4010.0.0REQUEST AMENDMENT OF PROTECTED HEALTH INFORMATION4010.1.0PurposeTo insure Department of Human Services (DHS) compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Regulations regarding a patient's right to request an amendment or correction to their protected health information.
4010.2.0AuthorityHIPAA Standards for Privacy of Individually Identifiable Health Information 45 CFR Part 164 Section 164.526 Amendment of protected health information. To issue instructions to all DHS offices, facilities, programs and workforce members ("entities") regarding the Department's obligations relating to the implementation of HIPAA, 42 U.S.C. §§ 1320d-1329d-8, and regulations promulgated hereunder, 45 CFR Parts 160 and 164.
4010.3.0ApplicabilityThis rule applies to all DHS employees. DHS offices, facilities, programs and workforce members are directed to follow all applicable policies and procedures found in the HIPAA Policies and Procedures Manual. Failure to comply with this rule and its reference documents may result in disciplinary sanctions as defined in DHS 1084, Employee Discipline.
4010.4.1Protected Health Information (PHI) - individually identifiable information relating to past, present or future physical or mental health or condition of an individual, provision of health care to an individual, or the past, present or future payment for health care provided to an individual.4010.4.2Workforce Members - employees, volunteers, trainees, and other persons whose conduct, in the performance of work for DHS, its offices, programs or facilities, is under the direct control of DHS, regardless of whether they are paid by the entity.4010.5.1 These procedures are in addition to procedures set out in other rules or implemented by the Office of Administrative Services (OAS).4010.5.2 Patient requests for amendment of protected health information shall be made in writing to the covered entity and clearly identify the information to be amended, as well as the reasons for the amendment. These requirements are detailed in the Notice of Privacy Practices.4010.5.3 Requests may be denied if the material requested to be amended: A. Was not created by DHS, unless the originator is no longer available to act on the requestB. Is not part of the individual's health recordC. Is not accessible to the individual because federal and state law do not permit itD. Is accurate and complete4010.5.4 DHS must act on the individual's request for amendment no later than 60 days after receipt of the amendment. DHS may have a one-time extension of 30 days for processing the amendment if the individual is given a written statement of the reason for the delay, and the date by which the amendment request will be processed.4010.6.0Amendment Request is GrantedIf the request is granted, after review and approval by the individual responsible for the entry to be amended, DHS must:
A. Insert the amendment or provide a link to the amendment at the site of the information that is the subject of the request for amendmentB. Inform the individual that the amendment is acceptedC. Obtain the individual's identification of and agreement to have DHS notify the relevant persons with whom the amendment needs to be sharedD. Within a reasonable time frame, make reasonable efforts to provide the amendment to persons identified by the individual, and persons, including business associates, that DHS knows have the protected health information that is the subject of the amendment and that may have relied on or could foreseeably rely on the information to the detriment of the individual4010.7.0 Amendment Request is Denied4010.7.1 If the request is denied, DHS must provide the individual with a timely written denial in plain language that contains:A. The basis for the denial (see section 4010.5.3 above)B. The individual's right to submit a written statement disagreeing with the denial and how the individual may file such a statementC. A statement that if the individual does not submit a statement of disagreement, the individual may request that DHS provide the individual's request for amendment and the denial with any future disclosures of the protected health information that was the subject of the requestD. A description of how the individual may complain to DHS or the Secretary of Health and Human ServicesE. The name or title, and the telephone number of the designated contact person who handles complaints for DHS4010.7.2 DHS must permit the individual to submit to DHS, a written statement disagreeing with the denial of all or part of the requested amendment and the basis of such agreement. DHS may reasonably limit the length of a statement of disagreement.4010.7.3 DHS may prepare a written rebuttal to the individual's statement of disagreement. Whenever such a rebuttal is prepared, DHS must provide a copy to the individual who submitted the statement of disagreement.4010.7.4 DHS must, as appropriate, identify the record of protected health information that is the subject of the disputed amendment and append or otherwise link the individual's