.
Covered and Hybrid entities
Team meetings
http://www.f2f.ca.gov/res/HIPPAandTDMs.pdf
page 2
This document is designed to provide a basic background to begin to evaluate
questions that arise for Family to Family sites regarding HIPAA, particularly in the
context of the team decision-making process. It is not intended to provide legal
advice regarding HIPAA compliance. Child welfare agencies, health providers
and other health organizations should consult with an attorney to evaluate their
specific situation and determine their specific obligations, if any, with respect to
HIPAA.
page 3
CAN A CHILD WELFARE AGENCY BE A COVERED ENTITY UNDER HIPAA?
YES. A Child Welfare Agency (CWA) may be a covered entity under HIPAA if
the agency functions as health care provider, health plan, or health
clearinghouse. A CWA commonly falls into one of these categories when: 1) the
CWA is part of a larger human services agency that functions as a health plan or
a health provider and does not declare itself as a “hybrid entity” under HIPAA;
or 2) the CWA directly provides health care services such as targeted case
management services that are billed to and paid for by Medicaid.
The HIPAA regulations permit an agency that performs both covered and noncovered
functions to elect to be a “hybrid entity”vi by designating in writing its
operations that perform covered functions as one or more “health care
components”.vii If the agency makes such a designation, only the health care
components will be subject to the HIPAA standards regarding privacy, security,
and data. If the agency fails to make the hybrid designation or designates itself
as a single legal entity, the entire agency is deemed to be subject to the HIPAA
standards.
...
Oregon
DHS has elected to designate itself
as a single covered entity under
HIPAA.
WASHINGTON COUNTY,
MINNESOTA has declared the
county as a hybrid entity under
HIPAA.
page 4
1. Does HIPAA prohibit the sharing of health information in a TDM
meeting?
NO. HIPAA does not provide absolute prohibitions on disclosure of health
information. HIPAA only applies to the sharing of health information by an
individual or entity covered by HIPAA. HIPAA does not prohibit redisclosure of
health information by TDM meeting participants who are not covered entities.
If the CWA or any other participant in a TDM meeting is a covered entity under
HIPAA, the privacy standards permit disclosure of health information with a
patient’s written authorizationix and under certain circumstances, permit
disclosure without a patient’s written authorization.
The privacy standards permit disclosures of health information without the
patient’s written consent under circumstances that clearly give the patient the
opportunity to agree, acquiesce, or object to the disclosure. This provision would
apply, for example, if a health care provider (or other HIPAA covered entity)
disclosed health information about a parent at a TDM meeting, with or without the
parent in attendance, if the parent has agreed to participate in the TDM process,
has been informed that the health information will be disclosed, and has been
given the opportunity to object to or restrict the disclosure.
page 5
2. Does HIPAA prohibit the CWA from sharing specific information about
reasons for removal that include protected health information (e.g. parent’s
substance abuse and/or mental illness) with resource caregivers?
NO. If the CWA is a covered entity, the privacy standards permit disclosure of
health information with a written patient authorization and even without written
authorization under certain circumstances. In addition to the circumstances
described above in question 1, disclosure of the reasons for removal when they
include protected health information may be authorized without written consent
by the privacy standards: 1) to carry out treatmentx, 2) when required by law xi, or
3) for safety reasons to prevent or lessen a serious and imminent threat to the
safety of a personxii. For example, a CWA may disclose to the caregiver that the
child was removed for reasons related to the parent’s mental illness if a state
statute, regulation or a court order requires caregivers to be provided with the
reasons for removal or if the parent’s mental illness poses an imminent and
serious threat to the caregiver or the child.
3. Does HIPAA require consent/permission from parents--separate from a
Court order--to validate participation in therapy, parenting classes,
etc…?
NO. If the health care provider is an entity covered by HIPAA, the provider may
disclose participation information pursuant to a court order. HIPAA permits the
disclosure of protected health information without the authorization of the
individual in the course of any judicial or administrative proceeding in response to
a court or administrative order. xiii
.