The Health Insurance Portability Act of 1996 (HIPAA)

Privacy and Security of Protected Health Information, Confidential and Other Sensitive Information

Reference: 42 USC 1320d, Public Law 104-191, Title II, Subtitle F, Administrative Simplification, Health Insurance Portability and Accountability Act of 1996

Protected health, confidential and sensitive information is information that is either protected by law or is of such personal or private nature that it is normally not treated as public record. The Privacy and Security Agreement at the end of the procedure briefly describes many of the major laws and regulations pertaining to confidential information.

Access the HIPAA Web site

Responsibility

An individual’s responsibility extends to all situations where the individual is accessing, using, circulating, maintaining, disclosing and disposing of reports or documents that contain protected, confidential or sensitive information.

Specifically,

  1. Individuals shall not release protected health, confidential and sensitive information to themselves or to other persons, entities or employees outside the scope of their duties.
  2. Individuals shall not seek access to, or inquire about protected health, confidential or sensitive information in excess of the minimum necessary to efficiently discharge responsibilities within the scope of their duties.  
  3. Individuals shall familiarize themselves with the laws pertaining to confidential information described on the revised September 2004 Privacy and Security of Protected Health Information, Confidential and Sensitive Security Agreement in order to comply with those restrictions.
  4. Individuals shall familiarize themselves with what types of information are considered protected health information, confidential, personal or other sensitive information and do their utmost to protect it. For example, when documents or reports are circulated that contain such information, the sender will alert the receiver(s) to ensure the confidentiality of the data.
  5. Individuals shall not include protected health information, confidential, personal or other sensitive information on documents or reports if it is not necessary. 
  6. Individuals, when sending mail or other correspondence containing protected health information, confidential, personal or other sensitive information to any person, shall indicate “Personal and Confidential” on the envelope to ensure that only the addressee opens it.
  7. Individuals shall take reasonable and appropriate measures to protect identifying numbers.  Of particular concern is the social security number and all individuals shall do their utmost to safeguard it.
  8. When no specific guidance is provided regarding responding to requests for information and a written request for information is received, only Cabinet employees shall release the information and only after receiving the written authorization of the affected party.
  9. When no specific guidance is provided regarding responding to an oral or unwritten request for information - where no written request for information is received - only Cabinet employees shall release the information, and only after verifying and documenting the authorization of the affected party. 
  10. Whenever reasonable and practical, restricted, protected, internal or privileged reports and documents shall be maintained in a secured container.
  11. Individuals shall dispose of documents that contain protected health information, confidential, personal or other sensitive information correctly.  The documents or reports shall be placed in a “shred” box that is removed from the work site and destroyed prior to disposal or recycling, rather than placing the documents in a regular solid waste or recycling receptacle.
  12. Individuals shall not disclose protected health information, confidential, personal or other sensitive information even after their employment with the Cabinet ceases.  State and Federal law regarding protected health information, confidential, personal or sensitive information also applies OUTSIDE the employment relationship and criminal or civil penalties including fines and imprisonment could apply.
  13. Individuals shall be aware that disregard of the privacy and security of protected health information, confidential, personal or other sensitive information shall result in disciplinary action, up to and including dismissal.  Additionally, individuals may subject themselves to civil and criminal liability for the disclosure of confidential information to unauthorized persons.

Examples of Safeguards

Examples of safeguards that apply to covered entities are (1) shredding documents prior to disposal, (2) locking doors or cabinets where medical records are kept, and (3) limiting access to the keys or combinations of the locks for these doors and cabinets. Other examples of safeguarding the privacy of health information and all other confidential information are listed below:

  • Turn computer screens away from public view; 
  • Lock or log off computer monitors when they are not being used; 
  • Never give health information to a third party who is not an authorized representative;*
  • Monitor the duplication and transmission of health records on fax machines, photocopiers, and printers; 
  • Keep records containing health information face down on desks and tables; 
  • When sending a fax containing health information, first call the recipient so the fax will be picked up immediately; and 
  • Speak softly so that others do not overhear health information.

*An authorized representative is a person who either has signed a confidentiality agreement, is a member of a law enforcement agency, or is a judicial official. DCC will share information with the approval of the Office of General Counsel.
 
45 CFR Section 164.530(a)(1) requires that a covered entity designate a privacy official who is responsible for the development and implementation of the privacy policies and procedures as required by HIPAA. CFC has designated an individual from Office of the General Counsel (OGC) in Quality Central to be the HIPAA Privacy Officer. Questions and concerns about practices relating to the safeguarding of protected health information are to be directed to the OGC Privacy Officer at (502) 564-7900.

45 CFR Section 164.530(a)(1) also requires that a covered entity designate an official who is responsible for receiving complaints and who is able to provide additional information about HIPAA. CFC has designated the Ombudsman’s Office in Quality Central to act as CFC’s Compliance Officer. The Ombudsman’s Office will be responsible for receiving complaints and for providing information concerning matters covered by privacy practices. Questions, concerns, and complaints are to be directed to the address and telephone number below.

Cabinet for Families and Children
Ombudsman’s Office
Attn: HIPAA Compliance Officer
275 East Main Street (1E-B)
Frankfort, KY 40621
(502) 564-5497

Division of Child Care Policy for Compliance with the Health Insurance Portability Act of 1996 (HIPAA)

Federal security standards and the increased use of the Internet and electronic transmission of data require changes in security practices. The Division of Child Care (DCC) must have policy in place to be in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or Public Law 104-191, which was signed into law on August 21, 1996. As a result of HIPAA, DCC must develop policies and procedures to safeguard personally identifying health information. HIPAA can be accessed on the Internet.

According to the requirements of HIPAA, the Division of Child Care (DCC) and statewide child care staff are neither a covered entity nor a business associate. However, DCC and other child care staff must protect the privacy of health information because DCC and child care staff conduct business with covered entities and business associates, and therefore come into contact with their protected health information. Child care staff and contracted Child Care Assistance Program staff come into contact with protected health information through the required application documents (physician’s statements, TB skin tests) for the Family Child Care Certification Program and the Child Care Assistance Program’s registered providers. DCC field staff and contracted CCAP staff review immunization records of children in care of the licensed, certified, and registered providers. DCC staff also come in contact with protected health information that is in hard copy case records during investigations of complaints or during monitoring of contracted agencies.

Cabinet for Health and Family Services
Ombudsman’s Office
Attn: HIPAA Compliance Officer
275 E. Main St. (1E-B)
Frankfort, KY 40621
(502) 564-5497

 

Last Updated 4/4/2007