Library: Policy

340:2-8-1. Legal basis, purpose, and hybrid designation

Revised 9-16-19

(a) Part 160, Sections 160.101 through 160.552, and Subparts A, Sections 164.102 through 164.106, and E, Sections 164.500 through 164.534 of Part 164 of Title 45 of the Code of Federal Regulations (C.F.R.) constitute the Health Insurance Portability and Accountability Act (HIPAA)Privacy Rule that provides protection for the privacy of health information.

(b) The purpose of this Subchapter is to describe the Oklahoma Department of Human Services (DHS) privacy policies contained in the HIPAA Privacy Rule.DHS privacy policies are intended to:

(1) protect clients' medical records and other personal health information;

(2) give clients more control over their protected health information (PHI);

(3) set boundaries on the use and disclosure of PHI; and

(4) hold violators accountable.

(c) Employees who violate DHS privacy policies are disciplined, per DHS:2-1-7(i)(2)(A) and may be subject to sanctions set forth by the Department of Health and Human Services.

(d) DHS is designated as a HIPAA hybrid entity.

(1) DHS is a single legal entity comprised of several components, some of which provide HIPAA-covered functions.Therefore, DHS is a hybrid entity that provides both HIPAA-covered and non-covered functions as part of its business operations.

(2) DHS Developmental Disabilities Services, the ADvantage Administration Unit, Office of Inspector General, and Adult and Family Services are designated by DHS as covered components of the hybrid entity, per Section 164.105(a)(2)(iii)(C) of Title 45 of the C.F.R.All other DHS components are not HIPAA-covered.