TITLE 8 SOCIAL SERVICES
CHAPTER 8 CHILDREN, YOUTH AND FAMILIES GENERAL
PROVISIONS
PART 5 PRIVACY OFFICE
8.8.5.1 ISSUING AGENCY: Children, Youth and Families Department.
[8.8.5.1 NMAC - N, 4/30/2003]
8.8.5.2 SCOPE: Department staff and the general public.
[8.8.5.2 NMAC - N, 4/30/2003]
8.8.5.3 STATUTORY AUTHORITY: Section 9-2A-7(D) NMSA 1978 provides that the secretary of the children, youth and families department (the department) may make and adopt such reasonable procedural rules and regulations as may be necessary to carry out the duties of the department and its divisions. The secretary has determined an operational need to comply with the privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 USCS 1320d et seq.
[8.8.5.3 NMAC - N, 4/30/2003]
8.8.5.4 DURATION: Permanent.
[8.8.5.4 NMAC - N, 4/30/2003]
8.8.5.5 EFFECTIVE DATE: April 30, 2003.
[8.8.5.5 NMAC - N, 4/30/2003]
8.8.5.6 OBJECTIVE: The objective of this rule is to implement the department’s policy in compliance with privacy related requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and accompanying regulations, 45 CFR Part 164, Subpart E.
[8.8.5.6 NMAC - N, 4/30/2003]
8.8.5.7 DEFINITIONS:
A. “Citizen review board” means a body appointed pursuant to 32A-8-1 et seq. NMSA 1978 to review dispositional children’s court orders and the department’s progress report and to submit its own reports to the court.
B. “Court appointed special advocate” means a person appointed by the children’s court judge to assist in any children’s court proceeding.
C. “Covered” means department components or workforce whose activities and job duties are within the purview of a HIPAA health plan or health care provider.
D. “De-identified information” means health information that is not individually identifiable and is being used by the department for allowable purposes in an aggregated data set.
E. “Disclosure” means the release, transfer, provision of access to or divulging in any other manner of protected health information outside the department’s covered components.
F. “Guardian ad litem” means a person who is appointed by the court to represent a minor or legally incompetent person in legal proceedings.
G. “Health care operations” means conducting quality assessment and improvement activities; population-based activities relating to improving services, costs or mandated reporting activities; reviewing worker competence or qualifications, evaluating performance and conducting training; conducting or arranging for case review, legal services and auditing functions; strategic planning and development; and management and general administrative activities of the department, including, but not limited to implementation and compliance with HIPAA requirements, customer service, resolutions of internal grievances and creating de-identified health information for allowable purposes for which an individual authorization is not required.
H. “Individual” means the person who is the subject of protected health information.
I. “Individually identifiable health information” means information that is created or received by the department, that relates to the past, present or future physical or mental condition of an individual, provision of health care to an individual or the past, present or future payment for health care and that either identifies the individual or can reasonably be believed to identify the individual.
J. “Law enforcement official” means an officer or employee of any agency or authority of the United States, a state, a territory, a political division of a state or territory or an Indian tribe who is empowered by law to investigate or conduct an official inquiry into a potential violation of law or prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.
K. “Minimum necessary” means the standard adopted by the department when using or disclosing protected health information or when requesting protected health information from another entity in covered circumstances, to make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.
L. “Personal representative” means (1) a person who has legal authority under applicable law to act on behalf of an individual adult or emancipated minor, and (2) a parent, guardian or other person acting in loco parentis who is authorized by law to act on behalf of an individual unemancipated minor, except where the minor is authorized by law to act on his own behalf or via court approval or where the parent guardian or person acting in loco parentis has assented to an agreement of confidentiality between the provider and the minor.
M. “Protected health information” or “PHI” means individually identifiable health information that is transmitted by electronic media, maintained in any medium described in the definition of electronic media at 45 CFR Section 162.103 or transmitted or maintained in any other form or medium. PHI excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act at 20 USC 1232g, records described at 20 USC 1232g(a)(4)(B)(iv) and employment records held by the department in its role as employer.
