HIPAA POLICY
The primary stated purpose of the Health Insurance Portability and Accountability Act (HIPAA) was “to improve the portability and continuity of health insurance coverage in the group and individual markets.” Portability of coverage would help eliminate job lock (a person unable to change jobs for fear of losing health coverage for a medical condition affecting the person or a family member).
It is the County’s policy to comply fully with HIPAA’s requirements. To that end, all members of the County’s workforce who have access to PHI must comply with this Privacy Policy. For purposes of this Policy and the CCPH’s Personnel Policy, the workforce includes individuals who would be considered part of the workforce under HIPAA such as employees, volunteers, trainees, and other persons whose work performance is under the direct control of the county, whether or not they are paid by the County. The term “employee” includes all of these types of workers.
In our normal business operations, CCPH may receive protected health information (PHI), which is information identifying you, your family or close contacts and which includes some indication of your medical condition. The law requires that the information be protected. CCPH is allowed to use this information and share it with others, if the protected health information is being used for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to the mandated reporting of disease, injury, vital events such as birth or death and to conduct public health surveillance or interventions. CCPH is also authorized and required by law to report suspected evidence of child abuse or neglect or suspected evidence of elder abuse or neglect.
CCPH follows the law when we must share health information and when we can share health information, without your permission. CCPH will share information:
• as required by law, subject to limited restrictions;
• to state and local public health authorities to report such things as contagious diseases and for birth, death and immunization records;
• to the police or military as required by law;
• for court and administrative proceedings as required by law;
• to the health oversight authorities to see that government programs are being run properly;
• to the City government to protect the City, the mayor, the government workers and for other governmental programs as indicated by law;
• to family, relatives or other close contacts or those who help in your care such as physicians,
hospitals, or other public health authorities, as indicated by law; and
• gathered through surveys or questionnaires and is released only in aggregate form that prevents the identification of a patient/client or physician, unless that information is being shared with another public health authority.
Sometimes, health information that can normally be released, cannot be released. For example, if state law says the information will not be released and federal law allows it to be released, it will not be released. The same is true if federal law says the information cannot be released, but state law allows it to be released. Whichever law is more restrictive is the one that will apply.
Other than the examples listed, CCPH may not share any of your information without your written permission. You can allow CCPH to share as much of your information as you wish. You can also cancel your permission for CCPH to share that information.
Your Rights
1. You have the right to request that CCPH limit the information it shares about you, but CCPH does not have to agree to such requests.
2. You have the right to receive your information from CCPH privately. CCPH will provide it to whatever address you choose and in the form you choose.
3. You have the right to inspect and copy your information that CCPH has.
4. You have the right to ask that the information in CCPH’s files be changed. However, there are limits regarding what may be changed.
5. You have the right to receive a list of the parties outside CCPH that have received your information.
6. You also have the right to request this notice on paper, electronically or both.
How Protected Health Information (PHI) Will Be Used
Release to Legal Representative and/or Immediate Family
In certain circumstances, our clients may have other persons serving as legal representative for the client. In cases where the client has a legally appointed representative, or in the case of a minor child, his/her parent, we will be permitted to disclose PHI to such individuals upon reasonable verification of their appointment as legal representative or their position as parent of the minor.
We will also ask our clients in advance if we are permitted to disclose or discuss PHI with other persons they specify such as immediate family members.
When releasing PHI over the phone to physicians for the purposes of treatment and or in person to the client, a signed release is not necessary.
Immunization records will be disclosed to physicians via phone on representation by the physician that they are the treating physician of the patient and will maintain confidentiality of the information.
Revocation of Authorizations
At any time, the client in writing or verbally may withdraw their consent to release or discuss PHI to third-parties and, any such withdrawal will be duly noted on the client record.
Complying with Minimum Necessary Standards
Disclosures of PHI will be limited to the minimum necessary for the purpose of the disclosure, unless we receive an authorization from the client. This provision does not apply to the disclosure of PHI for treatment purposes because physicians, specialists, and other providers need access to the full record to provide quality care. The minimum necessary standard requires that providers make all reasonable efforts to limit the PHI to the minimum necessary to accomplish the purpose of use or disclosure.
Incidental Use and Disclosure
Uses and disclosures that are incidental to an otherwise permitted use or disclosure may occur, provided that reasonable safeguards and minimum necessary requirements have been met.
This specifically means that our office may use waiting room sign-in sheets; doctors can talk to clients in semi-private rooms, and doctors can confer at nurse’s stations without fear of violating the rule if PHI is overheard by a passerby.
PHI may be emailed for the purposes of coordinating treatment using CCPHs internal secure email or the Ohio Department of Health’s secure T-1 line only. All other emails containing PHI are prohibited.
How PHI Will Not Be Used
PHI will not be used for purposes that are not related to health care – such as disclosures to employers to make personnel decisions, or to financial institutions – without written authorization from the client.
Disclosure of HIV Test Results or a Diagnosis of AIDS or HIV
O.R.C. 3701.243 prohibits health care providers and state agencies from disclosing the following information without specific written client authorization. A general medical release is not sufficient.
The identity of an individual on whom an HIV test is performed
The results of an HIV test (unless anonymous)
The identity of any individual diagnosed with AIDS or ARC
Patient Records for Alcohol or Drug Treatment
Federal law provides for the confidentiality of alcohol and drug treatment records and such information may not be released without a specific written client authorization.
Permissive Disclosures of PHI
PHI may be disclosed in the following situations without a participant’s authorization, when specific requirements are satisfied. The requirements include prior approval of the County’s privacy officer. The permissive disclosures are:
This policy was adopted by the Crawford County Board of Health on January 21, 2016 and reviewed on February 15, 2017.
419.562.5871, ext 1209
Fax: 419.562.2048
email: nursing@crawford-co.org