PURPOSE: The state of Missouri, Department of Social
Services, MO HealthNet Division, is committed to protecting the confidentiality
of protected health information of applicants and participants of the Medical
Assistance MO HealthNet Program. This rule describes how health care
information about MO HealthNet applicants and participants may be used and
disclosed and how MO HealthNet participants can get access to their personal
health information.
(1) General Authority. There are many state and federal laws and regulations that
safeguard applicants' and participants' protected health information.
(A) Section 1902(a)(7) of the federal Social
Security Act requires that a state plan for medical assistance must provide
safeguards which restrict the use or disclosure of information concerning
applicants and participants to purposes directly connected with the
administration of the plan.
(B) The
Health Insurance Portability and Accountability Act (HIPAA) represents the
first comprehensive federal protection of patient privacy (45 Code of Federal
Regulations, parts 160-164). Passed by the United States Congress in 1996,
HIPAA sets national standards to protect personal health information, reduces
health care fraud, and makes health coverage more portable. The entire health
care industry must implement HIPAA, including state governments.
(C) The Health Information Technology for
Economic and Clinical Health (HITECH) Act, enacted as part of the American
Recovery and Reinvestment Act of 2009, was signed into law on February 17,
2009, to promote the adoption and meaningful use of health information
technology. Subtitle D of the HITECH Act, Sections 13400-13424 of Public Law
111-5, codified at 42 U.S.C. 300jj et seq.; 17901 et seq., addresses the
privacy and security concerns associated with the electronic transmission of
health information, in part, through several provisions that strengthen the
civil and criminal enforcement of the HIPAA rules. The U.S. Department of
Health and Human Services (HHS) Office of Civil Rights (OCR) issued a final
rule that implements a number of provisions of the HITECH Act, to strengthen
the privacy and security protections for health information established under
the HIPAA for individual's health information maintained in electronic health
records and other formats at 45 CFR Parts 160 and 164, Vol. 78, No. 17.
(2) Definitions.
(A) Breach. The unauthorized acquisition,
access, use, or disclosure of Protected Health Information which compromises
the security or privacy of such information, except as provided in
42 U.S.C. section 17921.
(B) Business
Associate. An individual or business who carries out a function or activity,
involving the use or disclosure of individually identifiable health
information, on behalf of the Department of Social Services and its
divisions.
(C) Covered Entity. A
health plan, a healthcare clearinghouse, and a healthcare provider who
transmits any health information in electronic form in connection with a
covered transaction. The Department of Social Services is a Health Plan, as
defined in HIPAA.
(D) Health
Information Network. A group of hospitals and medical professionals, and its
related infrastructure, who share protected health information as defined by
HIPAA.
(E) Health Information
Technology for Economic and Clinical Health (HITECH) Act. Subtitle D of the
HITECH Act, addresses privacy and security concerns associated with the
electronic transmission of health information, in part, through several
provisions that strengthen the civil and criminal enforcement of the HIPAA
rules, including, business associate liability, enforcement, and breach
notification.
(F) Health Insurance
Portability and Accountability Act of 1996 (HIPAA). This law established
"portability" requirements, allowing employees to "take their coverage with
them" when they changed jobs. The "Administrative Simplification" section of
the law deals with privacy, security of health care information, and
standardized formats for electronic health care transactions (such as
submission of health care claims).
(G) MO HealthNet. In Missouri, the medical
assistance program on behalf of needy persons, Title XIX, Public Law 89-97,
1965 amendments to the federal Social Security Act, 42 U.S.C. Section 301, et
seq., shall be known as "MO HealthNet." Medicaid shall also mean "MO HealthNet"
whenever it appears throughout Missouri Revised Statutes.
(H) Protected Health Information. A term
established under the HIPAA privacy rules, it refers to individually
identifiable health information, in whatever medium it is transmitted or
maintained (e.g., paper, electronic, or even oral), including demographic
information, that is created or received by a health care provider, health
plan, employer, or health care clearinghouse and that relates to the past,
present, or future physical or mental health or condition of an individual; the
provision of health care to an individual; or the past, present, or future
payment for the provision of health care to an individual.
(I) Treatment, Payment, and Health Care
Operations (TPO) includes all of the following:
1. Treatment means the provision,
coordination, or management of health care and related services, consultation
between providers relating to an individual, referral of an individual to
another provider for health care, and the necessary sharing of information
through a health information network.
2. Payment means activities undertaken by a
health plan to obtain premiums or determine/fulfill responsibility for
coverage or provision of benefits, or by a provider or health plan to obtain or
provide reimbursement for health care, including determinations of eligibility
or coverage, billing, collections activities, medical necessity determinations,
and utilization review.
3. Health
care operations includes functions such as quality assessment and improvement
activities, population-based activities relating to improving health or
reducing health care costs, case management and care coordination, reviewing
competence or qualifications of health care professionals, conducting training
programs, licensing and credentialing activities, underwriting, premium
rating, conducting or arranging for medical review, legal services and auditing
functions, business planning and development, and general business and
administrative activities (including activities relating to the sale, transfer,
or merger of the covered entity).
(3) Disclosures of Protected Health
Information Required or Allowed by Law.
(A) The Department of Social Services, the single state MO HealthNet agency, and
its divisions, may use an applicant's or participant's individually
identifiable health information for treatment, payment, or health care
operations. For example, individually identifiable health information may be
used to determine disability for a public assistance program; when reviewing a
request from the treating physician for a MO HealthNet service that requires a
prior approval; when sharing information through a health information network
for treatment purposes; and when processing claims and other requests for
medical care payments. The Department of Social Services, MO HealthNet Division
may also report information for research purposes and matters concerning organ
donations. The research must be for helping the MO HealthNet program.
