TITLE 8              SOCIAL SERVICES

CHAPTER 300  MEDICAID GENERAL INFORMATION

PART 2                HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) POLICIES

 

8.300.2.1              ISSUING AGENCY:  New Mexico Health Care Authority.

[8.300.2.1 NMAC - Rp 8.300.2.1 NMAC, 7/1/2024]

 

8.300.2.2              SCOPE:  The rule applies to the general public.

[8.300.2.2 NMAC - Rp 8.300.2.2 NMAC, 7/1/2024]

 

8.300.2.3              STATUTORY AUTHORITY:  The New Mexico medicaid program is administered pursuant to regulations promulgated by the federal department of health and human services under Title XIX of the Social Security Act as amended, and by state statute.  See Section 27-2-12 et seq. NMSA 1978 (Repl. Pamp. 1991).  Section 9-8-1 et seq. NMSA 1978 establishes the health care authority (HCA) as a single, unified department to administer laws and exercise functions relating to health care facility licensure and health care purchasing and regulation.

[8.300.2.3 NMAC - Rp 8.300.2.3 NMAC, 7/1/2024]

 

8.300.2.4              DURATION:  Permanent.

[8.300.2.4 NMAC - Rp 8.300.2.4 NMAC, 7/1/2024]

 

8.300.2.5              EFFECTIVE DATE:  July 1, 2024, unless a later date is cited at the end of a section.

[8.300.2.5 NMAC - Rp 8.300.2.5 NMAC, 7/1/2024]

 

8.300.2.6              OBJECTIVE:  The objective of this rule is to provide Health Insurance Portability and Accountability Act (HIPAA) instructions and policies for the New Mexico medical assistance programs.

[8.300.2.6 NMAC - Rp 8.300.2.6 NMAC, 7/1/2024]

 

8.300.2.7              DEFINITIONS:  The following definitions apply to terms used in this chapter.

               A.           Alternate address:  A location other than the primary address on file with HCA for the recipient or the recipient’s personal representative.

               B.           Alternate means of communication:  A communication made other than in writing on paper, or made orally to the recipient or their personal representative.

               C.           Amend or amendment:  To make a correction to information that relates to the past, present, or future physical or mental health or condition of a recipient.

               D.           Authorized HCC employee:  A person employed within the health care component (HCC) workforce who is authorized by the immediate supervisor or by HCC policies to perform the task.

               E.           Business associate:  A person or entity that performs certain functions or services on behalf of the HCC involving the use or disclosure of individually identifiable health information.  These include claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, and practice management.  They also include, other than in the capacity of a member of the HCC workforce, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for the HCC.

               F.            Covered entity:  A health plan, a health care clearinghouse, or a health care provider that transmits any health information in electronic form in connection with a recipient’s health care transaction.

               G.           Disclose or disclosure:  To release, transfer, provide access to, or divulge in any other manner (verbally, written, or electronic) protected health information outside the HCC workforce or to an HCC business associate.

               H.           Health care component (HCC):  Those parts of the HCA, which is a “hybrid entity” under HIPAA 45 CFR 164.105, that engage in covered health plan functions and business associate functions involving protected health information.  HCA’s health care component consists of the medical assistance division, supported by the income support division, the office of inspector general, the office of general counsel, and the office of the secretary.

               I.            Health care operations:  Any of the following activities:  quality assessment and improvement activities, credentialing activities, training, outcome evaluations, audits and compliance activities, planning, fraud and abuse detection and compliance activities, managing, and general administrative activities of the HCC, to the extent that these are related to covered health plan functions.

               J.            Health oversight agency:  An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

               K.           Health Insurance Portability and Accountability Act (HIPAA) privacy rule:  The federal regulation Section 45 CFR part 160 and Subparts A and E of Part 164.

               L.           Health plan:  The medicaid program under Title XIX of the Social Security Act, 42 U.S.C. 1396, et seq., and the state children’s health insurance program (SCHIP) under Title XXI of the Social Security Act, 42 U.S.C. 1397, et seq.

               M.          HCC workforce:  Permanent, term, temporary and part-time employees (classified or exempt), university/federal government placements, volunteers, contractors and others conducting data entry tasks, and contractors and other persons whose conduct and work activities are under the direct control of HCC.

               N.           Medical record or designated record set:  Any HCC item, collection, or grouping of information that includes protected health information (PHI) that is written or electronic and is used in whole or in part, by or for HCC to make decisions about the recipient.  This applies to:

                              (1)          the medical records and billing records about the recipient maintained by or for the HCC;

                              (2)          the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for HCC; and

                              (3)          this definition excludes HCC documents such as those related to accreditation compliance activities (e.g., JCAHO), quality assurance, continuous quality improvement, performance improvement, peer reviews, credentialing and incident reports, and investigations.

