Health Insurance Portability & Accountability Act (HIPAA)

Rhode Island Department of Human Services HIPAA-1 (Eff. 04/03)
600 New London Avenue
Cranston, RI 02920-3024

NOTICE OF PRIVACY PRACTICES
(Notice)

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

1. Our Duty to Safeguard Your Protected Health Information.

Individually identifiable information about your past, present, or future health or condition, the delivery of health care to you, or the payment for the health care is considered "Protected Health Information" (PHI).

We are required to follow the privacy practices described in this Notice, although we reserve the right to change our privacy practices and the terms of this Notice at any time. We will post any changes to our Notice on our Rhode Island DHS web site located at http://www.dhs.state.ri.us/dhs/dheacre.htm where you may also obtain more detailed information regarding each of the topics addressed in our Notice. You may also request a hard copy of our Notice by writing our Privacy Contact Office.

2. How We May Use and Disclose Your Protected Health Information.

Generally, we are permitted to use and/or disclose your PHI for your Treatment, the Payment for services you receive, and for our normal health care Operations (TPO). For most other uses and/or disclosure of your PHI, you will be asked to grant your permission via a signed Authorization. However, we are permitted to make certain other uses and/or disclosures of your PHI without your authorization. Uses and/or disclosures are permitted as follows:

* Uses and/or disclosures related to your treatment, our payment, or our health care operations (TPO):
* For treatment (T): We may exchange your PHI with your doctor, dentist, or other healthcare provider to make sure you receive proper care.
* For payment (P): We may exchange your PHI with Medicare or other health insurance plans you may have to make sure the treatment you receive is paid for.
* For health care operations (O): We may exchange your PHI with other Business Associates and health care review organizations to make policy decisions that could affect you and others enrolled in DHS Programs.
* Appointment reminders: Unless you request that we contact you by other means, we are permitted to send appointment reminders and other similar materials to your address.

* Uses and/or disclosures requiring your Authorization: Generally, most uses and/or disclosures of your PHI for purposes other than TPO will require your signed Authorization. You retain the right to revoke your Authorization at any time except to the extent that we have already undertaken an action in reliance upon your Authorization.

* Uses and/or disclosures not requiring your Authorization:

-When required by law to:
- Report abuse, neglect or domestic violence
- Public health activities
- Health oversight activities
- Judicial and administrative proceedings
- Law enforcement activities
- Coroners, medical examiners and funeral directors about decedents
- For medical research purposes
- Prevent a serious threat to health or safety
- For specific government functions and national security reasons

* Uses and Disclosures requiring you to have an Opportunity to Object:
- To families, friends or others involved in your care

3. Your Rights Regarding Your Protected Health Information (PHI).
* Right to request restrictions on PHI uses and/or disclosures
* Right to request confidential communications
* Right to access and copy your PHI
* Right to request amendment of your PHI
* Right to an accounting of disclosures of your PHI

4. How to Complain about our Privacy Practices.

If you believe that we may have violated your individual privacy rights, you may submit your written complaint to our Privacy Compliance Officer at the address provide in this paragraph. Your written complaint must name the entity that is the subject of your complaint and describe the acts and/or omissions you believe to be in violation of the Rule or of the provisions outlined in our Notice of Privacy Practices. If you prefer, you may file your complaint directly with the Secretary of the U.S. Department of Health and Human Services (Secretary). However, any complaint you file must be received by us, or filed with the Secretary, within 180 days of when you knew, or should have known, the act or omission occurred. We will take no retaliatory action against you if you make such complaints. If you wish to file any complaints, please forward your written correspondence to:

RI Department of Human Services
Privacy Compliance Officer
600 New London Avenue – LP
Cranston, RI 02920

(401) 462-2130 – Telephone
(401) 462-6239 – TTY (or 711) For Hearing Impaired
(401) 462-6165 – Fax

5. Contact Person for Information.

RI Department of Human Services
HIPAA Privacy Office
600 New London Avenue – Forand
Cranston, RI 02920
(401) 462-6312

6. Effective Date: This Notice is effective April 14, 2003.

* * *

Congress passed the Health Insurance Portability and Accountability Act of 1996 – HIPAA – which requires that the Secretary of the US Department of Health and Human Services adopt standards for numerous electronic healthcare transactions, identifiers, security, and privacy. The standards will be binding on virtually all healthcare plans, including Medicare and Medicaid. Within two years of the effective date of publication of these final rules, Medicare, Medicaid, and other payers must complete their conversion to use these standards or be subject to sanctions and penalties.

Providers are required to use these standards when they use electronic transactions for data exchanges of the types specified in the regulations. However, Medicare and Medicaid must be able to exchange each of these transactions electronically, even if they do not currently support electronic exchange of these types of data.

Within two years of the effective date of the HIPAA standards, Medicare, Medicaid, and other payers will be prohibited from electronically exchanging data with providers or other payers for coordination of benefits in a transaction unless that data is in HIPAA Administrative Simplification-approved standard version. Furthermore, payers will be prohibited from use of codes, identifiers, or data elements that do not comply with the implementing regulations for these HIPAA standards. Payers will be prohibited from making any modification to the standards implementation guides.

The HIPAA Administrative Simplification requirements will have a major impact on the way we do business. In the short term, implementation will require significant resources – money, staff, and time. In the long term, cross industry standardization will result in improvements in healthcare data exchanges leading to program savings.