RULE 441-9.10 - Use and disclosure without consent of the subject

RULE 441-9.10. Use and disclosure without consent of the subject

Open records are routinely disclosed without the consent of the subject. To the extent allowed by law, the department may also use and disclose confidential information without the consent of the subject or the subject's representative.

(1) Internal use. Confidential information may be disclosed to employees and agents of the department as needed for the performance of their duties. The custodian of the record shall determine what constitutes legitimate need to use confidential records.

People affected by this rule include:

1. County-paid staff, field work students, and volunteers working under the direction of the department.

2. Council and commission members.

3. Policy review and advisory committees.

4. Consultants to the department.

(2) Audits and health oversight activities.

a. Audits. Information concerning program expenditures and client eligibility is released to staff of the state executive and legislative branches who are responsible for ensuring that public funds have been managed correctly. Information is also released to auditors from federal agencies when those agencies provide program funds.

b. Health oversight activities. The department shall disclose protected health information to the Secretary of Health and Human Services to investigate or determine the department's compliance with federal HIPAA regulations.

(1) Except as specified in paragraph 9.10(2)"c, " the department may also use protected health information, or disclose it to a health oversight agency, for other health oversight activities authorized by law. Health oversight activities include audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of:

1. The health care system;

2. Government benefits programs for which protected health information is relevant to client eligibility;

3. Organizations subject to government regulatory programs for which protected health information is necessary for determining compliance with program standards; or

4. Organizations subject to civil rights laws for which protected health information is necessary for determining compliance.

(2) If a health oversight activity or investigation is conducted in conjunction with an oversight activity or investigation relating to a claim for public benefits not related to health, the joint activity or investigation shall be considered a health oversight activity for purposes of subrule 9.10(2).

c. Exception to health oversight activities. For the purpose of the disclosures permitted by paragraph 9.10(2) "b," a health oversight activity shall not include an investigation or other activity in which the subject is also the subject of the investigation or activity, unless the investigation or other activity directly relates to:

(1) The receipt of health care;

(2) A claim for public health benefits; or

(3) Qualification for or receipt of public benefits or services, when a patient's health is integral to the claim for public benefits or services.

(3) Program review. Information concerning client eligibility and benefits is released to state or federal officials responsible for determining whether the department is operating a program lawfully. These officials include the ombudsman office under Iowa Code section 2C.9, the auditor of state under Iowa Code section 11.2, the Office of Inspector General in the federal Department of Health and Human Services, and the Centers for Medicare and Medicaid Services.

(4) Contracts and agreements with agencies and persons.

a. The department may enter into contracts or agreements with public or private agencies, such as the department of inspections and appeals, and business associates, such as, but not limited to, the Iowa Medicaid enterprise units, in order to carry out the department's official duties. Information necessary to carry out these duties may be shared with these agencies. The department may disclose protected health information to a business associate and may allow a business associate to create or receive protected health information on its behalf, if the department obtains satisfactory assurance that the business associate will appropriately safeguard the information.

b. The department may enter into agreements to share information with agencies administering federal or federally assisted programs which provide assistance or services directly to persons on the basis of need. Only information collected in the family investment program, the child care assistance program, the food assistance program, the refugee resettlement program, or the child support recovery program may be shared under these agreements.

c. To meet federal income and eligibility verification requirements, the department has entered into agreements with the department of workforce development, the United States Internal Revenue Service, and the United States Social Security Administration.

The department obtains information regarding persons whose income or resources are considered in determining eligibility and the amount of benefits for the family investment program, refugee cash assistance, child care assistance, food assistance, Medicaid, state supplementary assistance and foster care. Identifying information regarding clients of these programs is released to these agencies. The information received may be used for eligibility and benefit determinations.

d. To meet federal requirements under the Immigration Reform and Control Act of 1986 (IRCA) relating to the Systematic Alien Verification for Entitlements (SAVE) program, the department has entered into an agreement with the Bureau of Citizenship and Immigration Service (BCIS). Under the agreement, the department exchanges information necessary to verify alien status for the purpose of determining eligibility and the amount of benefits for the family investment program, refugee cash assistance, food assistance, Medicaid, state supplementary assistance and foster care assistance. Identifying information regarding these subjects is released to the BCIS. The information received may be used for eligibility and benefit determinations.

e. The department has entered into an agreement with the department of workforce development to provide services to family investment program clients participating in the PROMISE JOBS program as described at 441-Chapter 93. Information necessary to carry out these duties shall be shared with the department of workforce development, as well as with its subcontractors.

