Open records are routinely disclosed without the consent of
the subject. To the extent allowed by law, the department may also use and
disclose confidential information without the consent of the subject or the
subject's representative.
(1)
Internal use. Confidential information may be disclosed to
employees and agents of the department as needed for the performance of their
duties. The custodian of the record shall determine what constitutes legitimate
need to use confidential records.
(2)
Audits and health oversight
activities.
a.
Audits. Information concerning program expenditures and client
eligibility is released to staff of the state executive and legislative
branches who are responsible for ensuring that public funds have been managed
correctly. Information is also released to auditors from federal agencies when
those agencies provide program funds.
b.
Health oversight
activities. The department will follow the uses and disclosures
standards for health oversight activities as outlined in
45 CFR §
164.512 as amended to January 6,
2016.
(3)
Program
review. Information concerning client eligibility and benefits is
released to state or federal officials responsible for determining whether the
department is operating a program lawfully. These officials include the
ombudsman office under Iowa Code section
2C.9, the auditor of state under
Iowa Code section 11.2, the Office of Inspector General in the federal
Department of Health and Human Services, and the Centers for Medicare and
Medicaid Services.
(4)
Contracts and agreements with agencies and persons.
a. The department may enter into contracts or
agreements with public or private agencies to carry out the department's
official duties or as necessary to administer a program within the other
agency. Information necessary to carry out these duties may be shared with
these agencies. The department may disclose protected health information to a
business associate and may allow a business associate to create or receive
protected health information on its behalf if the department obtains
satisfactory assurance that the business associate will appropriately safeguard
the information.
b. The department
may enter into agreements to share information with agencies administering
federal or federally assisted programs which provide assistance or services
directly to persons on the basis of need. Only information collected in the
family investment program, the child care assistance program, the food
assistance program, the refugee resettlement program, or the child support
recovery program may be shared under these agreements.
c. To meet federal income and eligibility
verification requirements, the department has entered into agreements with the
department of workforce development, the United States Internal Revenue
Service, and the United States Social Security Administration. The department
obtains information regarding persons whose income or resources are considered
in determining eligibility and the amount of benefits for the family investment
program, refugee cash assistance, child care assistance, food assistance,
Medicaid, state supplementary assistance and foster care. Identifying
information regarding clients of these programs is released to these agencies.
The information received may be used for eligibility and benefit
determinations.
d. To meet federal
requirements under the Immigration Reform and Control Act of 1986 (IRCA)
relating to the Systematic Alien Verification for Entitlements (SAVE) program,
the department has entered into an agreement with the Bureau of Citizenship and
Immigration Service (BCIS). Under the agreement, the department exchanges
information necessary to verify alien status for the purpose of determining
eligibility and the amount of benefits for the family investment program,
refugee cash assistance, food assistance, Medicaid, state supplementary
assistance and foster care assistance. Identifying information regarding these
subjects is released to the BCIS. The information received may be used for
eligibility and benefit determinations.
e. The department has entered into an
agreement with the department of workforce development to provide services to
family investment program clients participating in the PROMISE JOBS program as
described at 441-Chapter 93. Information necessary to carry out these duties
shall be shared with the department of workforce development, as well as with
its subcontractors.
f. The
department has entered into an agreement with the department of education,
vocational rehabilitation, disability determination services, to assist with
Medicaid disability determinations.
g. The department has entered into an
agreement with the department of education to share information that assists
both schools and department clients in carrying out the annual verification
process required by the United States Department of Agriculture, Food and
Nutrition Service. That federal agency requires the department of education and
local schools to verify eligibility of a percentage of the households approved
for free-meal benefits under the school lunch program. When a department office
receives a written request from the local school, the department office
responds in writing with the current family investment program and food
assistance program status of each recipient of free meals listed in the
request. Other client-specific information is made available only with written
authorization from the client.
(5)
Release for judicial and
administrative proceedings. Information is released to the court as
required in Iowa Code sections
125.80,
125.84,
125.86,
229.8,
229.10,
229.13, 229.14,
229.15,
229.22,
232.48,
232.49,
232.52,
232.71B,
232.81,
232.97, 232.98,
232.102,
232.111,
232.117 and
235B.3.
a. The department may disclose protected
health information in the course of any judicial or administrative proceeding
in response to an order of a court or administrative tribunal, provided that
the department discloses only the protected health information expressly
authorized by the order and the court makes the order knowing that the
information is confidential.
b.
When a court subpoenas information that the department is prohibited from
releasing, the department shall advise the court of the statutory and
regulatory provisions against disclosure of the information and shall disclose
the information only on order of the court.
(6)
Fraud. Information
concerning suspected fraud or misrepresentation to obtain department services
or assistance is disclosed to the department of inspections, appeals, and
licensing and to law enforcement authorities.
(7)
Service referrals.
Information concerning clients may be shared with purchase of service providers
under contract to the department.
a.
