					HIPAA Memo to OCSE
March 14, 2005
Page 1 of 5

March 14, 2005

                                                                   Writer’s Direct Dial
                                                                     (404) 656-3391
                                                                  (FAX) (404) 463-1062


TO:            Angelo Bonito
               Project Director II, Office of Child Support Enforcement

FROM:          Mark J. Cicero
               Assistant Attorney General

RE:            Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
               Overview and Suggested Policy/Form Revisions


The purpose of this memorandum is to inform OCSE about the privacy requirements
contained within the Health Insurance Portability and Accountability Act (“HIPAA” or
“the Act”), to answer some questions about how HIPAA affects OCSE’s operations, and
to suggest changes to forms and policies in order to promote compliance with the Act.

As you may be aware, OCSE itself would not meet the definition of a “covered entity”
under the Act. However, other divisions of the Department of Human Resources clearly
are covered entities, and DHR has declared itself to be a covered entity across the board
in order to facilitate the sharing of information between its various divisions. Thus,
OCSE must consider itself a covered entity and therefore must comply with the HIPAA
regulations promulgated by the U.S. Department of Health and Human Services

Collectively, these regulations, published at 45 C.F.R. Parts 160 and 164 are referred to
as “the Privacy Rule.” The Privacy Rule is enforced by the Office of Civil Rights
(“OCR”) within HHS. OCR has a website devoted to HIPAA
compliance issues, and is an excellent resource for information regarding the Privacy
Rule. Compliance with the Privacy Rule is imperative in order to avoid criminal or civil
penalties [massive fines] that may be assessed against DHR for failure to implement
these privacy requirements.

The HIPAA Privacy Rule creates national standards to protect individuals’ medical
records and other personal health information. Essentially, any health-related data which
is individually-identifiable (i.e., tied to a particular person) is deemed to be “protected
health information (PHI)” under the Privacy Rule. The Rule is intended to establish
appropriate safeguards to protect the privacy of health information by setting boundaries
on the use and release of health records by covered entities and their business associates.
Attorneys providing legal services for a covered entity would be considered “business
associates” of DHR. Be advised the Department of Law has entered into a business
associate agreement with DHR. All Special Assistants are automatically covered by this
business associate agreement. This allows DHR and its attorneys to freely share PHI
between them. However, neither OCSE nor its attorneys may use or disclose PHI to a
third party (including the courts) in any way that is inconsistent with the Privacy Rule.
This would include the sharing of PHI with a custodial parent regarding the noncustodial
parent, and vice versa.

As a social service agency, OCSE often must provide medical information to the various
Superior Courts. Further, protected health information may need to be disclosed to
opposing counsel and/or the NCP during the course of litigation or administrative
proceedings. For example, paternity cases will almost invariably require OCSE to
disclose PHI, due to the use of genetic testing. While the Privacy Rule only discusses
genetic information in the context of law enforcement identification and location efforts,
HHS has opined that PHI includes genetic information that otherwise meets the statutory
definition – in other words, when it is individually identifiable. See 65 Fed. Reg. 86261.
Genetic information is extremely personal, and it is my understanding that genetic testing
results received by the Department identify both the parents and the child by name. The
information is individually identifiable and cannot be “de-identified” without destroying
its probative value. Thus, I conclude that paternity test results will always be PHI.

Thus, a multi-faceted approach is going to be needed to ensure HIPAA compliance
throughout the child support enforcement program. In a nutshell, I recommend taking the
following steps:

    1. All applicants for services should be given a HIPAA-compliant authorization
       form to sign at the time of application for services. I will discuss the particulars
       of what an “authorization” must include below. “FormHHA” can be altered to
       suit these purposes. See below.

    2. The authorization form must include authorization for the child or children
       involved. Again, this is discussed in more detail below.

    3. A “standing order” has been prepared for use by all of the juvenile courts
       throughout the state for all cases involving DFACS. I am drafting a similar
       standing order for use by the Superior Courts in OCSE actions. Why? Because
       the privacy rule provides an exception for disclosure of PHI when disclosure is
       required by “a court order.” See 45 C.F.R. § 164.512(e)(1)(i).

    4. All SAAGs and ADAs should consider seeking a qualified protective order
       routinely, particularly in paternity cases. This would meet the lawyer’s duty to
       limit disclosures of PHI to the minimum necessary by ensuring that all parties,
       counsel of record, and court personnel are prohibited from further disseminating
       the PHI disclosed during the proceedings. Once the process for completing the
       objectives related to authorization and standing order is complete, I will work on
       drafting a template protective order.

Once the authorization form has been created and implemented at the application stage
and the standing orders have been entered by the relevant courts, all potential disclosures
by OCSE should be covered by either mechanism (or both). The proposed standing
order is currently being drafted; I will issue it to OCSE’s central office no later than
March 25, 2005.

