Current Status: Active PolicyStat ID: 2096101

Confidentiality and HIPAA, 23-100

FULL IMPLEMENTATION DATE - January 20, 2016

APPLICABILITY

State laws and regulations on confidentiality of mental health, developmental disabilities, and addictive disease information, as well as other health information, govern the Department of Behavioral Health and Developmental Disabilities (DBHDD) and its facilities, as defined herein. DBHDD is also a "covered entity" as defined in, and as governed by, the Health Insurance Portability and Accountability Act of 1996 and its regulations (HIPAA).

This policy is therefore applicable to any facility or program that is a part of DBHDD, including the state office, field offices, and state operated DBHDD hospitals. All employees, agents, trainees, volunteers and contractors of DBHDD shall abide by federal and state laws and regulations regarding confidentiality, relevant DBHDD policies and procedures, and all federal laws regarding the disclosure and use of confidential and protected health information.

DBHDD providers, as defined herein, who are under contract or have a letter of agreement with DBHDD through DBHDD and its Field Offices have an independent duty to follow state confidentiality laws; if they are also covered entities under HIPAA, they have an independent duty to follow HIPAA and its regulations. If they also conduct certain types of business functions on behalf of DBHDD, they are also business associates of DBHDD and must comply with applicable provisions of the HIPAA Privacy and Security Rules through a Business Associate Agreement with DBHDD.  Business associates must also have business associate agreements with all applicable subcontractors.

This policy and associated forms are available as resources for providers, but DBHDD makes no representation or warranty that compliance with the provisions of this policy will ensure a provider's compliance with all applicable laws and regulations. Providers should seek their own legal counsel regarding compliance with laws and regulations on the subject matter of this policy.

POLICY

The right of an individual to confidentiality and privacy of his/her health care information, including information about mental health, developmental disabilities, or addictive disease, is protected by state laws and regulations and by federal laws and regulations.  Individuals also have certain legal rights regarding their own records and information.

It is the policy of the Department of Behavioral Health and Developmental Disabilities (DBHDD) to ensure compliance with applicable state and federal laws and regulations regarding confidentiality and privacy.  These laws and regulations govern topics including but not limited to:

  • Mental health information
  • Developmental disability information
  • Addictive disease information
  • Protected health information (PHI) as defined by HIPAA
  • Rights of individuals regarding their protected health information
  • Notice of Privacy Rights
  • Disclosures of protected health information
  • Reporting of violations and breaches, and resulting sanctions
  • Complaints
  • Business Associates
  • Accounting of disclosures
  • AIDS confidential information
  • Medicare/Medicaid information
  • Open Records Act requests.

When there is a conflict between state and federal law, DBHDD shall seek legal counsel regarding the conflict.  Generally, DBHDD will follow the law which provides greater rights of the individual, or greater access by the individual to the individual's PHI, or which provides the greatest protection of confidentiality and privacy.  HIPAA does not supersede or negate more stringent federal and state laws, rules and regulations.  In the event of an apparent conflict in laws, or between the confidentiality laws regarding any specific program and the terms of this policy, the responsible employee shall seek direction from Legal Services.

Unless otherwise specifically stated, DBHDD policy and procedures regarding confidentiality do not compel or require disclosure of confidential or protected health information.  If there is an exception to the rule of confidentiality and a disclosure is allowed, such disclosure is not required unless a law, rule or regulation, or a DBHDD policy or procedure states that the disclosure is required.

DEFINITIONS

Unless a different meaning is required by the context, the terms as used in this policy and procedures and in all DBHDD policies and procedures regarding confidentiality and HIPAA shall have the following meanings:

Accounting of disclosures – A history of when and to whom disclosures of protected health information are made for purposes other than treatment, payment, and health care operations and certain other exceptions.

Advance directive for health care – A document voluntarily executed by an individual in accordance with O.C.G.A. § 31-32-5.  A living will or a durable power of attorney for health care may be an advance directive.

AIDS confidential information – Information which permits identification of an individual and discloses that the individual:

  • Has been diagnosed as having Acquired Immunodeficiency Syndrome (AIDS) or AIDS Related Complex (ARC)
  • Has been or is being treated for AIDS
  • Has been determined to be infected with any type of Human Immunodeficiency Virus (HIV) as defined in Georgia law
  • Has submitted to an HIV test
  • Has had a positive OR a negative result from an HIV test
  • Has sought and received counseling regarding AIDS, OR
  • Has been determined to be a person at risk of being infected with AIDS.

