Open records are routinely disclosed without the consent of
the subject. To the extent allowed by law, the department may also use and
disclose confidential information without the consent of the subject or the
Confidential information may be disclosed to
employees and agents of the department
as needed for the performance of their
duties. The custodian
of the record shall determine what constitutes legitimate
need to use confidential records.
People affected by this rule include:
1. County-paid staff, field work students,
and volunteers working under the direction of the department.
2. Council and commission members.
3. Policy review and advisory
4. Consultants to the
Audits and health oversight activities.
concerning program expenditures and client eligibility is released to staff of
the state executive and legislative branches who are responsible for ensuring
that public funds have been managed correctly. Information is also released to
auditors from federal agencies when those agencies provide program
shall disclose protected health information
to the Secretary of Health and Human Services to investigate or determine the
's compliance with federal HIPAA regulations.
Except as specified in paragraph
may also use protected health
information, or disclose it to a health oversight agency, for other health
oversight activities authorized by law. Health oversight activities include
audits; civil, administrative, or criminal investigations; inspections;
licensure or disciplinary actions; civil, administrative, or criminal
proceedings or actions; or other activities necessary for appropriate oversight
1. The health care system;
2. Government benefits programs for which
protected health information is relevant to client eligibility;
3. Organizations subject to government
regulatory programs for which protected health information is necessary for
determining compliance with program standards; or
4. Organizations subject to civil rights laws
for which protected health information is necessary for determining
(2) If a
health oversight activity or investigation is conducted in conjunction with an
oversight activity or investigation relating to a claim for public benefits not
related to health, the joint activity or investigation shall be considered a
health oversight activity for purposes of subrule 9.10(2).
Exception to health oversight
For the purpose of the disclosures permitted by paragraph
a health oversight activity shall not include an
investigation or other activity in which the subject
is also the subject
investigation or activity, unless the investigation or other activity directly
(1) The receipt of health
(2) A claim for public health
(3) Qualification for
or receipt of public benefits or services, when a patient's health is integral
to the claim for public benefits or services.
Information concerning client eligibility and benefits is released to state or
federal officials responsible for determining whether the department is
operating a program lawfully. These officials include the ombudsman office
under Iowa Code section
2C.9, the auditor of state
under Iowa Code section
Office of Inspector General in the federal Department of Health and Human
Services, and the Centers for Medicare and Medicaid Services.
Contracts and agreements with
agencies and persons.
department may enter into contracts or agreements with public or private
agencies, such as the department of inspections and appeals, and business
associates, such as, but not limited to, the Iowa Medicaid enterprise units, in
order to carry out the department's official duties. Information necessary to
carry out these duties may be shared with these agencies. The department may
disclose protected health information to a business associate and may allow a
business associate to create or receive protected health information on its
behalf, if the department obtains satisfactory assurance that the business
associate will appropriately safeguard the information.
b. The department may enter into agreements
to share information with agencies administering federal or federally assisted
programs which provide assistance or services directly to persons on the basis
of need. Only information collected in the family investment program, the child
care assistance program, the food assistance program, the refugee resettlement
program, or the child support recovery program may be shared under these
To meet federal
income and eligibility verification requirements, the department
into agreements with the department
of workforce development, the United States
Internal Revenue Service, and the United States Social Security Administration.
The department obtains information regarding persons whose
income or resources are considered in determining eligibility and the amount of
benefits for the family investment program, refugee cash assistance, child care
assistance, food assistance, Medicaid, state supplementary assistance and
foster care. Identifying information regarding clients of these programs is
released to these agencies. The information received may be used for
eligibility and benefit determinations.
d. To meet federal requirements under the
Immigration Reform and Control Act of 1986 (IRCA) relating to the Systematic
Alien Verification for Entitlements (SAVE) program, the department has entered
into an agreement with the Bureau of Citizenship and Immigration Service
(BCIS). Under the agreement, the department exchanges information necessary to
verify alien status for the purpose of determining eligibility and the amount
of benefits for the family investment program, refugee cash assistance, food
assistance, Medicaid, state supplementary assistance and foster care
assistance. Identifying information regarding these subjects is released to the
BCIS. The information received may be used for eligibility and benefit
has entered into an agreement with the department
of workforce development to
provide services to family investment program clients participating in the
PROMISE JOBS program as described at 441-Chapter 93. Information necessary to
carry out these duties shall be shared with the department
development, as well as with its subcontractors.
