Department of Behavioral Health
 


Bulletin ID: No. 97 - Department of Behavioral Health Updated Privacy Manual


Friday, February 21, 2014
Reference: bulletin
Bulletin ID: 97
Issued Date: February 21, 2014
Effective Date: February 21, 2014
 
DEPARTMENT OF BEHAVIORAL HEALTH UPDATED PRIVACY MANUAL:

On January 13, 2014, the Department of Behavioral Health published an updated DBH Privacy Manual. The policy is available on the Department’s website at http://dmh.dc.gov/node/286992.
The purpose of the policy is to provide comprehensive guidance to our workforce members and network providers on the privacy and security requirements contained in HIPAA, including the recent HIPAA Omnibus Rule published in January 2013, the Mental Health Information Act, and 42 CFR Part 2. While the policy contains 149 pages, it is very important that your organization read this policy and review your existing privacy practices to ensure compliance. For example, the policy incorporates the new requirements concerning Business Associates (14.1) and provides a revised Joint Notice of Privacy Practices (DBH-HIPAA form 1).     

In addition to incorporating the changes required by the HIPAA Omnibus Rule, the policy also operationalizes the expanded, yet largely underutilized, authority under the Data Sharing Act of 2010 to disclose mental health information without a signed authorization between DC Health and Human Service agencies and their contracted or grant-funded service providers for purposes of treatment and care coordination. Since HIPAA permits disclosures of protected health information without an authorization from one covered entity to another for purposes of treatment, the Data Sharing Act simply amended the Mental Health Information Act to permit similar disclosures, but to a narrower universe of covered entities, i.e., only those covered entities that are DC Health and Human Service agencies and their service providers. We have provided examples on page 3.3. In addition to those examples, this expanded authority would also permit a Core Services Agency to disclose its consumer’s mental health information without an authorization to the consumer’s Medicaid Managed Care Organization (MCO) for purposes of care coordination, since the MCOs are HIPAA covered entities and contracted insurers with the DC Department of Health Care Finance.

Finally, while the Data Sharing Act broadened the ability to disclose without an authorization, it did not otherwise alter fundamental HIPAA principles, including verifying the identity of individuals requesting information, documenting disclosures in writing for auditing and accountability purposes, and limiting any disclosure to the minimum necessary to accomplish the purpose of the disclosure.

Thank you for your attention to this important matter. In 2013, there were several high-profile HIPAA enforcement actions, including one case where a provider was fined $150,000.00 after an unencrypted thumb drive containing protected health information of 2,200 patients was stolen from a staff member’s vehicle. With the addition of the HIPAA Omnibus Rule published in January 2013, HIPAA compliance will remain a top priority for federal regulators in 2014.

If you have any questions or concerns about the DBH Privacy Manual, please contact Ms. Sabriana Clark, Director of Health Information Management, (202) 671-4088 or [email protected].