4010.0.0
REQUEST AMENDMENT OF PROTECTED HEALTH INFORMATION
4010.1.0
Purpose
To insure Department of Human Services (DHS) compliance with
the Health Insurance Portability and Accountability Act (HIPAA) Privacy
Regulations regarding a patient's right to request an amendment or correction
to their protected health information.
4010.2.0
Authority
HIPAA Standards for Privacy of Individually Identifiable Health
Information 45 CFR Part 164 Section 164.526 Amendment of protected health
information. To issue instructions to all DHS offices, facilities, programs and
workforce members ("entities") regarding the Department's obligations relating
to the implementation of HIPAA, 42 U.S.C. §§ 1320d-1329d-8, and
regulations promulgated hereunder, 45 CFR Parts 160 and 164.
4010.3.0
Applicability
This rule applies to all DHS employees. DHS offices,
facilities, programs and workforce members are directed to follow all
applicable policies and procedures found in the HIPAA Policies and Procedures
Manual. Failure to comply with this rule and its reference documents may result
in disciplinary sanctions as defined in DHS 1084, Employee Discipline.
4010.4.0
Definitions
4010.4.1
Protected Health Information (PHI) - individually identifiable
information relating to past, present or future physical or mental health or
condition of an individual, provision of health care to an individual, or the
past, present or future payment for health care provided to an
individual.
4010.4.2
Workforce Members - employees, volunteers, trainees, and other
persons whose conduct, in the performance of work for DHS, its offices,
programs or facilities, is under the direct control of DHS, regardless of
whether they are paid by the entity.
4010.5.0
Procedures
4010.5.1 These procedures are in addition to
procedures set out in other rules or implemented by the Office of
Administrative Services (OAS).
4010.5.2 Patient requests for amendment of
protected health information shall be made in writing to the covered entity and
clearly identify the information to be amended, as well as the reasons for the
amendment. These requirements are detailed in the Notice of Privacy
Practices.
4010.5.3 Requests may be
denied if the material requested to be amended:
A. Was not created by DHS, unless the
originator is no longer available to act on the request
B. Is not part of the individual's health
record
C. Is not accessible to the
individual because federal and state law do not permit it
D. Is accurate and complete
4010.5.4 DHS must act on the
individual's request for amendment no later than 60 days after receipt of the
amendment. DHS may have a one-time extension of 30 days for processing the
amendment if the individual is given a written statement of the reason for the
delay, and the date by which the amendment request will be processed.
4010.6.0
Amendment Request is
Granted
If the request is granted, after review and approval by the
individual responsible for the entry to be amended, DHS must:
A. Insert the amendment or provide a link to
the amendment at the site of the information that is the subject of the request
for amendment
B. Inform the
individual that the amendment is accepted
C. Obtain the individual's identification of
and agreement to have DHS notify the relevant persons with whom the amendment
needs to be shared
D. Within a
reasonable time frame, make reasonable efforts to provide the amendment to
persons identified by the individual, and persons, including business
associates, that DHS knows have the protected health information that is the
subject of the amendment and that may have relied on or could foreseeably rely
on the information to the detriment of the individual
4010.7.0
Amendment Request is
Denied
4010.7.1 If the
request is denied, DHS must provide the individual with a timely written denial
in plain language that contains:
A. The basis
for the denial (see section 4010.5.3 above)
B. The individual's right to submit a written
statement disagreeing with the denial and how the individual may file such a
statement
C. A statement that if
the individual does not submit a statement of disagreement, the individual may
request that DHS provide the individual's request for amendment and the denial
with any future disclosures of the protected health information that was the
subject of the request
D. A
description of how the individual may complain to DHS or the Secretary of
Health and Human Services
E. The
name or title, and the telephone number of the designated contact person who
handles complaints for DHS
4010.7.2 DHS must permit the individual to
submit to DHS, a written statement disagreeing with the denial of all or part
of the requested amendment and the basis of such agreement. DHS may reasonably
limit the length of a statement of disagreement.
4010.7.3 DHS may prepare a written rebuttal
to the individual's statement of disagreement. Whenever such a rebuttal is
prepared, DHS must provide a copy to the individual who submitted the statement
of disagreement.
4010.7.4 DHS must,
as appropriate, identify the record of protected health information that is the
subject of the disputed amendment and append or otherwise link the individual's
request for amendment, DHS denial of the request, the individual's statement of
disagreement, if any, and DHS's rebuttal, if any.