The department has entered into an agreement with the
department of human rights to provide services to family investment program
clients participating in the family development and self-sufficiency program as
described at 441-Chapter 165. Information necessary to carry out these duties
shall be shared with the department of human rights, as well as with that
State legislation requires that all emergency assistance households apply for
and accept benefits for which they may qualify from the energy assistance,
county general relief and veteran's affairs programs before approval for
emergency assistance. To meet this requirement, the department may enter into
agreements with the agencies that administer these programs under which they
may provide services to emergency assistance households as described at
441-Chapter 58. Information necessary to carry out these duties shall be shared
with these agencies.
department has entered into an agreement with the department of education,
vocational rehabilitation, disability determination services, to assist with
Medicaid disability determinations.
has entered into an
agreement with the department
of education to share information that assists
both schools and department
clients in carrying out the annual verification
process required by the United States Department
of Agriculture, Food and
Nutrition Service. That federal agency requires the department
of education and
local schools to verify eligibility of a percentage of the households approved
for free-meal benefits under the school lunch program.
When a department office receives a written request from the
local school, the department office responds in writing with the current family
investment program and food assistance program status of each recipient of free
meals listed in the request. Other client-specific information is made
available only with written authorization from the client.
Release for judicial
and administrative proceedings.
Information is released to the court
as required in Iowa Code sections
a. The department may disclose protected
health information in the course of any judicial or administrative proceeding
in response to an order of a court or administrative tribunal, provided that
the department discloses only the protected health information expressly
authorized by the order and the court makes the order knowing that the
information is confidential.
When a court subpoenas information that the department is prohibited from
releasing, the department shall advise the court of the statutory and
regulatory provisions against disclosure of the information and shall disclose
the information only on order of the court.
concerning suspected fraud or misrepresentation to obtain department services
or assistance is disclosed to the department of inspections and appeals and to
law enforcement authorities.
Information concerning clients may be
shared with purchase of service providers under contract to the department
a. Information concerning the client's
circumstances and need for service is shared with prospective providers to
obtain placement for the client. If the client is not accepted for service, all
written information released to the provider shall be returned to the
b. When the information
needed by the provider is mental health information or substance abuse
information, the subject's specific consent is required in subrule
Only the following information shall be
released to bona fide providers of medical services in the event that the
provider is unable to obtain it from the subject
and is unable to complete the
Medicaid claim form without it:
coverage code as reflected on the subject's medical card.
c. The subject's date of birth.
d. The subject's eligibility status for the
month that the service was provided.
e. The amount of spenddown.
f. The bills used to meet
Information necessary for billing is released
to county governments that pay part of the cost of care for intermediate care
services for the mentally retarded under 441-subrule 82.14(2) or
Medicaid waiver services under rule
information includes client
names, identifying numbers, provider names, number
of days of care, amount of client
payment, and amount of payment due.
Child support recovery.
The child support recovery unit has access to information from most department
records for the purpose of establishing and enforcing support obligations.
Information about absent parents and recipients of child support services is
released according to the provisions of Iowa Code chapters 234, 252A, 252B,
252C, 252D, 252E, 252F, 252G, 252H, 2521, 252J, 252K, 598, 600B, and any other
support chapter. Information is also released to consumer reporting agencies as
specified in rule 441-98.116
program. Contacts with both sponsor and resettlement agencies are made
as a part of the verification process to determine eligibility or the amount of
assistance. When a refugee applies for cash or Medicaid, the refugee's name,
address, and telephone number are given to the refugee's local resettlement
investigation. The central abuse registry disseminates child abuse
information and dependent adult abuse information as provided in Iowa Code
respectively. Reports of child abuse and dependent adult abuse investigations
are submitted to the county attorney as required in Iowa Code sections
Results of the investigation of a report by a mandatory reporter are
communicated to the reporter as required in Iowa Code sections 23 5A. 17(2) and
Information concerning a child's need for foster care is shared with foster
care review committees or foster care review boards and persons named in the
case permanency plan.
Adoption. Adoptive home studies completed on families who wish
to adopt a child are released to licensed child-placing agencies, to the United
States Immigration and Naturalization Service, and to adoption exchanges.
Information is released from adoption records as provided in Iowa Code sections
Disclosures to law
by workforce members who are crime victims.
considered to have violated the requirements of this chapter if a member of its
workforce who is the victim of a criminal act discloses confidential
information to a law enforcement official, provided that:
(1) The confidential information disclosed is
about the suspected perpetrator of the criminal act and intended for
identification and location purposes; and
The confidential information disclosed is
limited to the following information:
2. Date and place of
3. Social security
4. ABO blood type and Rh
5. Type of
6. Date and time of
7. Date and time of
death, if applicable.
description of distinguishing physical characteristics, including height,
weight, gender, race, hair and eye color, presence or absence of facial hair
(beard or moustache), scars, and tattoos.
Crime on premises. The
department may disclose to a law enforcement official protected health
information that the department believes in good faith constitutes evidence of
criminal conduct that occurred on the premises of the department.
Decedents. The department
may disclose protected health information to a law enforcement official about a
subject who has died when the death resulted from child abuse or neglect or the
death occurred in a department facility.
Other. The department may
disclose confidential information to a law enforcement official when otherwise
required or allowed by this chapter, such as disclosures about victims of child
abuse or neglect; disclosures to avert a threat to health or safety, or to
report suspected fraud; disclosures required by due process of law, such as
disclosures for judicial and administrative proceedings; or other disclosures
required by law.
Response to law enforcement.
The address of a current
recipient of family investment program benefits may be released upon request to
a federal, state or local law enforcement officer if the officer provides the
name of the recipient, and the officer demonstrates that:
a. The recipient is a fugitive felon who is
fleeing prosecution, custody or confinement after conviction under state or
federal law, or who is a probation or parole violator under state or federal
b. The recipient has
information that is necessary for the officer to conduct the officer's official
c. The location or
apprehension of the recipient is within the officer's official
Information that does not identify individual
clients may be disclosed for research
purposes with the consent of the division
administrator responsible for the records. The division administrator shall
investigate the credentials of the researcher.
a. Mental health information may be disclosed
for purposes of scientific research as provided in Iowa Code section
subsection 3, and section
Requests to do research involving records of a department facility shall be
approved by the designated authority.
Abuse registry information may be
disclosed for research
purposes as provided in rules
441-176.11(235B) and authorized by Iowa Code sections
c. For research relating to protected health
information, the researcher shall provide the department with information about
the nature of the research, the protocol, the type of information being
requested, and any other relevant information that is available concerning the
request. If the researcher feels that contact with the subject is needed, the
researcher shall demonstrate to the department that the research cannot be
conducted without contact with the subject. The researcher shall pay for the
costs of obtaining authorizations needed to contact the subjects and for the
cost of files and preparation needed for the research.
Threat to health or
All programs. A client
name, identification, location, and details of a client
's threatened or actual
harm to department staff or property may be reported to law enforcement
officials. Other information regarding the client
's relationship to the
department shall not be released.
When a department staff person believes a client intends to
harm someone, the staff person may warn the intended victim or police or both.
Only the name, identification, and location of the client and the details of
the client's plan of harm shall be disclosed.
Protected health information
may, consistent with applicable law and standards of ethical
conduct, use or disclose protected health information, if the department
good faith, believes the use or disclosure:
(1) Is necessary to prevent or lessen a
serious and imminent threat to the health or safety of a person or the public;
and is to a person or persons reasonably able to prevent or lessen the threat,
including the target of the threat; or
(2) Is necessary for law enforcement purposes
as described in this chapter.
c. When the department uses or discloses
protected health information pursuant to paragraph
9.10(18)"b," the department is considered to have acted in
good faith if the action is based on the department's actual knowledge or on a
credible representation by a person with apparent knowledge or
Required by law.