It should be noted with regard to OCSE obtaining protected health information from third
parties who may be covered entities, HHS has stated that an employee of a IV-D agency,
including a contract employee, who is empowered by state or federal law to enforce a
medical child support order, meets the definition of a law enforcement official. See 45
C.F.R. § 164.512(f)(1). Thus, covered entities may disclose PHI to any OCSE employee
if the request for information is accompanied by written assurances by OCSE that: (1) the
information sought is material and relevant to a legitimate law enforcement inquiry; (2)
the request is specific and limited in scope; and (3) de-identified information cannot
reasonably be used. See 45 C.F.R. § 164.512(f)(1)(ii)(C).

Note also that, subject to certain conditions, the Privacy Rule permits uses and
disclosures of PHI for litigation, whether for judicial or administrative proceedings, as set
forth at 45 C.F.R. § 164.512(e). Where a covered entity is a party to a legal proceeding,
the covered entity may use or disclose PHI for purposes of the litigation as part of its
operations. The covered entity must, however, make reasonable efforts to limit such uses
and disclosures to the minimum necessary to accomplish the intended purpose. See 45
C.F.R. §§ 164.502(b), 164.514(d).

An “authorization” as defined in the Privacy Rule is required for uses and disclosures of
PHI not specifically permitted by the rule. An authorization is a detailed document that
gives covered entities permission to use PHI for specified purposes, which are generally
other than treatment, payment, or health care operations, or to disclose PHI to a third
party specified by the individual. An authorization must specify a number of elements,
including a description of the PHI to be used and disclosed, the person authorized to
make the use or disclosure, the person to whom the covered entity may make the
disclosure, an expiration date (or event), and, in some cases, the purpose for which the
information may be used or disclosed. See 45 C.F.R. § 164.508. One authorization form
may be utilized to authorize uses and disclosures by classes or categories of persons or
entities, without naming the particular persons or entities. See 45 C.F.R. § 164.508
(c)(1)(ii). Similarly, the rule permits the identification of classes of persons to whom the
covered entity is authorized to make a disclosure. See 45 C.F.R. § 164.508(c)(1)(iii).

As mentioned above, OCSE already has a form which may serve as the basis for an
“authorization” meeting the requirements of the rule, with some fairly extensive
modification. The form I refer to is entitled “Authorization for Disclosure of Protected
Health Information” and is apparently called “FormHHA.doc” in OCSE’s computer
system. In order to effectively cover all potential uses and disclosures of PHI by OCSE
(and its business associates), the form must be broadened significantly – most
importantly, to cover both the CP and the child or children involved in the case. I have
endeavored to make the form broad enough to also cover NCPs (they would have to sign
a separate authorization). Note that for most purposes under the Privacy Rule, a parent is
considered to be a minor child’s “personal representative” and thus may authorize the use
and disclosure of a child’s PHI. See 45 C.F.R. § 164.502(g).

Following is a list of suggested revisions to FormHHA.doc, which is attached hereto for
ease of reference. Please note that these are only preliminary suggestions and that a face-
to-face meeting to more thoroughly discuss potential revisions would be helpful.

      In the introduction paragraph, add a new sentence between current sentences two
       and three: “I am the personal representative of minor child(ren)
       _______________ and authorize disclosure of my child(ren)’s protected health
       information as set forth and described in this document.”

      Numeral 1: after the word “information” strike the remainder of the paragraph and
       replace with: “All employees of OCSE and its legal counsel (attorneys).”

      Numeral 2: After the entry for “organization” add “the judge and any employees
       or officers of the court having jurisdiction over my case.” OCSE may want to
       consider adding language which provides that disclosure may be made to
       opposing parties and their legal counsel as ordered by the court.

      Numeral 3: After the word “disclosure” in the first line, strike the remainder of
       sentence and add “any information deemed necessary by the attorney representing
       OCSE to establish: a full or partial disability preventing or limiting my
       employment; that I am a biological parent of the child or children for whom
       support enforcement services have been requested; the results of genetic paternity
       testing of either myself or my child(ren); and, the existence of special medical
       needs of my child(ren) demonstrating a need for additional medical support or
       specialized health or education services. Disclosure is also authorized as required
       to respond to an order of a court having jurisdiction over a child support
       enforcement action brought on my child(ren)’s behalf.”

      Numeral 4: Strike in its entirety and replace with: “For evaluation by OCSE and
       the court in determining biological parentage of the child(ren), my ability to work
       and pay child support, and in determining the appropriate amount of financial
       support required for my child(ren).”

      Numeral 5: Add a new sentence at the end of this paragraph reading “However,
       should OCSE determine that my revocation of authorization prevents OCSE
       and/or the court from acting upon my request for enforcement services, I
       understand that OCSE may administratively close my case and dismiss any
       pending civil action.”

      Numeral 6: Strike in its entirety and replace with: “This authorization expires
       upon the closure of my child support case, designated as case number ________.”

I hope that this discussion of HIPAA and its impact upon OCSE has proven helpful. This
is a very complex subject, and this memorandum is not intended to discuss in detail every
possible application of the Act. I strongly recommend that all proposed HIPAA-related
policy changes be submitted to Marion Cornett for review and approval, because he is the
Department’s designated HIPAA Privacy Officer.


Attachment: FormHHA.doc.