Current through Register Vol. 49, No. 21, November 1, 2024.
Section 9 CSR 10-5.220 - Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA)
PURPOSE: This amendment updates terminology related to the HIPAA privacy rule.
PURPOSE: This rule specifies the policies and procedures required for covered entities under the HIPAA privacy rule.
(1) This rule applies to all programs that are licensed, certified, accredited, in possession of deemed status, funded by, and/or have a contractual relationship with the Department of Mental Health.
(2) Definitions. The following terms, as used in this rule, shall mean:
(A) HIPAA-the Health Insurance Portability and Accountability Act (45 CFR parts 160 and 164) as it relates to the Privacy Rule;
(B) Protected Health Information (PHI)-As defined by HIPAA (45 CFR section 160.103), PHI is individually identifiable health information that is-
1. Transmitted by electronic media;
2. Maintained in electronic media; or
3. Transmitted or maintained in any other form or medium;
(C) Individually identifiable health information-As defined by HIPAA (45 CFR section 160.103), information that is a subset of health information, including demographic information collected from an individual, and-
1. Is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse; and
2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual; and-
A. That identifies the individual; or
B. With respect to which there is reasonable basis to believe the information can be used to identify the individual; and
(D) Business associate-As defined by HIPAA (45 CFR section 160.103), with respect to a covered entity, a person who-
1. On behalf of the covered entity or of an organized healthcare arrangement in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement;
2. Creates, receives, maintains, or transmits protected health information for a function or activity regulated by this rule and 45 CFR section 160.103, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or
3. Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized healthcare arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
(3) Covered Entity. All providers that determine they qualify as a covered entity must comply with the provisions of the privacy rule of the Health Insurance Portability and Accountability Act (HIPAA).
(A) A covered entity is defined as a healthcare provider that transmits any health information in electronic form in connection with a transaction covered by section 160.103 of 45 CFR part 160, a health plan, or a healthcare clearinghouse.
(B) If a provider is a covered entity, HIPAA requires the appropriate policies and procedures be in place to comply with the HIPAA Privacy Rule. HIPAA requires such policies and procedures to include, but not be limited to, the following:
1. Notice of Privacy Practices;
2. Amendment of Protected Health Information (PHI);
4. Accounting of Disclosures;
7. Authorization for Disclosures of PHI;
8. HIPAA Complaint Process;
9. Marketing (if applicable);
10. Research (if applicable);
11. Audit and Monitoring of HIPAA compliance; and
12. Business Associates Agreements with companies qualifying as business associates as defined in this rule and in 45 CFR part 160.
(C) Where existing confidentiality protections provided by 42 CFR part 2, related to the release of records pertaining to substance use disorders, are greater than HIPAA, then any such provision of 42 CFR part 2 shall be the guiding law.

AUTHORITY: section 630.050, RSMo 2000* and 45 CFR parts 160 and 164, the Health Insurance Portability and Accountability Act of 1996. Emergency rule filed April 1, 2003, effective April 14, 2003, expired Oct. 14, 2003. Original rule filed April 1, 2003, effective Oct. 30, 2003. Amended by Missouri Register August 15, 2022/Volume 47, Number 16, effective 9/30/2022.
*Original authority: 630.050, RSMo 1980, amended 1993, 1995.