Information is shared with other agencies without a contract or written
agreement when federal law or regulations require it.
b. The department may use or disclose
protected health information to the extent that use or disclosure is required
by law and the use or disclosure complies with and is limited to the relevant
requirements of the law.
law shall preempt rules in this chapter about protected health information
any one of the following conditions exists:
Exception granted by Secretary of Health
and Human Services. A determination is made by the Secretary of Health and
Human Services under 45 CFR 160.204
as amended to August 14, 2002, that the
provision of state law:
* To prevent fraud and abuse related to the provision of or
payment for health care;
* To ensure appropriate state regulation of insurance and
health plans to the extent expressly authorized by statute or
* For state reporting on health care delivery or costs;
* For purposes of serving a compelling need related to public
health, safety, or welfare, and, if a requirement under this chapter is at
issue, the Secretary of Health and Human Services determines that the intrusion
into privacy is warranted when balanced against the need to be served;
Has as its principal
purpose, the regulation of the manufacture, registration, distribution,
dispensing, or other control of any controlled substances, as defined in 21
, or that is deemed a controlled substance by state law.
State law more stringent. The
provision of state law relates to the privacy of protected health information
and is more stringent than a requirement of this chapter, within the meaning of
"more stringent" found at 45 CFR 160.202
as amended to August 14,
(3) Reporting requirements.
The provision of state law, including state procedures established under the
law, as applicable, provides for the reporting of disease or injury, child
abuse, birth, or death, or for the conduct of public health surveillance,
investigation, or intervention.
Requirements related to audits, monitoring, evaluation, licensing, and
certification. The provision of state law requires a health plan to report, or
to provide access to, information for the purpose of management audits,
financial audits, program monitoring and evaluation, or the licensure or
certification of facilities and persons.
Rescinded IAB 7/7/04, effective 7/1/04.
Treatment, payment, or health
may use or disclose protected health information for treatment, payment, or
health care operations, as described in this paragraph, except for
psychotherapy notes, which are subject to the limits described in paragraph
9.10(21) "b. "
shall be consistent with
other applicable requirements of this chapter.
(1) The department may use or disclose
protected health information for its own treatment, payment, or health care
(2) The department may
disclose protected health information for treatment activities of a health care
(3) The department may
disclose protected health information to another covered entity or a health
care provider for the payment activities of the person or organization that
receives the information.
may disclose protected health information to another covered entity
for health care operations activities of the covered entity that receives the
information, if each covered entity either has or had a relationship with the
person who is the subject of the protected health information being requested,
the protected health information pertains to the relationship, and the
For apurpose listed in
numbered paragraph "1" or "2" of the definition of health care
operations in 45
as amended to August 14, 2002; or
2. For the purpose of health care fraud and
abuse detection or compliance.
may use or disclose
psychotherapy notes without an authorization for any one of the following
To carry out the following
, or health care
1. Use by the originator of the psychotherapy
notes for treatment.
2. Use or
disclosure by the department for its own training programs in which students,
trainees, or practitioners in mental health learn under supervision to practice
or improve their skills in group, joint, family, or individual
3. Use or disclosure by
the department to defend itself in a legal action or other proceeding brought
by the subject.
required by the Secretary of Health and Human Services to investigate or
determine the department's compliance with federal HIPAA regulations.
(3) For health oversight activities, as
described at subrule 9.10(2), with respect to the oversight of the originator
of the psychotherapy notes.
When necessary to prevent or lessen a serious and imminent threat to the health
or safety of a person or the public as described at subrule 9.10(18).
(5) When required by law as described at
(6) To disclose
protected health information in the designated record set to a coroner or
medical examiner as described at subrule 9.10(24).
may disclose protected health information
for the public health activities and purposes described in this subrule. This
disclosure is in addition to any other disclosure to a public health authority
allowed by this chapter, such as a disclosure to report child abuse or neglect.
