DHHS POLICIES AND PROCEDURES

__________________________________________________________________________________________________________________________

Purpose

The purpose of this policy is to provide direction to facilities within the North Carolina Department of Health and Human Services (NC DHHS) in the use and disclosure of health information for treatment, payment, and health care operations (TPO) and to ensure compliance with NC General Statutes, as required.

This policy applies to Division of Mental Health/Developmental Disabilities/Substance Abuse Services (DMH/DD/SAS) facilities only.

Background

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule allows covered health care components to use individually identifiable health information within the facility and to disclose individually identifiable health information outside the facility without consent from the client or the client's personal representative for the purposes of treatment, payment, and health care operations. NC General Statute (GS) 122C-53(a) requires written consent for disclosure of confidential information unless there are other state laws that permit such disclosures without consent; therefore, NC law preempts the HIPAA Privacy Rule and consent must be obtained prior to release of individually identifying health information for specific treatment, payment, and health care operation purposes not otherwise allowed by law.

"Use" means the sharing, employment, application, utilization, examination, or analysis of individually identifiable health information within the covered health care component that maintains the information.

"Disclosure" means the release, transfer, provision of access to, or divulging in any other manner of individually identifiable health information outside the covered health care component holding the information.

The DHHS Consent for TPO allows staff in each facility to share and use the health information of clients who are receiving treatment in their facility and to disclose individually identifiable health information outside the facility for treatment, payment, and health care operation purposes. This consent does not replace each facility's Consent for Treatment, nor does it replace the DHHS Authorization to Disclose Health Information for disclosing individually identifiable health information for purposes other than treatment, payment, or health care operations. In addition, the DHHS consent form DOES NOT address disclosures to family/friends since those disclosures do not fall under the HIPAA definition of "treatment". For disclosures to family/friends, DMH/DD/SAS agencies need to refer to NCGS 122C-55 and require the client or responsible person to sign a DHHS Authorization to Disclose Health Information when required by law.

Policy

Facilities operated by DMH/DD/SAS shall obtain written consent from the client or personal representative prior to use and disclosure of individually identifiable health information for the purposes of treatment, payment, and health care operations. The department shall provide a consent form template, to include all the basic elements for DMH/DD/SAS facilities to use when customizing the template according to the needs of their individual agencies. Disclosure of health information for purposes other than treatment, payment, and health care operation activities requires the use of the DHHS Authorization to Disclose Health Information Form (see the DHHS Privacy Policy, Use and Disclosure Policies, Authorizations).

No covered health care component may condition treatment on the client providing consent for treatment, payment, and health care operations, and staff may use such information within the covered health care component to provide treatment and to carry out health care operations as identified in the agency's Notice of Privacy Practices (see the DHHS Privacy Policy, Client Rights Policies, Notice of Privacy Practices). However, without such consent, no individually identifiable health information may be disclosed outside the covered health care component unless there is an authorization from the client.

The signed DHHS Consent for TPO shall be considered valid for the period of time needed to fulfill its purpose for treatment and health care operations for up to one (1) year, after which time a new consent must be completed and signed. Any time during the year whenever a new person or agency not covered in the consent form is identified as a recipient of individually identifiable health information for TPO, a new DHHS Consent for TPO or an authorization from the client must be completed. For payment purposes, the consent is valid until the need for disclosure is satisfied.

Implementation

DHHS Responsibilities

The department shall provide a template for use by all facilities in developing their consent forms for using and/or disclosing individually identifiable health information for treatment, payment, or health care operations. The consent template shall contain the basic elements required by state and federal laws and regulations. Agencies may add additional elements to meet the needs of each facility.

Facility Responsibilities

Each facility is required to use the DHHS Consent for TPO (form DHHS-0017) to develop the facility’s consent form that allows use of individually identifiable health information within the covered health care component and disclosure outside that covered health care component for treatment, payment, and health care operation activities.

Facility procedures must specify the differences in requirements and implementation of:

• DMH/DD/SAS Consent for TPO
• Facility Consent for Treatment
• DHHS Authorization to Disclose Health Information

Procedures

1. Each facility shall develop their procedures for obtaining each client's consent for using individually identifiable health information within that covered health care component and for disclosing such information outside that covered health care component for the purposes of treatment, payment, or health care operations.



2. Each facility shall develop their consent form using the DHHS Consent for TPO (form DHHS-0017) as a baseline and adding additional elements deemed necessary for that facility.



3. Each facility shall make a "good faith effort" to obtain consent for treatment, payment, and health care operations upon admission of a client. Exceptions to the consent requirement permit use and disclosure without consent as follows:



• Should a client's mental condition be such that it is impossible for the client to understand and sign a consent for TPO, such information must be documented and consent should be obtained when the client is able to understand.
• Should a client be admitted in an emergency situation, such information must be documented and consent for TPO should be obtained when the client has stabilized.
• Should a client be involuntarily admitted and refuse to sign consent, such information must be documented and signature of the consent for TPO should be attempted at a later date.
• Should there be a substantial communication barrier and the client clearly does not understand the process, such information must be documented and consent for TPO should be obtained when a translator is available to explain the need for consent.
• Should a client understand the request and refuse to sign consent, such information must be documented including the attempt and the reason the client would not sign.


4. Each facility must develop and implement procedures for obtaining consent for treatment, payment, and health care operations from all new clients at the time of admission after the effective date of this policy. Facilities must also develop a policy and procedure for consent requirements when the same client is readmitted to the facility before the original consent expires. Procedures should include the process staff should follow when a client does not wish to consent to the use of or disclosure to all of the people/agencies listed on the consent template (e.g., allowing the client to strike through and initial the changes/deletions they desire.)



5. It is acceptable for facilities to phase-in the consent requirement for clients who were already residing in the facility on the implementation date of this policy. For long-term clients, it is recommended that such consent be obtained at the client's annual review, unless the need to disclose information comes before the annual review, at which time the consent would be obtained. Facilities must develop the agency's process for obtaining consent from long-term clients who were already residing in the facility prior to the implementation date of this policy and must determine if consent should be obtained at the time of their annual review or sooner.


6. Any time a disclosure for treatment, payment, or health care operations is to be made to a person or agency that is not covered on the consent form, facilities must initiate a new DHHS Consent for TPO or an authorization that identifies the new entity.



7. Staff must be instructed that until the DHHS Consent for TPO is obtained from clients already residing in the facility, the facility may disclose information for treatment and health care operations only as identified in the agency's Notice of Privacy Practices.



8. Each facility must document and implement the agency's process for informing staff of any disclosure limitations for each client in order to avoid any unauthorized disclosures.

Reference:

NCGS 122C-53(a)

For Relevant Forms:

DHHS Consent for TPO (form DHHS-0017)
Instructions for Consent for TPO

For questions or clarification on any of the information contained in this policy, please contact DHHS Privacy Officer. For general questions about department-wide policies and procedures, contact the DHHS Policy Coordinator.