2011 Health Information Portability and Accountability Act of 1996 | Medicaid

The Georgia Department of Human Services (DHS) has chosen Covered Entity status to promote simplification of information sharing within the Department.

This policy applies to all individuals who are Georgia Department of Human Services (DHS) employees, volunteers, trainees, and contractors who perform duties in conjunction with the access, distribution, dissemination, modification, and management of protected health information.

DHS administers programs and provides services that have more stringent requirements than those provided by the Privacy Rule. In the administration of such programs and provision of such services, the Department will adhere to the more stringent requirements.

Each adult AU/BG member and, if applicable, each PR must be provided with a Notice of Privacy Practices upon receipt of an application for assistance, or when he/she is added to an existing AU/BG. This includes instances in which an A/R is currently receiving benefits in another program, such as food stamps, and applies for Medicaid. The notice must be mailed to each adult who is not present for a face-to-face interview. It is preferable, but not required, that each adult sign and return his/her notice, however the case record must be documented that the notice(s) was sent.

PHI is individually identifiable health information. Examples of PHI include, but are not limited to the following:

Covered entities may use and share only the minimum amount of protected information necessary to accomplish a particular purpose.

DHS is responsible for determining the amount of PHI required per function. Upon determination of minimum necessary PHI, DHS will communicate this decision to all affected parties.

The Privacy Rule prohibits the use and disclosure of PHI for purposes not related to treatment, payment, or health care operations. The identity of a person requesting PHI and his/her authority to receive such information must be verified prior to release of PHI. Computer matches are accessed via system terminals or through personal computers connected to the system.

As a covered entity, DHS is permitted, but not required, to use and disclose PHI, without an individual’s authorization in certain situations and for specific purposes.

The following uses and disclosures do not require authorization from the individual:

The following uses and disclosures do require authorization from the individual:

Prior to the release of PHI that requires authorization, the A/R must complete and sign DHS Form 5459 (rev. 07/2016), Authorization for Release of Information.

Signed, blank Forms 5459 are not permissible and may not be obtained or used for any purpose. Form 5459 may be used to release or obtain information only if the A/R or PR has specified on the Form 5459 to whom information is to be released or from whom information is to be obtained. At the point the A/R signs Form 5459 it must be dated. Form 5459 should be used within 30 days from the date it is signed.

DHS will maintain compliance with HIPAA Privacy Rule administrative requirements including, but not limited to:

Guidelines for safeguarding PHI include, but not limited to: