
COMMENT DUE DATE: February 14, 2019

DATE: January 15, 2019

Laura Brown, Adult and Family Services, 405-521-4396

Dena Thayer, Programs Administrator, 405-521-4326

Nancy Kelly, Policy Specialist, 405-522-6703

RE: APA WF 19-2A

It is very important that you provide your comments regarding the DRAFT COPY of policy by the comment due date. Comments are directed to STO.LegalServices.Policy@okdhs.org.

The proposed policy is permanent. This proposal is subject to the Administrative Procedures Act.


A public hearing is scheduled for 10:00 a.m. on February 26, 2019, at DHS, Sequoyah Memorial Office Building, 2400 N. Lincoln Boulevard, Oklahoma City, Oklahoma 73105, Room C-48. Anyone who wants to speak must sign in at the door by 10:05 a.m.

SUBJECT: CHAPTER 2. ADMINISTRATIVE COMPONENTS

Subchapter 8. Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule

340:2-8-1 through 2-8-14 [AMENDED]

(Reference WF 19-2A)

SUMMARY:

The proposed amendments to Chapter 2, Subchapter 8 amend the rules to: (1) add: (a) the Oklahoma Department of Human Services (DHS) as a designated hybrid entity for HIPAA; (b) definitions for covered function, health care component, health information, hybrid entity, and individually identifiable health information; (c) the definition for authorization and payment; (d) the client's right to rebut a denial of access to his or her protected health information (PHI); (e) examples of personal representatives and when a minor may act on his or her own behalf; (f) form names and numbers; and (g) rule and legal citations; (2) remove: (a) an unnecessary definition; (b) an exception to a client's right to access his or her own PHI; (c) incorrect information regarding when DHS staff may use or disclose PHI without authorization; (d) incorrect information that states a personal representative must be court-ordered; (e) an instruction to DHS staff from rules; and (f) an obsolete policy cite; (3) clarify how: (a) clients request an accounting of disclosures; (b) DHS staff complies with disclosure requests; (c) the DHS privacy officer responds to client complaints regarding improper use or disclosure of PHI; (d) clients request that DHS communicate with them by alternative means; and (e) clients request amendments to their PHI and how DHS staff responds to the requests; (4) clarify that an authorization may only be revoked in writing; (5) clarify and simplify language; and (6) update terminology and a policy citation.

PERMANENT APPROVAL: Permanent rulemaking is requested.

LEGAL AUTHORITY: Director of Human Services; Section 162 of Title 56 of the Oklahoma Statutes; and Sections 160.103, 164.103, 164.105, 164.501, 164.502, 164.508, 164.514, 164.522, 164.524, 164.526, and 164.530 of Title 45 of the Code of Federal Regulations.

Rule Impact Statement

To: Programs Administrator

Legal Services - Policy

From: Patrick Klein, Director

Adult and Family Services

Date: December 14, 2018

Re: Chapter 2. ADMINISTRATIVE COMPONENTS

Subchapter 8. Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule

340:2-8-1 through 2-8-14 [AMENDED]

(Reference WF 19-2A)

Contact: Laura Brown 405-521-4396

A. Brief description of the purpose of the proposed rule:

Purpose.

The proposed amendments to Chapter 2, Subchapter 8 amend the rules to: (1) add: (a) the Oklahoma Department of Human Services (DHS) as a designated hybrid entity for HIPAA; (b) definitions for covered function, health care component, health information, hybrid entity, and individually identifiable health information; (c) the definition for authorization and payment; (d) the client's right to rebut a denial of access to his or her protected health information (PHI); (e) examples of personal representatives and when a minor may act on his or her own behalf; (f) form names and numbers; and (g) rule and legal citations; (2) remove: (a) an unnecessary definition; (b) an exception to a client's right to access his or her own PHI; (c) incorrect information regarding when DHS staff may use or disclose PHI without authorization; (d) incorrect information that states a personal representative must be court-ordered; (e) an instruction to DHS staff from rules; and (f) an obsolete policy cite; (3) clarify how: (a) clients request an accounting of disclosures; (b) DHS staff complies with disclosure requests; (c) the DHS privacy officer responds to client complaints regarding improper use or disclosure of PHI; (d) clients request that DHS communicate with them by alternative means; and (e) clients request amendments to their PHI and how DHS staff responds to the requests; (4) clarify that an authorization may only be revoked in writing; (5) clarify and simplify language; and (6) update terminology and a policy citation.

Strategic Plan Impact. The proposed amendments achieve DHS goals by continuously improving systems and processes and improving communication with clients and staff.

Substantive changes.

Subchapter 8. Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule

Oklahoma Administrative Code (OAC) 340:2-8-1 is amended to: (1) add DHS as a designated hybrid entity for HIPAA and legal citations; and (2) update terminology and a policy citation.

OAC 340:2-8-2 is amended to: (1) add definitions for covered function, health care component, health information, hybrid entity, and individually identifiable health information; (2) add to the definition for authorization and payment; (3) add legal citations; (4) remove an unnecessary definition; and (5) update terminology.

OAC 340:2-8-3 and 340:2-8-8 are amended to update terminology.

