HIPAA/Privacy Officer

HIPAA is a federal law that protects the privacy and security of identifiable health information. HIPAA governs the uses and disclosures of protected health information (PHI) and provides individuals with rights concerning their PHI while also allowing the flow of necessary health information needed to provide and promote quality health care for the individual.

HIPAA applies to protected health information (PHI) in any format (verbal, electronic, oral), such as your medical records, mental health records, lab results, or eligibility records for health-related programs such as Medicare and Medicaid. It does not apply to other types of protected information, such as federal tax information, personal financial information, or educational records. However, there are other state and federal laws that protect non-PHI or personally identifiable information (PII).

HIPAA applies to “covered entities.” A “covered entity” is a health care provider, health plan, or a healthcare clearinghouse that transmits identifiable health care information electronically. It is important to note that HIPAA does not apply to all businesses, but only those which are designated as a “covered entity” under the law.

• Health Plans: A health plan is an individual or group plan that provides or pays the cost of medical care. This includes but is not limited to health, dental, vision, and prescription drug insurers, health maintenance organizations (HMOs), Medicare, and Medicaid.
• Health Care Providers: Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions (claims, benefit eligibility inquiries, etc.) is a covered entity.
• Health Care Clearinghouses: A health care clearinghouse is an entity that processes nonstandard information they receive from another entity into a standard format, or vice versa. The clearinghouse will receive individually identifiable information only when they are processing these services to a health plan or health care provider. This includes billing services, repricing companies, and community health management information systems.

The Department is considered a “health plan” under HIPAA as it administers the Medicaid program. It is also considered a “health care provider” as it operates New Hampshire Hospital and Glencliff Home for the Elderly.

42 CFR Part 2 is a regulation that applies specifically to substance use disorder (SUD) records as they are defined in that part of the law. Part 2 records are PHI, with greater restrictions and consent requirements in order to protect this very sensitive health information.

PHI stands for “protected health information.” PHI is information that relates to a person’s past, present, or future physical or mental health or condition, the provision of health care, or the past, present, or future payment for the provision of health care.

Substance Use Disorder (SUD) information is information created by a Part 2 Program that identifies an individual and is used for evaluation, treatment, or referral for treatment for substance user disorder. The law has a specific definition of a Part 2 program in 42 CFR Part 2.11.

PI or PII stands for “personal information” or “personally identifiable information,” which includes information such as name, and other specific unique identifiers such as date of birth, address, social security number or bank account number.

Under HIPAA, you have the right to:

• Request to view, access, and obtain a copy of your PHI;
• Authorize your PHI to be sent to someone else;
• Request an amendment to your records (such as changing any wrong information in your file, or adding any missing or incomplete information);
• Request an accounting (list) of people/entities that DHHS has released your information to; and
• Request a restriction to the information that DHHS discloses to a specific person, provider, or other entity. Restrictions can also be made on specific pieces of your record (i.e. do not disclose my pharmacy or drug information to this family member).

In most cases, no, DHHS cannot release your PHI without your consent. However, HIPAA does allow for covered entities to release your information without your consent for treatment, payment, and health care operations purposes, and in the case of a medical emergency.

Yes! You can access your PHI at any time for any reason by submitting a written request to the Privacy Officer. You may also authorize DHHS to disclose your information to a third party, such as a lawyer or family member. See the forms listed under HIPAA Forms and Publications to access the request form.

HIPAA is a federal law; as such, NH DHHS does not have authority over the privacy practices of non-DHHS owned or funded facilities. If you feel your HIPAA rights have been violated, you may submit a complaint to the Office of Civil Rights.

If you believe your HIPAA rights have been violated by a DHHS program or facility, you may submit a complaint to the DHHS Privacy Officer by phone, letter, or email.