DHHS POLICIES AND PROCEDURES

_______________________________________________________________________________________________________________

Section VIII:

Privacy and Security

Title:

Privacy Manual

Chapter:

Administrative Policies, Legal Occurrences

Current Effective Date:

5/1/05

Revision History:

2/19/04

Original Effective Date:

4/14/03

_______________________________________________________________________________________________________________

Purpose

This policy establishes requirements for disclosing individually identifiable health information when responding to judicial and administrative proceedings, court orders (including protective orders), subpoenas, law enforcement, and other legal mandates.

This policy shall apply to the following Department of Health and Human Services (DHHS) agencies:

Health Insurance Portability and Accountability Act (HIPAA) covered health care components and
Internal business associates

Background

Health care organizations have a legal and ethical duty to protect the privacy of confidential health information maintained regarding their clients. However, there are situations when organizations are required to use and/or disclose individually identifiable health information such as whenever state or federal law requires the use or disclosure of health information to specific entities for specific purposes. Client authorization is not necessary for such use and disclosures. These situations shall be identified in this policy as “legal occurrences.”

North Carolina (NC) law requires the disclosure of confidential information or records to certain people upon their demand; however, there may be federal laws that supersede the state requirements such as the federal Substance Abuse Regulations. The HIPAA requires agencies to verify the identity and authority of individuals requesting individually identifying health information prior to releasing such information to them. Examples of individuals and groups who may need individually identifiable health information include:

The chief medical examiner or a county medical examiner who is investigating the death of a DHHS client;
The director of social services or designee who is investigating a case of known or suspected child abuse or neglect;
The guardian ad litem representing a child in a case of known or suspected child abuse or neglect;
A guardian ad litem representing a minor between the ages of 14 and 16 who wants to marry;
The NC State Child Fatality Prevention Team/ the NC Child Fatality Task Force/ a community or local child protection and review team that are involved in the review of a child’s death;
The NC Secretary of DHHS when it has been determined that there is a “clear danger to public health;” and
The state or local health director when pertaining to the diagnosis, treatment, or prevention of communicable disease.

NC law also requires the reporting of specific information that will involve the release of individually identifiable health information (unless prohibited by federal law) such as:

Known or suspected child abuse or neglect, child dependency, and child deaths believed to be due to maltreatment;
Belief that a disabled adult is in need of protective services;
Known or suspected cases or outbreaks of communicable diseases;
Wounds and injuries caused by firearms;
Illnesses caused by poisoning;
Wounds or injuries caused by knives or other sharp instruments and a physician suspects a criminal act;
Any other wound, injury, or illness wherein a treating physician suspects criminal violence was involved;
Client-specific information for the central cancer registry; and
Symptoms, diseases, conditions, trends in the utilization of health care services, or other health-related information that the State Health Director determines is needed to conduct a public health investigation of a possible terrorist incident.

Policy

Required by Law

DHHS agencies shall use or disclose individually identifiable health information as “required by law” wherein a federal, state, tribal, or local law compels an agency to make a use or disclosure of confidential information and that is enforceable in a court of law such as:

Court orders;
Court ordered warrants;
Subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information;
A civil or authorized investigative demand;
Medicare conditions of participation with respect to health care providers participating in the program; and
Statutes or regulations that require the production of information (including those that require such information if payment is sought under a government program providing public benefits).

All uses and disclosures of confidential information that are required by law must comply with and be limited to the requirements of the applicable law.

Preemption of State Laws

Each DHHS agency shall review other state and federal laws with which the agency must comply to determine if any provision of state law is contrary to a requirement of the HIPAA Privacy Rule. Such review is entitled “preemption analysis” and shall be conducted on a provision-by-provision basis of each state and federal law. If a state law relating to the privacy of individually identifiable health information is more stringent than a privacy regulation, state law shall not be preempted, thus providing greater privacy protections for a client.