OAC 340:2-8-4 is amended to: (1) remove an exception to a client's right to access his or her own PHI; (2) add the client's right to rebut a denial of access to his or her PHI; (3) clarify how: (a) clients request an accounting of disclosures; (b) DHS staff complies with disclosure requests; (c) the DHS privacy officer responds to client complaints regarding improper use or disclosure of PHI; (d) clients request that DHS communicate with them by alternative means; and (e) clients request amendments to their PHI and how DHS responds to the requests; (4) add form names and numbers; (5) update terminology; and (6) add legal citations.

OAC 340:2-8-5, 340:2-8-12, and 340:2-8-14 are amended to: (1) update terminology; and (2) add legal citations.

OAC 340:2-8-6 is amended to: (1) remove incorrect information regarding when DHS staff may use or disclose PHI without authorization; (2) update terminology; and (3) add a legal citation.

OAC 340:2-8-7 is amended to: (1) remove incorrect information that states a personal representative must be court-ordered; (2) clarify that an authorization may only be revoked in writing; and (3) add a legal citation.

OAC 340:2-8-9 is amended to: (1) add examples of personal representatives and when a minor may act on his or her own behalf; and (2) update terminology.

OAC 340:2-8-10 is amended to: (1) simplify language; (2) update terminology; and (3) add a legal citation.

OAC 340:2-8-11 is amended to: (1) update terminology; (2) add a legal and rule citation; (3) remove an obsolete policy citation; and (4) add a form name and number.

OAC 340:2-8-13 is amended to: (1) simplify language; (2) remove an instruction to DHS staff from rules; and (3) add a legal citation.

Reasons.

The rules are amended to: (1) clarify and simplify rules for clients, DHS staff, and the public; (2) remove unnecessary, incorrect, or obsolete information; (3) add more definitions of HIPAA terms, the client's right to rebut a denial of access to his or her PHI, examples of personal representatives, when a minor can act on his or her own behalf, forms used for HIPAA, and legal citations to enhance understanding of DHS HIPAA rules; and (4) update terminology.

Repercussions. If the proposed amendments are not implemented, clients and the public may not clearly understand DHS HIPAA rules and DHS staff may misapply the rules.

Legal authority. Director of Human Services; Section 162 of Title 56 of the Oklahoma Statutes; and Sections 160.103, 164.103, 164.105, 164.501, 164.502, 164.508, 164.514, 164.522, 164.524, 164.526, and 164.530 of Title 45 of the Code of Federal Regulations.

Permanent rulemaking approval is requested.

B. A description of the classes of persons who most likely will be affected by the proposed rule, including classes that will bear the costs of the proposed rule, and any information on cost impacts received by the Agency from any private or public entities: The classes of persons most likely to be affected by the proposed amendments are DHS clients and staff. The affected classes of persons will bear no costs associated with implementation of the rules.

C. A description of the classes of persons who will benefit from the proposed rule: The classes of persons who will benefit are DHS clients and staff.

D. A description of the probable economic impact of the proposed rule upon the affected classes of persons or political subdivisions, including a listing of all fee changes and, whenever possible, a separate justification for each fee change: The proposed amendments do not have an economic impact on the affected entities. There are no fee changes associated with the revised rules.

E. The probable costs and benefits to the Agency and to any other agency of the implementation and enforcement of the proposed rule, the source of revenue to be used for implementation and enforcement of the proposed rule and any anticipated effect on state revenues, including a projected net loss or gain in such revenues if it can be projected by the Agency: The probable cost to DHS includes the cost of printing and distributing the rules, which is estimated to be less than $20. The proposed amendments will result in enhanced delivery of services for clients.

F. A determination whether implementation of the proposed rule will have an impact on any political subdivisions or require their cooperation in implementing or enforcing the rule: The proposed amendments do not have an economic impact on any political subdivision, nor will the cooperation of any political subdivisions be required in implementation or enforcement of the rules.

G. A determination whether implementation of the proposed rule will have an adverse economic effect on small business as provided by the Oklahoma Small Business Regulatory Flexibility Act: There are no anticipated adverse effects on small business as provided by the Oklahoma Small Business Regulatory Flexibility Act.

H. An explanation of the measures the Agency has taken to minimize compliance costs and a determination whether there are less costly or nonregulatory methods or less intrusive methods for achieving the purpose of the proposed rule: There are no less costly or non-regulatory methods or less intrusive methods for achieving the purpose of the proposed amendments.

I. A determination of the effect of the proposed rule on the public health, safety, and environment and, if the proposed rule is designed to reduce significant risks to the public health, safety, and environment, an explanation of the nature of the risk and to what extent the proposed rule will reduce the risk: Implementation of the proposed amendments is intended to help DHS clients and staff more clearly understand their rights and responsibilities regarding PHI.

J. A determination of any detrimental effect on the public health, safety, and environment if the proposed rule is not implemented: If the proposed amendments are not implemented, DHS clients and staff may not understand their PHI rights and responsibilities as clearly.

K. The date the rule impact statement was prepared and, if modified, the date modified: Prepared May 23, 2018; modified December 14, 2018.

SUBCHAPTER 8. Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule

340:2-8-1. Legal basis, purpose, and hybrid designation

Revised 9-16-19

(a) Part 160, Sections 160.101 through 160.552, and Subparts A, Sections 164.102 through 164.106, and E, Sections 164.500 through 164.534 of Part 164 of Title 45 of the Code of Federal Regulations (C.F.R.) constitute the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule that provides protection for the privacy of health information.

(b) The purpose of this Subchapter is to describe the Oklahoma Department of Human Services (DHS) privacy policies contained in the HIPAA Privacy Rule. DHS privacy policies are intended to:

(1) protect clients' medical records and other personal health information;

(2) give clients more control over their protected health information (PHI);

(3) set boundaries on the use and disclosure of PHI; and

(4) hold violators accountable.

(c) Employees who violate DHS privacy policies are disciplined, per DHS:2-1-7(i)(2)(A), and may be subject to sanctions set forth by the Department of Health and Human Services.

(d) DHS is designated as a HIPAA hybrid entity.

(1) DHS is a single legal entity comprised of several components, some of which provide HIPAA-covered functions. Therefore, DHS is a hybrid entity that provides both HIPAA-covered and non-covered functions as part of its business operations.

(2) DHS Developmental Disabilities Services, the ADvantage Administration Unit, Office of Inspector General, and Adult and Family Services are designated by DHS as covered components of the hybrid entity, per Section 164.105(a)(2)(iii)(C) of Title 45 of the C.F.R. All other DHS components are not HIPAA-covered.

340:2-8-2. Definitions

Revised 9-16-19

The following words and terms, when used in this Subchapter, shall have the following meanings, unless the context clearly indicates otherwise:

"Authorization" means, per Section 164.508(c) of Title 45 of the Code of Federal Regulations (45 C.F.R. § 164.508(c)), a document that contains:

(A) a description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;

(B) the name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure;

(C) the name or other specific identification of the person(s), or class of persons, to whom DHS may make the requested use or disclosure;

(D) a description of each purpose of the requested use or disclosure. The statement "at the request of the individual" is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose;

(E) an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement "end of the research study," "none," or similar language is sufficient when the authorization is for a use or disclosure of protected health information (PHI) for research, including for the creation and maintenance of a research database or research repository;

(F) the individual's signature and date. When the authorization is signed by the individual's personal representative, a description of the representative's authority to act for the individual must also be provided; and

(G) the individual's right to revoke the authorization in writing.

"Covered function" means, per 45 C.F.R. § 164.103, a covered entity function of which the performance makes the entity a health plan, health care provider, or health care clearinghouse. Determination of SoonerCare (Medicaid) eligibility and coverage are DHS-covered functions.

"Disclosure" means, per 45 C.F.R. § 160.103, the PHI release to another entity or individual.

"Health care component" means, per 45 C.F.R. § 164.103, a component or combination of components of a hybrid entity designated by a hybrid entity, per 45 C.F.R. § 164.105(a)(2)(iii)(D).

"Health care operations" means, per 45 C.F.R. § 164.501, certain administrative, financial, legal, and quality improvement activities that are necessary to run the organization and to support an organization's core treatment and payment functions. Some common activities include quality assessment activities, case management, care coordination, and fraud and abuse investigations.

"Health information" means, per 45 C.F.R. § 160.103, any information including genetic information, whether verbalized or recorded in any form or medium that:

(A) is created or received by a health care plan, health care provider, health care clearinghouse, public health authority, employer, life insurer, or school or university; and

(B) relates to the past, present, or future:

(i) physical or mental health or condition of an individual;

(ii) provision of health care to an individual; or

(iii) payment for the provision of health care to an individual.

"Hybrid entity" means, per 45 C.F.R. § 164.103, a single legal entity:

(A) that is a covered entity;

(B) whose business activities include both covered- and non-covered functions; and

(C) that designates health care components, per 45 C.F.R. § 164.105(a)(2)(iii)(D).

"Individually identifiable health information" means, per 45 C.F.R. § 160.103, information that is a subset of health information, including demographic information collected from an individual, and:

(A) is created or received by a health plan, health care provider, health care clearinghouse, or employer;

(B) relates to the past, present, or future:

(i) physical or mental health or condition of an individual;

(ii) provision of health care to an individual; or

(iii) payment for the provision of health care to an individual; and

(C) identifies the individual or there is a reasonable basis to believe the information can be used to identify him or her.

"Payment" means, per 45 C.F.R. § 164.501, the various activities undertaken by a:

(A) health plan or health care provider to obtain payment or provide reimbursement for the provision of health care; or

(B) health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan, except as prohibited, per 45 C.F.R. § 164.502(a)(5)(i).

"Personal representative" means, per 45 C.F.R. § 164.502, an individual, who:

(A) is a parent, legal guardian, or legal custodian appointed by a court;

(B) has the authority to act on behalf of a deceased individual or his or her estate;

(C) is given authority to act on behalf of an individual with regard to health care through a power of attorney, medical directive, or guardianship; or

(D) is designated by an adult as his or her personal representative with regard to health care. A personal representative is treated the same as the client is treated.

