Frequently asked questions
Access
Q. If a client wants to view or have a copy of medical records that we secured from a third party, are we permitted by HIPAA to let them view or copy those records?
A. Clients generally have the right to see information that is used to make decisions about them. There are some exceptions. If the record contains information from someone other than a health care provider (a family member for example) under the promise of confidentiality, then that information should be excluded. If the record contains information from a health care provider (a psychiatrist for example) it is not protected from disclosure, unless it is marked or stamped "do not disclose" or some similar language. Federal privacy regulations allow an exception if a health care professional determines it may be harmful to the client. In this circumstance, DHS has concluded that documentation that says not to disclose something can be interpreted as potentially dangerous to the client. The client may choose to go directly to the health care provider, who is in a better position to determine if the information is appropriate to be disclosed.
Authenticating Telephone Callers
Q. What are the most effective ways to authenticate a telephone caller who is asking for confidential information about a DHS client?
A. Please note that no guidelines for authenticating callers are foolproof. The DHS Client Advocacy Services Unit (CASU) in the Office of Medical Assistance Programs (OMAP) models their techniques after those used by banks and credit card companies.
The system requires the caller to provide a minimum set of essential elements of information that an authorized client representative would know.
- Require the caller to provide the client’s name and two of the following three pieces of information: recipient identification number; social security number; date of birth.
- Assess if the information being requested is “reasonable” for an authorized representative to ask. A request for the client’s address would be considered suspicious, as an authorized person would presumably know that.
- If the information pertains to a child, take even more precautions. Only talk with a person who provides enough information to ensure that he/she is actually an adult listed on the case.
- Ask to phone the caller back, using the phone number listed for him/her in the client’s file.
- Do not release client information if there are not enough details provided to authenticate the caller.
Faxing Forms
Q. In the past we have faxed an Authorization for Use and Disclosure of Information form (release of information) to a record holder when we need to speak to them about a client, or when we need to request HIV verification. Will we still be able to fax these release forms under HIPAA?
A. Yes. Neither HIPAA nor DHS policies require programs to have a client's "original" signature. However, a fax is a vulnerable medium. There are a couple of actions you must take when preparing the fax:
- Make a copy of the client-signed authorization form. A faxed authorization form must be signed by a staff person, authenticating that it is a true copy of the original authorization document. DO NOT SIGN THE ORIGINAL DOCUMENT.
- The Authorization form to be faxed must be accompanied by the approved DHS fax cover sheet containing the privacy/confidentiality statement. You can find the DHS 2009, DHS Fax Disclaimer form (pdf), on the DHS Web site.
Medical Records
Q. What is the legal amount allowed to be charged for the copying of medical records for patients who request to have their records?
A. House bill 2305 A-Engrossed proposes to limit the charges a health care provider or state health plan can charge clients for copying requested Protected Health Information to no more than $25 for 10 or fewer pages and no more than 25 cents for each additional page. Postal and actual costs of preparing may be included in the charge currently. DHS OAR states the department may impose a reasonable cost-based fee.
Notice of Privacy Practices
Q. There seems to still be confusion regarding the exchange of client information within DHS. What is the best practice for us to follow?
A. DHS Policy #AS-100-003 (3.b.i), cited below, gives you the direction needed regarding internal communication within DHS.
3. Exceptions where limited uses or disclosures are allowed without authorization, to the extent not prohibited or otherwise limited by federal or state requirements applicable to the program or activity.
b. Internal communication within DHS is permitted without individual authorization, in compliance with the DHS Policy AS-100-04, "Minimum Necessary Information."
i. Alcohol and drug, mental health, and vocational rehabilitation records' disclosure may be limited to particular program areas named on the authorization form. If such a limitation is noted on the authorization form, disclosure is limited to the parties named.
Re-disclosure
Q. Are there any specific restrictions in HIPAA on re-disclosing material based on who created it?
A. HIPAA is considered the floor, not the ceiling, for privacy issues. While HIPAA passively allows redisclosure to other covered entities, other state and federal laws are more restrictive when it comes to redisclosure. Alcohol and drug, mental health, vocational rehabilitation, HIV and genetics information is more strictly protected, and these regulations take precedence.
When it comes to patient access, in a scenario where DHS has documentation from another entity and it is stamped “do not redisclose,” we’ve interpreted that to mean that the individual who created the materials feels it would be harmful and that the client must go directly to the source/creator to access the material.
Restricting Access
Q. A client has requested that information about them be restricted and not disclosed to anyone within DHS. Do I have to honor this request?
A. Clients have a right to request restriction of their information. DHS does not have to honor that restriction, except for alcohol and drug treatment, and vocational rehabilitation clients. It is recommended that DHS staff do not grant restrictions except for the two special population groups identified above or in some exceptional circumstance. There is some increased liability if we agree to a restriction and do not take steps to ensure the information is not accessible to the restricted parties.
Threat to Health or Safety
Q. There are times when we need to disclose client information without authorization in a threat to health or safety situation. Are there rules or policies that support that action?
A. Yes, AND you must also know if there are other state or federal laws that apply to your area of responsibility and the records you keep.
HIPAA 45 CFR 164.512(c)(1): HIPAA does not impose a duty to warn on covered entities but it does allow them to disclose protected health information if they believe it is necessary to prevent or lessen a serious or imminent threat to the health or safety of a person.
42 CFR Part 2 (federal alcohol/drug confidentiality rule) does not contain an explicit authorization to make “duty to warn” notification, but it does state, “Therefore, if a program feels it is important to report a threat to someone’s health or safety, it must do so anonymously, or in a way that does not disclose that the person making the threat is a patient in the program or has a drug or alcohol problem, or obtain a court order if time allows.”
DHS Policy AS-100-003:
"3. Exceptions where limited uses or disclosures are allowed without authorization, to the extent not prohibited or otherwise limited by federal or state requirements applicable to the program or activity:
o. To avert a serious threat to health or safety, DHS may disclose individual information without authorization if:
i. DHS believes in good faith that the information is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and
ii. The report is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat."