2054 Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Georgia Division of Aging Services
Administrative Manual

Chapter: 2050 Basic Considerations for Recipients of Services
Effective Date: 08/16/2022
Section Title: Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Reviewed or Updated in: MT 2023-01
Section Number: 2054
Previous Update: MT 2017-01

Summary Statement

The Division of Aging Services (DAS) complies with the Health Insurance Portability and Accountability Act (HIPAA) of 1996, including its rules regarding security and privacy of confidential health information.

Basic Considerations

HIPAA was enacted by Congress to provide group and individual insurance reform, introduce tax-related health care provisions, control healthcare fraud and abuse, and to ensure improvement in healthcare systems.

Covered Entity Status

The Georgia Department of Human Services (DHS) has chosen Covered Entity status to promote simplification of information sharing within the department.

Who Must Comply

This policy applies to all individuals who are DHS employees, volunteers, trainees, and contractors who perform duties in conjunction with the access, collection and recording, distribution, dissemination, modification, and management of Protected Health Information (PHI).

DHS and DAS administer programs and provide services that have more stringent requirements than those provided by the Privacy Rule. In the administration of programs and services with more stringent rules, the Department and Division will adhere to the more stringent requirements.

Business Associate Agreement

HIPAA requires that covered entities notify business associates and contractors of their status as a covered entity and the requirement to adopt and implement standards and procedures for handling PHI. Additionally, business associates must be notified that they must comply with applicable provisions of the Privacy Rule.

The DHS/DAS contract with AAAs includes business associate requirements. Refer to the contract for the exact language of the Business Associate Agreement that DHS/DAS has with each AAA. Each AAA is then required to have similar language with each subcontractor who handles PHI, as all such subcontractors are also bound under HIPAA.

AAAs must maintain up-to-date lists of all volunteers, staff and other individuals who, because of their work or volunteering with OAA services, have access to PHI and/or PII. The list of DDS authorized users can be pulled from DDS, but there are others who are provided PHI and/or PII outside of DDS or who do not use DDS. DHS/DAS has developed a method to assist AAAs in maintaining the list of those individuals outside of DDS for contract compliance.

Examples of persons who must be on this list:

  • Evidence Based Program volunteer leader

    • Typically has access to name, diagnosis (self-identified) and other information on program forms

  • Home Delivered Meal driver

    • Typically has access to name and address, and knows that, to participate, the client/individual is home-bound

Examples of persons who may not be required on the list:

  • Bingo leader at a senior center

    • May not have any information about participants, except maybe a name

  • Volunteer lawn care and gardener at a senior center

    • May not have any client information

Note that the above examples are not all inclusive.

Training

Appointing authorities must ensure and document that all DAS employees complete HIPAA training as part of new employee orientation.

Penalties for Noncompliance

HIPAA provides for both civil and criminal penalties for covered entities that misuse PHI.

Privacy Rule

The Privacy Rule, effective April 14, 2003, ensures privacy protection by limiting the ways that Protected Health Information (PHI) can be used and released.

Notice of Privacy Practices (NPP)

Staff in all programs will give Form 5460, Notice of Privacy Practices, to all clients at the initial contact. Refer to Appendix D, Form 5460. It is preferable, but not required, that the client sign and return his/her notice. The case record must document that the notice was given.

Exceptions:

  • Guardianship staff are not required to provide the NPP to persons under guardianship; those persons would receive the NPP from other entities.

  • Information and referral

PHI

PHI is individually identifiable protected health information. Examples of PHI include, but are not limited to the following:

  • Demographic information, such as name, age, gender

  • Health status information

  • Prescription drug information

  • Prior existing conditions

  • Name (full or last name and initial)

  • All geographical identifiers smaller than a state, with exceptions

  • Dates (other than year) directly related to an individual (includes date of birth)

  • Phone numbers

  • Fax numbers

  • Email addresses

  • Social Security numbers

  • Medical record numbers (Medicare number, Medicaid number, etc.)

  • Health insurance beneficiary numbers

  • Account numbers

  • Certificate/license numbers

  • Vehicle identifiers (including serial numbers and license plate numbers)

  • Device identifiers and serial numbers

  • Web Uniform Resource Locators (URLs)

  • Internet Protocol (IP) address numbers

  • Biometric identifiers, including finger, retinal and voice prints

  • Full face photographic images and any comparable images

  • Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data

PHI may be in electronic, paper-based or oral form.