Authorization – Permission by an individual or a person legally authorized to consent on the individual's behalf, to the release or use of protected health information relating to the individual. The various types of Authorization for Release of Information (ROI) forms are available in this policy: Authorization for Release of Information (ROI) Forms, 23-110.

Breach – The acquisition, access, use or disclosure of protected health information in a manner not permitted by HIPAA or this policy which compromises the security or privacy of the protected health information.  See additional details at "Reporting and Notification of Breaches of Confidentiality, 23-102."

Business associate – A person or entity who is not a member of DBHDD's workforce and who:

  1. On behalf of DBHDD, creates, receives, maintains or transmits protected health information for a function regulated under HIPAA, including but not limited to claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; patient safety activities as defined in this policy; billing; benefit management; practice management and repricing. 
  2. Provides legal, actuarial, accounting, consulting, data aggregation, management, accreditation, or financial services to or for DBHDD, which services involve the disclosure of PHI by DBHDD or from another business associate of DBHDD, to the business associate. 
  3. A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to PHI to DBHDD and that requires access on a routine basis to such PHI. 
  4. A person that offers a personal health record to one or more individuals on behalf of DBHDD.
  5. A subcontractor that creates, receives, maintains or transmits PHI on behalf of a business associate.

Chief Medical Officer – The physician with overall responsibility for treatment or habilitation services at a facility or a physician appointed in writing as the designee of such chief medical officer.

Clinical record – A written record pertaining to an individual, including all medical records, progress notes, charts, admission and discharge data, and all other information recorded by a facility or other entities responsible for an individual's care and treatment or habilitation, and pertaining to the individual's hospitalization and treatment or habilitation. Such other information as may be required by rules and regulations of DBHDD shall also be included.  The clinical record may be maintained electronically.

Confidential – The property that data or information is private and is not made available or disclosed to persons who are not authorized to access such data or information.

Confirmed positive HIV test – The results of at least two separate types of HIV tests, both of which indicate the presence of HIV.

Court – In the case of an individual who is 17 years of age or older, the probate court for the county of residence of the individual or the county in which such individual is found, and, in the case of an individual who is under the age of 17 years, the juvenile court for the county of residence of the individual or the county in which such individual is found.

Covered entity – A health care provider, health plan, or health care clearinghouse that transmits any health information in electronic form in connection with a HIPAA transaction; DBHDD is a covered entity.

De-identified information – Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.

Department – The Georgia Department of Behavioral Health and Developmental Disabilities (DBHDD), including its duly authorized agents and designees.

Designated record set – A group of records maintained by or for DBHDD that is used, in whole or in part, by or for DBHDD to make decisions about an individual, including but not limited to the individual's clinical and billing records.

Determined to be infected with HIV – Having a confirmed positive HIV test or having been clinically diagnosed as having AIDS.

Diagnosis (with regard to alcohol or drug abuse) – Any reference to an individual's alcohol or drug abuse or to a condition which is identified as having been caused by that abuse which is made for the purpose of treatment or referral for treatment.

Direct treatment relationship – A treatment or service relationship between an individual and a health care provider that is not an indirect treatment relationship.  In an indirect treatment relationship, the health care provider delivers health care to the individual based on the order of another health care provider and the health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the individual.

Disclosure – The release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.  Disclosure includes the affirmative verification of another person's communication of individually identifiable health information, or the communication of any information from the record of an individual who has been identified.  "Release" also means disclosure, for purposes of this policy.

Facility – Any hospital, community mental health center, or other facility that is state owned or state operated and is utilized for the diagnosis, care, treatment, or hospitalization or services of individuals for mental illness, developmental disability or addictive disease.

Guardian – A person appointed by written court order to be legally responsible for the person of an adult or of a minor. The individual for whom a guardian is appointed is known as the "ward."  Whenever "individual" is used in confidentiality and HIPAA policies and procedures, a guardian is entitled to exercise the individual's rights on behalf of the individual (ward).  "Guardian" as used in this policy does not include a conservator or a guardian of property alone.

Health and Human Services (HHS) – The federal government department that has overall responsibility for implementing HIPAA.

Health care – Care, services, or supplies related to the health of an individual. Health care includes, but is not limited to, the following:

  1. Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and
  2. Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

Health care agent – A person appointed by an individual to act for and on behalf of an individual, as set forth in an advance directive for health care executed by the individual.