The department has entered into an agreement with the department of human rights to provide services to family investment program clients participating in the family development and self-sufficiency program as described at 441-Chapter 165. Information necessary to carry out these duties shall be shared with the department of human rights, as well as with that agency's subcontractors.

f. State legislation requires that all emergency assistance households apply for and accept benefits for which they may qualify from the energy assistance, county general relief and veteran's affairs programs before approval for emergency assistance. To meet this requirement, the department may enter into agreements with the agencies that administer these programs under which they may provide services to emergency assistance households as described at 441-Chapter 58. Information necessary to carry out these duties shall be shared with these agencies.

g. The department has entered into an agreement with the department of education, vocational rehabilitation, disability determination services, to assist with Medicaid disability determinations.

h. The department has entered into an agreement with the department of education to share information that assists both schools and department clients in carrying out the annual verification process required by the United States Department of Agriculture, Food and Nutrition Service. That federal agency requires the department of education and local schools to verify eligibility of a percentage of the households approved for free-meal benefits under the school lunch program.

When a department office receives a written request from the local school, the department office responds in writing with the current family investment program and food assistance program status of each recipient of free meals listed in the request. Other client-specific information is made available only with written authorization from the client.

(5) Release for judicial and administrative proceedings. Information is released to the court as required in Iowa Code sections 125.80, 125.84, 125.86, 229.8, 229.10, 229.13, 229.14, 229.15, 229.22, 232.48, 232.49, 232.52, 232.71B, 232.81, 232.97, 232.98, 232.102, 232.111, 232.117 and 235B.3.

a. The department may disclose protected health information in the course of any judicial or administrative proceeding in response to an order of a court or administrative tribunal, provided that the department discloses only the protected health information expressly authorized by the order and the court makes the order knowing that the information is confidential.

b. When a court subpoenas information that the department is prohibited from releasing, the department shall advise the court of the statutory and regulatory provisions against disclosure of the information and shall disclose the information only on order of the court.

(6) Fraud. Information concerning suspected fraud or misrepresentation to obtain department services or assistance is disclosed to the department of inspections and appeals and to law enforcement authorities.

(7) Service referrals. Information concerning clients may be shared with purchase of service providers under contract to the department.

a. Information concerning the client's circumstances and need for service is shared with prospective providers to obtain placement for the client. If the client is not accepted for service, all written information released to the provider shall be returned to the department.

b. When the information needed by the provider is mental health information or substance abuse information, the subject's specific consent is required in subrule 9.3(4).

(8) Medicaid billing. Only the following information shall be released to bona fide providers of medical services in the event that the provider is unable to obtain it from the subject and is unable to complete the Medicaid claim form without it:

a. Patient identification number.

b. Health coverage code as reflected on the subject's medical card.

c. The subject's date of birth.

d. The subject's eligibility status for the month that the service was provided.

e. The amount of spenddown.

f. The bills used to meet spenddown.

(9) County billing. Information necessary for billing is released to county governments that pay part of the cost of care for intermediate care facility services for the mentally retarded under 441-subrule 82.14(2) or Medicaid waiver services under rule 441-83.70 (249A) or 441-83.90 (249A). This information includes client names, identifying numbers, provider names, number of days of care, amount of client payment, and amount of payment due.

(10) Child support recovery. The child support recovery unit has access to information from most department records for the purpose of establishing and enforcing support obligations. Information about absent parents and recipients of child support services is released according to the provisions of Iowa Code chapters 234, 252A, 252B, 252C, 252D, 252E, 252F, 252G, 252H, 2521, 252J, 252K, 598, 600B, and any other support chapter. Information is also released to consumer reporting agencies as specified in rule 441-98.116 (252B).