"Privacy notice" means, per 45 C.F.R. § 164.520(b), a form that notifies an individual:

(A) how DHS handles his or her health information; and

(B) what his or her rights are regarding protected health information.

"Protected health information (PHI)" means, per 45 C.F.R. § 160.103, any health-related information that is used to individually identify a person by virtue of its containing one or more individual identifiers, such as name, Social Security number, phone number, case number, or postal Zip code, and applies to information transmitted or maintained in any form or medium, including electronic, paper, or verbal.

"Treatment" means, per 45 C.F.R. § 164.501, the provision, coordination, or management of health care and related services. This includes consultation between health care providers regarding a client or the referral of a client from one health care provider to another.

"Treatment, payment, operations (TPO)" means routine uses and disclosures of PHI.

"Use" means, with respect to PHI, per 45 C.F.R. § 160.103, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.

340:2-8-3. Training

Revised 9-16-19

Oklahoma Department of Human Services (DHS) offers online training modules regarding the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and how the regulations relate to specific job functions. Every DHS employee whose job function is affected by the Privacy Rule is required to complete an available training course. ¢ 1

INSTRUCTIONS TO STAFF 340:2-8-3

Revised 9-16-19

1. Each division within the Oklahoma Department of Human Services (DHS) establishes its own internal procedure for ensuring all new employees are trained regarding the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Two web-based trainings are provided for DHS employees on the InfoNet under the Employee Information tab/Employee-Focused Services/Training. On the Training page, the employee selects DHS Learning Management System (LMS). After logging into LMS, the employee clicks on the training titled 'HIPAA Privacy' and/or 'HIPAA and Information Security.' 'HIPAA Privacy' must be viewed by all employees within 30-calendar days of his or her enter on duty date and 'HIPAA and Information Security' must be viewed by new supervisors within 30-calendar days of appointment.

340:2-8-4. Client privacy rights to access personal health information (PHI)

Revised 9-16-19

(a) Oklahoma Department of Human Services (DHS) clients, per Section 164.524 of Title 45 of the Code of Federal Regulations (45 C.F.R. § 164.524), have the right to:

(1) access, inspect, and obtain a copy of their own protected health information (PHI) in DHS files or records consistent with federal and state law, except for:

(A) psychotherapy notes that are not specifically released by the originator of the notes; and

(B) information compiled for use in civil, criminal, or administrative proceedings;

(2) rebut a denial of access to their PHI by requesting a review in writing to the DHS privacy officer. When a client requests a review, the DHS privacy officer promptly acts on his or her request and arranges for the review;

(3) receive an accounting of disclosures DHS made of their PHI for up to six years prior to the requesting date by completing Form 13HI004E, Request for Accounting of Disclosures. This does not include disclosures made for the purposes of treatment, payment, or health care operations activities or of PHI previously authorized by the client for use or disclosure. After receiving Form 13HI004E, DHS staff completes and sends Form 13HI005E, Accounting of Disclosures, to the client within 60-calendar days of receiving the request; and ¢ 1

(4) submit complaints if they believe or suspect that DHS improperly used or disclosed their PHI. When a client or his or her personal representative submits a complaint, per Oklahoma Administrative Code 340:2-8-9, DHS staff gives the client the DHS privacy officer's name and phone number. The privacy officer: ¢ 2

(A) reviews the complaint;

(B) makes a decision regarding the complaint;

(C) documents the decision; and

(D) informs the client of the decision in writing.

(b) Clients may ask DHS to take specific actions regarding the use or disclosure of their PHI, per 45 C.F.R. § 164.522, and DHS may either approve or deny the request. Specifically, clients have the right to request that DHS:

(1) restrict uses and disclosures of their PHI for treatment, payment, and operations, unless the restriction adversely affects the quality of the client's care or prevents DHS from making or obtaining payment for services; ¢ 3

(2) provide information by alternative means, such as mail, e-mail, fax, or phone, or at alternative locations by completing Form 13HI006E, Request for Alternative Means of Communication. DHS terminates the agreement to communicate by alternative means, when: ¢ 4

(A) the client agrees to or requests termination; or

(B) DHS is unable to contact the client by the method requested or at the designated location; and ¢ 5

(3) amend their PHI, per 45 C.F.R. § 164.526, by completing Form 13HI007E, Request for Amendment of Protected Health Information. ¢ 5

(A) When DHS grants the amendment, DHS staff: ¢ 6

(i) makes the appropriate amendment to the client's PHI;

(ii) provides timely notice to the client that the amendment was accepted; and

(iii) seeks the client's agreement to notify other relevant persons or agencies with whom DHS has cause to share the amended information.

(B) DHS denies the client's request for amendment, when the information:

(i) did not originate from DHS, unless the client provides a reasonable basis to believe that the originator of such information is no longer available to act on the requested amendment; or

(ii) is accurate and complete.