Health Care Operations – Any of the following activities of DBHDD: 

  1. Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; patient safety activities as defined in 42 C.F.R. section 3.20; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and individuals with information about treatment alternatives; and related functions that do not include treatment; 
  2. Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;
  3. Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; 
  4. Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating DBHDD, including formulary development and administration, development or improvement of methods of payment or coverage policies; and 
  5. Business management and general administrative activities of DBHDD, including, but not limited to: 
    1. Management activities relating to implementation of and compliance with the requirements of HIPAA; 
    2. Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that PHI is not disclosed to such policy holder, plan sponsor, or customer. 
    3. Resolution of internal grievances; 
    4. The sale, transfer, merger, or consolidation of all or part of DBHDD with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity; and 
    5. Creating de-identified health information or a limited data set, and fundraising for the benefit of DBHDD.

Health care provider – A provider of health care services, and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.  NOTE:  For purposes of this policy, the term "health care provider" follows the definition in HIPAA and refers to all health care providers generally.  This term is not limited to those providers who have contracts, letters of agreement, or other legal or funding arrangements with DBHDD.  See the separate definition of "provider" in this policy.

Health Insurance Portability and Accountability Act of 1996 (HIPAA) – Public Law 104-191 – A Federal law that governs the use, access, and disclosure of protected health information (see definition) regarding individuals. HIPAA gives HHS the authority to mandate the use of standards for the electronic exchange of health care data; to specify what medical and administrative code sets should be used within those standards; to require the use of national identification systems for health care consumers, health care providers, payers, and employers; to specify the types of measures required to protect the security and privacy of personally identifiable health care information; and to specify requirements for reporting breaches of HIPAA to HHS and others. As defined in DBHDD confidentiality and HIPAA policies and procedures, HIPAA refers to the federal act and also to related federal regulations known as the Privacy Rule, the Security Rule, and regulations implementing the "Health Information Technology for Economic and Clinical Health Act" ("HITECH Act"), located at 45 CFR Parts 160, 162, and 164.

Health Plan – An individual or group plan that provides, or pays the cost of, medical care. 

  1. Health plan includes the following, singly or in combination: 
    1. A group health plan;
    2. A health insurance issuer;
    3. An HMO;
    4. Part A or Part B of the Medicare program;
    5. The Medicaid program;
    6. The Voluntary Prescription Drug Benefit Program under Medicare Part D;
    7. An issuer of a Medicare supplemental policy;
    8. An issuer of a long-term care policy, excluding a nursing home fixed indemnity policy;
    9. An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers;
    10. The health care program for uniformed military services;
    11. The veterans health care program under 38 U.S.C. chapter 17;
    12. The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS); 
    13. The Indian Health Service program;
    14. The Federal Employees Health Benefits Program;
    15. The Medicare Advantage program;
    16. The Medicare+Choice program;
    17. A high risk pool that is a mechanism established under State law to provide health insurance coverage or comparable coverage to eligible individuals; 
    18. Any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care. 
  2. Health plan excludes: 
    1. Policies and plans for coverage of accident, disability income, liability and supplementary coverage, workers' compensation, automobile medical payments, credit-only insurance, coverage for on-site medical clinics, any similar policies where medical care benefits are secondary to other insurance benefits; and 
    2. A government-funded program (other than one listed in paragraph (1)(i)–(xvi) of this definition): 
      1. Whose principal purpose is other than providing, or paying the cost of, health care; or 
      2. Whose principal activity is: 
        • The direct provision of health care to persons; or 
        • The making of grants to fund the direct provision of health care to persons.

Individual – Any person who is seeking, applying for, currently receiving, or formerly received treatment or services from DBHDD or any of its state operated facilities or programs or providers, for mental illness, developmental disability, or addictive disease or co-occurring combinations thereof.  For purposes of this Policy, "individual" means the person who is the subject of protected health information.