N. “Psychotherapy notes” means notes recorded (in any medium) by a health care provider who is a mental health professional, documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.
O. “Records custodian” means the person designated by the department to respond to public records requests pursuant to the Public Records Act, 14-2-1 et seq. NMSA 1978.
P. “Required by law” means a mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to,
(1) court orders and court-ordered warrants,
(2) subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general or an administrative body authorized to require the production of information,
(3) a civil or an authorized investigative demand,
(4) medicare conditions of participation with respect to health care providers participating in the program, and
(5) statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.
Q. “Research” means a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.
R. “Treatment” means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to an individual; or the referral of a individual for health care from one health care provider to another.
S. “Use” means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination or analysis of such information within an entity that maintains such information.
T. “Workforce” means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the department, is under the direct control of the department, whether or not they are paid by the department.
[8.8.5.7 NMAC - N, 4/30/2003]
8.8.5.8 PRIVACY OFFICER: The secretary designates a privacy officer who is responsible for the development and implementation of the department’s policies and procedures providing for compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and who is responsible for receiving complaints under 45 CFR Section 164.530(d). The secretary may also designate such other personnel as necessary to support the efforts of the privacy office. The secretary’s personnel designations are documented in written or electronic form.
[8.8.5.8 NMAC - N, 4/30/2003]
8.8.5.9 NOTICE
OF PRIVACY PRACTICES:
A. Persons receiving covered health care or health-related services from the department receive written or electronic notice of the department’s privacy practices for Protected Health Information (PHI) in accordance with 45 CFR Section 164.520.
B. Notice is provided no later than the date of first delivery of services, except that persons receiving health-related services under the small health plan administered by the prevention and intervention division prior to April 14, 2004 shall receive notice on or before April 14, 2004. Persons deemed eligible for such services after April 14, 2004 shall receive notice on the date of first delivery of service. In an emergency treatment situation, notice will be given as soon as reasonably practicable after the emergency treatment situation.
C. The department makes a good faith effort to obtain written acknowledgement of an individual’s receipt of Notice, and if not obtained, will document said good faith efforts.
D. The department will retain copies of all versions of its notice of privacy practices, including dates and scope of use.
E. Persons held in lawful custody by the juvenile justice division do not have a right to receive notice of privacy practices.
[8.8.5.9 NMAC - N, 4/30/2003]
8.8.5.10 INDIVIDUAL RIGHTS RELATED TO PROTECTED HEALTH INFORMATION: The Health Insurance Portability and Accountability Act of 1996 and children, youth and families department policies, 8.8.5.1 through 8.8.5.20 NMAC, provide that individuals have certain rights with respect to their protected health information. Any requests to avail themselves of those rights, as enumerated herein, must be in writing.
A. Individuals or their personal representatives have a right to inspect and copy their own PHI as follows:
(1) Access is denied, with no right of review, if:
(a) the individual is a resident in a department correctional facility and obtaining such access would jeopardize the health, safety, security, custody, or rehabilitation of the individual or of other residents, or the safety of any officer, employee, or other person at the correctional institution or responsible for the transporting of the resident;
(b) the information was compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative proceeding;
(c) the information is contained in psychotherapy notes;
(d) the PHI was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information, or
(e) any circumstances where access to PHI is restricted by federal or state statute or regulation not otherwise pre-empted by HIPAA.
(2) Access is denied, with right of review, if:
(a) the access to the PHI requested is determined by a licensed health care professional to be likely to endanger the life or physical safety of the individual or another person; and such determination is documented;
(b) the access is requested by a personal representative and a licensed health care professional determines that such access is reasonably likely to cause substantial harm to the individual or another person, or
(c) the PHI makes reference to another person (unless such person is a health care provider) and a licensed health care professional has determined that granting the access requested is reasonably likely to cause substantial harm to such other person.
(3) If the basis for the denial of access provides for a right of review, the individual or his/her personal representative has a right to have the denial reviewed by another licensed health care professional who did not participate in the original denial decision. Such review must be completed within a reasonable period of time, and the department must promptly provide the individual or his/her personal representative with notice of the reviewer’s decision and comply with the determination to provide or deny access.