(11) Refugee resettlement program. Contacts with both sponsor and resettlement agencies are made as a part of the verification process to determine eligibility or the amount of assistance. When a refugee applies for cash or Medicaid, the refugee's name, address, and telephone number are given to the refugee's local resettlement agency.

(12) Abuse investigation. The central abuse registry disseminates child abuse information and dependent adult abuse information as provided in Iowa Code sections 235A.15 and 235B.7, respectively. Reports of child abuse and dependent adult abuse investigations are submitted to the county attorney as required in Iowa Code sections 232.71B and 235B.3. Results of the investigation of a report by a mandatory reporter are communicated to the reporter as required in Iowa Code sections 23 5A. 17(2) and 235A.15(2)"b"(5).

(13) Foster care. Information concerning a child's need for foster care is shared with foster care review committees or foster care review boards and persons named in the case permanency plan.

(14) Adoption. Adoptive home studies completed on families who wish to adopt a child are released to licensed child-placing agencies, to the United States Immigration and Naturalization Service, and to adoption exchanges. Information is released from adoption records as provided in Iowa Code sections 600.16 and 600.24.

(15) Disclosures to law enforcement.

a. Disclosures by workforce members who are crime victims. The department is not considered to have violated the requirements of this chapter if a member of its workforce who is the victim of a criminal act discloses confidential information to a law enforcement official, provided that:

(1) The confidential information disclosed is about the suspected perpetrator of the criminal act and intended for identification and location purposes; and

(2) The confidential information disclosed is limited to the following information:

1. Name and address.

2. Date and place of birth.

3. Social security number.

4. ABO blood type and Rh factor.

5. Type of injury.

6. Date and time of treatment.

7. Date and time of death, if applicable.

8. A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars, and tattoos.

b. Crime on premises. The department may disclose to a law enforcement official protected health information that the department believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the department.

c. Decedents. The department may disclose protected health information to a law enforcement official about a subject who has died when the death resulted from child abuse or neglect or the death occurred in a department facility.

d. Other. The department may disclose confidential information to a law enforcement official when otherwise required or allowed by this chapter, such as disclosures about victims of child abuse or neglect; disclosures to avert a threat to health or safety, or to report suspected fraud; disclosures required by due process of law, such as disclosures for judicial and administrative proceedings; or other disclosures required by law.

(16) Response to law enforcement. The address of a current recipient of family investment program benefits may be released upon request to a federal, state or local law enforcement officer if the officer provides the name of the recipient, and the officer demonstrates that:

a. The recipient is a fugitive felon who is fleeing prosecution, custody or confinement after conviction under state or federal law, or who is a probation or parole violator under state or federal law, or

b. The recipient has information that is necessary for the officer to conduct the officer's official duties, and

c. The location or apprehension of the recipient is within the officer's official duties.

(17) Research. Information that does not identify individual clients may be disclosed for research purposes with the consent of the division administrator responsible for the records. The division administrator shall investigate the credentials of the researcher.

a. Mental health information may be disclosed for purposes of scientific research as provided in Iowa Code section 228.5, subsection 3, and section 229.25. Requests to do research involving records of a department facility shall be approved by the designated authority.

b. Abuse registry information may be disclosed for research purposes as provided in rules 441-175.42 (235A) and 441-176.11(235B) and authorized by Iowa Code sections 235A.15(2) V(1) and 235B.6(2)"e"(1).

c. For research relating to protected health information, the researcher shall provide the department with information about the nature of the research, the protocol, the type of information being requested, and any other relevant information that is available concerning the request. If the researcher feels that contact with the subject is needed, the researcher shall demonstrate to the department that the research cannot be conducted without contact with the subject. The researcher shall pay for the costs of obtaining authorizations needed to contact the subjects and for the cost of files and preparation needed for the research.

(18) Threat to health or safety.

a. All programs. A client's name, identification, location, and details of a client's threatened or actual harm to department staff or property may be reported to law enforcement officials. Other information regarding the client's relationship to the department shall not be released.

