Iowa Admin. Code r. 441-9.14

Current through Register Vol. 46, No. 26, June 12, 2024
Rule 441-9.14 - [Effective until 7/3/2024] Special policies and procedures for protected health information
(1) Minimum necessary. When using or disclosing protected health information or when requesting protected health information from another covered entity, the department shall make reasonable efforts, as described in paragraphs 9.14(1) "a" through "e," to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
a. This requirement does not apply in the following circumstances:
(1) Disclosures to or requests by a health care provider for treatment.
(2) Uses or disclosures made to the subject.
(3) Uses or disclosures made pursuant to an authorization.
(4) Disclosures made to the Secretary of Health and Human Services.
(5) Uses or disclosures that are required by law.
(6) Uses or disclosures that are required for compliance with this chapter.
b. The department shall take the following actions:
(1) Identify those persons or classes of persons, as appropriate, in its workforce who need access to protected health information to carry out their duties.
(2) For each person or class of persons, identify the category or categories of protected health information to which access is needed and any conditions appropriate to the access.
(3) Make reasonable efforts to limit the access of these persons or classes.
c. For any type of disclosure that it makes on a routine and recurring basis, the department shall implement policies and procedures (which may be standard protocols) that limit the amount of the protected health information disclosed to that reasonably necessary to achieve the purpose of the disclosure.

For all other disclosures, the department shall develop criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought. The department shall review requests for disclosure on an individual basis in accordance with the criteria.

The department may rely, if reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when:

