 |
Iowa Administrative Rules (Last Updated: December 07, 2016) |
 |
Department 441. Human Services Department |
|
Chapter 9. PUBLIC RECORDS AND FAIR INFORMATION PRACTICES |
Section 441.9.1. Definitions.
-
As used in this chapter:
“Business associate” means a person or organization, other than a member of the department’s workforce, who meets one of the following criteria:
1. Performs, or assists in the performance of, a function or activity on behalf of the department which involves the use or disclosure of protected health information, including claims processing or administration, data analysis, research, utilization review, quality assurance, billing, benefit management, practice management, and repricing, or any other function or activity regulated by the rules on protected health information.
2. Provides legal, auctuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for the department. The provision of the service shall involve the disclosure of protected health information from the department or from another business associate of the department to the person or organization.
“Client” means a person who has applied for or received services or assistance from the department.
“Confidential record” means a record which is not available as a matter of right for examination and copying by members of the public under applicable provisions of law. Confidential records include:
1. Records or information contained in records that the department is prohibited by law from making available for examination by members of the public, and
2. Records or information contained in records that is specified as confidential by Iowa Code section 22.7, or other provision of law, but that may be disclosed upon order of a court, the lawful custodian of the record, or by another person duly authorized to release the record.
Mere inclusion in a record of information declared confidential by an applicable provision of law does not necessarily make that entire record a confidential record.
“Covered entity” means:
1. A health plan.
2. A health care clearinghouse.
3. A health care provider that transmits any health information in electronic form in connection with a transaction covered by the HIPAA regulations.
“Covered functions” means the functions performed by a covered entity which make the covered entity a health plan, health care clearinghouse, or health care provider.
“Custodian” means the department or a person who has been given authority by the department to act for the department in implementing Iowa Code chapter 22. For local offices, the custodian is the service area manager. For a child support recovery office, the custodian is the regional administrator. For an institution, the custodian is the institution superintendent. For a central office unit, or for requests dealing with more than one service area, region, or institution, the custodian is the division administrator.
“Data aggregation” means the action by which a business associate combines protected health information of the department with protected health information of another covered entity to permit data analyses that relate to the health care operations of the respective covered entities.
“Department” means the Iowa department of human services.
“Designated record set” means a group of records maintained by or for the department that is:
1. The medical records about subjects that are maintained for facilities;
2. The enrollment, payment, and eligibility record systems maintained for Medicaid; or
3. The enrollment, payment, and eligibility record systems maintained for the HAWK-I program that are used, in whole or in part, by the HAWK-I program to make decisions about subjects.
For purposes of this definition, the term “record” means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for the department.
“Disclosure” means releasing, transferring, providing access to, or divulging in any other manner information outside the organization holding the information.
“Facility” or “facilities” means, with respect to HIPAA rules about health information, one or more of these department institutions: Cherokee Mental Health Institute, Clarinda Mental Health Institute, Glenwood Resource Center, Independence Mental Health Institute, Mount Pleasant Mental Health Institute, and Woodward Resource Center.
“Health care” means care, services, or supplies related to the health of a subject. “Health care” includes, but is not limited to, the following:
1. Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedures with respect to the physical or mental condition, or functional status, of a subject or affecting the structure or function of the body; and
2. Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
“Health care clearinghouse” means a public or private organization, including a billing service, repricing company, community health management information system or community health information system, and “value-added” networks and switches, that performs either of the following functions:
1. Processes or facilitates the processing of health information received from another organization in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.
2. Receives a standard transaction from another organization and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving organization.
“Health care operations” has the same definition as that stated in 45 CFR 164.501 as amended to August 14, 2002. For a covered entity in the department, “health care operations” has the following meaning:
1. For Medicaid, “health care operations” means any of the following activities of the department to the extent that the activities are related to covered functions:
● Conducting quality assessments and evaluating outcomes.
● Developing clinical guidelines.
● Improving general health or reducing costs.
● Developing protocols, including case management and care coordination models for MediPASS and pharmacy case management as well as for other service areas and client populations under the Medicaid program.
● Informing clients of treatment alternatives and related functions.
● Reviewing competence or qualifications or performance of health care professionals using the surveillance and utilization review subsystem.
● Reviewing health plan performance from encounter data.
● Premium rating and rate setting.
● Performing activities in reinsurance of risk with the health maintenance organizations.
● Reviewing medical level of care and prior authorizations.
● Obtaining legal services through the attorney general’s office or the county attorney’s office.
● Cooperating in audits and fraud detection by Iowa and federal auditors, the Iowa Medicaid enterprise, or the department of inspections and appeals.
● Conducting business planning and development including formulary development by the drug utilization review commission and the department’s research and statistics staff.
