Congress enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, with provisions that, among other things, mandated privacy protections for individually identifiable health information. Rules adopted under HIPAA requires appropriate safeguards to protect the privacy of personal health information, and limits the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients certain rights over their health information. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
The Children’s Services Council is considered a “covered entity” under HIPAA and must comply with all of its rules. Provider agencies in the Healthy Beginnings system are considered “business associates” and have to comply with some of the HIPAA rules, all as set forth in the Business Associate Agreement between the Council and the agency.
Please review the guidelines below to better understand your role in protecting the privacy of the children and families you serve, in accordance with federal law.
Notice of Privacy Practice
Clients must be offered this form by every program in the Healthy Beginnings System with which they interact. The client should either sign, acknowledging receipt (to be kept by your agency) or your staff should fill out the bottom of the form explaining why a signature was not obtained. When available, the Notice of Privacy Practices (NPP) created by your agency may be used.
Authorization to Use and Disclose Information
To refer a client to an Entry Agency (EA), the referring agency is required to have the Authorization to Use and Disclose Information form signed in addition to the referral form. If the client declines to sign the authorization, the ASQ can still be completed if parents agree to sign ASQ consent, but the client cannot be referred to an EA. Instead, those who decline can be referred to external programs and services.
The Call Center, DCF and walk-ins are referred to EAs without the Authorization to Use and Disclose Information form signed. In this case, the EA is responsible for getting the form signed. A client in the HBP needs to sign only one authorization.
Consent for Healthy Beginnings Program
EAs must have clients sign the consent form during the first meeting when HBP services are explained. Assessments cannot be completed without a signed consent form. The ASQ can still be completed if parents agree to sign ASQ consent. Clients who decline to sign the consent form can be referred to external resources. A client in HBP needs to sign only one consent.
Providers of Healthy Beginnings Services should use their program-specific consent form if its requirements regarding access to family data are not stricter than those detailed in the HBP’s form. Please consult with your Program Officer prior to using your agency’s consent form.