The Department of Health & Human Services (DHHS) has made a serious commitment to protecting the information of the individuals it serves. This is a requirement of state and federal law.
The DHHS Privacy Officer monitors, reviews, and investigates activities within DHHS to ensure the Department complies with privacy laws. The Privacy Officer also develops privacy training for the DHHS workforce and maintains the Department’s policies and forms governing access to protected information and authorization to release it. While the Privacy Officer largely deals with the Health Insurance Portability & Accountability Act (HIPAA), they are also responsible for ensuring that DHHS complies with other federal and state privacy laws as they relate to DHHS services, such as the U.S. Privacy Act of 1974, the Family Educational Rights and Privacy Act (FERPA), and the NH Right to Privacy Act.
The DHHS Notice of Privacy Practices explains the uses and disclosures of identifiable information allowed by law that the Department follows.
What is the Health Insurance Portability and Accountability Act (HIPAA)?
HIPAA is a federal law that protects the privacy and security of identifiable health information. HIPAA governs the uses and disclosures of protected health information (PHI) and provides individuals with rights concerning their PHI while also allowing the flow of necessary health information needed to provide and promote quality health care for the individual.
What information does HIPAA protect?
HIPAA applies to protected health information (PHI) in any format (written, electronic, or oral), such as your medical records, mental health records, lab results, or eligibility records for health-related programs such as Medicare and Medicaid. It does not apply to other types of protected information, such as federal tax information, personal financial information, or educational records. However, other state and federal laws protect personally identifiable information (PII) that is not PHI.
Who is covered by HIPAA?
HIPAA applies to “covered entities.” A “covered entity” is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with certain standard transactions (such as claims or eligibility inquiries). It is important to note that HIPAA does not apply to all businesses, but only to those that meet the definition of a “covered entity” under the law.
- Health Plans: A health plan is an individual or group plan that provides or pays the cost of medical care. This includes but is not limited to health, dental, vision, and prescription drug insurers, health maintenance organizations (HMOs), Medicare, and Medicaid.
- Health Care Providers: Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions (claims, benefit eligibility inquiries, etc.) is a covered entity.
- Health Care Clearinghouses: A health care clearinghouse is an entity that processes nonstandard information it receives from another entity into a standard format, or vice versa. A clearinghouse receives individually identifiable health information only when performing these services for a health plan or health care provider. This includes billing services, repricing companies, and community health management information systems.
The Department is considered a “health plan” under HIPAA as it administers the Medicaid program. It is also considered a “health care provider” as it operates New Hampshire Hospital and Glencliff Home for the Elderly.
What is 42 CFR Part 2?
42 CFR Part 2 is a federal regulation that applies specifically to substance use disorder (SUD) records as defined in that regulation. Part 2 records are PHI, but they carry greater restrictions and stricter consent requirements in order to protect this very sensitive health information.
What is PHI/PII/SUD?
PHI stands for “protected health information.” PHI is individually identifiable information (information that identifies a person, or could reasonably be used to identify a person) that relates to that person’s past, present, or future physical or mental health or condition, the provision of health care to that person, or the past, present, or future payment for the provision of health care.
Substance Use Disorder (SUD) information is information created by a Part 2 Program that identifies an individual and is used for diagnosis, treatment, or referral for treatment for substance use disorder. A Part 2 Program is specifically defined at 42 CFR § 2.11.
PI or PII stands for “personal information” or “personally identifiable information,” which includes information such as a person’s name together with other unique identifiers such as date of birth, address, Social Security number, or bank account number.
What are my rights under HIPAA?
Under HIPAA, you have the right to:
- Request to view, access, and obtain a copy of your PHI;
- Authorize your PHI to be sent to someone else;
- Request an amendment to your records (such as changing any wrong information in your file, or adding any missing or incomplete information);
- Request an accounting (list) of people/entities that DHHS has released your information to; and
- Request a restriction on the information that DHHS discloses to a specific person, provider, or other entity. Restrictions can also be requested for specific pieces of your record (e.g., do not disclose my pharmacy or drug information to this family member).
Can DHHS release my information without my consent?
In most cases, no, DHHS cannot release your PHI without your consent. However, HIPAA does allow covered entities to release your information without your consent for treatment, payment, and health care operations purposes, in the case of a medical emergency, and for certain other specific purposes permitted or required by law, which are described in the DHHS Notice of Privacy Practices.
Can I access my information kept by DHHS?
Yes! You can access your PHI at any time for any reason by submitting a written request to the Privacy Officer. You may also authorize DHHS to disclose your information to a third party, such as a lawyer or family member. See the forms listed under HIPAA Forms and Publications to access the request form.
What if I believe my HIPAA rights have been violated by my doctor, hospital, or mental health facility?
HIPAA is a federal law; as such, NH DHHS does not have authority over the privacy practices of facilities that are not owned or funded by DHHS. If you feel your HIPAA rights have been violated, you may submit a complaint to the Office for Civil Rights.
What if I believe my HIPAA rights have been violated by DHHS?
If you believe your HIPAA rights have been violated by a DHHS program or facility, you may submit a complaint to the DHHS Privacy Officer by phone, letter, or email.
While the Privacy Officer can receive and respond to privacy-related complaints about a DHHS program or facility, they do not have authority over hospitals or other private health care facilities and professionals. Non-DHHS entities are overseen by the Office for Civil Rights (OCR) within the U.S. Department of Health & Human Services.