When a department staff person believes a client intends to harm someone, the staff person may warn the intended victim or police or both. Only the name, identification, and location of the client and the details of the client's plan of harm shall be disclosed.

b. Protected health information. The department may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the department, in good faith, believes the use or disclosure:

(1) Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat; or

(2) Is necessary for law enforcement purposes as described in this chapter.

c. When the department uses or discloses protected health information pursuant to paragraph 9.10(18)"b," the department is considered to have acted in good faith if the action is based on the department's actual knowledge or on a credible representation by a person with apparent knowledge or authority.

(19) Required by law.

a. Information is shared with other agencies without a contract or written agreement when federal law or regulations require it.

b. The department may use or disclose protected health information to the extent that use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of the law.

c. State law shall preempt rules in this chapter about protected health information when any one of the following conditions exists:

(1) Exception granted by Secretary of Health and Human Services. A determination is made by the Secretary of Health and Human Services under 45 CFR 160.204 as amended to August 14, 2002, that the provision of state law:

1. Is necessary:

* To prevent fraud and abuse related to the provision of or payment for health care;

* To ensure appropriate state regulation of insurance and health plans to the extent expressly authorized by statute or regulation;

* For state reporting on health care delivery or costs; or

* For purposes of serving a compelling need related to public health, safety, or welfare, and, if a requirement under this chapter is at issue, the Secretary of Health and Human Services determines that the intrusion into privacy is warranted when balanced against the need to be served; or

2. Has as its principal purpose, the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances, as defined in 21 U.S.C. 802, or that is deemed a controlled substance by state law.

(2) State law more stringent. The provision of state law relates to the privacy of protected health information and is more stringent than a requirement of this chapter, within the meaning of "more stringent" found at 45 CFR 160.202 as amended to August 14, 2002.

(3) Reporting requirements. The provision of state law, including state procedures established under the law, as applicable, provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention.

(4) Requirements related to audits, monitoring, evaluation, licensing, and certification. The provision of state law requires a health plan to report, or to provide access to, information for the purpose of management audits, financial audits, program monitoring and evaluation, or the licensure or certification of facilities and persons.

(20) School attendance. Rescinded IAB 7/7/04, effective 7/1/04.

(21) Treatment, payment, or health care operations.

a. The department may use or disclose protected health information for treatment, payment, or health care operations, as described in this paragraph, except for psychotherapy notes, which are subject to the limits described in paragraph 9.10(21) "b. " The use or disclosure shall be consistent with other applicable requirements of this chapter.

(1) The department may use or disclose protected health information for its own treatment, payment, or health care operations.

(2) The department may disclose protected health information for treatment activities of a health care provider.

(3) The department may disclose protected health information to another covered entity or a health care provider for the payment activities of the person or organization that receives the information.

(4) The department may disclose protected health information to another covered entity for health care operations activities of the covered entity that receives the information, if each covered entity either has or had a relationship with the person who is the subject of the protected health information being requested, the protected health information pertains to the relationship, and the disclosure is:

1. For apurpose listed in numbered paragraph "1" or "2" of the definition of health care operations in 45 CFR 164.501 as amended to August 14, 2002; or

2. For the purpose of health care fraud and abuse detection or compliance.

b. The department may use or disclose psychotherapy notes without an authorization for any one of the following reasons:

(1) To carry out the following treatment, payment, or health care operations:

1. Use by the originator of the psychotherapy notes for treatment.

2. Use or disclosure by the department for its own training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling.

3. Use or disclosure by the department to defend itself in a legal action or other proceeding brought by the subject.

(2) When required by the Secretary of Health and Human Services to investigate or determine the department's compliance with federal HIPAA regulations.

(3) For health oversight activities, as described at subrule 9.10(2), with respect to the oversight of the originator of the psychotherapy notes.

(4) When necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public as described at subrule 9.10(18).

(5) When required by law as described at subrule 9.10(19).

(6) To disclose protected health information in the designated record set to a coroner or medical examiner as described at subrule 9.10(24).