(C) When DHS staff denies the amendment, a written denial is sent to the client explaining the reason for the denial within 60-calendar days of the request for an amendment. The denial explains the client's right to submit a written statement disagreeing with the denial and how to file the statement. When the client files a statement disagreeing with the denial, DHS staff has the right to complete a written rebuttal to the client's statement and sends a copy of the rebuttal to the client. ¢ 7

(c) Clients have the right to receive Form 13HI001E, Privacy Notice. ¢ 8

INSTRUCTIONS TO STAFF 340:2-8-4

Revised 9-16-19

1. Copies of Form 13HI004E, Request for Accounting of Disclosures, and Form 13HI005E, Accounting of Disclosures, are imaged or filed in the client's case record for at least six years.

2. If a client asks to file a complaint regarding the use or disclosure of PHI, he or she is given the name and phone number of the privacy officer. See OAC 340:2-8-9. The privacy officer:

(1) reviews all complaints;

(2) makes a decision regarding the complaint;

(3) documents the decision;

(4) informs the client of the decision in writing; and

(5) images or files copies of the decision and all pertinent documentation in the case record.

3. Oklahoma Department of Human Services (DHS) staff documents the client's request and the reasons for granting or denying the request in the client's case record. DHS staff forwards the request to the privacy officer who decides whether to accept or deny the request.

4. DHS staff images or files Form 13HI006E, Request for Alternate Means of Communication, in the client's case record. The information is kept for six years.

5. DHS staff images or files Form 13HI007E, Request for Amendment of Protected Health Information, in the client's case record.

6. When the amendment is granted, DHS staff documents the amendment in the client's case record.

7. When the client files a statement disagreeing with the denial, DHS staff images or files the written statement in the client's case record. When DHS staff completes a written rebuttal, he or she images or files the rebuttal in the client's case record.

8. (a) DHS posts a copy of Form 13HI001E, Privacy Notice, for public viewing at each worksite and on the DHS website. A copy is given to clients upon request.

(b) DHS staff providing direct health care treatment or services for clients give Form 13HI001E to each client no later than the date of first-service delivery after April 14, 2003, and, except in an emergency treatment situation, obtain the client's written acknowledgement of receipt of the notice by having the client sign Form 13HI002E, Privacy Notice Acknowledgment.

(c) DHS staff images or files the signed Form 13HI002E in the client's case record. When DHS staff makes a good faith effort to have the client sign Form 13HI002E, but he or she refuses, DHS staff documents the circumstances on Form 13HI002E and images or files it in his or her case record.

340:2-8-5. Privacy officer

Issued 8-21-03; Revised 9-16-19

(a) The Oklahoma Department of Human Services (DHS) designated a privacy officer to perform the required functions, per Section 164.530 of Title 45 of the Code of Federal Regulations. The contact information is: Oklahoma Department of Human Services, Privacy Officer, PO Box 25352, Oklahoma City, Oklahoma 73125.

(b) The privacy officer is responsible for:

(1) developing and implementing DHS privacy policy;

(2) making decisions regarding the use or disclosure of protected health information (PHI) when requested for the purpose of:

(A) judicial and administrative proceedings;

(B) law enforcement investigations;

(C) research; and

(D) marketing;

(3) reviewing a denial for a client's access to his or her own PHI for reasons indicated in Oklahoma Administrative Code 340:2-8-4(a)(1)(C), and taking appropriate action following the review;

(4) receiving complaints regarding the use or disclosure of PHI from external and internal sources, and taking the appropriate action following the review; ¢ 1

(5) ensuring business associate agreements contain the appropriate language and provisions as required by the Privacy Rule; and

(6) receiving complaints regarding business associate activities or practices, and taking appropriate action following the review. ¢ 2

INSTRUCTIONS TO STAFF 340:2-8-5

Issued 8-21-03; Revised 9-16-19

1. (a) The privacy officer reviews all complaints, makes a decision regarding the appropriate action, documents the decision, informs the client, and forwards copies of all documentation to the client's case record. The documentation must be kept for six years.

(b) When the privacy officer determines that an inappropriate use or disclosure has occurred, Oklahoma Department of Human Services (DHS) staff takes all practicable steps to mitigate the harmful effects. The type of mitigation that occurs is based on the facts and circumstances of each case.

2. (a) The privacy officer sends a letter to the business associate requesting review of the circumstances related to the alleged conduct and requires a response from the business associate within 10 business days.

(b) When the facts known to DHS indicate a violation of the business associate agreement, the privacy officer sends a letter outlining required remediation in order for the business associate to attain contract compliance.

(c) When contract compliance cannot be attained, DHS must terminate the contract when feasible. When termination is not feasible, the privacy officer reports the problem to the United States Department of Health and Human Services, Office for Civil Rights.

340:2-8-6. Uses and disclosures without authorization

Issued 8-21-03; Revised 9-16-19

Unless prohibited or limited by federal or state laws, per Section 164.512 of Title 45 of the Code of Federal Regulations, Oklahoma Department of Human Services (DHS) staff may use or disclose protected health information (PHI) without written authorization, per (1) through (11) of this Section. ¢ 1

(1) Individual access. DHS staff may disclose information to individuals who request disclosure of their own PHI, per Oklahoma Administrative Code 340:2-8-4(a)(1).