Individually identifiable health information – Any information, including demographic information collected from an individual, that is (1) created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual, and identifies the individual, or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.  Individually identifiable health information contains some or all of the following identifying elements:

  • Name
  • All address information
  • Zip codes
  • E-mail addresses
  • Dates (except year) directly related to an individual, including dates of birth, admission, discharge, death
  • Age, if over 89 years
  • Telephone numbers
  • Fax numbers
  • Social Security number
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate numbers
  • License numbers
  • Device identifiers
  • URLs
  • IP addresses
  • Facial photographs
  • Biometric identifiers
  • Any other unique identifying number, characteristic, or code

Limited data set – Protected health information that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual:

  1. Names;
  2. Postal address information, other than town or city, state, and zip code;
  3. Telephone numbers;
  4. Fax numbers;
  5. Electronic mail addresses;
  6. Social security numbers;
  7. Medical record numbers;
  8. Health plan beneficiary numbers;
  9. Account numbers;
  10. Certificate/license numbers;
  11. Vehicle identifiers and serial numbers, including license plate numbers;
  12. Device identifiers and serial numbers;
  13. Web Universal Resource Locators (URLs);
  14. Internet Protocol (IP) address numbers;
  15. Biometric identifiers, including finger and voice prints; and
  16. Full face photographic images and any comparable images.

Minimum necessary – When using or disclosing protected health information or when requesting protected health information, the process of making reasonable effort to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.

Notice of Privacy Practice – A notice of the uses and disclosures of PHI that may be made by DBHDD, and of the individual's rights and DBHDD's duties regarding the individual's protected health information.

Person at risk of being infected with HIV – Any person who may have already come in contact with or who may in the future be reasonably expected to come in contact with the body fluids of an HIV infected person.

Person legally authorized to sign – A person authorized by law to give authorization for release of an individual's protected health information.  These persons include: for minors, the parent, the court-appointed guardian or the court-appointed custodian; for adults, the court-appointed guardian of the person, if any. An individual may give his/her agent in an advance directive the authority to sign for release of the individual's protected health information, except for alcohol or drug information.

Privacy – HIPAA regulations protect an individual's right to the privacy or confidentiality of his/her health care information to keep it from falling into the hands of people who are not legally authorized to obtain it. The HIPAA privacy regulations require health care providers to obtain a signed authorization to disclose PHI, unless otherwise authorized by applicable law or regulation.

Privacy Coordinator – The individual designated by a state hospital or Field Office with responsibility for obtaining and maintaining a working knowledge of DBHDD's confidentiality and security policies and procedures, to respond to confidentiality and HIPAA-related inquiries arising within the hospital or region, provide information regarding the complaint process, participate in the reporting process, and maintain adequate documentation of these activities.

Privacy Officer – The individual designated by DBHDD with responsibility for obtaining and maintaining a working knowledge of the HIPAA Privacy Rule and, as applicable, the Security Rule. The Privacy Officer is responsible for the development and implementation of Department's confidentiality and privacy policies and procedures.  The Privacy Officer responds to confidentiality and HIPAA-related inquiries arising within DBHDD, provides information regarding the complaint process and reporting process, and maintains adequate documentation of these activities.  The Privacy Officer also has responsibility for coordination of Privacy Coordinators and for overseeing certain Privacy Rule reporting.

Privacy Rule – Standards for Privacy of Individually Identifiable Health Information, which implement the privacy requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) at 45 C.F.R. parts 160 and 164.

Privileged – Protected by law from unauthorized disclosure.  Privilege gives the legal right to an individual to prevent disclosure of communications between the individual and his/her: psychiatrist, licensed psychologist, or between an individual and his/her licensed clinical social worker, clinical nurse specialist in psychiatric/mental health, licensed professional counselor or licensed marriage and family counselor during psychotherapy.

Protected Health Information (PHI) – All individually identifiable health information (e.g., name, diagnosis, medical record number, billing information, etc.) that is transmitted or maintained by a covered entity in any form or medium, including orally.  See "individually identifiable health information," above.  Protected health information excludes education records covered by the Family Educational Rights and Privacy Act (FERPA) and employment records held by DBHDD in its role as employer.  Protected health information also excludes information regarding an individual who has been deceased for more than 50 years; however, such information remains confidential and private under state law and under federal laws protecting confidentiality of alcohol and drug abuse patient records, and may not be disclosed without authorization or a legal exception to confidentiality.

Provider – Organizations or persons approved to serve individuals with mental illness, developmental disabilities and/or addictive diseases, wherein those services are financially supported in whole or in part by funds authorized through DBHDD.  Providers typically have a contract or letter of agreement with DBHDD.  (NOTE:  For purposes of this policy, the term "provider" means only those entities which have contracts, letters of agreement or other legal or funding arrangements with DBHDD.  See the separate and more general definition for "health care provider" as that term is used in this policy.)

