TO: Angelo Bonito, Project Director II, Office of Child Support Enforcement
FROM: Mark J. Cicero, Assistant Attorney General
RE: Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Overview and Suggested Policy/Form Revisions

___________________________________________________________________

The purpose of this memorandum is to inform OCSE about the privacy requirements contained within the Health Insurance Portability and Accountability Act (“HIPAA” or “the Act”), to answer some questions about how HIPAA affects OCSE’s operations, and to suggest changes to forms and policies in order to promote compliance with the Act.

As you may be aware, OCSE itself would not meet the definition of a “covered entity” under the Act. However, other divisions of the Department of Human Resources clearly are covered entities, and DHR has declared itself to be a covered entity across the board in order to facilitate the sharing of information between its various divisions. Thus, OCSE must consider itself a covered entity and therefore must comply with the HIPAA regulations promulgated by the U.S. Department of Health and Human Services (“HHS”). Collectively, these regulations, published at 45 C.F.R. Parts 160 and 164, are referred to as “the Privacy Rule.” The Privacy Rule is enforced by the Office of Civil Rights (“OCR”) within HHS. OCR has a website (www.hhs.gov/ocr/hipaa/) devoted to HIPAA compliance issues, and it is an excellent resource for information regarding the Privacy Rule. Compliance with the Privacy Rule is imperative in order to avoid criminal or civil penalties [massive fines] that may be assessed against DHR for failure to implement these privacy requirements.
The HIPAA Privacy Rule creates national standards to protect individuals’ medical records and other personal health information. Essentially, any health-related data which is individually identifiable (i.e., tied to a particular person) is deemed to be “protected health information (PHI)” under the Privacy Rule. The Rule is intended to establish appropriate safeguards to protect the privacy of health information by setting boundaries on the use and release of health records by covered entities and their business associates.

Attorneys providing legal services for a covered entity would be considered “business associates” of DHR. Be advised that the Department of Law has entered into a business associate agreement with DHR. All Special Assistants are automatically covered by this business associate agreement. This allows DHR and its attorneys to freely share PHI between them. However, neither OCSE nor its attorneys may use or disclose PHI to a third party (including the courts) in any way that is inconsistent with the Privacy Rule. This would include the sharing of PHI with a custodial parent regarding the noncustodial parent, and vice versa.

As a social service agency, OCSE often must provide medical information to the various Superior Courts. Further, protected health information may need to be disclosed to opposing counsel and/or the NCP during the course of litigation or administrative proceedings. For example, paternity cases will almost invariably require OCSE to disclose PHI, due to the use of genetic testing. While the Privacy Rule only discusses genetic information in the context of law enforcement identification and location efforts, HHS has opined that PHI includes genetic information that otherwise meets the statutory definition – in other words, when it is individually identifiable. See 65 Fed. Reg. 86261.
Genetic information is extremely personal, and it is my understanding that genetic testing results received by the Department identify both the parents and the child by name. The information is individually identifiable and cannot be “de-identified” without destroying its probative value. Thus, I conclude that paternity test results will always be PHI.

Accordingly, a multi-faceted approach is going to be needed to ensure HIPAA compliance throughout the child support enforcement program. In a nutshell, I recommend taking the following steps:

1. All applicants for services should be given a HIPAA-compliant authorization form to sign at the time of application for services. I will discuss the particulars of what an “authorization” must include below. “FormHHA” can be altered to suit these purposes. See below.

2. The authorization form must include authorization for the child or children involved. Again, this is discussed in more detail below.

3. A “standing order” has been prepared for use by all of the juvenile courts throughout the state for all cases involving DFACS. I am drafting a similar standing order for use by the Superior Courts in OCSE actions. Why? Because the Privacy Rule provides an exception for disclosure of PHI when disclosure is required by “a court order.” See 45 C.F.R. § 164.512(e)(1)(i).

4. All SAAGs and ADAs should consider seeking a qualified protective order routinely, particularly in paternity cases. This would meet the lawyer’s duty to limit disclosures of PHI to the minimum necessary by ensuring that all parties, counsel of record, and court personnel are prohibited from further disseminating the PHI disclosed during the proceedings. Once the process for completing the objectives related to the authorization and standing order is complete, I will work on drafting a template protective order.
Once the authorization form has been created and implemented at the application stage and the standing orders have been entered by the relevant courts, all potential disclosures by OCSE should be covered by either mechanism (or both). The proposed standing order is currently being drafted; I will issue it to OCSE’s central office no later than March 25, 2005.