Information concerning the client's circumstances and need for service is
shared with prospective providers to obtain placement for the client. If the
client is not accepted for service, all written information released to the
provider shall be returned to the department.
b. When the information needed by the
provider is mental health information or substance abuse information, the
subject's specific consent is required.
(8)
Medicaid billing. Only
the following information shall be released to bona fide providers of medical
services in the event that the provider is unable to obtain it from the subject
and is unable to complete the Medicaid claim form without it:
a. Patient identification number.
b. Health coverage code as reflected on the
subject's medical card.
c. The
subject's date of birth.
d. The
subject's eligibility status for the month that the service was
provided.
e. The amount of
spenddown.
f. The bills used to
meet spenddown.
(9)
Reserved.
(10)
Child support
recovery. The child support recovery unit has access to information
from most department records for the purpose of establishing and enforcing
support obligations. Information about absent parents and recipients of child
support services is released according to the provisions of Iowa Code chapters
234, 252A, 252B, 252C, 252D, 252E, 252F, 252G, 252H, 252I, 252J, 252K, 598, and
600B and any other support chapter. Information is also released to consumer
reporting agencies as specified in rule
441-98.116 (252B).
(11)
Refugee resettlement
program. Contacts with both sponsor and resettlement agencies are made
as a part of the verification process to determine eligibility or the amount of
assistance. When a refugee applies for cash or Medicaid, the refugee's name,
address, and telephone number are given to the refugee's local resettlement
agency.
(12)
Abuse
investigation. The central abuse registry disseminates child abuse
information and dependent adult abuse information as provided in Iowa Code
sections 235A.15 and
235B.7, respectively. Reports of
child abuse and dependent adult abuse investigations are submitted to the
county attorney as required in Iowa Code sections
232.71B and
235B.3. Results of the
investigation of a report by a mandatory reporter are communicated to the
reporter as required in Iowa Code sections
235A.17(2) and
235A.15(2)
"b" (5).
(13)
Foster care. Information concerning a child's need for foster
care is shared with foster care review committees or foster care review boards
and persons named in the case permanency plan.
(14)
Adoption. Adoptive home
studies completed on families who wish to adopt a child are released to
licensed child-placing agencies, to the United States Immigration and
Naturalization Service, and to adoption exchanges. Information is released from
adoption records as provided in Iowa Code sections 600.16 and
600.24.
(15)
Disclosures to law
enforcement.
a.
Disclosures
by workforce members who are crime victims. The department is not
considered to have violated the requirements of this chapter if a member of its
workforce who is the victim of a criminal act discloses confidential
information to a law enforcement official, provided that:
(1) The confidential information disclosed is
about the suspected perpetrator of the criminal act and intended for
identification and location purposes; and
(2) The confidential information disclosed is
limited to the following information:
1. Name
and address.
2. Date and place of
birth.
3. Social security
number.
4. ABO blood type and Rh
factor.
5. Type of
injury.
6. Date and time of
treatment.
7. Date and time of
death, if applicable.
8. A
description of distinguishing physical characteristics, including height,
weight, gender, race, hair and eye color, presence or absence of facial hair
(beard or moustache), scars, and tattoos.
b.
Crime on premises. The
department may disclose to a law enforcement official protected health
information that the department believes in good faith constitutes evidence of
criminal conduct that occurred on the premises of the department.
c.
Decedents. The department
may disclose protected health information to a law enforcement official about a
subject who has died when the death resulted from child abuse or neglect or the
death occurred in a department facility.
d.
Other. The department may
disclose confidential information to a law enforcement official when otherwise
required or allowed by this chapter, such as disclosures about victims of child
abuse or neglect; disclosures to avert a threat to health or safety, or to
report suspected fraud; disclosures required by due process of law, such as
disclosures for judicial and administrative proceedings; or other disclosures
required by law.
(16)
Response to law enforcement. The address of a current
recipient of family investment program benefits may be released upon request to
a federal, state or local law enforcement officer if the officer provides the
name of the recipient, and the officer demonstrates that:
a. The recipient is a fugitive felon who is
fleeing prosecution, custody or confinement after conviction under state or
federal law, or who is a probation or parole violator under state or federal
law, or
b. The recipient has
information that is necessary for the officer to conduct the officer's official
duties, and
c. The location or
apprehension of the recipient is within the officer's official
duties.
(17)
Research. Disclosure is made to employees of federal, state
and local agencies and other researchers for purposes of bona fide research.
The department shall not release data or information pursuant to this paragraph
unless the department and the researcher have executed an agreement that
includes the conditions under which the confidential data or information may be
used and restrictions on further disclosure of the data or information.
a. Mental health information may be disclosed
for purposes of scientific research as provided in Iowa Code sections
228.5 and 229.25. Requests to do
research involving records of a department facility shall be approved by the
designated authority.
b. Abuse
registry information may be disclosed for research purposes as provided in
rules
441-175.42 (235A) and
441-176.12(235B) and authorized by Iowa Code sections
235A.15(2)
"e"(1) and 235B.6(2)
"e"(1).
c. For research relating to
protected health information, the researcher shall provide the department with
information about the nature of the research, the protocol, the type of
information being requested, and any other relevant information that is
available concerning the request. If the researcher feels that contact with the
subject is needed, the researcher shall demonstrate to the department that the
research cannot be conducted without contact with the subject. The researcher
shall pay for the costs of obtaining authorizations needed to contact the
subjects and for the cost of files and preparation needed for the research.
