Institutional Review Board Manual
SOUTH CAROLINA DEPARTMENT OF MENTAL HEALTH
Columbia, South Carolina
OFFICE OF THE STATE DIRECTOR OF MENTAL HEALTH
DIRECTIVE NO. 837-03
TO: All Employees
SUBJECT: Privacy Practices
This Directive describes DMH policy for the use and disclosure of DMH Consumer medical and payment Protected Health Information or “PHI” (see Notice for terms that begin with a capital letter) and Consumer rights related to access, control, accounting and amending of their PHI. This Directive incorporates DMH Form M-010, “NOTICE OF PRIVACY PRACTICES” (“Notice”), as well as other forms and procedures listed in the Appendix. Appendix components are identified in this Directive by quotes and caps (e.g. “AUTHORIZATION TO DISCLOSE SCDMH PROTECTED HEALTH INFORMATION”). This Directive includes future Notices, forms or procedures added to the Appendix, and adopted in accord with DMH policy and applicable law.
Each DMH employee, volunteer or other person (e.g., contract physician) incorporated in the DMH workforce (“workforce member” or “staff”) and officials, must sign acknowledgement of receipt of, and agreement to comply with this Directive. The signed statement must be kept in the applicable personnel or other official folder. Each DMH component must ensure training of its staff consistent with this Directive and DMH Privacy Practices training. All DMH component policies or agreements must be consistent with this Directive.
This Directive is to conform with, and is subject to, applicable federal and state law, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Section 44-22-100 of the Code of Laws of South Carolina. Identifying information from alcohol and drug treatment programs is subject to additional restrictions and protections under federal law 42 CFR Part 2. If in doubt as to whether 42 CFR Part 2 applies to a DMH program, the applicable local director should consult with the DMH Office of General Counsel. In general, DMH is required by law to: follow the Notice requirements; keep Consumer information private; give Consumers the opportunity to review the Notice and request restrictions on PHI use or disclosure; not use or share PHI without Consumer Authorization except as described in the Notice; provide for Consumer rights involving control over his or her PHI; and provide a procedure for Consumer complaints about DMH privacy practices.
Additional requirements (e.g., for licensing, accreditation, etc.) may also apply to individual DMH components.
A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to read it. When DMH changes the Notice, a current copy must be posted in like manner. A copy of the Notice must also be posted on the DMH Internet Web site. Consumers must have the opportunity to review the Notice and receive a paper copy at any time. DMH service sites must attempt to obtain a Consumer’s signed acknowledgement of receipt of the Notice at the Consumer’s next visit beginning April 14, 2003. This acknowledgment is to be recorded on DMH Form C-107 (revised March, 2003) “CONSENT TO EXAMINATIONS AND TREATMENT” or an applicable intake or admission form, containing the statement (or an attached statement): “I have been provided a copy of the SCDMH Notice of Privacy Practices and an opportunity to review it and ask questions.” If not signed, staff must note on the signature line of the statement, why signed acknowledgement was not obtained (e.g., “refused a copy of the Notice”, “refused to sign”, etc.). Questions concerning the Notice, this Directive, or DMH Privacy Practices should be directed to the local Privacy Officer or the DMH Privacy Officer.
2) DMH Uses and Disclosures of PHI
After providing the Consumer with the opportunity to review the Notice, and object and/or request certain restrictions, staff may share PHI as described in the Notice. In an emergency or if the Consumer is incapacitated, without giving the Consumer the opportunity to review the Notice, object or request limitations, DMH may use and/or share PHI as permitted under the Notice. As soon as reasonable after the emergency or incapacity, the Consumer must be given those opportunities. When practical and when it will not compromise Treatment, DMH should accommodate a Consumer’s request to limit PHI use or disclosure. As described in the Notice, PHI may be disclosed pursuant to a Business Associate Agreement, approved by the DMH Contracts Office and the DMH Privacy Officer. DMH workforce members should limit use or disclosure of PHI to the Minimum Necessary to accomplish the purpose for the use or disclosure as described in the Notice.
For use and disclosure of PHI for Operation purposes, applicable component directors must identify employees who need access to PHI to carry out their DMH duties (see Notice); and the PHI categories to which access is needed and any limitations to such access. For types of disclosure of, or request for, PHI made on a routine and recurring basis, the component must implement protocols limiting the PHI disclosed or requested to the Minimum Necessary to achieve the purpose of the disclosure or request. Protocols must be reviewed and approved by the local Privacy Officer. For other PHI disclosures or requests (i.e., non-routine, non-recurring), the component must develop protocols to limit the PHI disclosed or requested to the Minimum Necessary and review all such requests for disclosure on a case by case basis to determine that the PHI information sought is limited to the Minimum Necessary to achieve the purpose of the specific disclosure or request.
3) Other Exceptions, Legal Proceedings, Notice of Privacy Law
Unless disclosure is otherwise permitted by the Notice, upon receipt of a subpoena or other request for PHI, a statement substantially similar to the “MODEL NOTICE OF PRIVACY LAW” must be sent to the requester. If required to provide testimony or other information containing PHI in a legal proceeding, staff must follow the procedure described in “DISCLOSURES IN LEGAL PROCEEDINGS.”