4010.7.5 If the individual has submitted the
statement of disagreement, DHS must include the material appended or an
accurate summary of such information with any subsequent disclosure of the
protected health information to which the disagreement relates.
4010.7.6 If the individual has not submitted
a written statement of disagreement, DHS must include the individual's request
for amendment and its denial, or an accurate summary of such information, with
any subsequent disclosure of protected health information only if the
individual has requested such action.
4010.7.7 When a subsequent disclosure is made
using a standard transaction that does not permit the additional material to be
included, DHS must separately transmit the material required.
4010.7.8 A covered entity that is informed by
DHS of an amendment to an individual's protected health information must amend
the protected health information in written or electronic form.
4010.7.9 DHS must document the titles for the
persons or offices responsible for receiving and processing requests for
amendments.
4010.8.0
Additional Considerations of Amendments From Other Covered
Entities
When a provider receives notification from another health care
provider or health plan that a patient's protected health information has been
amended, the receiving provider:
A.
Must ensure that the amendment is appended to the patient's health
record
B. Will inform its business
associates that may use or rely on the patient's protected health information
of the amendment (as agreed to in the business associate contract) so that they
may make the necessary revisions based on the amendment
4010.9.0
Originating Section/Department
Contact
*ffice of Chief Counsel Donaghey Plaza South P. O. Box 1437,
Slot S260 Little Rock, AR 72203-1437 Telephone: (501) 682-8934
4011.0.0
ACCOUNTING FOR
DISCLOSURES OF PROTECTED HEALTH INFORMATION
4011.1.0
Purpose
To establish Health Information Portability and Accountability
Act (HIPAA) compliant policies and procedures for tracking and accounting for
disclosures of Protected Health Information (PHI).
4011.2.0
Policy
4011.2.1 Pursuant to
45 CFR
164.528, Department of Human Services (DHS)
clients (and their legal representatives) have a right to request an accounting
of PHI disclosures that DHS has made for a period of up to six years previous
to the date of request. It is DHS policy that all disclosures of client PHI
(subject to accounting and tracking) will be recorded on the Protected Health
Information (PHI) Tracking Sheet, Form DHS-4002, and entered into the PHI
Disclosure Tracking system for retrieval.
4011.2.2 Upon receipt of a request for an
accounting of PHI disclosures, DHS will have a maximum of 60 calendar days to
compile the accounting of disclosures and respond to the client request. If DHS
is unable to comply with the client's request for an accounting of PHI
disclosures within 60 calendar days, DHS may make a one-time extension of the
time frame for response by 30 calendar days.
4011.2.3 The accounting of PHI disclosures
must include:
A. The date of the
disclosure.
B. The name, and
address if known, of the person or entity that received the disclosed
PHI.
C. A brief description of the
information disclosed.
D. A brief
statement of the purpose of the disclosure that reasonably informs the client
of the basis for the disclosure, or, in lieu of such statement, a copy of the
client's written request for the accounting of disclosures.
4011.3.0
Disclosures
subject to tracking and accounting include:
4011.3.1
Abuse
Reports. PHI provided (other than protective services staff who
respond to such reports) pursuant to mandatory abuse reporting laws to an
entity authorized by law to receive abuse reports.
4011.3.2
Audit
Review. PHI provided from a client record in relation to an audit
or review of a provider or contractor.
4011.3.3
Health and
Safety. PHI provided to avert a serious
threat to the health and/or safety of a person or persons.
4011.3.4
Licensee/Provider. PHI provided from a client record
in relation to licensing, regulation or certification of a provider or licensee
involved with the provision of care or services to the client.
4011.3.5
Legal
Proceedings. PHI ordered to be disclosed pursuant to a court
order.
4011.3.6
Law
Enforcement Official/Court Order. PHI provided to a
law-enforcement official pursuant to a court order.
4011.3.7
Law Enforcement or Other
Official/Deceased. PHI concerning a deceased client provided to
law-enforcement official, medical examiner or other official for the purpose of
identifying a deceased person, determining the cause of death, or for other
reasons authorized by law.
4011.3.8
Law Enforcement Official/Warrant. To the extent
permitted by law, PHI provided to a law-enforcement official concerning a
fleeing felon or client subject to an arrest warrant.
4011.3.9
Public Health
Official. PHI provided to a public health official for the
reporting of disease or injury or for the conduct of a public health study or
investigation.
4011.3.10
Public Record. PHI disclosed pursuant to a Public
Record request without the client's authorization.
