The Department of Elder Affairs (DOEA), having been determined to be a covered entity by virtue of its case management activity and its joint administration of the Medicaid program, will comply with the responsibilities of covered entities as set forth by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
PROCEDURE
DOEA will:
(a) Provide records and compliance reports.
(b) Cooperate with complaint investigations and compliance reviews.
(c) Permit access to information:
- Permit access by the Secretary of Health & Human Services (HHS) during normal business hours to its facility’s books, records, accounts and other sources of information, including Protected Health Information (PHI), that are pertinent to ascertaining HIPAA compliance.
- If any information required is in the exclusive possession of another agency, institution, or person and the Covered Entity is refused that information, the covered entity must so certify and set forth what efforts it has made to obtain the information.
- Protected Health Information (PHI) obtained by the Secretary in connection with an investigation or compliance review will not be disclosed by the Secretary, except if necessary for ascertaining or enforcing compliance with the applicable requirements of Part 160 or subpart E of part 164 of the HIPAA Privacy Regulation.
All documentation of compliance with HIPAA Privacy standards will be maintained for six (6) years.
Reference:
45 CFR §160.310