Effective: October 4, 2007
State of Connecticut
Department of Public Health
Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY
This Notice is provided pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (45 C.F.R. Parts 160 through 164). The only health information the Department receives, generates, and maintains that is governed by HIPAA, is information at the Departmentís Laboratory. Thus, the Department is a ďhybrid entityĒ as defined by ß164.504 of the HIPAA Privacy Regulations, and the Departmentís Laboratory is required by HIPAA to maintain the privacy of your personal health information. This Notice explains how the Laboratory may use and disclose health information, its obligations related to the use and disclosure of health information, and your rights related to that health information.
The Laboratory receives personal health information from healthcare institutions and other providers of health care who submit clinical samples to the Laboratory for testing. When the Laboratory conducts testing, it enters the testing results into the Laboratoryís data base, and also sends the test results to the health care institutions and providers that requested the testing. The Laboratory also routinely provides health information to other programs within the Department that engage in public health activities as described in this Notice. Those programs maintain the confidentiality of health information as required by state statutes and regulations.
Because the Laboratory has a Certificate of Compliance pursuant to the Clinical Laboratory Improvement Amendments of 1988, 42 U.S.C. 263a (CLIA), the Laboratory cannot release the results of its testing to anyone other than the health care institution or provider that requested the testing and the Departmentís programs that perform public health activities. Therefore, if you wish to obtain your test results, you must ask for them from the health care institution or provider that took the sample that was tested.
The Laboratory abides by the terms of this Notice, and any amendments to it that may be made from time to time. The Department reserves the right to change this Notice. If the Notice is changed, the changes will effect all personal health information the Laboratory receives, creates, and maintains after the date of the change. The Department will provide a copy of any changes to this Notice to any person who has requested a copy of this Notice within two years of the date of the change.
If you have any questions about this Notice, you may contact the Departmentís Privacy Officer:
Shawn L. Rutchick, Privacy Officer
410 Capitol Avenue, MS #13PHO
P.O. Box 340308
Hartford, CT 06134-0308
Tele: (860) 509-7471; Fax: (860) 509-7553
How the Departmentís Laboratory Uses and Discloses Your Health Information
Routine Disclosures: The Laboratory routinely uses and discloses the following health information to health care institutions and other providers for treatment and payment purposes, and to programs within the Department for public health activities:
For example, when a child is born, the hospital takes blood samples from the child and submits those samples along with health information about the child, to the Laboratory. The Laboratory then tests the sample to determine whether the child has, for example, sickle cell disease or hyperthyroidism. When the Laboratory completes the testing, it sends the results back to the hospital that took the sample, and the doctor at the hospital informs the patient of the test results.
Disclosures for Payment Purposes: In order to collect payment for the testing performed by the Laboratory, the Laboratory provides the names of each of the submitterís patients whose samples were tested, back to the submitters.
For example, when the Laboratory tests a sample sent to it by a hospital, it adds the name of the patient, the name of the test conducted, and the cost to the listing of all of the tests performed for that hospital. The list is then sent to the hospital for payment.
Disclosures as Required by Law and for Public Health and Health Oversight Activities: The Laboratory also discloses health information to programs within the Department as required by law and for public health and health oversight activities in compliance with state law and as authorized by ß164.512(a), (b), and (d) of the HIPAA Privacy Regulations. For each of these disclosures, the Laboratory is permitted by HIPAA to disclose your health information to programs at the Department without your authorization or consent, and without giving you an opportunity to object. Each of these types of disclosures requires that there be a state law authorizing the disclosure. Disclosures for public health activities include disclosures necessary for the prevention and control of disease, injury, or disability by receiving reports of diseases, injuries, and vital events, and by conducting public health surveillance, investigations, and interventions. Disclosures made for health oversight activities include disclosures necessary for audits, investigations, inspections, licensure or disciplinary actions, legal proceedings or actions, or other actions necessary for the oversight of the health care system and compliance with government regulatory programs.
Non-Routine Disclosures: If the laboratory receives any other requests to release personal health information, the request is directed to the Departmentís Privacy Officer who reviews the request in light of federal and state statutes and regulations to determine whether the information may be released.
If disclosure is permitted, the Privacy Officer shall only release what is minimally necessary to accomplish the purpose of the disclosure unless (1) the disclosure is to another provider for treatment; (2) there is an authorization to release the information; (3) the disclosure is to the Secretary of Health and Human Services who is conducting an investigation into a complaint against the Laboratory concerning its uses and disclosures of health information; or, (4) the information is required by law to be disclosed and the disclosure concerns a victim of abuse, neglect or domestic violence, is for judicial/administrative proceedings, or is for law enforcement purposes.
