
DHHS POLICIES AND PROCEDURES

________________________________________________________________________________________________________________________

Section VIII: Privacy and Security

Title: Privacy Manual

Chapter: Use and Disclosure Policies, Use and Disclosure

Current Effective Date: 2/1/16, 11/15/15, 5/1/05

Revision History: 3/16/04, 11/15/15

Original Effective Date: 4/14/03

________________________________________________________________________________________________________________________

Purpose

The final Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule controls the use and disclosure of individually identifiable health information. Generally, covered health care components may not use or disclose individually identifiable health information except in ways identified in the Privacy Rule or when required or allowed by other federal or state laws. All other uses are prohibited and barriers must be established to prevent any use and disclosure other than those permitted. ‘Use’ and ‘disclosure’ are significant terms that distinguish sharing of information within an agency (use) from releasing information outside an agency (disclosure).

DHHS agencies may not use or disclose individually identifiable health information except either:

It should be understood that throughout this policy whenever a ‘client’ is addressed, the client’s ‘personal representative’ (including a guardian) shall be treated the same as the client, when the client is unable to act for him/herself.

POLICY

HIPAA requires DHHS agencies to disclose individually identifiable health information in the following situations:

Permitted Uses and Disclosures

HIPAA permits DHHS agencies to use and disclose individually identifiable health information without a client’s written authorization for the following purposes or situations:

Agencies must rely on professional ethics and best judgment when deciding which of these permissive uses and disclosures to make.

DHHS agencies may use and disclose individually identifiable health information only with a client’s authorization for the following purposes or situations:

DHHS agencies must make reasonable efforts to use, disclose, and request only the minimum amount of individually identifiable health information needed to accomplish the intended purpose of the use, disclosure, or request for information, except for the following circumstances:

Clients may request agencies to restrict all or a portion of their individually identifiable health information from specific uses or disclosures. DHHS agencies that have agreed to such restrictions are required to use and disclose the restricted information only as agreed.

DHHS agencies that have created information that is not individually identifiable do not have to comply with the use and disclosure requirements, provided that:

DHHS agencies may disclose individually identifiable health information of clients to a business associate and may allow a business associate to create or receive a client’s individually identifiable health information on its behalf [see DHHS Privacy Policy Administrative Policies, Business Associates (Internal/External)].

DHHS agencies must use and disclose individually identifiable health information of a deceased client in the same manner as if the client were still alive. Under the HIPAA Omnibus rule, a decedent’s PHI only need be protected for a period of fifty years.

DHHS agencies must use and disclose individually identifiable health information to a personal representative of a client in the same way as the agency would to the client, with two exceptions:

DHHS agencies must make reasonable efforts to comply with requests from clients to disclose confidential communications by alternative means or methods.

Disclosures by Whistleblowers and Workforce Member Crime Victims

DHHS agencies shall not be considered in violation of use and disclosure regulations if a member of its workforce or its business associate discloses individually identifiable health information “in good faith” to a health oversight agency or attorney retained by or on behalf of the individual; or if individually identifiable health information is disclosed to law enforcement by a workforce member who is a victim of crime, abuse, neglect, or domestic.

Food and Drug Administration

DHHS agencies may use or disclose individually identifying health information to:

Communicable Diseases

DHHS agencies shall disclose individually identifiable health information regarding a client(s) who has been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, according to requirements set forth in Chapter 130A of the NC General Statutes (GS).

DHHS agencies may disclose individually identifiable health information to an employer about a client who is a member of the employer’s workforce if the employer has requested the agency conduct an evaluation relating to medical surveillance of the workplace or to evaluate the client for a work-related illness or injury. Information disclosed shall be limited to the work-related illness or injury of the client or to carry out its responsibilities for workplace medical surveillance.

Client rights provided by the HIPAA Privacy Rule require agencies to disclose individually identifiable health information to the client who is the subject of the information, unless an agency has a compelling reason not to do so.

The HIPAA Privacy Rule requires agencies to disclose individually identifiable health information to the HHS Secretary, when requested, to determine compliance with the HIPAA Privacy Rule. Agencies are required to maintain proper records, and upon request of HHS, to submit compliance reports in such time and manner as determined by the HHS Secretary.

During an investigation or compliance review, DHHS agencies must cooperate with HHS and the DHHS Privacy Officer shall be notified of such investigation or compliance review.

