A) GENERAL RULES
The Department of Elder Affairs (DOEA), a Covered Entity, will not use or disclose Protected Health Information (PHI), except as permitted or required by HIPAA privacy regulation subpart E of Part 164 or subpart C of Part 160 and applicable state privacy laws.
Protected Health Information (abbreviated as “PHI”) is individually identifiable health information about:
- A person’s physical or mental health or condition;
- The provision of health care to a person; or
- The payment for the provision of health care to a person; and the information that identifies the person, or can reasonably be used to identify the person.
Examples of Identifiers
Identifying data (a/k/a “an identifier”) is data that could reasonably be used to identify the person. Please note that identifiers include data that directly identifies the individual, as well as any relatives, employers, or household members.
The following are examples of identifiers:
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes;
- All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, and date of death (the birth year of individuals age 90 and over is also an identifier);
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including fingerprints and voiceprints;
- Full face photographic images and any comparable images; and
- Any other unique identifying number, characteristic or code.
PHI Can Be in Any Form of Communication or Media
PHI includes written, electronic, and oral communications.
Past, Present and Future
PHI relates to an individual’s past, present or future health condition, health care, or the payment for health care.
Exclusions: 20 U.S.C. §1232g
Some types of health information are excluded from being considered PHI even if they can be used to identify the individual. The exclusions are:
- Education records covered by the Family Educational Rights and Privacy Act;
- Student health records (age 18 or over) maintained by a health care provider who is treating the student; and
- Employment records held by a Covered Entity in its role as employer.
Apart from the requirements of HIPAA, federal Medicaid regulations restrict the use and disclosure of information concerning Medicaid program applicants and beneficiaries to purposes directly connected with the administration of the Medicaid State Plan. These purposes include:
- Establishing eligibility;
- Determining the amount of medical assistance;
- Providing services to recipients; and,
- Conducting or assisting an investigation, prosecution, or civil or criminal proceeding relating to the administration of the Medicaid State Plan.
Information about Medicaid applicants and recipients that must be safeguarded from improper use and disclosure includes:
- Names and addresses;
- Medical services provided;
- Social and economic conditions or circumstances;
- DOEA evaluation of personal information;
- Medical data, including diagnosis and past history of disease or disability;
- Any information received for verifying income eligibility and amount of medical assistance payments; and
- Any information received in connection with the identification of legally liable third party resources.
State Law (Florida Statutes)
Older Americans Act §430.105, F.S.
Community Care for the Elderly §430.207, F.S.
Alzheimer’s Disease Initiative §430.504, F.S.
Home Care for the Elderly §430.608, F.S.
PROCEDURE FOR APPROPRIATE USE OF PHI
Employees using or disclosing Medicaid beneficiary information are required to follow the requirements of both HIPAA and Medicaid law. Regardless of HIPAA, information about Medicaid recipients may only be disclosed for purposes directly connected with administering the Medicaid State Plan.
An employee, grantee or Business Associate may disclose PHI as described in their role in the normal course of performing their job. Employees, grantees or Business Associates may use and disclose PHI to any Business Associate or agency that has an agreement with the Department of Elder Affairs to protect health information. These would include, but not be limited to, the Florida Agency for Health Care Administration, Florida Department of Health, Florida Department of Children & Families, Area Agencies on Aging, United States Department of Agriculture, Centers for Medicare & Medicaid Services (CMS), formerly called the Health Care Financing Administration (HCFA), and any vendors with whom the Department maintains a Business Associate agreement.
45 CFR § 164.502(a)
45 CFR § 164.501
45 CFR § 164.160.102
45 CFR § 164.514 (2)
20 U.S.C. § 1232g
20 U.S.C. § 1232g (a)(4)(B)(iv)
42 U.S.C. § 305
B) OTHER REQUIREMENTS
This policy applies to all DOEA employees, agents and Business Associates that perform duties in conjunction with the access, distribution, dissemination, modification, and management of Protected Health Information (PHI).
It is DOEA’s policy to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule by establishing standards relating to uses and disclosures, and the de-identification of PHI.
DOEA has established standards relating to uses and disclosures and de-identification of PHI it creates, collects and maintains.
A checklist has been developed containing all of the PHI identifiers in the Privacy Rule to use when de-identifying data.
- Protected Health Information (PHI) is all individually identifiable health information (IIHI) transmitted or maintained by a Covered Entity; PHI excludes IIHI in education records.
- Individually Identifiable Health Information (IIHI) contains some or all of the following elements:
- All address information regardless of form
- E-Mail Addresses
- Dates (except year)
- Social Security Number
- Medical Record Numbers
- Health Plan Beneficiary Numbers
- Account Numbers
- Certificate Numbers
- License Numbers
- Device Identifiers
- IP Addresses
- Facial Photographs
- Biometric Identifiers, including fingerprints and voiceprints
- The initial three digits of the zip code may be retained only if the geographic unit formed by combining all zip codes with those initial three digits contains more than 20,000 people; the initial three digits of all geographic units with fewer than 20,000 people are changed to 000.
- Any other unique identifying number, characteristic, or code.
The Covered Entity must also have no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual.
PHI will be de-identified for DOEA use or disclosure. Acceptable methods are redacting paper records, deleting electronic fields, or locking portions of files or databases from viewing.
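To show how the de-identification checklist above is applied to a record, the following is an added Python example, not DOEA's own procedure or tooling. The record field names, the 3-digit zip population figures and the sample record are constructed assumptions, and the case of a 3-digit area with exactly 20,000 people (which the checklist does not state) is treated conservatively as not retainable.

```python
import re
from datetime import date

# Constructed 3-digit ZIP population figures (illustrative, not Census data).
ZIP3_POPULATION = {"323": 350_000, "325": 12_000}
# Assumed field names for the checklist identifiers (hypothetical record schema).
DIRECT_IDENTIFIERS = {"name", "street", "city", "county", "phone", "fax", "email", "ssn",
                      "mrn", "beneficiary_id", "account", "certificate_no", "license_no",
                      "plate", "device_serial", "url", "ip", "photo", "biometric"}
EVENT_DATES = {"admitted", "discharged", "date_of_death"}
# Identifier patterns that may survive inside free-text fields such as notes.
RESIDUAL = {"ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
            "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
            "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")}
def zip3(zip_code: str) -> str:
    # Keep the 3-digit prefix only if its combined area has more than 20,000 people
    # (exactly 20,000 is treated as not retainable: a conservative assumption).
    prefix = zip_code[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"
def deidentify(record: dict, today_iso: str) -> tuple:
    """Return (de-identified record, names of fields deleted)."""
    today = date.fromisoformat(today_iso)
    out, dropped = {}, []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            dropped.append(key)                   # delete the electronic field
        elif key == "zip":
            out["zip3"] = zip3(value)             # geographic generalisation
        elif key == "dob":
            born = date.fromisoformat(value)
            age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
            if age >= 90:                         # age 90+ is itself an identifier
                out["age"] = "90+"
                dropped.append("dob")
            else:
                out["birth_year"] = born.year     # the year alone is permitted
        elif key in EVENT_DATES:
            out[key + "_year"] = date.fromisoformat(value).year
        else:
            out[key] = value                      # clinical content stays
    return out, dropped
def residual_identifiers(record: dict) -> list:
    """Checklist pass over what remains: flag identifier patterns still in text."""
    return [f"{k}:{name}" for k, v in record.items() if isinstance(v, str)
            for name, rx in RESIDUAL.items() if rx.search(v)]
SAMPLE = {"name": "Jane Doe", "ssn": "123-45-6789", "zip": "32399", "dob": "1931-05-02",
          "admitted": "2023-11-14", "diagnosis": "Alzheimer's disease",
          "notes": "Daughter can be reached at 850-555-0100."}  # constructed record
```

The residual check matters because field-level deletion leaves free-text notes untouched; in the sample the notes still carry a telephone number and would fail the checklist.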
Violations must be reported to the DOEA Privacy Officer, Office of the General Counsel.
Prior to any disclosure of PHI, DOEA employees must:
- Verify the identity of a person requesting PHI, and the authority of the person to have access to the PHI (if the identity of the person is not known to the employee); and
- Obtain any documentation, statements, or representations (whether oral or written) from the person requesting the PHI, when required as a condition of the disclosure.
Employees must follow the verification procedures of their individual work unit, which must, at minimum, comply with the above requirements of law.
Requests from legislators about a constituent’s PHI must be forwarded to the HIPAA Administrator.
Requests from public officials (law enforcement, etc.) concerning PHI should be forwarded to the Privacy Officer, Office of the General Counsel.
If an employee is uncertain whether a person has the authority to request PHI, or whether the person’s identity is adequately verified, the employee should consult with his or her supervisor, the Privacy Officer, Office of the General Counsel, or the HIPAA Administrator.
45 CFR § 164.514
C) DISCLOSURES FOR WHICH AN AUTHORIZATION IS REQUIRED
DOEA, as a Covered Entity, will obtain authorization to use or disclose Protected Health Information (PHI) for purposes other than treatment, payment or health care operations.
Authorizations For Uses And Disclosures
General Rule
Except as otherwise permitted or required by HIPAA, DOEA, as a Covered Entity, may not use or disclose Protected Health Information (PHI) without a valid authorization.
When DOEA obtains or receives a valid authorization for its use or disclosure of Protected Health Information (PHI), such use or disclosure must be consistent with such authorization.
Psychotherapy Notes
DOEA must obtain an authorization for any use or disclosure of psychotherapy notes, except for:
- Use by the originator of the psychotherapy notes for treatment;
- Use or disclosure by DOEA to defend itself in a legal action or other proceeding brought by the individual;
- Use or disclosure by the Secretary of HHS in the course of an investigation or compliance review of DOEA;
- Use or disclosure required by law; or
- Use or disclosure to a health oversight agency for oversight activities.
DOEA, as a Covered Entity, must obtain an authorization for any use or disclosure of Protected Health Information (PHI) for marketing, except if the communication is in the form of:
- A face-to-face communication made by a Covered Entity to an individual; or
- A promotional gift of nominal value provided by the Covered Entity. If the marketing involves direct or indirect remuneration to the Covered Entity from a third party, the authorization must state that such remuneration is involved.
Employees shall obtain an authorization from the individual for any use or disclosure of psychotherapy notes for reasons other than listed above. If an employee is uncertain whether a particular use or disclosure of psychotherapy notes is permitted under a certain situation, the employee should consult with his or her supervisor or the Privacy Officer, General Counsel, or HIPAA Administrator prior to use or disclosure.
Implementation Specifications: General Requirements
(1) Valid authorizations
A valid authorization must be written in plain language, and include:
- A description of the PHI to be used or disclosed in a specific and meaningful fashion;
- The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure;
- The name or other specific identification of the person(s), or class of persons, to whom DOEA may make the requested use or disclosure;
- A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose;
- An expiration date or an expiration event that relates to the individual or the purpose of the disclosure. The statement, “end of the research study,” “none,” or similar language is sufficient if the authorization is for the use or disclosure of PHI for research;
- The signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must be provided.
- A statement of the individual’s right to revoke the authorization in writing, the exceptions to the right to revoke, and a description of how the individual may revoke the authorization;
- A statement of the ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization; and
- A statement of the potential for the information disclosed pursuant to the authorization to be subject to re-disclosure by the recipient and no longer protected by the Privacy Rule. An official DOEA Authorization form is available for use by employees.
(2) Defective authorizations
An authorization is not valid if the document submitted has any of the following defects:
- The expiration date has passed or the expiration is known by DOEA to have occurred;
- The authorization has not been filled out completely with respect to any material elements;
- The authorization is known by DOEA to have been revoked;
- The authorization is a compound authorization or a conditional authorization (except as set forth below); or,
- Any of the material information in the authorization is known by DOEA to be false.
If an invalid form is received, a DOEA approved form is to be provided by the requestor.
(3) Compound authorizations
An authorization for use or disclosure of PHI may not be combined with any other document, except:
- An authorization for the use or disclosure of PHI for a research study may be combined with any other type of written permission for the same research study;
- An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for a use or disclosure of psychotherapy notes; and,
- An authorization may be combined with another authorization, except when DOEA has conditioned the provision of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of one of the authorizations.
(4) Prohibition on conditioning of authorizations
DOEA may not condition the provision of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization by an individual, except under certain circumstances permitted by law.
(5) Revocation of authorizations
An individual may revoke an authorization at any time, provided that the revocation is in writing, except to the extent that the DOEA has taken action in reliance upon the authorization (a revocation cannot be retroactive).
DOEA must document and retain any signed authorizations in the client file for no less than six (6) years.
If DOEA seeks an authorization from an individual for a use or disclosure of PHI, DOEA must provide the individual with a copy of the signed authorization.
Authorizations should be filled out using the Authorization for Use and Disclosure of Health Information Form. See Appendix: Forms. DOEA can accept a written authorization that is not submitted on the DOEA’s authorization form, provided that the authorization complies with the above requirements of law. In general, employees should encourage the use of the authorization form. If an employee is uncertain whether an authorization is valid, the employee should consult with his or her supervisor, the HIPAA Administrator, or the Privacy Officer, General Counsel.
DOEA employees shall not use or disclose PHI unless the use or disclosure is either:
- authorized by law, or
- authorized by the individual in the written format and containing the information required above.
Each individual work unit shall document and retain signed authorizations in the case files for no less than six (6) years.
45 CFR § 164.512
D) DISCLOSURE FOR WHICH AN AUTHORIZATION OR OPPORTUNITY TO AGREE OR OBJECT IS NOT REQUIRED
DOEA, a Covered Entity, may use or disclose Protected Health Information (PHI) without the written consent or authorization of the individual in the following circumstances:
- Uses and disclosures required by law
- Uses and disclosures for public health activities
- Disclosures about victims of abuse, neglect, or domestic violence
- Uses and disclosures for health oversight activities including the Long Term Care (LTC) Ombudsman
- Disclosures for judicial and administrative proceedings
- Disclosures for law enforcement purposes
- Uses and disclosures about decedents
- Uses and disclosures for cadaveric organ, eye, or tissue donation purposes
- Uses and disclosures for research purposes, with an approved agreement
- Uses and disclosures to avert a serious threat to health or safety
- Uses and disclosures for specialized government functions, including monitoring
- Disclosures for workers’ compensation
The regulations provide methods by which these uses and disclosures may be conducted. These uses and disclosures are limited and are outlined in detail in the regulations. The regulations give consideration to entities acting in good faith to protect the privacy rights of individuals when disclosing PHI for these purposes.
45 CFR § 164.512
E) DISCLOSURE REQUIRING AN OPPORTUNITY FOR THE INDIVIDUAL TO AGREE OR TO OBJECT
PHI may be disclosed by DOEA without consent or authorization when it is used for facility directories or to update family members and other persons involved in the individual's care.
Individuals must be informed in advance of the use or disclosure and must be given the opportunity to prohibit or restrict certain disclosures of PHI.
45 CFR § 164.510