● Managing activities, which include claiming of federal financial participation, recovering unknown third-party liability, recovering nursing care funds and other expenditures through estate recovery, Grouper programming for hospitals, lock-in activities, and federal reporting of paid claims.
● Providing customer service, which includes income maintenance workers answering questions about lock-in providers, copayment for pregnant women, and claims payment problems; and the Iowa Medicaid enterprise provider services unit answering questions on claims payment.
● Coordinating care and monitoring the effective delivery of child welfare services to ensure the safety and well-being of children, including reporting and providing testimony to the court of jurisdiction on the condition and service progress of a client receiving services from the department. These care coordination and monitoring activities include providing information concerning the client to attorneys representing the various parties in the court proceedings.
2. For the HAWK-I program, “health care operations” means any of the following activities of the department to the extent that the activities are related to covered functions:
● Conducting quality assessment and improvement activities, including evaluation of outcomes and development of clinical guidelines; population-based activities relating to improving health or reducing health care costs, protocol development and related functions that do not include treatment.
● Reviewing health plan performance.
● Premium rating and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits.
● Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs.
● Performing business planning and development functions, such as conducting cost-management and planning-related analyses relating to management and operations and the development or improvement of methods of payment or coverage policies.
● Performing business management and general administrative activities, including, but not limited to, management activities relating to implementation of and compliance with privacy requirements, customer service, and resolution of internal grievances.
3. For the facilities, “health care operations” means any of the following activities of the department to the extent that the activities are related to covered functions:
● Conducting quality assessment and improvement activities, including evaluation of outcomes and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from these activities; population-based activities relating to improving health or reducing health care costs; protocol development; case management and care coordination; contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment.
● Reviewing the competence or qualifications of health care professionals.
● Evaluating performance of practitioners, providers and health plans.
● Conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers.
● Training of non-health care professionals.
● Performing accreditation, certification, licensing, or credentialing activities.
● Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs.
● Performing business planning and development functions, such as conducting cost-management and planning-related analyses related to managing and operating the organization, including formulary development and administration, development or improvement of methods of payment or coverage policies.
● Performing business management and general administrative activities, including, but not limited to, management activities related to implementation of and compliance with the requirements of HIPAA; customer service, which includes the provision of data analyses for policyholders, plan sponsors, or other customers, provided that protected health information is not disclosed to the policyholder, plan sponsor, or customer; resolution of internal grievances; and activities consistent with the applicable requirements of subrule 9.10(29) on creating de-identified health information or a limited data set.
“Health care provider” means a provider of services, as defined in Section 1861(u) of the Social Security Act and 42 U.S.C. 1395x(u); a provider of medical or health services, as defined in Section 1861(s) of the Social Security Act and 42 U.S.C. 1395x(s); and any other person or organization that furnishes, bills, or is paid for health care in the normal course of business. In the department, “health care provider” means one of the department’s facilities.
“Health information” means any information, whether oral or recorded in any form or medium, that relates to the past, present, or future physical or mental health or condition of a subject; the provision of health care to a subject; or the past, present, or future payment for the provision of health care to a subject.
“Health maintenance organization (HMO)” means a public or private organization licensed as an HMO under the commerce department, insurance division, 191—Chapter 40.
“Health oversight agency” means an agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or a person or organization acting under a grant of authority from or contract with a public agency, that is authorized by law to:
1. Oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance; or
2. Enforce civil rights laws for which health information is relevant.
The term “health oversight agency” includes the employees or agents of the public agency and its contractors or persons or organizations to which the agency has granted authority.
“Health plan” means an individual or group plan that provides or pays the cost of medical care, as defined at 45 CFR 160.103 as amended to August 14, 2002. In the department, “health plan” means Medicaid or HAWK-I.
“HIPAA” means the Health Insurance Portability and Accountability Act of 1996.
“Law enforcement official” means an officer or employee of any agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, who is empowered by law to:
1. Investigate or conduct an official inquiry into a potential violation of law; or
2. Prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.
“Legal representative” is a person recognized by law as standing in the place or representing the interests of another for one or more purposes. For example, guardians, conservators, custodians, attorneys, parents of a minor, and executors, administrators, or next of kin of a deceased person are legal representatives for certain purposes.
“Mental health information” means oral, written, or otherwise recorded information which indicates the identity of a person receiving professional services (as defined in Iowa Code section 228.1(8)) and which relates to the diagnosis, course, or treatment of the person’s mental or emotional condition. Mental or emotional conditions include mental illness, mental retardation, degenerative neurological conditions and any other condition identified in professionally recognized diagnostic manuals for mental disorders.
“Open record” means a record other than a confidential record.