request for amendment, DHS denial of the request, the individual's statement of disagreement, if any, and DHS's rebuttal, if any.4010.7.5 If the individual has submitted the statement of disagreement, DHS must include the material appended or an accurate summary of such information with any subsequent disclosure of the protected health information to which the disagreement relates.4010.7.6 If the individual has not submitted a written statement of disagreement, DHS must include the individual's request for amendment and its denial, or an accurate summary of such information, with any subsequent disclosure of protected health information only if the individual has requested such action.4010.7.7 When a subsequent disclosure is made using a standard transaction that does not permit the additional material to be included, DHS must separately transmit the material required.4010.7.8 A covered entity that is informed by DHS of an amendment to an individual's protected health information must amend the protected health information in written or electronic form.4010.7.9 DHS must document the titles for the persons or offices responsible for receiving and processing requests for amendments.4010.8.0Additional Considerations of Amendments From Other Covered EntitiesWhen a provider receives notification from another health care provider or health plan that a patient's protected health information has been amended, the receiving provider:
A. Must ensure that the amendment is appended to the patient's health recordB. Will inform its business associates that may use or rely on the patient's protected health information of the amendment (as agreed to in the business associate contract) so that they may make the necessary revisions based on the amendment4010.9.0Originating Section/Department Contact*ffice of Chief Counsel Donaghey Plaza South P. O. Box 1437, Slot S260 Little Rock, AR 72203-1437 Telephone: (501) 682-8934
4011.0.0ACCOUNTING FOR DISCLOSURES OF PROTECTED HEALTH INFORMATION4011.1.0PurposeTo establish Health Information Portability and Accountability Act (HIPAA) compliant policies and procedures for tracking and accounting for disclosures of Protected Health Information (PHI).
4011.2.1 Pursuant to 45 CFR 164.528, Department of Human Services (DHS) clients (and their legal representatives) have a right to request an accounting of PHI disclosures that DHS has made for a period of up to six years previous to the date of request. It is DHS policy that all disclosures of client PHI (subject to accounting and tracking) will be recorded on the Protected Health Information (PHI) Tracking Sheet, Form DHS-4002, and entered into the PHI Disclosure Tracking system for retrieval.4011.2.2 Upon receipt of a request for an accounting of PHI disclosures, DHS will have a maximum of 60 calendar days to compile the accounting of disclosures and respond to the client request. If DHS is unable to comply with the client's request for an accounting of PHI disclosures within 60 calendar days, DHS may make a one-time extension of the time frame for response by 30 calendar days.4011.2.3 The accounting of PHI disclosures must include:A. The date of the disclosure.B. The name, and address if known, of the person or entity that received the disclosed PHI.C. A brief description of the information disclosed.D. A brief statement of the purpose of the disclosure that reasonably informs the client of the basis for the disclosure, or, in lieu of such statement, a copy of the client's written request for the accounting of disclosures.4011.3.0 Disclosures subject to tracking and accounting include:4011.3.1Abuse Reports. PHI provided (other than protective services staff who respond to such reports) pursuant to mandatory abuse reporting laws to an entity authorized by law to receive abuse reports.4011.3.2Audit Review. PHI provided from a client record in relation to an audit or review of a provider or contractor.4011.3.3Health and Safety. PHI provided to avert a serious threat to the health and/or safety of a person or persons.4011.3.4Licensee/Provider. PHI provided from a client record in relation to licensing, regulation or certification of a provider or licensee involved with the provision of care or services to the client.4011.3.5Legal Proceedings. PHI ordered to be disclosed pursuant to a court order.4011.3.6Law Enforcement Official/Court Order. PHI provided to a law-enforcement official pursuant to a court order.4011.3.7Law Enforcement or Other Official/Deceased. PHI concerning a deceased client provided to law-enforcement official, medical examiner or other official for the purpose of identifying a deceased person, determining the cause of death, or for other reasons authorized by law.4011.3.8Law Enforcement Official/Warrant. To the extent permitted by law, PHI provided to a law-enforcement official concerning a fleeing felon or client subject to an arrest warrant.4011.3.9Public Health Official. PHI provided to a public health official for the reporting of disease or injury or for the conduct of a public health study or investigation. 