Psychotherapy notes – Notes recorded in any medium by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual's clinical record.  Psychotherapy notes exclude medication and prescription monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date.

Reasonable cause – An act or omission in which DBHDD or its business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated the HIPAA Privacy Rule or Security Rule, but in which DBHDD or the business associate did not act with willful neglect.

Records – Any information, whether recorded or not, received or acquired in connection with an individual's treatment or services.  "Records" includes administrative and other documentation (such as incident reports) that relates to and identifies an individual, regardless of whether it is part of the individual's clinical record.

Record holder – The health care provider of treatment or services that maintains records or clinical records.

Release – See definition of "disclosure."

Representatives – The person or persons designated under Title 37 of the Georgia Code to receive certain notices and, unless objected to by the individual, to consult with the facility regarding the individual's individualized plan and treatment under such plan.

Security Officer – The individual designated by DBHDD with responsibility for obtaining and maintaining a working knowledge of the HIPAA Security Rule and, as appropriate, the Department's confidentiality and security policies and procedures.  The Security Officer is responsible for the development and implementation of the security policies and procedures required by the HIPAA Security Rule. The Security Officer responds to inquiries regarding the Security Rule arising within the Department, provides information regarding the security complaint process and reporting process, and maintains adequate documentation of these activities.  With the Privacy Officer, the Security Officer works with the Privacy Coordinators on and is responsible for certain Security Rule related reporting.

State – The State of Georgia.

Workforce – Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for DBHDD or its business associate, is under the direct control of DBHDD or the business associate (as applicable), whether or not they are paid by DBHDD or the business associate (as applicable).   