“Payment,” with respect to HIPAA rules about protected health information, has the same definition as that stated in 45 CFR 164.501 as amended to August 14, 2002. In the department, “payment” applies to subjects for whom health care coverage is provided under the Medicaid program or the HAWK-I program. “Payment” has the following meanings for these health plans:
1. For Medicaid, “payment” includes activities undertaken by this health plan to:
● Determine or fulfill its responsibility for coverage and provision of benefits under the health plan.
● Obtain or provide reimbursement for the provision of health care.
● Determine eligibility, including spenddown for the medically needy program or obtaining premiums for the Medicaid for employed people with disabilities program, or coverage, including coordination of benefits or the determination of cost-sharing amounts, and adjudication or subrogation of health benefit claims.
● Perform risk adjustment of amounts due based on enrollee health status and demographic characteristics.
● Bill; manage claims; collect; obtain payment under a contract for reinsurance, including stop-loss insurance and excess of loss insurance; and conduct related health care data processing.
● Review health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges.
● Perform utilization review activities, including precertification and preauthorization of services and concurrent and retrospective review of services.
2. For the HAWK-I program, “payment” includes activities undertaken by this health plan to:
● Obtain reimbursement or pay for providing health care services.
● Obtain premiums or determine or fulfill its responsibility for coverage and providing benefits. Activities include, but are not limited to, determinations of eligibility for coverage, including coordination of benefits or the determination of cost-sharing amounts; billing and collection activities; review of health care services with respect to coverage under a health plan; and utilization review activities.
“Personally identifiable information” means information about or pertaining to the subject of a record which identifies the subject and which is contained in a record system. The incidental mention of another person’s name in a subject’s record (e.g., as employer, landlord, or reference) does not constitute personally identifiable information.
“Personal representative” means someone designated by another as standing in the other’s place or representing the other’s interests for one or more purposes. The term “personal representative” includes, but is not limited to, a legal representative. For disclosure of protected health information, the definition of “personal representative” is more restrictive, as described at rule 441—9.15(17A,22).
“Plan sponsor” has the same definition as that stated in Section 3(16)(B) of ERISA, 29 U.S.C. 1002(16)(B).
“Protected health information” means information that contains a subject’s medical information, including past, present, or future treatment and payment information. “Protected health information” is a composite of multiple fields that grouped together give detailed accumulative information about a subject’s health. When joined together in an accessible record set, the following three distinct areas of health-care-processing file information constitute protected health information:
1. Information that identifies the subject.
2. Medical information describing condition, treatment, or health care.
3. Health care provider information.
Identification information together with any information from one of the other two categories constitutes protected health information. When the information that identifies the subject is present in the record set, any information that ties health care data to the subject’s identification information constitutes protected health information.
“Psychotherapy notes” means notes that are recorded in any medium by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the subject’s medical record. “Psychotherapy notes” excludes medication prescription and monitoring, counseling session start and stop times, the methods of therapy and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.
“Public health authority” means an agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or a person or organization acting under a grant of authority from or contract with a public agency that is responsible for public health matters as part of its official mandate. “Public health authority” includes the employees or agents of the public agency and its contractors or persons or organizations to which it has granted authority.
“Record” means the whole or a part of a “public record” as defined in Iowa Code section 22.1, that is owned by or in the physical possession of the department.
“Record system” means any group of records under the control of the department from which a record may be retrieved by a personal identifier such as the name of a subject, number, symbol, or other unique identifier assigned to a subject.
“Required by law” means a mandate contained in federal law, federal regulation, state law, state administrative rule, case law, or court order that is enforceable in a court of law. For the purposes of this chapter, “required by law” includes statutes or regulations that require the production of information, such as statutes or regulations that require the information if payment is sought under a government program that provides public benefits.
“Research” means a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.
“Subject” means the person who is the subject of the record, whether living or deceased.
“Substance abuse information” means information which indicates the identity, diagnosis, prognosis, or treatment of any person in an alcohol or drug abuse program.
“Transaction” means the electronic transmission of information between two parties to carry out financial or administrative activities related to health care. The term includes the following defined HIPAA standard transactions:
● Health care claims or equivalent encounter information.
● Health care payment and remittance advice.
● Coordination of benefits.
● Health care claim status.
● Enrollment and disenrollment in a health plan.
● Eligibility for a health plan.
● Health plan premium payments.
● Referral certification and authorization.
● Other transactions that the Secretary of Health and Human Services may prescribe by regulation.
“Treatment,” with respect to HIPAA rules about protected health information, means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation among health care providers about a patient; and the referral of a patient from one health care provider to another.
“Use,” with respect to protected health information, means the sharing, application, utilization, examination, or analysis of the information within an organization that maintains the protected health information.
“Workforce” means employees, volunteers, trainees, and other people whose conduct, in the performance of work for the covered entity, is under the direct control of the covered entity, whether or not these people are paid by the covered entity.