B. Individuals or their personal representatives have a right to submit a written request for an amendment to their own PHI for as long as the department maintains the PHI.
(1) The department must act on the request within sixty (60) days of receipt of the request by the privacy office or within ninety (90) days if the privacy office notifies the individual or his/her personal representative within the first sixty (60) days of the reasons for delay and the date by which action on the request will be taken. Requests to amend the individual’s record may be denied for the following reasons:
(a) PHI contained in the record
is deemed to be accurate and complete;
(b) PHI contained in the record
was not created by department employees, (unless the individual or his/her personal
representative provides reasonable basis to believe that the originator of the
records is no longer available to act on the request), or
(c) the information that is the
subject of the request for amendment is not part of the designated record set.
(d) would not be available for
inspection under Section 8.8.5.10(A)(1) above.
(2) Approved amendments will become incorporated into the individual’s record and the department will make reasonable efforts to provide the amended information to those persons and others, including business associates, that the department knows to have the affected PHI and that may have relied, or be foreseen to rely, on that information to the detriment of the individual. If the department rejects the amendment, the individual or his/her personal representative will be provided an opportunity to submit a written letter of disagreement that shall be appended or otherwise linked to the part of the record containing the disputed information.
C. Individuals or their personal representatives have a right to request receipt of the department’s communications containing PHI by alternative means or at alternative locations by submitting a request in writing to the department’s privacy officer. The department routinely accommodates all reasonable requests.
D. Individuals or their personal representatives have a right to submit a written request for a written accounting of disclosures made by the department within the previous six years as provided in Section 8.8.5.17 herein. The department acts on the request no later than 60 days after receipt, and the time may be extended for a 30 day period if the department provides a written statement of the reasons for the delay. Health oversight agencies and law enforcement officials may require, under certain circumstances provided in 45 CFR Section 164.528(a)(2), a suspension of the right to an accounting for a specified time. An accounting does not include disclosures made:
(1) to carry out treatment,
payment and health care operations;
(2) to the individual or to the
individual’s personal representative of his or her own PHI;
(3) incident to certain uses or
disclosures permitted or required pursuant to 45 CFR Section 164.502;
(4) pursuant to a written
authorization;
(5) to correctional institutions
or law enforcement officials pursuant to 45 CFR Section 164.512(k)(5);
(6) prior to the compliance date
for providers of April 14, 2003 or for the small health plan administered by
the prevention and intervention division of
April 14, 2004.
(7) that are otherwise excepted in 45 CFR Section 164.528(a)(1).
E. Individuals have a right to complain to the department concerning the department’s policies and procedures implementing HIPAA. The complaint is made in writing either to the department privacy office and/or to the secretary of the United States department of health and human services. The complaint must be filed within 180 days of when the complainant knew or should have known that the alleged violation occurred, unless this time limit is waived for good cause shown. The complaint must name the entity or person that is the subject of the complaint, describe the alleged violation and the applicable requirements of the code or regulation.
[8.8.5.10 NMAC - N, 4/30/2003]
8.8.5.11 USES
AND DISCLOSURES:
A. The department uses PHI for purposes of treatment, payment, and health care operations and as required by law. Written authorization is not required for these uses.
B. Any request for, or need to use, PHI for any purpose other than those specified in paragraph A of this section, such as research or marketing, is forwarded to the privacy office for response. The records custodian will also forward any Public Records Act requests involving PHI to the privacy office. The privacy office will determine whether written authorization is required for the requested use pursuant to 45 CFR Section 164.508.
C. Individuals have a right to request restrictions on uses or disclosures of PHI. The department may accept or deny such restrictions, at its discretion.
D. Pursuant to 45 CFR Section 164.502(b) and 164.514(d), uses and disclosures are limited to the minimum necessary information to accomplish the purpose intended, except that the following uses and disclosures are not subject to minimum necessary requirements:
(1) uses and disclosures for purposes of treatment;
(2) certain uses and disclosures to the individual or his/her personal representative, pursuant to 45 CFR Section 164.502(b)(2)(ii);
(3) uses and disclosures made pursuant to an authorization;
(4) disclosures made to the secretary of the United States health and human services department, pursuant to 45 CFR Section 160.300 et seq.;
(5) uses and disclosures required by law, pursuant to 45 CFR Section 164.512(a)(2), (c),(e) and (f), and
(6) uses and disclosures required for compliance with applicable federal HIPAA regulations.