Unless permitted by the Notice, PHI may not be disclosed without a signed “AUTHORIZATION TO DISCLOSE SCDMH PROTECTED HEALTH INFORMATION”, to be kept in the Consumer’s medical record. Requests pursuant to an Authorization must be acknowledged within 15 days of receipt and completed within 60 days.
5) Re-Disclosure Notice
When PHI is authorized to be disclosed by the Notice (e.g. photocopies of medical records sent to a non-DMH medical provider for Treatment), the disclosed copies of PHI must be accompanied by a notice cover sheet or other statement substantially similar to the “MODEL NOTICE PROHIBITING RE-DISCLOSURE.”
6) Consumer Privacy Rights
The Notice describes the following Consumer PHI privacy rights: receipt of a copy of the Notice and opportunity to review and ask questions; object and request restrictions on some PHI uses or disclosures; request confidential communication/notification; inspect and obtain copy of PHI; request amendment to PHI; receive an accounting of PHI disclosures; and the right to file a complaint with DMH, HHS and Office of Civil Rights about DMH privacy practices. As described below, exercise of Consumer privacy rights concerning his or her PHI may require that a Consumer complete a written request and follow the noted procedure. Formal Privacy Practice complaints may involve the Privacy Officer and the Consumer Advocate.
7) Consumer Access to His or Her Own PHI, Psychotherapy Notes
A Consumer has the right to request (“REQUEST TO INSPECT AND/OR COPY SCDMH PROTECTED HEALTH INFORMATION”) access and/or copies of his/her PHI as described in the Notice as long as DMH maintains the PHI. The applicable component must document and retain for 6 years, Designated Record Sets subject to Consumer access and titles of persons and/or offices responsible for processing access requests. The DMH component must act on a Consumer’s request as described in the Notice, but may deny access to some information including Psychotherapy Notes as described in the Notice. Note the narrow definition of Psychotherapy Notes in the Notice. All DMH Treatment and Payment information should be kept in the applicable DMH record. If a member of the DMH workforce keeps Psychotherapy Notes, he or she does so as an individual, and is therefore individually responsible for their content, control, protection, access and disclosure, including disclosure pursuant to a court order or as otherwise required by law.
As applicable, the DMH component must inform the Consumer that the request has been granted and provide access as requested (see “MODEL REPLY TO REQUEST TO INSPECT AND/OR COPY”). PHI should be provided in the format requested if readily reproducible or in readable hard copy or other format as agreed to by the Consumer, unless he or she agrees to a written summary as described in the Notice. If the same PHI is maintained in more than one Designated Record Set or at more than one location, the PHI may only be produced once. If the component does not maintain the requested PHI, but knows where it is maintained, the component must inform the individual where to direct the request.
If access is denied, the DMH component must provide a written denial within 15 days of the request (see “MODEL REPLY TO REQUEST TO INSPECT AND/OR COPY”). If the Consumer requests a review in writing, the component must designate a licensed health care professional who was not involved in the denial decision to review the denial. The designated person must give the Consumer written notice, within 15 days of the review request, of the designated person’s decision, and take other action necessary to carry out the decision.
8) Consumer’s Right to Request Amendment to PHI
After a Consumer requests an amendment in writing (“REQUEST TO AMEND SCDMH PROTECTED HEALTH INFORMATION”) staff must act on the request in accord with the Notice timelines and procedures. The request must be forwarded to the component director with copy to the local Privacy Officer. The director must designate staff to review the request and take needed action documented on Page 2 of the “REQUEST” form. The request must be reviewed by the designated staff in conjunction with staff originally recording the PHI and by the staff’s supervisor(s), who must consult with other staff as needed to determine if an amendment is needed. Any conflict must be resolved by the director. The Consumer must be informed of the final decision by a letter substantially similar to the “MODEL REPLY TO REQUEST TO AMEND” with a copy of the original “REQUEST”, including Page 2 documenting the DMH component’s review and basis for its decision.
If the request for amendment is approved, after notifying the Consumer as noted above and obtaining the Consumer’s agreement with the proposed amendment, the amendment should be made, the record flagged to indicate the amendment and the amendment form filed in the record. Staff should also attempt to secure the Consumer’s permission to notify necessary relevant persons of the amendment. If the Consumer refuses, document the attempt to obtain permission in the record prior to giving needed notification.
A request for amendment may be denied if the PHI: was not created by DMH; is not in the Designated Record Set; or the PHI is accurate and complete. If the request is denied, the Consumer must be notified in writing as described above indicating: the basis for the denial; that the Consumer may submit a one-page written disagreement, stating the basis for disagreement; that the Consumer may request that future disclosures of the disputed PHI include the request and the denial; and how the Consumer may file a Complaint.
Records must be maintained identifying the PHI in the Designated Record Set that is the subject of the disputed amendment and appended or otherwise linked to the Consumer’s request for amendment, DMH denial, Consumer’s statement of disagreement, and any DMH rebuttal. If a Consumer submits a statement of disagreement following a denial, subsequent disclosures of the disputed PHI must include the above items.