For the purposes of this subrule, a public health authority includes state and
local health departments, the Food and Drug Administration (FDA), and the
Centers for Disease Control and Prevention.
may disclose protected
health information to a public health authority that is authorized by law to
collect or receive the information for the purpose of preventing or controlling
disease, injury, or disability.
information that may be disclosed includes, but is not limited to, the
reporting of disease, injury, vital events such as birth or death, and the
conduct of public health surveillance, public health investigations, and public
(2) At the
direction of a public health authority, the department may also report this
information to an official of a foreign government agency that is acting in
collaboration with a public health authority.
may disclose protected
health information to a person or organization that is subject to the
jurisdiction of the FDA for public health purposes related to the quality,
safety, or effectiveness of an FDA-regulated product or activity for which that
person or organization has responsibility. These purposes include:
(1) To collect or report adverse events (or
similar activities with respect to food or dietary supplements), product
defects or problems (including problems with the use or labeling of a
(2) To track
enable product recalls, repairs, or replacement, or lookback (including
locating and notifying subjects who have received products that have been
recalled, withdrawn, or are the subject of lookback).
(4) To conduct postmarketing
department may disclose protected health information to a person who is at risk
of contracting or spreading a disease or condition. The disclosure must be
necessary to carry out public health interventions or investigations or to
notify a person that the person has been exposed to a communicable disease to
prevent or control the spread of the disease.
Victims of domestic
violence. The department shall disclose confidential information about
an individual whom the department reasonably believes to be a victim of
domestic violence when required by state law.
Disclosures to coroners, medical
examiners, and funeral directors.
Coroners and medical examiners. The department may disclose
protected health information about a subject that is contained in the
designated record set to a coroner or medical examiner for the purpose of
identifying a deceased person, determining a cause of death, or other duties as
authorized by law.
Funeral directors. The department may disclose protected
health information about a subject that is contained in the designated record
set to funeral directors, consistent with applicable law, as necessary to carry
out their duties with respect to the decedent. If necessary for funeral
directors to carry out their duties, the department may disclose the protected
health information before, and in reasonable anticipation of, the subject's
Disclosures for cadaveric organ, eye or tissue donation
purposes. The department may disclose protected health information
about a subject that is contained in the designated record set to organ
procurement organizations or other organizations engaged in the procurement,
banking, or transplantation of cadaveric organs, eyes, or tissue for the
purpose of facilitating organ, eye or tissue donation and transplantation. The
department shall make a disclosure only when the disclosure has been approved
by the deceased subject's authorized legal representative and there is evidence
that the decedent had given approval for organ, eye, or tissue donation
procedures before the decedent's death.
Protected health information
may be shared under the
circumstances described at 45 CFR 164.512
amended to August 14, 2002, if otherwise allowable under state law, such as
sharing protected health information
with the Social Security Administration in
determining Medicaid eligibility for supplemental security income applicants
is not considered to have
violated the requirements of this chapter when a member of its workforce or a
discloses protected health information, provided that:
a. The workforce member or business associate
has a good-faith belief that the department or a business associate has engaged
in conduct that is unlawful or otherwise violates professional or clinical
standards, or has provided care, services, or conditions that potentially
endanger one or more patients, workers, or the public; and
is made to one of the
(1) A health oversight agency or
public health authority authorized by law to investigate or oversee conduct or
conditions for the purpose of reporting the allegation of failure to meet
professional standards or misconduct.
(2) An appropriate health care accreditation
(3) An attorney
retained by or on behalf of the workforce member or business associate for the
purpose of determining the legal options of the workforce member or business
Secondary to a use or disclosure
of protected health information. The department may use or disclose
protected health information that is secondary to a use or disclosure otherwise
permitted or required by these rules, such as when a visitor in a facility
overhears a doctor speaking to a subject about the subject's health.
De-identified data or a limited
may use or disclose protected health
information to create information that is de-identified under the conditions
specified in 45 CFR 164.514
as amended to August 14, 2002.
Limited data set.
may use or disclose a limited data set under the conditions
specified at 45 CFR 164.514
, paragraph "e,"
as amended to
August 14, 2002, when the department
enters into a data use agreement for
research, public health, or health care operations.