Policy/Memo 116

Number: Policy Memo 116
Date Issued: April 14, 2003
Policy File Ref: A1820
Subject: Uses and Disclosures of PHI and Authorization Requirements

ISSUE:

Uses and Disclosures of PHI

PURPOSE:

To issue instructions to EBD workforce members regarding permitted uses and disclosures of protected health information in compliance with the Health Insurance Portability and Accountability Act (HIPAA).

Background:

The subject of the privacy of individuals’ health records has been a topic of increasing importance as people begin to realize the amount of personal information about them in records systems, and the effect of unauthorized release. Agencies of New York State are required by the Personal Privacy Protection Act (PPPA) to conform to certain practices which protect the confidentiality of records under their purview. Additionally, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires health plans to meet numerous requirements in protecting individually identifiable health information from unauthorized use or disclosure.

Policy:

Protected Health Information (PHI) means individually identifiable information relating to past, present or future physical or mental health or condition of an individual, provision of health care to an individual, or the past, present or future payment for health care provided to an individual.

PHI maintained by EBD includes any information contained in the individual’s enrollment record and any other individually identifying record of information. Demographic and enrollment information is considered PHI.

EBD shall adhere to the following policies to ensure adequate protection of individuals’ health information.

Minimum Necessary Standard
EBD will make reasonable efforts to ensure that the minimum amount of PHI necessary to fulfill the intended purpose or function is used or disclosed. The minimum necessary standard does not apply to:

  • disclosures to the individual who is the subject of the information;
  • disclosures made pursuant to the subject individual’s authorization;
  • disclosures to or requests by healthcare providers for treatment purposes;
  • disclosures required for compliance with the standardized HIPAA transactions;
  • disclosures made to HHS pursuant to a privacy investigation; and
  • disclosures required by law, including the HIPAA privacy regulations.

Deceased Individuals
EBD shall comply with its HIPAA privacy policies and procedures with respect to the PHI of a deceased individual.

Personal Representatives
A personal representative must be treated as the individual regarding access to the subject individual’s PHI. A person shall be considered a personal representative if, under applicable law, he/she has authority to act on behalf of an individual in making decisions related to health care.

Who may be considered as a personal representative depends on whether the person being represented is an adult or a minor.

For adults and emancipated minors, proof of status as a personal representative may be shown through:

  • A health care proxy;
  • A power of attorney that includes health care decisions; or
  • A court order appointing them with authority to make health care decisions.

For unemancipated minors, a personal representative can be any of the following:

  • A parent or legal guardian, such as a foster parent;
  • A person acting in the position or place of a parent, such as a representative of a child welfare/foster care agency, or a friend of the family who has written permission to act as the personal representative (such as a court order or a notarized statement from the parent/legal guardian); or
  • Someone with a close familial relationship, such as a grandparent, acting in the parent's absence.

Exceptions to treating Personal Representatives as the Individual
In certain instances, EBD does not need to treat a Personal Representative as the individual for purposes of disclosing PHI. For example, PHI need not be disclosed to the Personal Representative if it is reasonably believed that such disclosure could endanger the individual, or is otherwise not in the best interest of the individual. Any questions regarding specific disclosures to Personal Representatives should be referred to the EBD Privacy Official.

Verification of recipient of PHI
EBD staff shall make good faith efforts to verify the identity of the person requesting PHI and the authority of such person to access the PHI (if not previously known).

Telephone Disclosures
For verbal disclosures to the individual who is the subject of the PHI, EBD shall verify the identity of the individual by requesting that the caller provide the following information and comparing it to the enrollment record (NYBEAS):

  • Name;
  • Date of birth;
  • Social Security number.

If the individual provides incorrect information (e.g., the date of birth does not match the NYBEAS record), EBD staff may rely on their professional judgment to permit the individual to verify other information contained in the enrollment record in order to ascertain the individual’s identity.

Public Officials
With regard to verifying the identity of public officials, EBD staff may rely, if reasonable under the circumstances, on any of the following to verify identity when the disclosure of PHI is to a public official or a person acting on behalf of a public official:

  • if the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of governmental status;
  • if the request is in writing, on appropriate government letterhead;
  • if the disclosure is to a person acting on behalf of a public official, a written statement on appropriate government letterhead that the person is acting with authority, or other evidence of agency (e.g., a contract for services, Memorandum of Understanding, or purchase order) that the person is acting on behalf of the public official;
  • a written statement of legal authority under which the information is requested, or, if a written statement would be impractical, a verbal statement of such authority; or
  • a request made by legal process, warrant, subpoena, order, or other legal process issued by a grand jury or judicial or administrative tribunal is presumed to constitute legal authority.

Professional Judgment
Verification requirements are met if the Employee Benefits Division relies on the exercise of professional judgment, or acts on good faith belief, in making a use or disclosure in accordance with this policy.