Legal Disclosures Requiring Authorization

As a rule, DHHS agencies shall not disclose individually identifiable health information without first obtaining written authorization from the client who is the subject of the request or the client’s personal representative, unless there is a court order that requires disclosure of confidential information. This rule applies when responding to:

Requests presented by way of judicial or administrative proceedings;
Subpoenas;
Law enforcement officials (apart from when reporting a crime on the premises such as ‘escapees’ or ‘missing children’); or
Warrants.

Any administrative investigator or prosecutor, including investigators of Medicaid fraud that are not expressly authorized by federal or state law, must present a court order before an agency may disclose individually identifiable health information.

Legal Disclosures Not Requiring Authorization

There are various legal occurrences when DHHS agencies may disclose individually identifiable health information without authorization. These instances include:

Responding to court orders (including protective orders);
Requests specifically authorized by state or federal law (as may be the case for certain health oversight activities, auditing, licensing, and disciplinary actions); or
Responding to law enforcement officials when reporting a crime, so long as federal or state requirements do not forbid or limit the disclosure.

Implementation

Preemption Analysis

Each DHHS agency shall identify all of the state and federal laws and regulations that apply to that agency’s components and shall review the requirements for using and disclosing individually identifiable health information. Agencies shall determine which law/regulation is more stringent and provides the most protections for the confidential information maintained on the agency’s clients such as laws that:

Prohibit or restrict a use or disclosure when the privacy regulation would permit it;
Provide clients with greater rights of access or amendment to their health information;
Require covered health care components to provide clients with more information about uses, disclosures, rights, and remedies;
Require express legal permission from a client that is more limiting in scope or reduces the effect of the permission;
Require covered health care components to retain or report information for the accounting of disclosures that is more detailed or is for a longer duration; or
Provide greater privacy protection for the client.

Preemption analysis may be limited to those provisions in laws and regulations that apply to the use and disclosure of individually identifiable health information maintained by HIPAA covered health care components.

Legal Proceedings

There may be instances where a client may be involved in a legal proceeding, either conducted by a court of law or a government agency. In such proceedings attorneys, judges and others involved with the proceeding may contact a DHHS agency to access a client’s individually identifiable health information.

Subpoenas

When DHHS agencies receive a subpoena for individually identifiable health information, it must be determined whether the subpoena resulted from a judicial or administrative order. If a court or administrative tribunal issues the subpoena, confidential information may be disclosed without authorization. A subpoena received from any other entity must be accompanied by an authorization from the client whose individually identifiable health information is being requested or a court order to release such information.

Agencies must develop procedures to be followed upon receipt of a subpoena. Such procedures must include any special nuances required by additional state or federal laws/regulations that affect all or a portion of a covered health care component (i.e., documents containing substance abuse or HIV information).

Court Order

An order issued by a judge that specifically identifies the individually identifying health information to be disclosed. Agencies must comply with court orders.

Involuntary Commitment

Agencies may disclose individually identifiable health information without authorization. Such disclosure is permitted by both state law and the HIPAA Privacy Rule when initiating the involuntary commitment process of an individual.

Incompetency Hearing

Disclosure of individually identifiable health information without authorization is permitted by both state law and the HIPAA Privacy Rule when initiating incompetency status.

Commitment Hearings and Rehearings

Agencies must provide certified copies of written results of examinations by physicians and records in cases of clients voluntarily admitted or involuntarily committed to the client’s counsel, the attorney representing the state’s interest, and the court in district or superior court hearings. Individually identifiable health information shall be preserved in all matters except those pertaining to the necessity for admission or for continued stay in a DHHS facility or commitment under review. The relevance of health information for which disclosure is sought shall be determined by the court with jurisdiction over the matter.

Forensic Clients – Court Ordered Exam

Agencies may send the results or the report of a client’s mental examination to the clerk of court, to the district attorney or prosecuting officer, and to the attorney for the defendant when a mental examination has been ordered by the court.

