
1.00 - MANAGEMENT AND PROTECTION OF PERSONAL HEALTH INFORMATION
I. Purpose:
To issue instructions to all ADAMH workforce members regarding the management and protection of individuals' health information.
II. Applicability:
This policy applies to all ADAMH workforce members.
III. Authority:
45 CFR Parts 160 & 164
IV. Definitions:
Covered Entity (CE) means a health plan, a health care clearinghouse, or a health care provider that transmits any health information in electronic form relating to any covered transaction.
Health Plan means an individual or group plan that provides, or pays the cost of, medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)).
Health Oversight Agency means an entity acting under a grant of authority from, or a contract with a State, that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance.
Protected Health Information (PHI) means individually identifiable information relating to the past, present or future physical or mental health or condition of an individual, provision of health care to an individual, or the past, present or future payment for health care provided to an individual.
Designated Record Set means a group of records maintained by or for the ADAMH Board. It includes the medical and billing records relating to an individual; the enrollment, payment, claims adjudication, and case or medical management systems maintained by or for a health plan; or records used, in whole or in part, by or for the ADAMH Board to make decisions about individuals.
Treatment, Payment and Health Care Operations (TPO) includes all of the following:
Treatment means the provision, coordination, or management of health care and related services, consultation between providers relating to an individual, or referral of an individual to another provider for health care.
Payment means activities undertaken to obtain or provide reimbursement for health care, including determinations of eligibility or coverage, billing, collections activities, medical necessity determinations and utilization review.
Health Care Operations includes functions such as quality assessment and improvement activities, reviewing competence or qualifications of health care professionals, conducting or arranging for medical review, legal services and auditing functions, business planning and development, and general business and administrative activities.
Disclosure means the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.
Use means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.
Personal Representative means a person who has authority under applicable law to make decisions related to health care on behalf of an adult or an emancipated minor, or the parent, guardian, or other person acting in loco parentis who is authorized under law to make health care decisions on behalf of an unemancipated minor, except where the minor is authorized by law to consent, on his/her own or via court approval, to a health care service, or where the parent, guardian or person acting in loco parentis has assented to an agreement of confidentiality between the provider and the minor.
Workforce Members means Board of Trustees members, employees, volunteers, trainees, and other persons whose conduct, in the performance of work for ADAMH, is under the direct control of ADAMH, regardless of whether they are paid by ADAMH.
V. Policy:
For details on specific requirements, refer to the appropriate policies in this ADAMH HIPAA Policies & Procedures Manual as indicated in brackets.
- ADAMH designation: ADAMH defines itself as a Health Plan (45 CFR 160.103) and a Health Oversight Agency (45 CFR 164.501) as defined by the final HIPAA Administrative Simplification rules.
- Generally: PHI shall not be used or disclosed except as permitted or required by law.
- Notice of Privacy Practices Required: Individuals served must be given a Privacy Notice outlining the uses and disclosures of PHI that may be made, and notifying them of their rights and our legal duties with respect to PHI. [See 3.00 Privacy Notice]
- Permitted and Required Uses and Disclosures: PHI may or shall be disclosed as follows:
  - To the individual [See 7.00 Individuals' Rights Related to PHI];
  - To carry out TPO activities, within specified limits [See 5.00 Use or Disclosure of PHI for TPO Purposes];
  - Pursuant to and in compliance with a current and valid Authorization [See 6.00 Authorization for Use or Disclosure of PHI];
  - In keeping with a Business Associate arrangement [See 9.00 Business Associate Agreements];
  - As otherwise provided for in the HIPAA privacy regulations [See 5.00 V. B. Uses and Disclosures of PHI beyond TPO for which Authorization is Not Required].
- Minimum Necessary: Generally, when using or disclosing PHI, or when requesting PHI from another entity, reasonable efforts must be made to limit the PHI used or disclosed to the minimum necessary to accomplish the purpose of the use/disclosure [See 4.00 Minimum Necessary Requirements].
- Personal Representatives: A person acting in the role of personal representative must be treated as the individual regarding access to relevant PHI unless:
  - The individual is an unemancipated minor, but is authorized to give lawful consent, or may obtain the health care without consent of the personal representative, and the minor has not requested that the person be treated as a personal representative, or the personal representative has assented to an agreement of confidentiality between the provider and the minor;
  - There is a reasonable basis to believe that the individual has been or may be subjected to domestic violence, abuse or neglect by the personal representative or that treating that person as a personal representative could endanger the individual, and, in the exercise of professional judgment, it is determined not to be in the best interests of the individual to treat that person as a personal representative.
- Agreed Upon Restrictions: An individual has a right to request a restriction on any uses or disclosures of his/her PHI, though a covered entity need not agree to the requested restriction, and cannot agree to a restriction relating to disclosures required under law (i.e. disclosures to the U.S. Secretary of Health and Human Services for HIPAA enforcement purposes). [See 7.00 Individuals' Rights Related to PHI]
- Confidential Communications: An individual has a right to request to receive communications of PHI by alternative means or at alternative locations, and reasonable requests must be accommodated. [See 7.00 Individuals' Rights Related to PHI]
- Accounting for Disclosures: An individual has a right to an accounting of disclosures of his/her PHI for up to a six year period. [See 8.00 Accounting for Disclosures of PHI]
- De-identified PHI: Health information may be considered not to be individually identifiable in the following circumstances:
  - A person with appropriate knowledge and experience with generally acceptable statistical and scientific principles and methods determines that the risk is very small that the information could be used, alone or with other reasonably available information, to identify the individual who is the subject of the information; or
  - The following identifiers of the individual (and relatives, employers or household members) are removed: names; information relating to the individual's geographic subdivision if it contains fewer than 20,000 people; elements of dates (except year) directly related to the individual, and all ages and elements of dates that indicate age for individuals over 89, unless aggregated into a single category of age 90 and older; telephone numbers; fax numbers; email addresses; social security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate or license numbers; vehicle identifiers and serial numbers, including license plate numbers; device identifiers and serial numbers; Web Universal Resource Locators (URLs); Internet Protocol (IP) address numbers; biometric identifiers; full face photographic images; and any other unique identifying number, characteristic or code.
- Complaint Process: The ADAMH Board must have in place a process for individuals to make complaints about the entity's HIPAA policies and procedures and/or the entity's compliance with those policies and procedures. [See 11.00 Complaint Processes]
- Documentation: ADAMH must maintain written or electronic copies of all policies and procedures, communications, actions, activities or designations as are required to be documented under this manual for a period of six (6) years from the later of the date of creation or the last effective date. NOTE: This is the documentation requirement under HIPAA, but does not necessarily reflect any longer retention period for particular documentation that may be mandated by state or federal law on another basis.