2.5 Health Insurance Portability and Accountability Act (HIPAA) | CWS

Individually identifiable health information held or transmitted by DFCS or a DFCS business associate, in any form or medium (electronic, paper or oral) which relates to the past, present, or future:

PHI includes but is not limited to:

In July 2020, the Substance Abuse and Mental Health Services Administration (SAMHSA) provided updated guidance on a substance use disorder (SUD) patient’s ability to consent to the disclosure of their own information. SAMHSA acknowledged that prior regulations created barriers to SUD patients’ ability to disclose their information and coordinate benefits, care, and other services. With a goal to empower SUD patients to consent to the release and use of their PHI however they choose, consistent with statutory and regulatory protections designed to ensure the integrity of the consent process, the regulations which required written consent to disclosures of SUD patient information to name the specific individual to whom disclosure could be made were made less restrictive. Beginning August 14, 2020, the regulations allow SUD patients to include the name of an organization/entity (i.e. the Social Security Administration) or an individual to whom disclosures can be made in a valid consent to release information. With this allowance, SAMHSA hopes to facilitate information exchange while balancing effective SUD care and legitimate privacy concerns for patients seeking SUD treatment.

An individual is entitled to receive his/her own PHI. J.J. v. Ledbetter does not apply to the PHI of the parents, guardians or custodians and children in their custody (see policy 2.10 Information Management: J.J. v. Ledbetter Parent or Guardian Request for Information). When the county receives a request from the parents, guardians or custodians for their own PHI or the PHI of children in their custody, the county is solely responsible for ensuring that the request is met within the 10 day time limit. Under HIPAA, it would be inappropriate to refer the individual to a third party to retrieve their drug screens, medical records or psychological records if the records are a part of DFCS’ record. If the requested information is not contained in the DFCS case record, DFCS is not obligated to assist individuals in obtaining the information. However, DFCS must provide a letter to the individual that DFCS “does not object” to the third party disclosing the individual’s own PHI to him/her.

When an individual is suspected to be a victim of abuse, neglect, or domestic violence they, or their personal representative, should be informed that their PHI has been or may be disclosed to a government authority including a social service or protective services agency, authorized by law to receive reports, unless doing so would place the individual at risk of serious harm or it is reasonably believed that the personal representative is responsible for the abuse, neglect, or other injury. “Personal representatives,” as defined by HIPAA, are those persons who have authority, under applicable law, to make health care decisions for a patient.

DFCS has a duty to mitigate the impact of any incidents of unlawful disclosure of PHI. As soon as DFCS knows or is notified that an incident of unlawful disclosure may have occurred, the DFCS Office of General Counsel and DHS Privacy Officer should be notified immediately. The appropriate mitigation steps should be implemented at the direction of the Privacy Officer. Without delay, a Data Breach Security Incident Reporting Form must be filled out and submitted to the Privacy Officer at privacy@dhs.ga.gov.

A person or organization, other than a DFCS employee, that performs certain functions or activities on behalf of, or provides certain services to DFCS that involve the use or disclosure of PHI. Examples of business associates include, without limitation, contracted service providers, vendors, translation services (V.A.R.S.) and foster parents. Before PHI is disclosed to business associates, the business associate must have a business associate’s agreement with DHS/DFCS. The business associate agreement may be included in the contract between DFCS and that person or organization. PHI may be shared among business associates without further consent from the individual.

Demographic information connected to an individual’s PHI. Common identifiers include, but are not limited to, name, sex, address, date of birth and social security numbers. Common identifiers are protected by HIPAA only if used to identify PHI. Even if these identifiers are not used to identify PHI, confidentiality of this information must still be maintained under Georgia law.

If an individual believes their PHI record is inaccurate, they may request that the record be amended. DFCS must make reasonable efforts to comply if the PHI:

The local DFCS office must contact the DFCS OGC if a request is made to correct a DFCS created case record(s) with regard to PHI.

With the exception of disclosures made pursuant to a valid ROI, an individual may request an accounting (a list) of all disclosures of PHI made by DFCS or its business associates within the prior six years leading up to the date of the request. The local DFCS office must contact the DFCS Office of General Counsel (OGC) immediately upon receipt of any request.

The law imposes severe disciplinary measures upon DFCS and its employees, contractors or others who violate the privacy and security requirements of HIPAA. Disciplinary actions can take the form of retraining, written reprimands, terminations or dismissals. Significant civil monetary penalties may be assessed for DHS/DFCS.

All DFCS offices are required to have the poster version of the Notice of Privacy Practices exhibited in waiting areas and other appropriate public spaces. DFCS are required to complete mandatory new employee and annual HIPAA training to prevent the unlawful disclosure of PHI.