It should be noted, with regard to OCSE obtaining protected health information from third parties who may be covered entities, that HHS has stated that an employee of a IV-D agency, including a contract employee, who is empowered by state or federal law to enforce a medical child support order, meets the definition of a law enforcement official. See 45 C.F.R. § 164.512(f)(1). Thus, covered entities may disclose PHI to any OCSE employee if the request for information is accompanied by written assurances by OCSE that: (1) the information sought is material and relevant to a legitimate law enforcement inquiry; (2) the request is specific and limited in scope; and (3) de-identified information cannot reasonably be used. See 45 C.F.R. § 164.512(f)(1)(ii)(C).

Note also that, subject to certain conditions, the Privacy Rule permits uses and disclosures of PHI for litigation, whether for judicial or administrative proceedings, as set forth at 45 C.F.R. § 164.512(e). Where a covered entity is a party to a legal proceeding, the covered entity may use or disclose PHI for purposes of the litigation as part of its operations. The covered entity must, however, make reasonable efforts to limit such uses and disclosures to the minimum necessary to accomplish the intended purpose. See 45 C.F.R. §§ 164.502(b), 164.514(d). An “authorization” as defined in the Privacy Rule is required for uses and disclosures of PHI not specifically permitted by the rule.
An authorization is a detailed document that gives covered entities permission to use PHI for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose PHI to a third party specified by the individual. An authorization must specify a number of elements, including a description of the PHI to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date (or event), and, in some cases, the purpose for which the information may be used or disclosed. See 45 C.F.R. § 164.508. One authorization form may be utilized to authorize uses and disclosures by classes or categories of persons or entities, without naming the particular persons or entities. See 45 C.F.R. § 164.508(c)(1)(ii). Similarly, the rule permits the identification of classes of persons to whom the covered entity is authorized to make a disclosure. See 45 C.F.R. § 164.508(c)(1)(iii).

As mentioned above, OCSE already has a form which may serve as the basis for an “authorization” meeting the requirements of the rule, with some fairly extensive modification. The form I refer to is entitled “Authorization for Disclosure of Protected Health Information” and is apparently called “FormHHA.doc” in OCSE’s computer system. In order to effectively cover all potential uses and disclosures of PHI by OCSE (and its business associates), the form must be broadened significantly – most importantly, to cover both the CP and the child or children involved in the case. I have endeavored to make the form broad enough to also cover NCPs (they would have to sign a separate authorization). Note that for most purposes under the Privacy Rule, a parent is considered to be a minor child’s “personal representative” and thus may authorize the use and disclosure of a child’s PHI. See 45 C.F.R. § 164.502(g).
Following is a list of suggested revisions to FormHHA.doc, which is attached hereto for ease of reference. Please note that these are only preliminary suggestions and that a face-to-face meeting to more thoroughly discuss potential revisions would be helpful.

Introduction paragraph: Add a new sentence between current sentences two and three: “I am the personal representative of minor child(ren) _______________ and authorize disclosure of my child(ren)’s protected health information as set forth and described in this document.”

Numeral 1: After the word “information” strike the remainder of the paragraph and replace with: “All employees of OCSE and its legal counsel (attorneys).”

Numeral 2: After the entry for “organization” add “the judge and any employees or officers of the court having jurisdiction over my case.” OCSE may want to consider adding language which provides that disclosure may be made to opposing parties and their legal counsel as ordered by the court.

Numeral 3: After the word “disclosure” in the first line, strike the remainder of the sentence and add “any information deemed necessary by the attorney representing OCSE to establish: a full or partial disability preventing or limiting my employment; that I am a biological parent of the child or children for whom support enforcement services have been requested; the results of genetic paternity testing of either myself or my child(ren); and, the existence of special medical needs of my child(ren) demonstrating a need for additional medical support or specialized health or education services.
Disclosure is also authorized as required to respond to an order of a court having jurisdiction over a child support enforcement action brought on my child(ren)’s behalf.”

Numeral 4: Strike in its entirety and replace with: “For evaluation by OCSE and the court in determining biological parentage of the child(ren), my ability to work and pay child support, and in determining the appropriate amount of financial support required for my child(ren).”

Numeral 5: Add a new sentence at the end of this paragraph reading: “However, should OCSE determine that my revocation of authorization prevents OCSE and/or the court from acting upon my request for enforcement services, I understand that OCSE may administratively close my case and dismiss any pending civil action.”

Numeral 6: Strike in its entirety and replace with: “This authorization expires upon the closure of my child support case, designated as case number ________.”

I hope that this discussion of HIPAA and its impact upon OCSE has proven helpful. This is a very complex subject, and this memorandum is not intended to discuss in detail every possible application of the Act. I strongly recommend that all proposed HIPAA-related policy changes be submitted to Marion Cornett for review and approval, because he is the Department’s designated HIPAA Privacy Officer.

MJC

Attachment: FormHHA.doc