PROCEDURES

  1. DBHDD shall implement policies and procedures that are designed to comply with confidentiality laws and HIPAA.  Policies and procedures shall be reasonably designed and take into account the size and type of activities that relate to PHI undertaken by DBHDD.  
  2. DBHDD shall document confidentiality and HIPAA privacy policies and procedures, either in writing or in electronic form.  Any change to a policy or procedure shall be documented.  In addition to policies and procedures, any correspondence or other documents required to be created or maintained by DBHDD under such policies and procedures shall be maintained in writing or electronically for six years, or longer if required under other applicable laws, regulations or policies.
  3. It is the policy of DBHDD that all information about individuals, whether oral or written and regardless of the form or location in which it is maintained, is confidential and may be disclosed only in accordance with applicable state and federal laws and regulations.  DBHDD shall not confirm or deny whether an individual is receiving or has received services, unless such disclosure is authorized in writing by a valid authorization signed by the individual or authorized by applicable law.
  4. DBHDD shall maintain a clinical record for each individual.  When disclosure is allowed, the original clinical record may be examined only under supervision by designated staff of the facility, at the facility which maintains custody of the record, at reasonable times as determined by the facility.  The original clinical record shall not be removed from the facility unless authorized by an attorney in the Office of the Attorney General or specially appointed assistant attorney general representing DBHDD.  The clinical record shall not be a public record.
  5. DBHDD shall establish standards relating to uses and disclosures, and de-identification and re-identification of PHI it creates, collects and maintains.
  6. Any disclosure authorized by law or any unauthorized disclosure of confidential or privileged information about an individual or communications shall not in any way abridge or destroy the confidential or privileged character of the information disclosed, except for the purpose for which such authorized disclosure is made. Any person making a disclosure authorized by state law shall not be liable under state law to the individual or any other person.
  7. DBHDD shall have administrative, technical and physical safeguards to protect the privacy of PHI.  DBHDD must reasonably safeguard PHI to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.
  8. DBHDD shall provide adequate notice to individuals of the uses and disclosures of PHI it may make by providing a Notice of Privacy Practices (Attachment A of Notice of Privacy Practice, 23-101) to persons seeking or receiving services. DBHDD shall document its compliance with the notice requirements by retaining copies of the notices it issues and by maintaining a policy regarding the Notice of Privacy Practices (Notice of Privacy Practice, 23-101). DBHDD shall not require individuals to waive their rights as provided in the notice as a condition of treatment, payment or eligibility for benefits.
  9. DBHDD will establish and implement minimum necessary requirements for uses and disclosures of PHI.  DBHDD shall make reasonable efforts to limit PHI used, disclosed or requested from another covered entity to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.
  10. DBHDD shall obtain a written Authorization for Release Of Information (Attachment A of Authorization for Release of Information (ROI) Forms, 23-110), from an individual before using or disclosing PHI relating to the individual for any purpose not otherwise permitted or allowed by confidentiality laws or HIPAA.  DBHDD shall maintain policies and procedures governing the form of authorization for release of information, and the procedures for making authorized disclosures.
  11. DBHDD shall maintain policies and procedures to protect the confidentiality of alcohol and drug abuse information as governed by federal law and regulations.  It is the policy of DBHDD that an individual with alcohol or drug abuse records is entitled to protections of the confidentiality of such information that are more stringent than the protections provided by HIPAA or by state law.  Records pertaining to alcohol abuse or drug abuse may be produced in response to a court order issued by a court of competent jurisdiction pursuant to a full and fair show cause hearing, except for matters privileged under the laws of this state.  Records pertaining to alcohol abuse or drug abuse shall not be produced in response to a subpoena alone.  Records which are produced according to the individual's authorization must bear notice to the recipient concerning restrictions on further use or disclosure by the recipient.
  12. DBHDD shall maintain policies and procedures to protect the confidentiality of AIDS confidential information, as that term is defined by law, including but not limited to procedures for making authorized disclosures in accordance with applicable laws.
  13. DBHDD shall have a method to allow individuals to exercise their right to request that DBHDD amend PHI or a record about the individual in a designated record set used in whole or in part to make decisions about the individual, for as long as DBHDD maintains the PHI in the designated record set.
  14. DBHDD shall maintain policies and procedures to permit an individual to request a restriction of disclosures.  DBHDD is not required to agree with the restriction except as required in Rights of Individuals Regarding Their Confidential and Protected Health Information, 23-105.
  15. DBHDD shall establish policies and procedures for an individual to access and inspect his/her PHI in a designated record set for as long as DBHDD maintains the PHI in the designated record set.  DBHDD shall provide for exceptions limiting an individual's access to his/her PHI under certain circumstances when the individual is currently an inpatient of a facility.
  16. DBHDD shall keep an accounting of when and to whom disclosures of PHI are made for purposes other than treatment, payment and health care operations, and shall be able to give an accounting of those disclosures to an individual, if requested.  
  17. DBHDD shall maintain policies and procedures:
    1. for representatives of individuals, as defined in Title 37 of the Georgia Code, to be named by individuals or by DBHDD;
    2. for certain required disclosures to representatives; and
    3. for certain disclosures to and consultation with representatives, unless the individual objects.
  18. DBHDD shall obtain from its business associates reasonable assurances that they will appropriately safeguard PHI disclosed by DBHDD and that agents, employees and subcontractors of the business associates agree to the same conditions applicable to the business associates with respect to such information.  DBHDD shall include HIPAA compliance requirements in contracts, other written agreements and expressions of understanding, with business associates to whom DBHDD discloses PHI.
  19. DBHDD shall mitigate, to the extent practicable, any harmful effect known to DBHDD of a use or disclosure of PHI in violation of its policies and procedures or the requirements of HIPAA, by DBHDD or a business associate. 
  20. DBHDD shall develop and communicate to individuals a process for filing complaints about the department's privacy and security policies and procedures or its compliance with its policies and procedures or with the Privacy or Security Rule. Such process shall include expectations regarding cooperation with investigations regarding complaints and for reporting as required for compliance reviews. The individual shall not be required to utilize these complaint procedures in lieu of other available legal remedies. DBHDD will maintain documentation of all complaints received, and of their disposition, if any.
  21. DBHDD shall have policies and procedures documented so that employees are aware of what actions are prohibited and punishable.  Such policies and procedures shall provide for sanctions that comply with the HIPAA standard for sanctions against members of DBHDD's workforce who fail to comply with its privacy policies and procedures. Appropriate sanctions shall be imposed for violations of DBHDD's privacy policies and procedures, or related protocols, standards or directives. DBHDD policies and procedures shall provide appropriate protection for whistleblowers.  Sanctions that may be imposed by DBHDD are cumulative of those that may be imposed by statute or regulation.