PII

PII is Personally Identifiable Information and is defined in O.C.G.A. § 10-1-911(6) and includes:

An individual’s first name or first initial and last name in combination with any one of the following data elements, when either the name or the data elements are not encrypted or redacted:

  • Social security number

  • Driver’s license number or state identification card number

  • Account number, credit card number, or debit card number, if such number could be used without additional identifying information, access codes or passwords

  • Account passwords or personal identification numbers or other access codes

  • Any of the above when not in connection with the individual’s first name or first initial and last name, if the information compromised would be sufficient to perform or attempt to perform identity theft

The term “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Minimum Necessary

Covered entities and their business associates must follow the HIPAA Privacy Rule, including disclosing PHI only to authorized individuals for appropriate uses, and even then they may use and share only the minimum amount of protected information necessary to accomplish a particular authorized purpose.

Use and Disclosure

The Privacy Rule prohibits the use and disclosure of PHI for purposes not related to treatment, payment or health care operations.

The identity of a person requesting PHI and his/her authority to receive such information must be verified prior to release of PHI.

As a covered entity, DHS is permitted, but not required, to use and disclose PHI without an individual’s authorization in certain situations and for specific purposes, although the law may require notification to the individual after such a disclosure has been made.

The following uses and disclosures do not require authorization from the individual:

  • Treatment, payment, and health care operations

  • Public health agencies activities

  • Health oversight and regulatory agency activities

  • Judicial proceedings and law enforcement investigations

  • Healthcare fraud investigations

  • Emergency situations

  • Deidentified information (information deidentified in compliance with HIPAA federal regulations)

The following uses and disclosures do require authorization from the individual:

  • Third party disclosures

  • Marketing and fund-raising activities

  • Non-health related affiliates

  • Underwriting or risk rating activities

  • Employment determinations

  • Sale, rental, or barter of PHI

  • Psychotherapy records other than psychotherapy notes

Form 5459

Prior to the release of PHI that requires authorization, the client or guardian must complete and sign DHS Form 5459, Authorization for Release of Information. Refer to Appendix D of this manual for the current version of Form 5459.

Form 5459 may be used to release or obtain information only if the client, legal guardian, or appropriate authorized representative has specified on Form 5459 to whom information is to be released or from whom information is to be obtained. The form must be dated at the time it is signed. The form should be signed, dated and specifically checked to indicate the time frame for which the release will be valid.

If a third party attempts to access records based upon a Power of Attorney or other document, review with the Associate General Counsel before processing the request.

Administrative Requirements

DHS and DAS will maintain compliance with the HIPAA Privacy Rule administrative requirements including, but not limited to:

  • Designation of a privacy officer who is responsible for the development, implementation and maintenance of privacy policies and procedures. DHS has appointed a DHS Privacy Officer for the entire department. Refer to Section 1010 of this manual

  • Development, implementation, and documentation of timely and effective privacy training

  • Development, maintenance, and enforcement of complaint procedures

  • Enforcement of appropriate sanctions for failure to comply with HIPAA regulations.

Security Rule

The HIPAA Security Rule ensures the security of PHI by specifying how PHI is stored, transmitted, and accessed.

PHI Safeguarding Practices

Guidelines for safeguarding PHI include, but are not limited to the following:

  • PHI will be discussed with the client or representative only in private areas

  • PHI will be discussed with staff members on a need-to-know basis, and in non-public areas only

  • Telephone calls regarding PHI will be held in areas in which the conversation cannot be overheard

  • Computer monitors will be positioned in a way that does not permit observation

  • Computer passwords will not be shared and will be recorded only in secure locations

  • PHI will be disclosed only by those staff members authorized to do so

  • Access to fax machines will be limited to authorized staff

  • Case records, mail, documentation, and other materials containing PHI will be maintained in locked or otherwise secure locations away from the general public

  • Staff members will wear appropriate agency-issued identification at all times during business hours and while on official business.

  • PHI will be discarded in appropriate secure containers.

Administrative Requirements

DHS and DAS will maintain compliance with the HIPAA Security Rule administrative requirements including, but not limited to:

  • Development and enforcement of information access control. Refer to Section 1060 of this manual

  • Completion of internal security audits

  • Enforcement of physical safeguards including workstation/office guidelines

  • Enforcement of appropriate sanctions for failure to comply with HIPAA regulations

  • Development, implementation, and documentation of security awareness training.

References

Additional HIPAA information is available at the following website:

Additional Security and Confidentiality policies and procedures on ODIS include:

MAN 5600, Sections 1010, 1060, 2053 (DAS Admin)
MAN 5100A, Section 500 (LTCO)
MAN 5300, Section 202.4 (HCBS)
MAN 5500, Chapter 2 (APS)
MAN 5800, Section 1003 (PGO)
MAN 1900, Information Security Policies (DHS)