(18)
Threat to
health or safety.
a. All programs. A
client's name, identification, location, and details of a client's threatened
or actual harm to department staff or property may be reported to law
enforcement officials. Other information regarding the client's relationship to
the department shall not be released. When a department staff person believes a
client intends to harm someone, the staff person may warn the intended victim
or police or both. Only the name, identification, and location of the client
and the details of the client's plan of harm shall be disclosed.
b. Protected health information. The
department will follow the disclosure standards in
45 CFR §
164.512 as amended to January 6,
2016.
(19)
Required by law.
a.
Information is shared with other agencies without a contract or written
agreement when federal law or regulations require it.
b. The department may use or disclose
protected health information to the extent that use or disclosure is required
by law and the use or disclosure complies with and is limited to the relevant
requirements of the law.
c. State
law shall preempt rules in this chapter about protected health information when
any one of the following conditions exists:
(1) Exception granted by Secretary of Health
and Human Services under 45
CFR §
160.204 as amended to March 26,
2013.
(2) State law more stringent.
The provision of state law relates to the privacy of protected health
information and is more stringent than a requirement of this chapter, within
the meaning of "more stringent" found at
45 CFR §
160.202 as amended to March 26,
2013.
(3) Reporting requirements.
The provision of state law, including state procedures established under the
law, as applicable, provides for the reporting of disease or injury, child
abuse, birth, or death, or for the conduct of public health surveillance,
investigation, or intervention.
(4)
Requirements related to audits, monitoring, evaluation, licensing, and
certification. The provision of state law requires a health plan to report, or
to provide access to, information for the purpose of management audits,
financial audits, program monitoring and evaluation, or the licensure or
certification of facilities and persons.
(20)
Treatment, payment, or health
care operations.
a. The department
may use or disclose protected health information for treatment, payment, or
health care operations, as permitted by
45 CFR §
164.506 as amended to January 25, 2013,
except for psychotherapy notes, which are subject to the limits described in
paragraph 9.10(21)
"b." The use or disclosure shall be
consistent with other applicable requirements of this chapter.
b. The department may use or disclose
psychotherapy notes without an authorization for any one of the following
reasons:
(1) To carry out the following
treatment, payment, or health care operations:
1. Use by the originator of the psychotherapy
notes for treatment.
2. Use or
disclosure by the department for its own training programs in which students,
trainees, or practitioners in mental health learn under supervision to practice
or improve their skills in group, joint, family, or individual
counseling.
3. Use or disclosure by
the department to defend itself in a legal action or other proceeding brought
by the subject.
(2) When
required by the Secretary of Health and Human Services to investigate or
determine the department's compliance with federal HIPAA regulations.
(3) For health oversight activities with
respect to the oversight of the originator of the psychotherapy
notes.
(4) When necessary to
prevent or lessen a serious and imminent threat to the health or safety of a
person or the public as described in this chapter.
(5) When required by law as described in this
chapter.
(6) To disclose protected
health information in the designated record set to a coroner or medical
examiner as described in this chapter.
(21)
Other uses and disclosures for
which an authorization or opportunity to agree or object is not
required. The department may use or disclose protected health
information for which an authorization or opportunity to agree or object is not
required, as permitted by 45
CFR §
164.512 as amended to January 25,
2013.
(22)
Victims of
domestic violence. The department shall disclose confidential
information about an individual whom the department reasonably believes to be a
victim of domestic violence when required by state law.
(23)
Whistle blowers. The
department is not considered to have violated the requirements of this chapter
when a member of its workforce or a business associate discloses protected
health information, provided that:
a. The
workforce member or business associate has a good-faith belief that the
department or a business associate has engaged in conduct that is unlawful or
otherwise violates professional or clinical standards, or has provided care,
services, or conditions that potentially endanger one or more patients,
workers, or the public; and
b. The
disclosure is made to one of the following:
(1) A health oversight agency or public
health authority authorized by law to investigate or oversee conduct or
conditions for the purpose of reporting the allegation of failure to meet
professional standards or misconduct.
(2) An appropriate health care accreditation
organization.
(3) An attorney
retained by or on behalf of the workforce member or business associate for the
purpose of determining the legal options of the workforce member or business
associate.
(24)
Secondary to a use or disclosure of protected health
information. The department may use or disclose protected health
information that is secondary to a use or disclosure otherwise permitted or
required by these rules, such as when a visitor in a facility overhears a
doctor speaking to a subject about the subject's health.
(25)
De-identified data or a limited
data set. The department may use or disclose protected health
information to create information that is de-identified or a limited data set
under the conditions specified in
45 CFR §
164.514 as amended to August 14,
2002.