  22. DBHDD hospital staff with access codes to the hospital's Electronic Medical Record (AVTAR) may only access an individual's medical record and associated protected health information if such access is necessary in the performance of their direct care of the patient, or otherwise required to perform their job duties/assignment. Any other reason for accessing or reviewing a patient's PHI is not authorized and subject to disciplinary actions.
  23. Neither DBHDD nor its employees, workforce members, or agents shall intimidate, threaten, coerce, harass, discriminate against, or take other retaliatory action against any individual or other person for:
    1. The individual's exercising any right established, or for participation in any process provided for, by DBHDD policies and procedures regarding confidentiality and HIPAA;
    2. Filing a complaint regarding DBHDD policies or procedures or compliance with such policies or procedures;
    3. Testifying, assisting, or participating in an investigation, compliance review, proceeding, or administrative hearing regarding violations of HIPAA;
    4. Opposing any act or practice made unlawful by HIPAA regulations, provided the individual or person has a good faith belief that the practice opposed is unlawful, and the manner of opposition is reasonable and does not involve a disclosure of protected health information that violates HIPAA regulations, state law confidentiality, or federal regulations on confidentiality of alcohol and drug abuse records.
  24. DBHDD facilities have custody of a variety of types of records, such as incident reports and other administrative records, which may contain confidential or protected health information about an individual.  It is the policy of DBHDD to protect confidential and protected health information according to law.  When such information is in records that are requested under the Georgia Open Records Act, in administrative hearings, in lawsuits, or by any other lawful means, it will not be disclosed unless authorized by the individual or other person authorized to disclose, or as required by law.
  25. DBHDD shall train all current and newly hired members of its workforce on its privacy policies and procedures as necessary and appropriate for them to carry out their functions within DBHDD, according to a training plan for HIPAA awareness.  Newly hired persons shall be trained within a reasonable time after being hired.  If the functions of workforce members are materially affected by a change in DBHDD policies, training will be provided within a reasonable time after such change in policy.
  26. DBHDD shall designate a Privacy Officer who shall be responsible for receiving complaints and for providing privacy practice information.  The Privacy Officer shall maintain an adequate working knowledge of state confidentiality laws, federal regulations on confidentiality of alcohol and drug abuse patient records, the HIPAA Privacy Rule and, as applicable, the Security Rule. The Privacy Officer shall develop and implement DBHDD's privacy policies and procedures. The Privacy Officer shall respond to HIPAA related inquiries arising within DBHDD, provide information regarding the complaint process and maintain adequate documentation of these activities. The Privacy Officer shall coordinate the activities of the Privacy Coordinators, and shall oversee Privacy Rule breach reporting to HHS. The Privacy Officer shall submit reports of privacy related activities periodically to the Commissioner of the Department upon request.
  27. DBHDD shall designate a Security Officer who shall be responsible for receiving complaints regarding security and to provide Security Rule information.  The Security Officer shall obtain and maintain an adequate working knowledge of state confidentiality laws, federal regulations on confidentiality of alcohol and drug abuse patient records, the HIPAA Security Rule and, as applicable, the Privacy Rule. The Security Officer shall develop and implement DBHDD's security policies and procedures, respond to Security Rule related inquiries arising within DBHDD, provide information regarding the security complaint process and maintain adequate documentation of these activities.  The Security Officer shall work with the Privacy Officer and as necessary the Privacy Coordinators to ensure Security Rule breach reporting to HHS. The Security Officer shall submit reports of security related activities periodically to the Commissioner of the Department upon request.
  28. The Privacy Officer and Security Officer shall work jointly and coordinate on appropriate policies, procedures, reports and projects as applicable.
  29. DBHDD may appoint Privacy Coordinators at the field, hospital or other administrative level, who are responsible for receiving complaints and reports of alleged violations. Privacy Coordinators are informed of and assist as appropriate with Human Rights Committee complaints regarding confidentiality, privacy and security. Privacy Coordinators shall obtain and maintain a working knowledge of DBHDD's privacy and security policies and procedures and of confidentiality laws and HIPAA.  Privacy Coordinators must submit reports as required to the Privacy Officer and Security Officer, and assist with or facilitate investigation of alleged privacy and security violations. Privacy Coordinators shall serve as liaisons between the Privacy Officer or Security Officer and their facility or region, to assist in awareness of confidentiality, privacy and security requirements and matters.
  30. DBHDD shall maintain policies and procedures regarding reporting of violations of confidentiality rights and HIPAA.  Employees shall report known or alleged violations of DBHDD privacy and security policies and procedures to their supervisor, to the facility's Human Rights Committee as applicable, or to the Privacy Coordinator. A report should be made immediately if the situation requires immediate action to protect the welfare or safety of the individual, but in any event no later than five (5) business days after becoming aware of the alleged violation. The supervisor or Human Rights Committee shall report to the Privacy Officer, and additionally to the Security Officer as appropriate. Violation reports shall be in writing for documentation purposes. For required contents of violation reports, see Reporting and Notification of Breaches of Confidentiality, 23-102.
  31. DBHDD shall maintain policies and procedures regarding identification of breaches of HIPAA and reporting of breaches.  Privacy Coordinators, in consultation with the Privacy Officer and/or the Office of Legal Services, shall determine whether violations also constitute breaches and ensure that notifications are made, as required by the HITECH Act and HIPAA, to the individual, the Secretary of HHS, and when required, to the news media.
  32. DBHDD shall allow authorized revisions of confidentiality and HIPAA policies and procedures in response to changes in administrative, operating or programmatic requirements.  The DBHDD Privacy Officer must approve any and all revisions.
  33. DBHDD shall adopt supplemental internal privacy policies and procedures where necessary to meet the requirements of specific programs, activities, or federal or state laws and regulations.  Such policies and procedures shall conform to those of the Department, confidentiality laws and HIPAA, and are subject to review by the DBHDD Privacy Officer.
  34. DBHDD shall examine and revise its confidentiality and HIPAA policies and procedures on an ongoing basis and as necessary to satisfy requirements of confidentiality laws and HIPAA.  Policy changes based on changes in applicable laws and regulations shall be made promptly.
  35. DBHDD maintains policies and procedures regarding its activities which may address confidentiality or disclosures that are a part of such activity.  The provisions of this policy apply generally to those policies and procedures unless specifically stated otherwise in such policies.  Questions regarding policy applicability or interpretation should be sent to the Office of Legal Services.  Such policies and activities include, but are not limited to:
    1. Research involving human subjects
    2. Reporting of abuse, neglect, or exploitation
    3. Required reporting of diseases or injuries
    4. Required reporting of criminal conduct
    5. Protection and Advocacy under federal regulations; and
    6. Advance Directives.

