9 CSR 10-5.220 - Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA)
PURPOSE: This amendment updates terminology related to the HIPAA privacy rule.
PURPOSE: This rule specifies the policies and procedures required for covered entities under the HIPAA privacy rule.
(1) This rule applies to all programs that are licensed, certified, accredited, in possession of deemed status, funded by, and/or have a contractual relationship with the Department of Mental Health.
(2) Definitions. The following terms, as used in this rule, shall mean:
(A) HIPAA-the Health Insurance Portability and Accountability Act (45 CFR parts 160 and 164) as it relates to the Privacy Rule;
(B) Protected Health Information (PHI)-As defined by HIPAA (45 CFR section 160.103), PHI is individually identifiable health information that is-
1. Transmitted by electronic media;
2. Maintained in electronic media; or
3. Transmitted or maintained in any other form or medium;
(C) Individually identifiable health information-As defined by HIPAA (45 CFR section 160.103), information that is a subset of health information, including demographic information collected from an individual, and-
1. Is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse; and
2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual; and-
A. That identifies the individual; or
B. With respect to which there is reasonable basis to believe the information can be used to identify the individual; and
(D) Business associate-As defined by HIPAA (45 CFR section 160.103), with respect to a covered entity, a person who-
1. On behalf of the covered entity or of an organized healthcare arrangement in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement;
2. Creates, receives, maintains, or transmits protected health information for a function or activity regulated by this rule and 45 CFR section 160.103, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or
3. Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized healthcare arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
(3) Covered Entity. All providers that determine they qualify as a covered entity must comply with the provisions of the privacy rule of the Health Insurance Portability and Accountability Act (HIPAA).
(A) A covered entity is defined as a healthcare provider that transmits any health information in electronic form in connection with a transaction covered by section 160.103 of 45 CFR part 160, a health plan, or a healthcare clearinghouse.
(B) If a provider is a covered entity, HIPAA requires the appropriate policies and procedures be in place to comply with the HIPAA Privacy Rule. HIPAA requires such policies and procedures to include, but not be limited to, the following:
1. Notice of Privacy Practices;
2. Amendment of Protected Health Information (PHI);
3. Client Access to PHI;
4. Accounting of Disclosures;
5. Workforce Training;
6. Verification;
7. Authorization for Disclosures of PHI;
8. HIPAA Complaint Process;
9. Marketing (if applicable);
10. Research (if applicable);
11. Audit and Monitoring of HIPAA compliance; and
12. Business Associates Agreements with companies qualifying as business associates as defined in this rule and in 45 CFR part 160.
Notes
*Original authority: 630.050, RSMo 1980, amended 1993, 1995.