Variations in requirements specific to disclosure to the Secretary of US HHS include the following:

DHHS agencies shall use and disclose individually identifiable health information without client authorization only as permitted or required in this policy, or as required by other federal or state laws and regulations. Whenever North Carolina General Statutes and other federal regulations are more stringent than the HIPAA privacy rules, the more stringent requirement prevails.

Although client authorization is not required by law or regulation in the following circumstances, each agency should exercise professional judgment in determining whether to seek client involvement when using or disclosing that client’s confidential information.

Treatment Purposes

Individually identifiable health information may be used (i.e., shared among designated staff) within a covered health care component to carry out treatment activities. DHHS agencies may use a client’s individually identifiable health information for its own treatment purposes, including coordination and management of health care services for clients.

Individually identifiable health information may be disclosed (e.g., shared with other health care providers or human service agencies) outside a covered health care component to carry out treatment coordination and management between providers and for referrals to other health care providers for treatment purposes.


Payment Purposes

Individually identifiable health information may be used (i.e., shared among designated staff) within a covered health care component for payment purposes such as determining or fulfilling the agency’s responsibility for coverage and provision of benefits under a health plan; or to obtain or provide reimbursement for the provision of health care.

Individually identifiable health information may be disclosed (e.g., shared with other payers, health care providers, or business associates) outside a covered health care component to carry out payment functions such as eligibility, billing, claims adjustment, and other collection activities.


Health Care Operations

Individually identifiable health information may be used (i.e., shared among designated staff) within a covered health care component for health care operation purposes such as conducting quality assessment and improvement activities, business planning and development, business management and administrative activities, student training, and credentialing.

Individually identifiable health information may be disclosed (i.e., shared with entities) outside a covered health care component to carry out health care operation functions such as accreditation, licensure, conducting or arranging for medical review, auditing, or legal services that are necessary to run the agency and to support the core functions of health care treatment and payment.

DHHS agencies may use or disclose individually identifiable health information in certain circumstances, but agencies must allow clients the opportunity to agree, object, or restrict certain uses or disclosures of their individually identifiable health information, in advance of the agency’s use or disclosure. Such information must be documented in the client’s health record.

The following circumstances require agencies to provide clients with the opportunity to agree or object to the use or disclosure of their individually identifiable health information:

1. Facility Directory/Emergency Situations

Notification/Involvement with Family/Others

In situations where individually identifiable health information of a client is being disclosed to a family member, other relative, or close personal friend of the client and the client is present, the agency must obtain the client’s agreement, provide the client with an opportunity to agree or object to the disclosure, or determine, based on the circumstances and using professional judgment, that the client would not object prior to the disclosure. If the client is not present or is incapacitated and cannot agree or object, the agency must use professional judgment to determine what is in the best interest of the client. In such instances, agencies must limit the information being disclosed to that which is directly relevant to the situation.

NOTE:

Chapter 122C of the NC General Statutes defines specific circumstances and conditions when confidential information can be disclosed to family/others by MH/DD/SAS facilities. These facilities shall develop procedures consistent with NC state law.

Disaster Relief

Use or disclosure of individually identifiable health information for disaster relief purposes (e.g., flood, hurricane, terrorism) must be determined based on professional judgment, taking into account the best interest of the client, and the determination that the requirements do not interfere with the ability to respond to the emergency circumstances.

DHHS agencies may use or disclose individually identifiable health information without written authorization and without an opportunity for the client to agree, object, or restrict certain uses or disclosures of their individually identifiable health information in specific circumstances.

Required by Law

DHHS agencies may use and disclose individually identifiable health information to the extent that such use or disclosure is required by law, and the use or disclosure complies with and is limited to the relevant requirements of such law. Legal mandates requiring use or disclosure of individually identifying health information may be based upon federal or state statutes/regulations, board of health rules, court orders, and subpoenas issued by a court or other similar judicial or administrative body.

Examples of uses or disclosures required by law include the following:

Procedural requirements for disclosures required by law include the following:

Public Health Activities

There are specific laws that require information related to public health activities to be disclosed so those laws would fall under the “required by law” provisions noted in the corresponding section above. There are also some laws that permit information related to public health activities to be used or disclosed. DHHS agencies may disclose individually identifiable health information related to public health activities to a public health authority when such uses or disclosures are permitted under the law for:

Public health authorities may include the following organizations and individuals:

In addition to public health authorities, DHHS agencies may also disclose individually identifiable health information to an official of a foreign government agency that is acting in collaboration with a public health authority if the public health authority directs the agency to make such disclosure.