Examples of non-routine disclosures may include: a court order directing the laboratory to release personal health information to an attorney; another Department program requests the release of personal health information to avert a serious threat to public health or safety and the disclosure is requested by a person who is able to prevent or lessen the threat.
Memoranda of Understanding (MOUs) with Business Associates of the Laboratory:
MOU with the Department of Administrative Services: When health care institutions and providers send the Laboratory health information regarding newborns, the information is sent electronically to the State Department of Administrative Services (DAS) which then forwards the information electronically to the Laboratory. Because DAS receives personal health information on behalf of the Departmentís Laboratory, DAS is a Business Associate of the Laboratory; and, the Department has entered into an MOU with DAS to ensure that DAS will safeguard the privacy of the personal health information it receives and transmits.
MOU with the Attorney Generalís Office: When the Laboratory requires legal advice, it may become necessary to disclose personally identifiable health information to the Assistant Attorney Generals who provide the Laboratory with legal advice. Therefore, the Attorney Generalís Office is a Business Associate of the Department, and the Department has entered into an MOU with the Attorney Generalís Office to ensure that it will safeguard the privacy of personal health information it receives from the Laboratory.
MOU with Newborn Screening Program: The Laboratory routinely shares identifiable health information with the Departmentís Newborn Screening Program (NBS) as required by law and as part of the Departmentís public health activities, as described above. NBS, which is not a covered component of the Department, routinely discloses that information to providers, as required by state law, in furtherance of its public health activities. In the case of Laboratory findings that may indicate a serious or life-threatening condition, the NBS promptly reports those findings to providers. Because the Laboratory also has a separate requirement under CLIA to make the same prompt reports to providers of such test results, the Laboratory has entered into an MOU with the NBS so that the NBSí reports of such test results are also made on behalf of the Laboratory, in satisfaction of the Laboratoryís CLIA reporting requirement.
Research, Marketing, and Fundraising: The Laboratory does not release personal health information for research, marketing or fundraising purposes. The Department programs that receive personal health information for their public health activities may, however, release personal health information for research purposes both within and outside the Department consistent with federal and state statutes and regulations other than HIPAA. If you have questions concerning the Departmentís use of personal health information for such research purposes, please call the Departmentís Privacy Officer for additional information.
Notice of Patient Rights
Under HIPAA, patients generally have certain rights regarding their personal health information. Because the Laboratory already restricts its use of your health information and only sends test results to the submitters, you do not have many of the rights enumerated below. If you wish to request any of these rights, your request should be made in writing to the Departmentís Privacy Officer, unless otherwise indicated.
No Right to Restrictions: Although you have the right to request the following restrictions on the uses and disclosures of your personal health information, the Laboratory already restricts its use and disclosure of your health information and does not release the results of testing to anyone other than the provider who requested the testing, and certain programs within the Department that engage in public health activities authorized by law. You may request the following restrictions:
To limit use or disclosure of personal health information to that which is necessary for treatment, payment or health care operations. Please note: the Laboratory already restricts its use of personal health information to that which is necessary for treatment and payment, and does not use or disclose personal health information for any health care operations.
To restrict notification to family members, relatives, friends or any other person identified by you. Please note: the Laboratory does not provide the results of testing to anyone other than the healthcare institution or provider that submitted the sample for testing.
To limit a professionalís exercise of his or her judgment in releasing personal health information if you are unable to communicate your preferences, or in an emergency situation, in notifying or assisting in the notification of (including identifying or locating) family members, a personal representative or other person responsible for your care, of your location, general conditions, or death. Please note: the Laboratory only provides the results of testing to the healthcare institution or provider that submitted the sample for testing.
Please note: You may not restrict the uses or disclosures the Laboratory may make in any of the following situations, if the Laboratory were to determine that such disclosures are authorized pursuant to CLIA and other federal and state statutes and regulations:
When the Laboratory is required by state law to release information
For public health and health oversight activities
When the Laboratory is required to release personal health information in a judicial or administrative proceeding
When the Laboratory is required to release information for law enforcement purposes
When the Laboratory is required to release information regarding a decedent if the laboratory suspects the death resulted from criminal conduct
To organ and tissue procurement organizations.