(2) Required by law. DHS staff may use or disclose PHI without authorization when the law requires such disclosure and the use or disclosure complies with, and is limited to, the relevant requirements of such law. ¢ 2

(3) Treatment, payment, or health care operations. DHS staff may use or disclose PHI without authorization:

(A) for its own treatment, payment, or health care operations;

(B) to another covered entity or health care provider for the payment activities of the entity that receives the PHI; or

(C) to another covered entity for the health care activities of that entity, if:

(i) both that entity and DHS have or have had a relationship with the individual who is the subject of the PHI; and

(ii) the PHI pertains to such relationship.

(4) Psychotherapy notes. DHS staff may use or disclose psychotherapy notes generated by DHS:

(A) in training programs where students, trainees, or practitioners in mental health services learn, under supervision, to practice or improve their skills;

(B) when a health oversight agency uses or discloses in connection with oversight of the originator of the notes; or

(C) to the extent authorized under state law to defend DHS in a legal action or other proceeding brought by an individual.

(5) Public health activities. DHS staff may disclose an individual's PHI to appropriate entities or persons for governmental public health activities and purposes, including, but not limited to, a:

(A) governmental public health authority that is authorized by law to collect or receive the PHI for the purpose of preventing or controlling disease, injury, or disability. This includes reporting vital events, such as:

(i) births and deaths; or

(ii) abuse or neglect of a vulnerable adult;

(B) governmental public health authority, or other appropriate government authority, that is authorized by law to receive child abuse or neglect reports; or

(C) person who may have been exposed to a communicable disease, or may be at risk of contracting or spreading a disease or condition, when DHS is authorized by law to notify such person as necessary in conducting a public health intervention or investigation.

(6) Health oversight activities. DHS staff may disclose PHI for health oversight activities authorized by law, including audits; civil, criminal, or administrative investigations, prosecutions, or actions; licensing or disciplinary actions; SoonerCare (Medicaid) fraud; or other activities necessary for oversight.

(7) Judicial and administrative proceedings. Unless prohibited by applicable federal and state law, DHS staff may disclose PHI for judicial or administrative proceedings as required by law, in response to a court order, a subpoena, a discovery request, or other lawful process.

(8) Law enforcement purposes. DHS staff discloses PHI only when required by federal or state laws.

(9) Deceased persons. DHS staff discloses PHI to a coroner or medical examiner only when required by federal or state laws.

(10) Organ or tissue donation. When a client is an organ donor, DHS staff may disclose PHI to an entity that participates in transplantation activities.

(11) To avert a serious threat to health or safety. DHS staff discloses PHI when:

(A) he or she believes in good faith that the PHI is necessary to prevent or lessen a serious or imminent threat to the health or safety of a person or the public; and

(B) the report is disclosed to a person(s) reasonably able to prevent or lessen a serious or imminent threat to the health or safety of a person or the public, including to the target of the threat.

INSTRUCTIONS TO STAFF 340:2-8-6

Issued 8-21-03; Revised 9-16-19

1. When Oklahoma Department of Human Services (DHS) staff is in doubt about using or disclosing protected health information without authorization, he or she contacts the DHS privacy officer for guidance.

2. Child Support Services sends a National Medical Support Notice (NMSN) to employers and insurers to enforce the provision of health care coverage for children of noncustodial parents who are required to provide health care coverage through an employment-related group health plan pursuant to a child support order, per Section 303.32 of Title 45 of the Code of Federal Regulations (45 C.F.R. § 303.32). Release of the information requested on the NMSN is a disclosure required by law, per 45 C.F.R. §§ 303.30(a)(7) and 303.32, Section 6058A of Title 36 of the Oklahoma Statutes, and Section 118.2(B) of Title 43 of the Oklahoma Statutes.

340:2-8-7. Authorization

Issued 8-21-03; Revised 9-16-19

(a) A valid authorization is required to disclose protected health information (PHI) unless it is:

(1) for the purposes of treatment, payment, or health care operations; or

(2) listed specifically in Oklahoma Administrative Code (OAC) 340:2-8-6.

(b) An authorization is considered valid when:

(1) it contains the elements described per Section 164.508(c) of Title 45 of the Code of Federal Regulations and OAC 340:2-8-2;

(2) the expiration date has not passed; and

(3) the authorization is signed by the client, parent, guardian, or client's personal representative. ¢ 1

(c) A client may revoke an authorization only in writing. ¢ 2

INSTRUCTIONS TO STAFF 340:2-8-7

Issued 8-21-03; Revised 9-16-19

1. (a) The client, parent, guardian, or client's personal representative completes and signs Oklahoma Department of Human Services (DHS) Form 13HI003E, Authorization to Disclose Medical Records, when he or she wants DHS to disclose protected health information to a third party.

(b) DHS staff gives a copy of Form 13HI003E to the client.

(c) Valid authorizations must be kept in the client's case record for at least six years.

2. DHS staff attaches a copy of the written revocation to the original Form 13HI003E and images or files the documents in the client's case record.