For example, if the CDC is collaborating with public health officials in Canada while investigating a disease outbreak, a NC DHHS agency could disclose protected health information to a Canadian government agency if directed to do so by the CDC.

Examples of uses or disclosures permitted for public health purposes for the “prevention and control of disease, injury, and disability; and communicable disease notification” include the following:

Child Abuse and Neglect Reporting

Under North Carolina law, any person or institution who has cause to suspect that any juvenile is abused, neglected, or dependent, or has died as the result of maltreatment must make a report to the department of social services in the county where the child lives or is found (NCGS 7B-301).

FDA-regulated Product or Activity Monitoring

Agencies must disclose individually identifiable health information to the FDA when required to do so as related to the quality, safety, or effectiveness of such FDA-regulated products or activities. Agencies must ensure staff are aware of such requirements and shall develop a process for ensuring the reporting is handled according to agency requirements. Staff must be knowledgeable of such requirements and assured that the disclosure is not in violation of the agency’s privacy policies and procedures.

Work-Related Illness or Injury Monitoring and Workplace Medical Surveillance

DHHS physicians, medical facilities, and laboratories are required to report to the Department all cases of specified serious and preventable occupational injuries that occur while working on a farm, as well as specified serious and preventable occupational diseases and illnesses which result from exposure to a health hazard in the workplace. DHHS agencies shall ensure procedures are in place to report required injuries, diseases, and illnesses.

DHHS agencies shall develop procedures regarding disclosures for “public health activities that may be made to an employer” about an individual who is a member of the employer’s workforce or an individual who is receiving health care at the request of the employer in the following circumstances:

The individually identifiable health information disclosed must directly relate to the above circumstances. DHHS agencies must provide the individual with a written notice that such information is disclosed to an employer, for public health activity purposes.

Procedural requirements for disclosures for “public health activities” include the following:

Adult Abuse and/or Neglect Reporting

Under North Carolina law (Article 6, Chapter 108A), any person having reasonable cause to believe that a disabled adult is in need of protective services must make a report to the director of social services.

In making such disclosure, agency staff shall promptly inform the client, in the exercise of professional judgment, that such a report has been or will be made, except if a qualified professional believes informing the client would place the client at risk of serious harm; or if it is determined by agency staff that informing a client’s personal representative would not be in the best interest of the client.

Procedural requirements for disclosure when reporting “adult abuse and/or neglect” include the following:

Health Oversight Activities

DHHS agencies may disclose individually identifiable health information to a health oversight agency for health oversight activities authorized by law, including audits, investigations, inspections, licensure, or disciplinary actions, legal proceedings or actions, or other activities necessary for appropriate oversight of:

Judicial and Administrative Proceedings

DHHS agencies may disclose individually identifiable health information for judicial or administrative proceedings, as required by NC General Statutes, when the use or disclosure is made in response to a(n):

All disclosures made in judicial and administrative proceedings shall be made only after the identity and authority of any person requesting such disclosure has been verified, and the requisite documentation required for the disclosure has been obtained. A subpoena alone is not sufficient reason for disclosing confidential information. Both a subpoena and a court order must be issued to compel disclosure.

Law Enforcement Purposes

DHHS agencies shall develop procedures that ensure staff is knowledgeable about disclosures that may be made for law enforcement purposes. Agencies may disclose individually identifiable health information without client authorization for the following law enforcement purposes as applicable:

A subpoena alone is not sufficient reason for disclosing confidential information. Both a subpoena and a court order must be issued to compel disclosure.

Agencies may also disclose limited information for identification and location purposes when requested by a law enforcement official for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person. Only the following information may be disclosed:

NOTE: There may be federal or state laws that are more restrictive than the requirements in this policy, in which case the more restrictive would apply.

Procedural requirements for disclosures for “law enforcement purposes” detailed in this section include the following:

Victims of a Crime

DHHS agencies may disclose individually identifiable health information in response to a law enforcement official’s request for such information about a client who is, or is suspected to be, a victim of a crime if:

Crime on Premises

DHHS agencies may disclose individually identifiable health information to a law enforcement official when the agency believes a crime (or threat of crime) has been committed on the premises or against agency staff. However, information disclosed must be limited to the circumstances and client status, including last known name and address.