(22) Public health activities. The department may disclose protected health information for the public health activities and purposes described in this subrule. This disclosure is in addition to any other disclosure to a public health authority allowed by this chapter, such as a disclosure to report child abuse or neglect. For the purposes of this subrule, a public health authority includes state and local health departments, the Food and Drug Administration (FDA), and the Centers for Disease Control and Prevention.

a. The department may disclose protected health information to a public health authority that is authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability.

(1) The information that may be disclosed includes, but is not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions.

(2) At the direction of a public health authority, the department may also report this information to an official of a foreign government agency that is acting in collaboration with a public health authority.

b. The department may disclose protected health information to a person or organization that is subject to the jurisdiction of the FDA for public health purposes related to the quality, safety, or effectiveness of an FDA-regulated product or activity for which that person or organization has responsibility. These purposes include:

(1) To collect or report adverse events (or similar activities with respect to food or dietary supplements), product defects or problems (including problems with the use or labeling of a product).

(2) To track FDA-regulated products.

(3) To enable product recalls, repairs, or replacement, or lookback (including locating and notifying subjects who have received products that have been recalled, withdrawn, or are the subject of lookback).

(4) To conduct postmarketing surveillance.

c. The department may disclose protected health information to a person who is at risk of contracting or spreading a disease or condition. The disclosure must be necessary to carry out public health interventions or investigations or to notify a person that the person has been exposed to a communicable disease to prevent or control the spread of the disease.

(23) Victims of domestic violence. The department shall disclose confidential information about an individual whom the department reasonably believes to be a victim of domestic violence when required by state law.

(24) Disclosures to coroners, medical examiners, and funeral directors.

a. Coroners and medical examiners. The department may disclose protected health information about a subject that is contained in the designated record set to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law.

b. Funeral directors. The department may disclose protected health information about a subject that is contained in the designated record set to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent. If necessary for funeral directors to carry out their duties, the department may disclose the protected health information before, and in reasonable anticipation of, the subject's death.

(25) Disclosures for cadaveric organ, eye or tissue donation purposes. The department may disclose protected health information about a subject that is contained in the designated record set to organ procurement organizations or other organizations engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye or tissue donation and transplantation. The department shall make a disclosure only when the disclosure has been approved by the deceased subject's authorized legal representative and there is evidence that the decedent had given approval for organ, eye, or tissue donation procedures before the decedent's death.

(26) Specialized government functions. Protected health information may be shared under the circumstances described at 45 CFR 164.512, paragraph"k," as amended to August 14, 2002, if otherwise allowable under state law, such as sharing protected health information with the Social Security Administration in determining Medicaid eligibility for supplemental security income applicants and recipients.

(27) Whistle blowers. The department is not considered to have violated the requirements of this chapter when a member of its workforce or a business associate discloses protected health information, provided that:

a. The workforce member or business associate has a good-faith belief that the department or a business associate has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or has provided care, services, or conditions that potentially endanger one or more patients, workers, or the public; and

b. The disclosure is made to one of the following:

(1) A health oversight agency or public health authority authorized by law to investigate or oversee conduct or conditions for the purpose of reporting the allegation of failure to meet professional standards or misconduct.

(2) An appropriate health care accreditation organization.

(3) An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate.

(28) Secondary to a use or disclosure of protected health information. The department may use or disclose protected health information that is secondary to a use or disclosure otherwise permitted or required by these rules, such as when a visitor in a facility overhears a doctor speaking to a subject about the subject's health.

(29) De-identified data or a limited data set.

a. De-identified information. The department may use or disclose protected health information to create information that is de-identified under the conditions specified in 45 CFR 164.514, paragraphs"a" through "c, " as amended to August 14, 2002.

b. Limited data set. The department may use or disclose a limited data set under the conditions specified at 45 CFR 164.514, paragraph "e," as amended to August 14, 2002, when the department enters into a data use agreement for research, public health, or health care operations.

(Amended by IAB February 10, 2021/Volume XLIII, Number 17, effective 4/1/2021)

The following state regulations pages link to this page.