4011.3.11
Research.
PHI provided for research purposes using a waiver of authorization provided by
an Institutional Review Board (IRB).
4011.4.0
Disclosures not subject to
tracking and accounting include:
4011.4.1
Disclosures for
Treatment Payment and Operations (TPO).
A. Treatment - the provision, coordination,
or management of health care and related services, consultation between
providers relating to an individual, or referral of an individual to another
provider for health care.
B.
Payment - activities undertaken to obtain or provide reimbursement for health
care, including determinations of eligibility or coverage, billing, collection
activities, medical necessity determinations and utilization review.
C. Operations - functions such as quality
assessment and improvement activities, reviewing competence or qualifications
of health care professionals, conducting or arranging for medical review, legal
services and auditing functions, business planning and development, and general
business and administrative activities.
4011.4.2
Disclosures to the
Client.
4011.4.3
Disclosures made pursuant to a valid authorization of the
client.
4011.4.4
Disclosures or uses made subject to the client's opportunity to
object including:
A. Use to
maintain a facility directory and disclosures from the directory to clergy and
persons who ask for the individual by name.
B. Use and disclosure to persons involved
with the client's care, payment for services, or for notification of general
condition or death to persons responsible for the care of the client.
C. Disclosures for disaster relief
purposes.
4011.4.5
Use and disclosures for national security and intelligence
activities.
4011.4.6
Use and disclosures to correctional institutions and other law
enforcement custodial situations.
4011.4.7
Disclosure as part of a
limited data set which excludes direct identifiers for research, public health,
or health care operations. Refer to DHS Policy 4009 for specific
guidance.
4011.4.8
Disclosures, which occurred prior to the effective date of HIPAA
Privacy requirements.
PROCEDURES
4011.5.0
Requests for Accounting of PHI
Disclosures
Clients (or their legal representatives) may make their
requests in-person, by letter, by facsimile or orally by phone. A request for
an accounting of PHI disclosures must identify the record holder and the period
of time covered by the request. When a request for an accounting is
received:
A. The DHS staff member
receiving the request for an accounting must document the identity of the
requestor by identification badge, driver's license, written statement of
identity on agency letterhead, or similar proof. When an oral request is
received in person or by phone, DHS will confirm the request with a written
statement describing the request and obtain a client signature for
authentication.
B. When the request
for accounting is documented and accepted, the client will be provided an
acknowledgement statement indicating when he can expect to receive an
accounting. Form DHS 4009 will be used for this purpose.
C. The client's health record will be
reviewed to determine if PHI disclosures have occurred during the time period
covered by the client's request. This will be accomplished through manual
review of the Protected Health Information (PHI) Tracking Sheet, DHS-4002, or
inquiry to the PHI Disclosure Tracking system. If accounting of disclosures
cannot be completed within 60 days of the request, the client will be notified
using form DHS-4011.
D. When a list
of disclosures has been compiled, form DHS-4010 will be completed and the form
and list of disclosures will be forwarded to the client.
E. If the client has any questions concerning
the content of the accounting, he/she will be referred to the DHS Privacy
Official at:
Arkansas Department of Human Services
DHS Privacy Official
P.O. Box 1437 Mail Slot S201
Little Rock, Arkansas 72203-1437
Phone: 501-682-8650
Email: mailto:Privacyofficial@mail.state.ar.us
Phone 501-582-8920, TDD 501-682-8933 or Fax 501-682-8884
F. Client requests for accountings
of PHI disclosures will be filed in the client's health record and maintained
for a period of 6 years from the date the request is completed.
4011.6.0
Any questions
concerning DHS Policy Number 4011 should be directed to:
DHS Office of Chief Counsel Post Office Box 1437/Slot S260
Little Rock, Arkansas 72203-1437 Telephone: (501) 682-8934
ARKANSAS DEPARTMENT OF HUMAN SERVICES Amendment of
Health Record Request Form
(For use by DHS clients asking for amendment of their
records.)
Click here
to view image
Click here
to view image
ARKANSAS DEPARTMENT OF HUMAN SERVICES
Protected Health Care Disclosure Accounting
Acknowledgement
Click here
to view image
ARKANSAS DEPARTMENT OF HUMAN SERVICES
Protected Health Care Disclosure Accounting Response
Click here
to view image
ARKANSAS DEPARTMENT OF HUMAN SERVICES
Protected Health Care Disclosure Accounting Delay
Click here
to view image