E. The department is required by law to provide certain PHI to designated persons pursuant to court order, including court appointed special advocates, special masters, and guardians ad litem. The department is also required to provide certain PHI to the citizen review board pursuant to 32A-8-1 et seq. NMSA 1978.
[8.8.5.11 NMAC - N, 4/30/2003]
8.8.5.12 PERSONAL REPRESENTATIVE: The department generally recognizes the legal authority of a personal representative to act on behalf of an individual. However, the department will decline to treat a person as a personal representative in the following circumstances:
A. The person does not present sufficient documentation or other evidence of authority to represent the individual;
B. There is a reasonable belief that the individual has been or may be subjected to domestic violence, abuse or neglect by such person and that treating the person as the personal representative could endanger the individual or that, in the department’s professional judgment, it is not in the best interest of the individual to treat the person as the individual’s personal representative, or
C. The individual is an unemancipated minor but is authorized to give lawful consent or authorization or may obtain health care without consent of the personal representative, and the minor has not requested that the person be treated as the minor’s personal representative, or the personal representative has assented to agreement of confidentiality between the department and the minor.
[8.8.5.12 NMAC - N, 4/30/2003]
8.8.5.13 DE-IDENTIFICATION OF AGGRAGATED DATA: The department may use PHI to create de-identified information for purposes such as research, quality control and reporting to various federal and state agencies. Health information that does not identify an individual is not individually identifiable health information as defined in HIPAA. A person with appropriate knowledge of, and experience with, generally accepted statistical and scientific principles and methods for rendering information not individually identifiable applies such principles and methods to determine if the information, in combination with other information could identify the individual to the anticipated recipient. The method and results of the analysis are documented.
[8.8.5.13 NMAC - N, 4/30/2003]
8.8.5.14 SAFEGUARDING PHI: The department takes reasonable precautions to safeguard PHI from any intentional or unintentional use or disclosure that would violate the provisions of HIPAA.
[8.8.5.14 NMAC - N, 4/30/2003]
8.8.5.15 TRAINING AND PERSONNEL
PRACTICES:
A. The department provides HIPAA training to all covered workforce within a reasonable period of time after initial employment and will provide notice and training, if necessary, of material changes in HIPAA policies and procedures within a reasonable time after the change occurs. All training is documented in written or electronic form and retained by the department for six years.
B. The department’s policies regarding employee discipline for HIPAA violations and prohibiting retaliation are contained in its code of conduct. The privacy office will investigate all alleged violations and initiate any appropriate disciplinary action.
[8.8.5.15 NMAC - N, 4/30/2003]
8.8.5.16 MITIGATION: The department mitigates, to the extent practicable, any harmful effect known to the department resulting from a use or disclosure of PHI in violation of this policy or the requirements of HIPAA by the department or its business associates. Measures taken will depend on individual circumstances.
[8.8.5.16 NMAC - N, 4/30/2003]
8.8.5.17 DOCUMENT RETENTION: The department retains certain documents for
six years from the date of creation or the date the document was last in
effect, whichever is later, as provided in 45 CFR Section 164.500 et seq.
[8.8.5.17 NMAC - N, 4/30/2003]
8.8.5.18 RIGHTS NOT WAIVED: The
department does not require individuals to waive their rights to complain to
the secretary of the United States health and human services department or any
other rights under 45 CFR Part 164 Subpart E as a condition of the provision of
treatment, payment, enrollment in a health plan or eligibility for benefits.
[8.8.5.18 NMAC - N, 4/30/2003]
8.8.5.19 PROCEDURES: The
department will develop all procedures, guidelines and protocols necessary to
implement these policies.
[8.8.5.19 NMAC - N, 4/30/2003]
HISTORY OF 8.8.5
NMAC: [RESERVED]