LEGAL REFERENCES

42 United States Code Annotated, 290dd-2

42 CFR Part 2

45 CFR Parts 160 and 164, 160.310; 164.308; 164.316; 164.514(d)(3); 164.530.

Official Code of Georgia Annotated 24-12-20 and 24-12-21; 31-9-22.1; 31-32-1 et seq.; 37-1-1; 37-2-2; Chapter 3 of Title 37; 37-3-166 (Mental Illness); Chapter 4 of Title 37; 37-4-125 (Developmental disability); Chapter 7 of Title 37; 37-7-166 (Substance Abuse); 50-18-72.

Rules and Regulations of the Department of Human Resources, Chapter 290-4-6, "Patients' Rights"; and Chapter 290-4-9, "Clients' Rights."

REFERENCE MATERIALS

SAMHSA and the Office of the National Coordinator (ONC) for Health Information Technology Frequently Asked Questions (FAQs) for Applying the Substance Abuse Confidentiality Regulations to the Health Information Exchange (HIE).

RELATED POLICIES

Authorization for Release of Information (ROI) Forms, 23-110

Notice of Privacy Practice, 23-101

Reporting and Notification of Breaches of Confidentiality, 23-102

Confidentiality and HIPAA Privacy Complaints, 23-103

Sanctions Related to Confidentiality and HIPAA, 23-104

Rights of Individuals regarding their Protected Health Information, 23-105

Disclosures of Confidential and Protected Health Information, 23-106

Confidentiality and HIPAA Practices Involving Business Associates, 23-107

Search word: Photo

Attachments:

Approval Signatures

Approver Date
Anne Akili, Psy.D.: Policy Director 1/19/2016
Betty Bentley Watson: Privacy Officer 1/19/2016
Anne Akili, Psy.D.: Policy Director 1/15/2016
Older Version Approval Signatures
Joetta Prost, Ph.D.: DBHDD Policy Director 4/17/2015
Joetta Prost, Ph.D.: DBHDD Policy Director 9/20/2013
Betty Bentley Watson: Privacy Officer 9/18/2013
Joetta Prost, Ph.D.: DBHDD Policy Director 9/18/2013
Joetta Prost, Ph.D.: DBHDD Policy Director 5/24/2012
Joetta Prost, Ph.D.: DBHDD Policy Director 5/23/2012
Joetta Prost, Ph.D.: DBHDD Policy Director 10/11/2011