For research purposes so long as the research complies with HIPAA requirements and are overseen by either an Institutional Review Board (IRB) or Privacy Board meeting HIPAA specifications. Please note: the Laboratory does not release personal health information for research purposes. However, as stated above, once the information is released to the Departmentís programs for public health activities, such information may then be used for research purposes, consistent with other federal and state statutes and regulations.
To avert a serious threat to health or safety.
For specialized government functions such as military and veterans activities, national and intelligence activities, etc.
In compliance with Workersí Compensation laws. Please note: the Laboratory does not release personal health information pursuant to Workersí Compensation laws. All such information must be obtained from the healthcare institution or provider that requested the testing.
Termination of Restrictions: If you request a restriction and the Laboratory agrees with your request, the Laboratory may terminate the restriction by informing you of the termination, in writing, and delivering the notification to you by certified mail. Such termination will be effective for personal health information created or received after you have received the notification. You may also terminate a previously requested restriction, either orally or in writing, by speaking with the Departmentís Privacy Officer. Any oral request shall be documented on the same date.
No Right to Receive Confidential Communications of Personal Health Information by Alternative Means or at Alternative Locations: While patients generally have the right to request to receive confidential communications regarding their health information by alternative means or at alternative locations, the Laboratory only releases testing results to the health care institution or provider that requested the testing, pursuant to CLIA and state regulations, and will not approve such a request.
No Right of Access to Inspect and Copy: While patients generally have a right to access, inspect and copy their health information, the Laboratory is prohibited by CLIA and state regulations from releasing a patientís health information directly to the patient. The HIPAA Privacy Regulations also do not require that the laboratory programs release this information. See, ß164.524(a)(1)(iii)(B) of the HIPAA Privacy Regulations. Thus, patients may not access, inspect, or copy the health information received, generated, and maintained by the Laboratory.
If you request to copy your records, you will receive a written response to your request within thirty days, which will state the basis for the determination. There is no right of review when a denial is based on the grounds that the information is subject to CLIA.
No Right to Amend Personal Health Information: While patients generally have a right to request that their health information be amended, under CLIA, the Laboratory will not approve any such request. If you make such a request, you must do so in writing to the Privacy Officer, stating the reason you are requesting an amendment.
The Right to Receive an Accounting: You have the right to receive an accounting of all disclosures of your personal health information made by the Laboratory during the previous six years or less, with the following exceptions:
Disclosures that occurred before April 13, 2003
Disclosures made for treatment, payment or health care operations
Disclosures made with your authorization
Disclosures to persons involved in your care
Disclosures made for national security or intelligence purposes
Disclosures made to correctional institutions or law enforcement officials for special government functions
Disclosures made as part of a limited data set
Please note: The Laboratory will not provide an accounting of disclosures to health oversight and law enforcement agencies for any time period specified by the agency if the agency provides a statement that such an accounting is reasonably likely to impede the agencyís activities.
To request an accounting, submit a written request to the Privacy Officer who shall respond to your request within sixty days after receiving it. The Privacy Officer may extend this period one time for thirty days. If the Privacy Officer extends this time period, you will be provided with a statement of the reason for the extension and the new compliance date
Right to Receive Notice: You have the right to receive a paper copy of this Notice by making either an oral or written request to the Privacy Officer identified in this Notice. Such Notice will be provided by certified mail or in person at the Department of Public Health, The Public Health Hearing Office, 410 Capital Avenue, Hartford, Connecticut.
Procedures for Filing Complaints
Procedure for Filing A Complaint with the Department: If you believe the Laboratory has violated this Notice or the provisions of HIPAA, you may file a complaint with the HIPAA Privacy Officer at the address provided on the first page of this Notice, and/or with the Office for Civil Rights (OCR) of the Department of Health and Human Services. Complaints may be filed in writing, on paper or electronically, by mail, fax, or email, within 180 days of when you knew or should have known about the conduct that is the basis of your complaint. If you need help filing a complaint or have a question about the process, please call OCR at one of the numbers listed below. The OCR regional office address and phone numbers are:
Office for Civil Rights
U.S. Department of Health & Human Services
JFK Federal Building Ė Room 1875
Boston, MA 02203
(617) 565-1340; (617) 565-1343 (TDD)
(617) 565-3809 (FAX)
Notice: The Department does not retaliate against any person for filing a complaint with either the Department or the Secretary of Health and Human Services.