CFOP 60-17

STATE OF FLORIDA
DEPARTMENT OF CHILDREN AND FAMILIES
TALLAHASSEE, August 1, 2003

CF OPERATING PROCEDURE NO. 60-17

Chapter 3

HIPAA PRIVACY MONITORING REQUIREMENTS

CONTENTS

3-1. Purpose ... 3-1
3-2. Scope ... 3-1
3-3. References ... 3-1
3-4. Definition of Terms ... 3-1
3-5. General ... 3-2
3-6. Policy ... 3-2
3-7. Monitoring Process ... 3-3

This operating procedure supersedes CFOP 60-17, Chapter 3, dated February 1, 2003.

OPR: OSHRC
DISTRIBUTION: A
Chapter 3

HIPAA PRIVACY MONITORING REQUIREMENTS

3-1. Purpose. This operating procedure establishes a uniform process for monitoring activities and reviewing the compliance of Department programs to ensure the privacy of individually identifiable health information as required by the Health Insurance Portability and Accountability Act (HIPAA).

3-2. Scope. This operating procedure applies to all employees of the Department of Children and Families who are responsible for monitoring the Department's compliance with the Privacy Rule.

3-3. References.

a. Health Insurance Portability and Accountability Act of 1996 (HIPAA).

b. Title 45 C.F.R., Subparts 160, 162 and 164, Security and Privacy of Individually Identifiable Health Information.

3-4. Definition of Terms.

a. Business Associate (BA). The person or entity who, on behalf of the Department and other than in the capacity of an employee, performs or assists in the performance of a function or activity that involves the use or disclosure of PHI; or who provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services.

b. Health Information. Any information, whether oral or recorded in any form or medium, that:

   (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

   (2) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual, including prescriptions.

c. Protected Health Information (PHI). Individually identifiable information relating to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for health care provided to an individual.

d. Treatment, Payment and Health Care Operations (TPO). Includes all of the following:

   (1) Treatment means the provision, coordination, or management of health care and related services, consultation between providers relating to an individual, or referral of an individual to another provider for health care.

   (2) Payment means activities undertaken by a provider or health plan to obtain or provide reimbursement for health care, including determinations of eligibility or coverage, billing, collections activities, medical necessity determinations, and utilization review.

   (3) Health Care Operations includes functions such as quality assessment and improvement activities, case management and care coordination, reviewing the competence or qualifications of health care professionals, conducting training programs, licensing and credentialing activities, conducting or arranging for medical review, legal services and auditing functions, business planning and development, and general business and administrative activities.
3-5. General.

a. HIPAA establishes in law the basic principle that an individual's medical records belong to that individual and, with certain exceptions, cannot be used or disclosed without the explicit permission of that individual. The Act gives individuals the right to an explanation of their privacy rights by health care providers, the right to see their medical records, to request corrections to these records, to control the release of information from their records, and the right to documented explanations of disclosures by entities who may have access to this information.

b. 45 C.F.R., Part 160.310, requires that the Department, as a covered entity, keep and provide records and compliance reports, in such time and manner and containing such information, as the Secretary of the Department of Health and Human Services (HHS) may determine to be necessary to enable the Secretary to ascertain whether the Department has complied and is complying with the requirements of the regulations, to include complaint investigations and compliance reviews.

   (1) Access shall be provided during normal business hours to the Department's facilities, books, records, accounts, and other sources of information, including PHI, that are pertinent to ascertaining compliance with the regulations. If the Secretary of HHS determines that critical circumstances exist, access shall be permitted at any time, without notice.

   (2) If any of the information required for an HHS investigation or compliance review is in the exclusive possession of another agency, a Business Associate, institution, or person that fails or refuses to furnish the information, the Department must so certify and set forth all of the efforts undertaken to obtain the required information.

3-6. Policy.

a. HIPAA requires the Department to assure the privacy and confidentiality of protected personal health information of clients and patients. Department employees and volunteers shall not permit the unauthorized disclosure of protected health information except as permitted or required by law.

b. District and Region Administrators are responsible for ensuring that programs and Business Associates have documented privacy procedures in place that:

   (1) provide adequate notice to individuals of their rights and the procedures for exercising their rights with respect to protected health information about them in accordance with CFOP 60-17, Chapters 1 and 2;

   (2) enable individuals to exercise the right of access to his or her own protected health information;

   (3) give individuals an accurate accounting of all disclosures of protected health information as long as the information is maintained by the program or provider, except for disclosures made:

      (a) to carry out TPO;

      (b) to individuals of PHI about themselves;

      (c) for the facility directory or to persons involved in the individual's care or other notification purposes;
      (d) for national security or intelligence purposes;

      (e) to correctional institutions or law enforcement officials;

      (f) prior to the compliance date for the covered entity; and

      (g) pursuant to an authorization.

   (4) enable individuals to request amendment or correction of protected health information, to determine whether the request should be granted or denied, and to disseminate amendments or corrections to its business partners and others to whom erroneous information has been disclosed, including the amendment of information in all appropriate designated record sets maintained by the covered entity and its business partners.

c. District and Region Administrators are responsible for ensuring that programs and Business Associates have administrative safeguards, physical safeguards and technical safeguards (security procedures/processes) in place that ensure the confidentiality, integrity and availability of all electronic PHI the district/region creates, receives, maintains or transmits; protect against any reasonably anticipated threats or hazards to the security or integrity of such information; and protect against any reasonably anticipated uses or disclosures of such information that are not permitted under the security rule.

3-7. Monitoring Process.

a. Compliance with the policies and processes contained in all Chapters of CFOP 60-17 will be monitored. Notice is further given by including language in each procedure as follows: "The Privacy Officer will collect and analyze information from districts and institutions during the month of April of each year, beginning in April of 2004, to determine compliance with this procedure."

b. The Privacy Officer shall begin to collect information on compliance in April of 2003.

c. District Compliance Officers shall provide the results of their monitoring activities to the Privacy Officer using a prescribed format or tool to be determined by the Privacy Officer on an annual basis beginning in April of 2004.

d. The Privacy Officer shall analyze results and provide feedback to the District or Region Compliance Officer for distribution to District and Regional Administrators.

e. The District or Region Administrator is accountable for taking any remedial action(s) required to be in compliance, and for reporting the measures that have been taken to the Privacy Officer upon receipt of the results.
BY DIRECTION OF THE SECRETARY:

WALTER R. COOK, SPHR
Human Resources Director

This revision incorporates the compliance monitoring process required by the HIPAA Privacy Act.