|Current Status: Active PolicyStat ID: 1440738|
Authorization for Release of Information (ROI) Forms, 23-110
State laws and regulations on confidentiality of mental health, developmental disabilities, and addictive disease information, as well as other health information, govern the Department of Behavioral Health and Developmental Disabilities (DBHDD) and its facilities, as defined herein. DBHDD is also a "covered entity" as defined in, and as governed by, the Health Insurance Portability and Accountability Act of 1996 and its regulations (HIPAA).
This policy is therefore applicable to any facility or program that is a part of DBHDD, including the state office, regional offices, state operated DBHDD hospitals and any state operated community programs. All employees, agents, trainees, volunteers and contractors of DBHDD shall abide by federal and state laws and regulations regarding confidentiality, relevant DBHDD policies and procedures, and all federal laws regarding the disclosure and use of confidential and protected health information. DBHDD providers, as defined herein, who are under contract or have a letter of agreement with DBHDD through DBHDD and its Regional Offices have an independent duty to follow state confidentiality laws; if they are also covered entities under HIPAA, they have an independent duty to follow HIPAA and its regulations. If they also conduct business functions on behalf of DBHDD, they are also business associates of DBHDD and must comply with applicable provisions of the HIPAA through a Business Associate Agreement with DBHDD.
Confidential medical records and other protected health information may be requested by individuals who have received services or by other parties. Protected health information about individuals may be disclosed on the basis of a valid authorization signed by an individual who has capacity to sign, or by a person authorized by law to sign for the individual. DBHDD has an official form Authorization for Release of Information that meets the requirements of the Health Insurance Portability and Accountability Act of 1996 and its accompanying regulations (HIPAA). The official form is to be utilized when DBHDD is requesting that an individual or authorized person sign an authorization for release of information. When an individual is requesting release of information of records from a DBHDD state owned or operated facility, the official form should be utilized.
When there is a regular or frequent need for Authorization for Release of Information for a certain type of transaction, such as for the DUI Intervention Program, DBHDD can create an official authorization form that is partially completed (for instance, stating the recipient of information, the purpose of the disclosure, etc.). Staff may request that such a specific-use Authorization form be created and placed in this Policy for ease of access and use.
Authorization forms that are not official DBHDD forms included in this policy must be reviewed for compliance with HIPAA; staff should contact the hospital attorney, an attorney in the DBHDD Office of Legal Services, or the DBHDD HIPAA Privacy Officer for assistance.
Authorization - Permission by an individual or a person legally authorized to consent on the individual's behalf, to the release or use of protected health information relating to the individual.
Disclosure - The release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information. Disclosure includes the affirmative verification of another person's communication of individually identifiable health information, or the communication of any information from the record of an individual who has been identified. "Release" also means disclosure, for purposes of this policy.
Individually identifiable health information - Any information, including demographic information collected from an individual, that is (1) created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual, and identifies the individual, or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual. Individually identifiable health information contains some or all of the following identifying elements:
Protected Health Information - All individually identifiable health information (e.g., name, diagnosis, medical record number, billing information, etc.) that is transmitted or maintained by a covered entity in any form or medium, including orally. See "individually identifiable health information," above. Protected health information excludes education records covered by the Family Educational Rights and Privacy Act (FERPA) and employment records held by DBHDD in its role as employer. Protected health information also excludes information regarding an individual who has been deceased for more than 50 years; however, such information remains confidential and private under state law and under federal laws protecting confidentiality of alcohol and drug abuse patient records, and may not be disclosed without authorization or a legal exception to confidentiality.
Provider - Organizations or persons approved to serve individuals with mental illness, developmental disabilities and/or addictive diseases, wherein those services are financially supported in whole or in part by funds authorized through DBHDD. Providers typically have a contract or letter of agreement with DBHDD. (NOTE: For purposes of this policy, the term "provider" means only those entities which have contracts, letters of agreement or other legal or funding arrangements with DBHDD. See the separate and more general definition for "health care provider" as that term is used in this policy.)
Records - Any information, whether recorded or not, received or acquired in connection with an individual's treatment or services. "Records" includes administrative and other documentation (such as incident reports) that relates to and identifies an individual, regardless of whether it is part of the individual's clinical record.
Release - See definition of "disclosure."
42 United States Code Annotated, 290dd-2
42 C.F.R. Part 2
45 C.F.R. § 164.508.
Official Code of Georgia Annotated §§ 37-3-166 (Mental Illness); Chapter 4 of Title 37; 37-4-125 (Developmental disability); Chapter 7 of Title 37; 37-7-166 (Substance Abuse)
Rules and Regulations of the Department of Human Resources, Chapter 290-4-6, "Patients' Rights"; and Chapter 290-4-9, "Clients' Rights."