Reporting Crime in Emergencies

If staff in a DHHS agency provides emergency health care in response to a medical emergency off site, the agency may disclose individually identifiable health information to law enforcement officials if such disclosure appears necessary to alert law enforcement to:

If the agency believes that the medical emergency off site is the result of abuse or neglect of the individual in need of emergency health care, the agency must first use professional judgment to determine if disclosure of individually identifiable health information is in the best interest of the individual.

Avert Serious Threat to Health or Safety

Agencies may use and disclose individually identifiable health information to avert a serious threat to health and safety whenever such use or disclosure is consistent with laws and ethical standards and the agency believes it is necessary to:

Information disclosed shall be limited to the client’s statement and the following identifying information:

Unless otherwise prohibited by state or federal law, agencies may use or disclose individually identifiable health information for specialized government functions, as long as the identity of the individual representing such function is verified. Functions include:

Procedural requirements for disclosures for “specialized government functions” include the following:

Agencies may use or disclose individually identifiable health information as authorized by, and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs established by law that provide benefits for work-related injuries or illness without regard to fault.

Personal Representative

A personal representative is any adult who has decision-making capacity and who is willing to act on behalf of a client regarding the use and disclosure of the client’s individually identifiable health information. This would include an individual who has authority, by law or by agreement from the client receiving treatment, to act in the place of the client such as spouse, adult children, parents, legal guardians, or properly appointed agents (e.g., an individual who has been given a medical power of attorney). Procedures must be developed that address when a personal representative is required and the responsibilities of the agency when communicating with a personal representative. Procedures must also include communication requirements if the client is an un-emancipated minor or if the client has been abused, neglected, or has been in an endangerment situation and there is some question about the personal representative’s involvement in the care of the client.

Client Photographs

Agencies that take photographs of clients for identification purposes must obtain the client’s consent prior to photographing. Photographs of clients may not be displayed in the facility or released outside of the agency without client authorization. Agencies may develop their own consent forms allowing the photograph(s) to be taken, but if there is a need to disclose the photograph(s), authorization must be obtained prior to disclosure.

Psychotherapy Notes

Psychotherapy notes are notations that capture a therapist’s impressions about a client and contain details of conversations during a private counseling session or a group, joint, or family counseling session. Such notes are considered the therapist’s personal notes and are not maintained in the client’s health record, but are maintained separately by the therapist.

In most cases, including disclosure to another health care provider for treatment, payment or health care operations, psychotherapy notes can only be released with client authorization. However, authorization for the use or disclosure of psychotherapy notes is not required in the following circumstances:

A client’s right to request access to his/her health care records does not apply to psychotherapy notes maintained by a psychotherapist. The client’s psychotherapist or physician must use professional judgment in determining whether a client should have access to psychotherapy notes.

Verification

DHHS agencies must obtain proper identification of all individuals, including clients, prior to allowing access to confidential information.

Agencies must establish and implement written procedures that are reasonably designed to verify the identity and authority of the requestor where the agency does not know the person requesting the information. Knowledge of a person may take the form of:

Where documentation, statements, or representations, whether oral or written, from the individual requesting individually identifiable health information is a condition of disclosure, the agency must obtain such documentation or representations prior to disclosing the requested information.

When the person requesting individually identifying health information is a public official, or a person acting on behalf of a public official, the following procedures may be followed:

Verification of the authority of a public official or a person acting on behalf of a public official may be managed in the following manner:

Agencies are required to verify the identity of anyone who is acting on behalf of a client or who is assisting in an individual’s care before disclosing individually identifying health information. The client must identify anyone whom the client has authorized to receive the client’s individually identifiable health information.


Incidental to an Otherwise Permitted Use and Disclosure

Certain incidental uses and disclosures are permitted if they occur as a by-product of another permissible or required use or disclosure.

Such uses and disclosures must be secondary in nature, not reasonably preventable, and limited in nature, and must occur as a result of another use or disclosure that is permitted by the HIPAA Privacy Rule. For example, if a client is in an examining room and overhears a doctor talking to another client about his treatment, this would constitute incidental access to the health information being discussed.

For questions or clarification on any of the information contained in this policy, please contact the DHHS Privacy Officer. For general questions about department-wide policies and procedures, contact the DHHS Policy Coordinator.