9) Consumer’s Right to Request Accounting of Some PHI Disclosures
DMH components must log each applicable PHI disclosure using the “ACCOUNTING LOG OF PHI DISCLOSURES”. The accounting must include disclosures by DMH as well as disclosures to a DMH Business Associate. This accounting requirement does not include PHI used or shared before April 14, 2003 or other disclosures described in the Notice. The local Privacy Officer or designee must respond to a Consumer’s written request and provide a copy of the applicable accounting log as described in the Notice (see “MODEL REPLY TO REQUEST OF ACCOUNTING LOG”). However, a Consumer’s right to receive an accounting log must be suspended if a health oversight agency (HHS) or law enforcement official notifies DMH that providing an accounting would be reasonably likely to impede the health oversight or law enforcement agency’s activities and specifies the time for which the suspension is required. DMH must document that statement (including the identity of the agency or official) and temporarily suspend the Consumer’s right to an accounting for no longer than 30 days, unless a written statement is received from the applicable agency during that time.
10) Consumer Privacy Practice Complaints
Applicable DMH components must, in coordination with the local Privacy Officer and Consumer Advocate, have a process for Consumers to make a written complaint about DMH privacy practices or compliance with those practices (“SCDMH PRIVACY PRACTICES COMPLAINT”) and must document all complaints received and their disposition as described in the Notice. At any time, a Consumer has the right to file a complaint with DMH and/or HHS as described in the Notice. DMH must provide records and compliance reports, as required by HHS and otherwise permit access, as requested by HHS, to applicable facilities, records, and other sources of Information, including PHI as needed for a HHS inquiry or investigation pursuant to a Complaint.
DMH component or staff may not intimidate, threaten, coerce, discriminate against, or retaliate against any person for the exercise of rights or participation in any process relating to this Directive, or against any person for filing a complaint with DMH, HHS or other privacy related investigation, compliance review, proceeding or hearing, or engaging in reasonable opposition to any act or practice that the person in good faith believes to be unlawful under HIPAA or state law as long as the action does not involve disclosure of PHI in violation of the regulations, nor require individuals to waive any of their rights under HIPAA or state law as a condition of Treatment or eligibility for DMH services.
11) DMH Privacy Officer:
DMH must designate a DMH Privacy Officer responsible for the development and implementation of DMH privacy practices. Applicable DMH components must designate a local Privacy Officer and Privacy Practices workgroup that advise and support the local Privacy Officer and DMH Privacy Officer.
DMH components must document training on DMH Privacy Practices before April 14, 2003 for its workforce members. Each new workforce member must receive this training within 30 days after joining the workforce. Each workforce member, whose functions are impacted by a material change in this Directive, or by a change in position or job description, must receive the training as described above within a reasonable time after the change becomes effective. All training must be documented and records retained for 6 years.
13) Sanctions and Mitigation of Damages
DMH Human Resources office must document and each DMH component must apply, appropriate DMH employee disciplinary action, for employees who fail to comply with this Directive. Exceptions include disclosures made by employees as whistleblowers, for mandatory reporting or certain crime victims. Each DMH component must have a process to mitigate, to the extent practicable, any harmful effects of unauthorized uses or disclosures of PHI by the component or any of its Business Associates.
Applicable DMH components must comply with “PRIVACY PRACTICES SECURITY” requirements.
15) Documentation Requirements:
Applicable DMH components must maintain Directive policies and procedures in written or electronic form as well as written or electronic copies of all communications, actions, activities or designations required to be documented by this Directive, for 6 years from the later of the date of creation or the last effective date.
16) Disclosure of Unidentifiable Information or Information in Limited Data Sets
PHI may be disclosed under the requirements and protocols described in “UNIDENTIFIABLE OR DE-IDENTIFIED INFORMATION” or “LIMITED DATA SETS.”
17) Charges for Copying and Other Expenses Related to Copying and Access to PHI.
As permitted by this Directive, PHI may be disclosed by photocopy or fax. A fee to cover costs of reproducing may be charged and collected in advance of providing copies in accord with DMH Regulation 87-4(D): “The first fifteen copies will be provided at no charge; beginning with the sixteenth copy, there will be a fee of twenty cents per page. If a request is made for records which are not readily available, the Department may determine a reasonable hourly rate for the expense of searching for and securing such records. The Department may also require a reasonable deposit for such anticipated expense from the person making the request prior to searching for or making copies of the records.”
18) Violations and Penalties
All violations of this directive must be reported to the applicable person's supervisor. DMH employees who make an unauthorized disclosure of PHI, or otherwise violate provisions of this Directive, are subject to disciplinary action in accordance with the DMH Employee Discipline Directive. Further, South Carolina law provides for penalties for the unauthorized disclosure of PHI up to one year imprisonment and/or a fine of up to $500. Federal law provides for penalties of $100 per incident up to $250,000 and ten years in prison. Unauthorized use or disclosure of PHI may also subject the employee to additional civil or criminal liability.
This Directive with referenced “Notice of Privacy Practices” and Appendix, replaces the DMH Directive No. 771-92 “Confidentiality of Medical Records and Patient Information.” This Directive is effective April 14, 2003.