340:2-8-8. Disclosures to friends and relatives

Issued 8-21-03; Revised 9-16-19

(a) When the client is informed in advance and given the opportunity to either agree or to refuse or restrict the disclosure of protected health information (PHI), Oklahoma Department of Human Services (DHS) staff may disclose PHI to the client's friends and relatives to the extent the client allows. The disclosure must only reveal PHI that directly relates to such person's involvement with the client's care or payment for such care.

(b) When the client is not present, or the opportunity to object to the disclosure cannot practicably be provided due to the client's incapacity or an emergency situation, DHS staff determines, using professional judgment, if the disclosure is in the client's best interest. When disclosure is in the client's best interest, the minimum necessary disclosure may be made. When disclosure is not in the client's best interest, no disclosure is made.

(c) Verbal permission to disclose PHI to friends and relatives is not sufficient when the client is referred to or receiving substance abuse treatment, mental health, or vocational rehabilitation services. Written authorization is required under those circumstances.

340:2-8-9. Personal representative

Issued 8-21-03; Revised 9-16-19

(a) A personal representative must be authorized under state law or by the client to act on the client's behalf with respect to use or disclosure of protected health information (PHI).

(1) Personal representatives may include:

(A) an individual granted durable power of attorney for health care;

(B) an individual appointed as a health care proxy;

(C) a court appointed guardian who has authority over the care and management of the person, estate, or both;

(D) a court appointed executor or administrator of a deceased individual's estate;

(E) an Oklahoma Department of Human Services (DHS) Adult Protective Services employee investigating the abuse or neglect of an alleged vulnerable adult;

(F) a DHS Child Welfare Services employee who is responsible for a child in DHS custody; or

(G) a DHS Office of Client Advocacy employee.

(2) A parent, legal guardian, or legal custodian appointed by a court may act as a minor's personal representative except when the minor acts on his or her own behalf, per (A) through (F) of this paragraph. A minor acts on his or her own behalf when he or she:

(A) is married;

(B) has a dependent child;

(C) is emancipated;

(D) is separated from his or her parents or legal guardian and is not supported by them;

(E) is or was pregnant; or

(F) is seeking confidential treatment, diagnosis, or prevention services for a communicable disease or drug or alcohol use or abuse.

(b) DHS treats a personal representative the same as the client is treated, unless:

(1) there is reasonable belief that the client was or may be subjected to domestic violence, abuse, or neglect by the personal representative; or

(2) by using professional judgment, it is determined that it is not in the client's best interest to treat the person as a personal representative.

INSTRUCTIONS TO STAFF [REVOKED]

Issued 8-21-03

1.(a) Examples of personal representatives are:

(1) an individual who has been granted durable power of attorney for health care;

(2) an individual who has been appointed a health care proxy;

(3) a court appointed guardian who has authority over the care and management of the person, estate, or both; or

(4) a court appointed executor or administrator of a deceased's estate.

(b) A parent, legal guardian, or legal custodian appointed by a court may act as a minor's personal representative except in the circumstances listed in (c).

(c) A minor acts on his or her own behalf if the minor:

(1) is married;

(2) has a dependent child;

(3) is emancipated;

(4) is separated from his or her parents or legal guardian and is not supported by them;

(5) is or has been pregnant; or

(6) is seeking confidential treatment, diagnosis, or prevention services for a communicable disease or drug or alcohol abuse.

340:2-8-10. Minimum necessary standards

Issued 8-21-03; Revised 9-16-19

The Oklahoma Department of Human Services (DHS) limits requests for, use of, and disclosure of protected health information (PHI) to that which is reasonably necessary to accomplish the intended purpose of the use, disclosure, or request, per Section 164.502(b) of Title 45 of the Code of Federal Regulations (45 C.F.R. § 164.502(b)). This minimum necessary standard is not used to impede the essential activities of treatment, payment, or health care operations.

(1) The minimum necessary standard applies to:

(A) the use of PHI within DHS. Employees who:

(i) do not need PHI to perform their job duties must not access PHI; and

(ii) need PHI to perform their job duties must access PHI to the least extent necessary;

(B) disclosure of PHI to a third party in response to a request; and

(C) the request of PHI from another covered entity.

(2) The minimum necessary standard does not apply to:

(A) disclosures to or requests by a health care provider for treatment;

(B) disclosures made to the individual;

(C) disclosures made in accordance with a valid authorization, per 45 C.F.R. § 164.508(c);

(D) disclosures made to the United States Secretary of Health and Human Services for the purposes of compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule; or

(E) uses or disclosures that are required by law.

340:2-8-11. Safeguarding protected health information

Issued 8-21-03; Revised 9-16-19

(a) When Oklahoma Department of Human Services (DHS) staff is familiar with the person or entity requesting protected health information (PHI), DHS verifies the authority of the person or entity to receive the information. When DHS staff is not familiar with the person or entity requesting PHI, DHS staff verifies the identity and authority of the person or entity to receive the information, per Section 164.514(h) of Title 45 of the Code of Federal Regulations. ¢ 1

(b) DHS staff must exercise care to avoid incidental disclosures of PHI through verbal communications. ¢ 2

(c) Appointment reminders may be left on answering machines and voice mail systems, unless the client completes Form 13HI006E, Request for Alternative Means of Communication, or provides a written statement requesting an alternate means of communication. ¢ 3

(d) DHS staff may fax PHI when the PHI is sent with Form 13HI008E, Health Information Coversheet, and:

(1) only the minimum necessary PHI is sent;

(2) the information is not sensitive or, when sensitive, it is an emergency situation; and

(3) staff makes reasonable efforts to ensure the fax transmission is sent to the correct destination.