Permitted Uses and Disclosures of Protected Health Information

PHI may be used and disclosed by EBD in the following circumstances:

  • To the individual who is the subject of the PHI and to his or her Personal Representative.
  • To a third party based on a valid, signed authorization from the individual.
  • For treatment purposes, including the disclosure of enrollment and demographic information to insurers or organizations responsible for delivering or administering an individual’s health care.
  • For determination of eligibility, coverage, and cost sharing amounts such as the cost of a benefit, plan maximums, co-payments, subrogation of claims, and establishing participants’ contributions.
  • To collect premiums or determine or fulfill the Plan’s responsibility for premium payments to insurers, including disclosures to the Office of the State Comptroller and agencies for use in collecting premiums.
  • For billing, collection activities and related health care data processing, including disclosure to consumer reporting agencies related to the collection of premiums or reimbursement.
  • To employers participating in the plan for purposes of performing administrative duties. This includes disclosure of enrollment and premium information to Health Benefits Administrators.
  • To an entity with which EBD has entered into a Business Associate contract, provided the disclosure is consistent with the contractual provisions.
  • As part of a Limited Data Set, for research purposes. All uses and disclosures for research purposes must be reviewed by the EBD Privacy Official and/or Counsel’s Office to ensure compliance with HIPAA. (Refer to the Department’s Health Information Privacy Policy – Section 6.4)
  • For quality assessment and improvement activities.
  • To perform population-based activities relating to improving services or reducing plan costs, such as protocol development and disease management programs.
  • To conduct claims management and related health care data processing, including auditing payments, investigating and resolving payment disputes, and responding to participant inquiries about payments.
  • For premium rating and other activities related to the creation, renewal or replacement of a contract of health insurance or health benefits.
  • To the Plan Sponsor, so that it can monitor, audit and otherwise administer its employee health plan.
  • To conduct or arrange for legal services, banking services, benefits consulting services, auditing services, medical review, and the investigation of fraud and abuse cases.
  • For business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the plans administered by EBD, including the development or improvement of payment methods or coverage policies.
  • For business management and general administrative activities of the plans administered by EBD, including but not limited to:
    • management activities related to ensuring HIPAA compliance;
    • customer service;
    • the disclosure of enrollment information to local plan sponsors;
    • disclosure of summary health information to local plan sponsors for the purpose of obtaining premium bids for the provision of health insurance coverage under the local plan and/or for modifying, amending, or terminating the local plan;
    • data analysis for participants and local plan sponsors;
    • the resolution of internal grievances; and
    • auditing contractual performance standards.
  • When asked to do so by a law enforcement official, such as:
    • In response to a court order, subpoena, warrant, summons or similar process;
    • To identify or locate a suspect, fugitive, material witness, or missing person;
    • About the victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement;
    • About a death we believe may be the result of criminal conduct;
    • About criminal conduct associated with NYSHIP; and
    • In emergency circumstances to report a crime; the location of the crime or victims; or the identity, description or location of the person who committed the crime.
  • For specialized government functions, including:
    • To authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.
    • To authorized federal officials so they may provide protection to the President, other authorized persons or foreign heads of state or conduct special investigations.
    • As required by military command authorities for members of the armed forces or reserves.
  • For activities related to oversight of the health care system, government health benefits programs, and entities subject to government regulation, including activities such as audits, civil and criminal investigations and proceedings, inspections, and licensure and certification actions. PHI may only be disclosed for investigations of an individual that are related to receipt of health care, or the qualification for, receipt of, or claim for public benefits.
  • As necessary to prevent a serious threat to the health and safety of an individual or the public.
  • To a public health authority to prevent or control disease, injury or disability.
  • To the Department of Health and Human Services when required to investigate or determine compliance with the HIPAA Privacy Regulations.
  • As authorized and to the extent necessary to comply with laws relating to workers’ compensation and other similar programs.
  • When we are required to do so by federal, state or local law.

Disclosures Requiring Opportunity for Individual to Agree or Object
Under certain circumstances, it is permissible for EBD to share certain PHI with a family member, other relative, close personal friend, or any other person identified by the individual who is involved in the care, or payment of care, of the individual. EBD may use or disclose PHI without the written or verbal permission of the individual to such persons involved in the individual’s care, or payment of care, provided the individual is informed in advance (in writing or verbally) and has the opportunity to agree to, or to prohibit or restrict, the disclosure. The PHI disclosed should be limited to that which is directly relevant to such person’s involvement with or payment related to the individual’s health care.

  • If the individual is present and available and has capacity to make his/her own health care decisions, EBD may share PHI with a family member, other relative, close personal friend, or any other person identified by the individual, if:
    • the individual agrees to the disclosure(s);
    • the individual is provided with an opportunity to object and the individual does not object; or
    • in the exercise of professional judgment, EBD staff reasonably infer from the circumstances that the individual does not object to the disclosure. Such circumstances, and the fact of the disclosure, must be appropriately documented.
  • If the opportunity for the individual to agree or object cannot practicably be provided due to incapacity or emergency circumstances, EBD staff may, in the exercise of their professional judgment, determine whether the disclosure is in the best interests of the individual. If so, only that PHI which is directly relevant to the person’s involvement with the individual’s health care may be disclosed. Such circumstances, and the fact of the disclosure, must be appropriately documented.

Disclosures Requiring Authorization from the Individual
In compliance with federal regulations (45 CFR Part 164) and New York State law, all uses and disclosures of PHI beyond those otherwise permitted or required by law require a signed authorization. EBD shall obtain a signed authorization from the individual before making any disclosures of PHI not otherwise permitted by HIPAA. EBD must maintain documentation of authorizations and revocations for a period of six (6) years from its date of execution or the last date it was effective, whichever is later. [Policy Memorandum #117 – Authorization for Use or Disclosure of PHI]