Reporting Child Abuse or Neglect

Agencies are required to report child abuse and neglect. When reporting child abuse or neglect cases, demographic data and information relative to the suspected abuse or neglect may be reported without authorization to the DHHS Department of Social Services.

(NOTE: The federal substance abuse regulations exception allowing programs to comply with mandatory child abuse reporting requirements under state law applies only to the initial reports of child abuse or neglect, and to a written confirmation of that initial report. All other reporting requires authorization from the client or the client’s personal representative.)

Reporting Adult Abuse or Neglect

Agencies are required to report adult abuse and neglect, unless prohibited by federal law.

(NOTE: The federal substance abuse regulations do not address adult abuse or neglect.) When reporting adult abuse or neglect cases, demographic data and information relative to the suspected abuse or neglect may be reported without authorization.

Reporting Communicable Disease/Injuries/Danger

Agencies are required to report communicable diseases, serious wounds, and injuries. A responsible professional in the agency may disclose confidential information without authorization from the client when in the professional’s opinion there is an imminent danger to the health or safety of a client or another individual; or when there is likelihood of the commission of a felony or violent misdemeanor.

Reporting for Master Client Index

Mental Health, and Developmental Disabilities, and Substance Abuse Services (MH/DD/SAS) facilities may furnish client identifying information to DHHS for the purpose of maintaining an index of clients service in state MH/DD/SAS facilities.

Legal Disclosures

DHHS agencies may receive requests for individually identifiable health information that are legally allowed in specific situations, which are listed below.

Specialized Government Functions (i.e., Law Enforcement/Secret Service/FBI)

Agencies may disclose confidential information to agents representing specialized government functions as long as the request is reasonable, the identity of the requestor is verified, and there are no laws that prohibit such disclosure.

Provide only the following protected health information when assisting law enforcement officials for the purposes of identification and location:

Name and address;
Date and place of birth,
Social Security Number;
ABO blood type and Rh factor;
Type of injury;
Date and time of treatment;
Date and time of death (as applicable); and
A description of distinguishing physical characteristics (e.g., height, weight, gender, race, hair and eye color, presence or absence of beard or mustache, scars, and tattoos)

Next of Kin

MH/DD/SAS residential facilities may disclose the fact of admission or discharge of a client to the client’s next of kin whenever the responsible professional determines that the disclosure is in the best interest of the client; however, if the client is present or available and capable, the agency may not make such disclosure unless the client agrees, is provided an opportunity to object but expresses no objection, or the agency reasonably infers from the circumstances that the client does not object.

Internal Client Advocates (MH/DD/SAS)

An internal client advocate shall be granted, without authorization of a client or the client’s personal representative, access to routine reports and other confidential information needed to fulfill the advocate’s monitoring and advocacy functions. In this role, the advocate may re-disclose such information to the facility director or other staff who are involved in the treatment of the client.

External Client Advocates (MH/DD/SAS)/Long Term Care Ombudsmen

External client advocates and Long Term Care Ombudsmen must obtain prior written authorization from a client or the client’s personal representative before being granted access to that client’s confidential information, unless other federal laws permit access. Access to information shall be limited to that which is specified in the authorization.

Accounting of Disclosures

In accordance with DHHS Privacy Policy Use and Disclosure Policies, Accounting of Disclosures, agencies are required to keep a record of any paper, electronic, or verbal disclosure of individually identifiable health information made in response to the legal occurrences as specified in this policy.

Reference

21.20; 130A, Article One; 130A, Article One, Part One; 130A-4; 130A-12; 130A-209; 130A-476(b) (c); 7-B-1413; 122C53, 54; and 42 CFR164.512

For questions or clarification on any of the information contained in this policy, please contact DHHS Privacy Officer. For general questions about department-wide policies and procedures, contact the DHHS Policy Coordinator.

Section VIII:	Privacy and Security
Title:	Privacy Manual
Chapter:	Administrative Policies, Legal Occurrences
Current Effective Date:	5/1/05
Revision History:	2/19/04
Original Effective Date:	4/14/03