(e) PHI is only photocopied when necessary for treatment, payment, or health care operations, when authorized by the client or the client's personal representative, or when required by law.

(f) PHI must be discarded in accordance with OAC 340:2-21-35.

(g) Client's PHI placed in case records or other records must be filed and kept safe from unauthorized access.

(h) Clients and visitors must be appropriately escorted in a secured area to ensure unauthorized access to PHI does not occur.

(i) Computer monitors must be positioned to prevent unauthorized PHI observation or access, and unattended computers must be returned to a password protected screen saver.

(j) Correspondence, including email and fax, that includes PHI is allowed when limited to the minimum necessary standard, per Oklahoma Administrative Code 340:2-8-10.

INSTRUCTIONS TO STAFF 340:2-8-11

Issued 8-21-03; Revised 9-16-19

1. To verify the identity or authority of a person or entity requesting protected health information (PHI), staff obtains documentation, statements, or verbal or written representations.

2. When discussing PHI, staff avoids conversations in public areas, lowers their voices, and pays attention to unauthorized listeners.

3. The content of appointment reminders and phone messages must follow the minimum necessary standard.

340:2-8-12. Business associate

Issued 8-21-03; Revised 9-16-19

(a) A business associate, per Section 160.103 of Title 45 of the Code of Federal Regulations (45 C.F.R. § 160.103), is defined as an individual or entity who:

(1) performs on behalf of the Oklahoma Department of Human Services (DHS) any function or activity involving the use or disclosure of protected health information (PHI); and

(2) is not a member of the DHS workforce.

(b) The definition of "function or activity" includes:

(1) claims processing or administration;

(2) data analysis and data processing;

(3) utilization review;

(4) quality assurance; and

(5) billing, actuarial accounting, and other financial services.

(c) DHS discloses a client's PHI to a business associate, and allows a business associate to create or receive PHI on behalf of DHS.

(d) DHS enters into a contractual agreement with a business associate, per 45 C.F.R. § 164.504(e). The contract includes the appropriate language and provisions required by the federal Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule regarding the proper use and disclosure of PHI. ¢ 1

INSTRUCTIONS TO STAFF 340:2-8-12

Issued 8-21-03; Revised 9-16-19

1. Questions regarding the status of a vendor or independent contractor are forwarded to the privacy officer, per Oklahoma Administrative Code 340:2-8-5.

340:2-8-13. Uses and disclosures for research or marketing purposes

Issued 8-21-03; Revised 9-15-19

(a) Per Section 164.508(a) of Title 45 of the Code of Federal Regulations, the Oklahoma Department of Human Services (DHS) must obtain a valid authorization for any use or disclosure of protected health information (PHI) to outside entities for research purposes. ¢ 1

(b) DHS must obtain a valid authorization for any use or disclosure of PHI for marketing purposes unless the communication is in the form of face-to-face contact made by DHS staff. ¢ 1

INSTRUCTIONS TO STAFF 340:2-8-13

Issued 8-21-03; Revised 9-16-19

1. All requests for protected health information (PHI) for research and/or marketing purposes are referred to the privacy officer, per Oklahoma Administrative Code 340:2-8-5. A valid authorization is not required when the PHI is requested by face-to-face contact from other Oklahoma Department of Human Services staff.

340:2-8-14. Privacy complaints

Issued 8-21-03; Revised 9-16-19

(a) A client or employee wishing to file a complaint regarding the use or disclosure of protected health information (PHI) is instructed to contact the Oklahoma Department of Human Services (DHS) privacy officer. ¢ 1

(b) A client or employee who requests an alternative means of filing a complaint regarding the use or disclosure of PHI is instructed to contact the United States Department of Health and Human Services. ¢ 2

(c) Per Section 160.316 of Title 45 of the Code of Federal Regulations, DHS must not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for:

(1) filing a privacy violation complaint;

(2) testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing conducted by a government enforcement agency; or

(3) opposing any act or practice made unlawful by the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, provided the manner of opposition does not involve a disclosure of PHI.

INSTRUCTIONS TO STAFF 340:2-8-14

Issued 8-21-03; Revised 9-16-19

1. (a) The address is: Oklahoma Department of Human Services, Privacy Officer, PO Box 25352, Oklahoma City, Oklahoma 73125.

(b) The privacy officer documents each complaint received and must keep the documentation for at least six years.

(c) The privacy officer investigates each complaint and documents the resolution of the investigation and any corrective actions taken.

2. The address is: Office for Civil Rights, United States Department of Health and Human Services, 1301 Young Street, Suite 1169, Dallas, Texas 75202.
