5029 Protection and Disclosure of Information

Georgia State Seal

Georgia Division of Aging Services
Access to Services Manual

Chapter:

5000 Aging and Disability Resource Connection (ADRC)

Effective Date:

Section Title:

Protection and Disclosure of Information

Reviewed or Updated in:

MT 2019-01

Section Number:

5029

Previous Update:

Overview

AAAs will develop and implement policies that assure that staff will not disclose information by name about a consumer without the informed consent, either written or verbal, of the older person, or by his/her authorized representative.

Requirements

  1. If a consumer gives verbal consent for information to be shared, staff shall maintain documentation of same in the DAS Data System, showing date and specific purpose for consent being given.

  2. Staff shall discuss each instance of disclosure with the consumer and document each in the prescribed manner.

  3. Staff shall discuss each instance of disclosure with the consumer and document each in the prescribed manner.

  4. Staff shall not communicate to others the identity of inquirers, their requests and the information provided to others, unless:

    1. A report of information is required by law (reporting suspected incidents of abuse, neglect or exploitation of an adult or child);

    2. Careful consideration indicates the presence of risk or serious harm to the inquirer or another person, and then communication may only be to those who must be informed in order to reduce harm or risk (reports to DAS Adult Protective Services Central Intake); or

    3. The inquirer has given explicit permission for the information to be disclosed to another person or entity. The consumer must specify what information may be given and to whom.

  5. Staff will protect inquirers’ privacy and dignity by avoiding non-essential discussion of the individuals’ circumstances and situations. This does not restrict professional discussion about services provided or planned for the individual or on-site observation and monitoring of ADRC staff activities conducted by Division staff.

  6. Area Agencies will develop and use agreement forms that staff, volunteers, and others with access to confidential information will sign to document their intent to comply. ADRC staff who have not received HIPAA training and signed an agreement form will not be permitted access to the DAS Data System. Signed copies are maintained in individual staff personnel records.

  7. Staff will use the DAS Data System Alert Notes to communicate with DAS regarding constituency issues to minimize HIPAA protected information disclosure.

HIPAA

The DHS Division of Aging Services is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), and subject to its regulations, including the Privacy Rule. The following definitions are used:

  1. Protected Health Information. The Area Agencies, as contractors of the Division, also are regulated by the Act and Privacy Rule, which protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."

  2. Individually identifiable health information is information, including demographic data, that relates to:

    1. The individual’s past, present or future physical or mental health or condition,

    2. The provision of health care to the individual, or

    3. The past, present, or future payment for the provision of health care to the individual,

    4. And that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

  3. Area Agencies shall develop any necessary policies, procedures and protocols to guide staff in the proper handling, storage, data entry and sharing of protected health information and individually identifiable health information with which they come into contact through the intake and screening process, to assure HIPAA compliance.