FULL IMPLEMENTATION DATE - NOVEMBER 10, 2015
The Department of Behavioral Health and Development Disabilities (DBHDD) is a "covered entity" as defined in, and as governed by, the Health Insurance Portability and Accountability Act of 1996 and its regulations (HIPAA).
This policy is therefore applicable to any facility or program that is a part of DBHDD, including the state office, field offices, state operated DBHDD hospitals.
This policy and associated forms are available as resources for providers, but DBHDD makes no representation or warranty that compliance with the provisions of this policy will ensure a provider's compliance with all applicable laws and regulations. Providers should seek their own legal counsel regarding compliance with laws and regulations on the subject matter of this policy.
It is the policy of DBHDD to provide adequate notice to individuals of the uses and disclosures of protected health information (PHI) it may make, and of the individual's rights and DBHDD's duties regarding PHI, by providing a Notice of Privacy Practices to persons seeking or receiving services. DBHDD shall document its compliance with the notice requirements by retaining copies of the notices it issues. DBHDD shall not require individuals to waive their rights as provided in the Notice as a condition of treatment, payment or eligibility for benefits.
All defined terms used in this policy shall have the same meaning as defined in the Department of Behavioral Health and Developmental Disabilities' policy Confidentiality and HIPAA, 23-100.
- All individuals seeking or receiving services are entitled to written notice of the privacy practices of the Department of Behavioral Health and Developmental Disabilities (DBHDD). DBHDD will ensure that a copy of the Notice of Privacy Practices (Attachment A) is provided to individuals, parents or court-appointed custodians of minor individuals, and guardians of individuals who are seeking, applying for, or receiving services from DBHDD. A copy may also be provided to the health care agent named in an individual's advance directive if the advance directive is in effect and authorizes the health care agent to act in the individual's behalf regarding the services provided.
- The DBHDD Notice of Privacy Practices is a public document. A blank copy of the Notice of Privacy Practices may be provided to any person who requests it. In providing the blank form, DBHDD staff may not confirm or deny that any individual is applying for, is receiving, or has received services from or funded by DBHDD, but may provide the Notice as a public document.
- The Notice must be in plain language and must include:
- A header stating, "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY";
- Information regarding uses and disclosures of PHI for treatment, payment, and health care operations;
- A description of other purposes for which DBHDD can use or disclose PHI without the individual's written authorization;
- A statement informing an individual of his/her privacy rights regarding his/her PHI; .
- DBHDD's responsibilities under the Privacy Rule;
- A description of any federal or state laws or regulations that may apply in addition to, or instead of, HIPAA regulations;
- How to file complaints with the provider, DBHDD, or the Secretary of Health and Human Services;
- Name or title and phone number of the designated contact for more information on DBHDD's privacy practices; and
- Effective date of the Notice.
- All content required by HIPAA regulations.
- The Notice of Privacy Practices (Attachment A) must be used, without alteration of the substantive content, by DBHDD state-owned or state-operated facilities or programs. The facility or program may add its name and address and the contact information for the designated contact person at the facility or program who can provide information on privacy practices.
- Individuals must be given the Notice of Privacy Practices on the date of first service delivery, including services delivered electronically, or in an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation.
- If the first service to an individual is delivered electronically, DBHDD must provide electronic notice automatically and contemporaneously in response to the individual's first request for service.
- The Notice of Privacy Practices may be provided to an individual by e-mail, if the individual agrees to receive it by e-mail and that agreement has not been withdrawn. If DBHDD knows that the e-mail transmission has failed, it must provide a paper copy of the notice to the individual. Provision of the notice by e-mail will satisfy the requirement of this policy to provide the Notice of Privacy Practices to the individual, when the e-mail is timely provided.
- The individual who is the recipient of electronic notice retains the right to obtain a paper copy of the notice upon request.
- DBHDD must make good faith efforts to obtain a written acknowledgment of receipt of the Notice of Privacy Practices, even when it is given electronically. This acknowledgment may be made by the individual, parent or court-appointed custodian (for minor individuals) or guardian of the person of an individual, or by the healthcare agent in named in the individual's advance directive, when applicable. In the event the individual, parent or court-appointed custodian, or guardian or healthcare agent (when applicable) declines to provide such an acknowledgment, the effort to obtain it and the reason why acknowledgment was not obtained, should be documented. A copy of the Notice of Privacy Practices (signed if possible) will be kept in the individual's clinical or other service record.
- Every individual, and his/her parent, court-appointed custodian, or guardian, or healthcare agent if applicable, is entitled to a copy of the Notice of Privacy Practices upon request.
- DBHDD facilities, including field offices, must ensure that the Notice of Privacy Practices is posted at all times in a prominent location where it is reasonable to expect individuals who are seeking or receiving services to be able to read the Notice. Additional copies must be available for distribution upon request.
- DBHDD will post the Notice of Privacy Practices upon its website and make the Notice available electronically through its website.
- DBHDD will promptly revise and re-distribute and post its Notice of Privacy Practices whenever there is a material change to uses and disclosures, the individual's rights, DBHDD's legal duties, or other privacy practices stated in the Notice.
- Distribution shall include DBHDD staff, field offices, state-owned or state operated facilities, and individuals. Notice must be provided to individuals within 60 days of a material revision to the Notice.
- Distribution to providers for their information about DBHDD privacy practices shall be through publication in the Provider Manual or its updates.
- DBHDD may make a change in a privacy practice described in the Notice of Privacy Practices effective for PHI existing before the effective date of the Notice, if DBHDD has included in the Notice a statement reserving its right to make such a change in its privacy practices.
- DBHDD shall not require individuals to waive their rights as provided in the Notice of Privacy Practices as a condition of treatment, payment or eligibility for benefits.
45 C.F.R §§ 164.520, 164.530
Confidentiality and HIPAA, 23-100
Reporting and Notification of Breaches of Confidentiality, 23-102
Confidentiality and HIPAA Privacy Complaints, 23-103
Sanctions Related to Confidentiality and HIPAA, 23-104
Rights of Individuals regarding their Protected Health Information, 23-105
Disclosures of Confidential and Protected Health Information, 23-106
Confidentiality and HIPAA Practices Involving Business Associates, 23-107