(1) Making permitted disclosures to a public official, provided the public official indicates that the information requested is the minimum necessary for the stated purposes;
(2) The information is requested by another covered entity; or
(3) The information is requested for the purpose of providing professional services to the department by a professional who is a workforce member or business associate of the department if the professional indicates that the information requested is the minimum necessary for the stated purpose.
d. Minimum necessary requests.
(1) When requesting information from other covered entities, the department shall limit any request for protected health information to that which is reasonably necessary to accomplish the purpose for which the request is made.
(2) For a request that is made on a routine and recurring basis, the department shall implement policies and procedures (which may be standard protocols) that limit the protected health information requested to the amount reasonably necessary to accomplish the purpose for which the request is made.
(3) For all other requests, the department shall develop criteria designed to limit the request for protected health information to the information reasonably necessary to accomplish the purpose for which the request is made and to review requests for disclosure on an individual basis in accordance with the criteria.
e. For all uses, disclosures, or requests to which the minimum necessary requirements apply, the department shall not use, disclose or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request.
(2) Uses and disclosures for premium rating and related purposes. If a health plan receives protected health information for the purpose of premium rating or other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and if the health insurance or health benefits are not placed with the health plan, the health plan shall not use or disclose the protected health information for any other purpose, except as may be required by law.
(3) Verification and documentation.
a. Before any disclosure of protected health information, the department shall obtain verification or documentation as follows:
(1) Verify the identity of a person requesting protected health information and the person's authority to access protected health information, if the department does not know the identity or authority of the person. This requirement is waived for disclosures to persons involved in the subject's care or for notification purposes, as described at subrule 9.7(3).
(2) Obtain any oral or written documentation, including statements and representations, from the person requesting the protected health information when this is a condition of the disclosure under this chapter.
b. The following constitute appropriate verification or documentation, if reasonable under the circumstances:
(1) Documentation, statements, or representations. The department may rely on documentation, statements, or representations that, on their face, meet the applicable requirements.
(2) Identity of public officials. When disclosure of protected health information is requested by a public official or a person acting on behalf of the public official, the department may rely on any of the following to verify identity:
1. In-person presentation of an agency identification badge, other official credentials, or other proof of government status.
2. A written request on the appropriate government letterhead.
3. A written statement on appropriate government letterhead that the person is acting under the government's authority or other evidence or documentation of agency, such as a contract for services, memorandum of understanding, or purchase order, that establishes the person is acting on behalf of the public official.
(3) Authority of public officials. When the disclosure of protected health information is requested by a public official or a person acting on behalf of the public official, the department may rely on any of the following to verify authority:
1. A written statement of the legal authority under which the information is requested.
2. If a written statement would be impracticable, an oral statement of the legal authority.
3. An order issued by a judicial or administrative tribunal.
(4) Exercise of professional judgment. The requirements of this subrule are met if the department relies on the exercise of professional judgment in use or disclosure to persons involved in the subject's care or for notification purposes, in accordance with subrule 9.7(3), or acts on a good-faith belief in making a disclosure to avert a serious threat to health or safety, in accordance with subrule 9.10(18).
(4) Notice of privacy practices for protected health information. A subject has a right to adequate notice of the uses and disclosures of protected health information that may be made by the department, and of the subject's rights and the department's legal duties with respect to protected health information.
(5) Right to receive an accounting of disclosures. Within the limits described in this subrule, a subject has a right to receive an accounting of the disclosures of protected health information listed in paragraph 9.14(5) "a," including disclosures to or by business associates of the department. A subject shall request an accounting using Form 470-3985, Request for a List of Disclosures.
a. Disclosures that may be included in an accounting. A subject's right to receive an accounting of disclosures made by the department, or to or by business associates of the department, is limited to the following disclosures that do not require an authorization or an opportunity for the subject to agree or object:
(1) For health oversight activities described at subrule 9.10(2).
(2) For judicial and administrative proceedings described at subrule 9.10(5).
(3) For law enforcement purposes described at subrule 9.10(15).
(4) For averting a threat to health or safety described at subrule 9.10(18).
(5) To meet requirements of law described at subrule 9.10(19).
(6) For public health activities described at subrule 9.10(22).
(7) For disclosures about suspected victims of domestic violence described at subrule 9.10(23).
(8) For disclosures about suspected victims of abuse or neglect described in 441-Chapter 9.
(9) To coroners, medical examiners, and funeral directors described at subrule 9.10(24).
(10) For cadaveric organ, eye, or tissue donation described at subrule 9.10(25).
(11) For specialized government functions described at subrule 9.10(26), except those made for national security or intelligence purposes.
(12) By whistle blowers as described at subrule 9.10(27).
b. Content of the accounting. The department shall provide the subject who submits Form 470-3985, Request for a List of Disclosures, with a written accounting of disclosures that meets the following requirements.
(1) The accounting shall include disclosures of protected health information that occurred during the six years (or the shorter time requested by the subject) before the date of the request. However, disclosures that occurred before April 14, 2003, are not included in an accounting.
(2) Except for limitations regarding multiple disclosures to the same person or organization, the accounting shall include for each disclosure:
1. The date of the disclosure.
2. The name of the organization or person who received the protected health information and, if known, the address of the organization or person.
3. A brief description of the protected health information disclosed.
4. A brief statement of the purpose of the disclosure that reasonably informs the subject of the basis for the disclosure or, instead of the statement, a copy of a written request for a disclosure.
(3) If, during the period covered by the accounting, the department has made multiple disclosures of protected health information to a person or organization requesting a disclosure, the accounting may, with respect to the multiple disclosures, provide:
1. The information required by subparagraph 9.14(5) "b"(2), for the first disclosure during the accounting period;
2. The frequency, periodicity, or number of the disclosures made during the accounting period; and
3. The date of the last disclosure during the accounting period.
c. Time limits for providing the accounting. The department shall act on the subject's request for an accounting no later than 60 days after receipt of a request, as follows:
(1) The department shall provide the subject with the accounting requested; or
(2) If the department is unable to provide the accounting within these 60 days, the department may extend the due date one time, for a period not to exceed 30 days. In order to extend the due date, the department shall provide the subject with a written statement of the reasons for the delay and the date by which the department shall provide the accounting. The department shall provide this written statement within the 60-day period after receipt of the request for an accounting.
d. Fee for accounting. The department shall provide to a subject one accounting without charge in any 12-month period. The department may impose a reasonable, cost-based fee for each subsequent request for an accounting by the same subject within the 12-month period, as set forth in subrule 9.3(7), provided that the department:
(1) Informs the subject in advance of the fee; and
(2) Provides the subject with an opportunity to withdraw or modify the request for a subsequent accounting in order to avoid or reduce the fee.
e. Suspension of right. The department shall temporarily suspend a subject's right to receive an accounting of disclosures made to a health oversight agency or law enforcement official, as permitted in this chapter, if the agency or official provides the department with a statement that the accounting would likely impede the agency's activities and specifies the time for which a suspension is required.
(1) If the agency or official statement is submitted in writing, the department shall suspend the right to receive accounting for the time specified by the agency or official.
(2) If the agency or official statement is made orally, the department shall:
1. Document the statement, including the identity of the agency or official making the statement;
2. Temporarily suspend the subject's right to an accounting of disclosures subject to the statement; and
3. Limit the temporary suspension to no longer than 30 days from the date of the oral statement, unless the agency or official statement is submitted in writing during that time.
(6) Complaint procedure. A person who believes the department is not complying with the rules on protected health information or with the applicable requirements of 45 CFR Part 160 as amended to August 14, 2002, or with the applicable standards, requirements, and implementation specifications of 45 CFR of Subpart E of Part 164 as amended to August 14, 2002, may file a complaint with the department's privacy office or with the Secretary of Health and Human Services.
a. Complaints to the department's privacy office shall be in writing and may be delivered personally or by mail to the DHS Privacy Office, 1305 E. Walnut Street, First Floor, Des Moines, Iowa 50319-0114. Complaints regarding facilities may be sent to the applicable facility.
b. Complaints to the Secretary of Health and Human Services shall be made using the procedures set forth in 45 CFR 160.306 as amended to August 14, 2002.
(7) Appeal rights.
a. If the subject disputes a decision by the privacy officer, the department's designated licensed health care professional, or the facility administrator on any of the following requests, the subject may appeal the decision in accordance with 441-Chapter 7.
(1) A request for restriction on use or disclosure of protected health information.
(2) A request for confidential communication of protected health information.
(3) A request for access to protected health information.
(4) A request to amend protected health information.
(5) A request for accounting of disclosures.
b. The privacy officer or facility shall assist the subject in making the appeal, if needed.
c. Appeals shall be:
(1) Mailed to the Appeals Section, Fifth Floor, Iowa Department of Human Services, 1305 E. Walnut Street, Des Moines, Iowa 50319-0114; or
(2) Submitted electronically at www.dhs.state.ia.us/appeals.asp.
(8) Record retention. Notwithstanding any other department rule to the contrary, protected health information shall be retained for at least six years from the date of creation or the date when the information last was in effect, when required by 45 CFR 164.530, paragraph "j," as amended to August 14, 2002.