4011.3.10Public Record. PHI disclosed pursuant to a Public Record request without the client's authorization.4011.3.11Research. PHI provided for research purposes using a waiver of authorization provided by an Institutional Review Board (IRB).4011.4.0 Disclosures not subject to tracking and accounting include:4011.4.1Disclosures for Treatment Payment and Operations (TPO). A. Treatment - the provision, coordination, or management of health care and related services, consultation between providers relating to an individual, or referral of an individual to another provider for health care.B. Payment - activities undertaken to obtain or provide reimbursement for health care, including determinations of eligibility or coverage, billing, collection activities, medical necessity determinations and utilization review.C. Operations - functions such as quality assessment and improvement activities, reviewing competence or qualifications of health care professionals, conducting or arranging for medical review, legal services and auditing functions, business planning and development, and general business and administrative activities.4011.4.2Disclosures to the Client.4011.4.3Disclosures made pursuant to a valid authorization of the client.4011.4.4Disclosures or uses made subject to the client's opportunity to object including:A. Use to maintain a facility directory and disclosures from the directory to clergy and persons who ask for the individual by name.B. Use and disclosure to persons involved with the client's care, payment for services, or for notification of general condition or death to persons responsible for the care of the client.C. Disclosures for disaster relief purposes.4011.4.5Use and disclosures for national security and intelligence activities.4011.4.6Use and disclosures to correctional institutions and other law enforcement custodial situations.4011.4.7Disclosure as part of a limited data set which excludes direct identifiers for research, public health, or health care operations. Refer to DHS Policy 4009 for specific guidance.4011.4.8Disclosures, which occurred prior to the effective date of HIPAA Privacy requirements. PROCEDURES
4011.5.0Requests for Accounting of PHI DisclosuresClients (or their legal representatives) may make their requests in-person, by letter, by facsimile or orally by phone. A request for an accounting of PHI disclosures must identify the record holder and the period of time covered by the request. When a request for an accounting is received:
A. The DHS staff member receiving the request for an accounting must document the identity of the requestor by identification badge, driver's license, written statement of identity on agency letterhead, or similar proof. When an oral request is received in person or by phone, DHS will confirm the request with a written statement describing the request and obtain a client signature for authentication.B. When the request for accounting is documented and accepted, the client will be provided an acknowledgement statement indicating when he can expect to receive an accounting. Form DHS 4009 will be used for this purpose.C. The client's health record will be reviewed to determine if PHI disclosures have occurred during the time period covered by the client's request. This will be accomplished through manual review of the Protected Health Information (PHI) Tracking Sheet, DHS-4002, or inquiry to the PHI Disclosure Tracking system. If accounting of disclosures cannot be completed within 60 days of the request, the client will be notified using form DHS-4011.D. When a list of disclosures has been compiled, form DHS-4010 will be completed and the form and list of disclosures will be forwarded to the client.E. If the client has any questions concerning the content of the accounting, he/she will be referred to the DHS Privacy Official at: Arkansas Department of Human Services
DHS Privacy Official
P.O. Box 1437 Mail Slot S201
Little Rock, Arkansas 72203-1437
Phone: 501-682-8650
Email: mailto:Privacyofficial@mail.state.ar.us
Phone 501-582-8920, TDD 501-682-8933 or Fax 501-682-8884
F. Client requests for accountings of PHI disclosures will be filed in the client's health record and maintained for a period of 6 years from the date the request is completed.4011.6.0Any questions concerning DHS Policy Number 4011 should be directed to:DHS Office of Chief Counsel Post Office Box 1437/Slot S260 Little Rock, Arkansas 72203-1437 Telephone: (501) 682-8934
ARKANSAS DEPARTMENT OF HUMAN SERVICES Amendment of Health Record Request Form
(For use by DHS clients asking for amendment of their records.)
Click here to view image
Click here to view image
ARKANSAS DEPARTMENT OF HUMAN SERVICES
Protected Health Care Disclosure Accounting Acknowledgement
Click here to view image
ARKANSAS DEPARTMENT OF HUMAN SERVICES
Protected Health Care Disclosure Accounting Response
Click here to view image
ARKANSAS DEPARTMENT OF HUMAN SERVICES
Protected Health Care Disclosure Accounting Delay
Click here to view image
016.14.03 Ark. Code R. § 008