(B) The Department of Social Services, MO
HealthNet Division shall provide information-
1. To public health authorities to report
contagious and reportable diseases, including, but not limited to, those
defined by 19 CSR 20-20.020, birth defects, cancer, or other
information for public health purposes;
2. Reporting of certain types of wounds or
other physical injuries;
3. Regarding reactions to problems with medicines;
4. To the police when required by
law;
5. For court and
administrative proceedings, when ordered;
6. To health oversight authorities to review
how Department of Social Services programs are working;
7. To a provider or other insurance company
who needs to know if a participant is enrolled in one of the Department of
Social Services programs;
8. To
Workers' Compensation for work related injuries;
9. Birth, death, and immunization
information;
10. To the federal
government to protect our country, the president, and other government
workers;
11. When reporting
information about victims of abuse, neglect, or domestic violence to a
government authority to the extent the disclosure is required by law;
12. For Medical eligibility when
that information is used for a governmental function, such as local public
health agency using eligibility information to determine eligibility for local
health programs;
13. To funeral
directors or coroners; and
14. To
another government agency administering a government program providing public
benefits if the programs serve the same or similar populations and the
disclosure of protected health information is necessary to coordinate the
covered functions of such programs or to improve administration and management
relating to the covered functions of such programs.
(4) Disclosure of Protected Health
Information to Business Associates and Other Covered Entities. The Department
of Social Services, and its divisions, may disclose, at its discretion, a
participant's protected health information to designated business associates in
accordance with and as authorized by HIPAA, as amended by the HITECH Act, and
all regulations promulgated pursuant to authority granted therein. Examples of
how a participant's protected health information may be disclosed, include, but
are not limited to:
(A) Treatment of a
Participant. Includes activities such as, providing, coordinating, or managing
health care delivery and related services; consultation between providers
relating to a participant; referral of a participant to another provider for
health care; and necessary sharing of information through a health information
network;
(B) Payment. Payment
activities may include obtaining premiums or determining/fulfilling
responsibility for coverage or provision of benefits by a provider or health
plan to obtain or provide reimbursement for health care; providing
reimbursement for health care services provided to the participant, which may
include eligibility determinations, medical necessity or appropriateness;
utilization management activities; claims management; billing; and collection
activities; and
(C) Health Care
Operations. Includes functions such as quality assessment and improvement
activities; population-based activities relating to improving health or
reducing health care costs; wellness and risk assessments; quality assessments
and improvement, case management and care coordination; conducting training
programs; licensing and credentialing activities; underwriting, premium rating,
conducting or arranging for medical review; legal services and auditing
functions; business planning and development; customer service; and general
business and administrative activities (including activities relating to the
sale, transfer or merger of the covered entity).
(5) Restrictions of Allowable Disclosures by
a Participant. In accordance with HIPAA, a participant may request Department
of Social Services to restrict allowable disclosures of the participant's
protected health information. Such requests must be made in writing to the
Department of Social Services Privacy Officer. The Department of Social
Services Privacy Review Board shall consider the request and assess the impact
on ensuring delivery of safe and quality health care to the participant, timely
and accurate payment for services provided to the participant, and for the
accurate review and audit of public funds used to provide health care to the
participant. Decisions of the Department of Social Services Privacy Review
Board may be appealed to the Department of Social Services Director for
affirmation or reversal.
(6) Protected Health Information Available Through Health Information Networks.
Protected health information may be made available for the treatment of a
participant, review of health care services for payment of medical expenses,
and healthcare operations, including case management and care coordination for
a participant, upon request from authorized business associates
through a health information network or by other electronic means provided
directly by the department, if such disclosures are made in accordance with
HIPAA and for the purposes stated herein.
(7) Other Uses and Disclosures Require the
Applicant's or Participant's Written Authorization. For other situations, the
Department of Social Services will ask for the applicant's, or participant's,
or their representative's written authorization before using or disclosing
information. The applicant, or participant, or their representative may cancel
this authorization at any time in writing. The Department of Social Services
cannot take back any uses or disclosures already made with the applicant's, or
participant's, or their representative's authorization.
(8) Applicant or Participant Rights to
Restrict or Request Protected Health Information. An applicant, or participant,
or their representative has the right to-
(A) Receive private information from the Department of Social Services by other
means or at another place;
(B) Have
their doctor see their health information, unless it is psychotherapy notes
taken by a mental health provider that are kept separate from the rest of the
individual's medical record;
(C) Request a change of their medical information if they think some of the
information is wrong; and
(D) Request a list of medical information the Department of Social Services shared
that was not for treatment, payment, or health care operations or as required
by federal law. An applicant or participant or their representative can get a
list of where their health information has been sent, unless it was sent for
treatment, payment, health care operations; such as checking to make sure they
received quality care, or to make sure the laws are being followed, on forms
prepared by the Department of Social Services.
1. If the individual requests a copy of the
protected health information or agrees to a summary or explanation of such
information, the covered entity may impose a reasonable, cost-based fee,
provided that the fee includes only the cost of-
A. Copying, including the cost of supplies
for and labor of copying, the protected health information requested by the
individual;
B. Postage, when the
individual has requested the copy, or summary or explanation, be
mailed;
C. Preparing an explanation
or summary of the protected health information; and
D. Requests for information in other formats
such as compact disks (CDs), flash drives, will be invoiced at the rate the
agency actually paid for the format used.