               O.           Minimum necessary:  The least amount of information needed to accomplish a given task.

               P.            Notice of privacy practices, notice or NPP:  The official HCA notice of privacy practices that documents for a recipient the uses and disclosures of PHI that may be made by HCC and the recipient’s rights and HCC’s legal duties with respect to PHI.

               Q.           Payment:  All HCC activities undertaken in its role as a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan, and HCC activities undertaken to obtain or provide reimbursement for the provision of health care.  Such activities include but are not limited to:

                              (1)          determination of eligibility or coverage;

                              (2)          risk adjusting amounts due based upon health status or demographic characteristics;

                              (3)          billing, claims management, collection activities, and related health care data processing;

                              (4)          review of health care services with respect to medical necessity, coverage, appropriateness of care, or justification of charges;

                              (5)          utilization review activities; and

                              (6)          disclosure to consumer reporting agencies of lawful elements of PHI relating to collection of premiums or reimbursement.

               R.           Personal representative:  A person who has the legal right to make decisions regarding an eligible recipient’s PHI, and includes surrogate decision makers, parents of unemancipated minors, guardians and treatment guardians, and agents designated pursuant to a power of attorney for health care.

               S.            Privacy and security officer (PSO):  The individual appointed by HCA pursuant to HIPAA 45 CFR 164.530(a) who is responsible for development, implementation, and enforcement of the privacy policies and procedures required by HIPAA.

               T.           Protected health information (PHI):  Health information that exists in any form (verbal, written or electronic) that identifies or could be used to identify a recipient (including demographics) and relates to the past, present, or future physical or mental health or condition of that recipient.  It also includes health information related to the provision of health care or the past, present, or future payment for the provision of health care to a recipient.

               U.           Psychotherapy notes:  Notes recorded (in any medium) documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the recipient’s medical record.  Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

               V.           Public health agency:  An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.

               W.          Requestor:  A recipient, personal representative of a recipient, or any other person making a request.

               X.           Restrict or restriction:  To limit the use or disclosure of PHI for purposes of TPO, or for purposes of disclosing information to a spouse, personal representative, close family member or person involved with the eligible recipient’s care.

               Y.           Standard protocols:  A process that details what PHI is to be disclosed or requested, to whom, for what purpose, and that limits the PHI to be disclosed or requested to the amount reasonably necessary to achieve the purpose of the disclosure or request.

               Z.           TPO:  Treatment, payment or health care operations.

               AA.        Treatment:  The provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a recipient; or the referral of a recipient for health care from one health care provider to another.

               BB.         Valid authorization:  An authorization with all required elements, as specified in HIPAA privacy policy in Section 13 of 8.300.2 NMAC.

[8.300.2.7 NMAC - Rp 8.300.2.7 NMAC, 7/1/2024]

 

8.300.2.8              MISSION STATEMENT:  The mission of the New Mexico medical assistance division (MAD) is to maximize the health status of eligible recipients by furnishing payment for quality health services at levels comparable to private health plans.

[8.300.2.8 NMAC - Rp 8.300.2.8 NMAC, 7/1/2024]

 

8.300.2.9              GENERAL HIPAA APPLICATION AND INTERPRETATION:  This part describes HIPAA policies including health plan responsibilities, disclosure requirements, minimum necessary, business associates, sanctions, reporting, and documentation requirements.  The HCC shall meet all requirements in this chapter.

               A.           Medicaid is a health plan and a covered entity under HIPAA:  The New Mexico medicaid program under title XIX of the Social Security Act qualifies as a health plan under HIPAA regulations at 45 CFR 160.103 and is considered a covered entity.

               B.           Inconsistency between state and federal law:  In the event of any inconsistency between the federal HIPAA privacy rule and New Mexico statutes or regulations, the HIPAA privacy rule shall preempt state law, except where 45 CFR 160.203:

                              (1)          a determination is made by the secretary of the United States department of health and human services pursuant to 45 CFR 160.204;

                              (2)          the provision of state law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation specification under the HIPAA privacy rule;

                              (3)          the provision of state law and procedures established thereunder provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation or intervention; or

                              (4)          the provision of state law requires the HCC to report, or to provide access to, information for the purpose of management audits, financial audits, program monitoring and evaluation, or the licensure or certification of facilities or individuals.

[8.300.2.9 NMAC - Rp 8.300.2.9 NMAC, 7/1/2024]

 

8.300.2.10            NOTICE OF PRIVACY PRACTICES:  The HCA shall establish policies protecting a recipient’s rights regarding HIPAA privacy practices 45CFR 164.520.

               A.           Notice of privacy practices requirements:

                              (1)          HCA shall provide notice of privacy practices, update the notice as necessary, and distribute the notice and any revised notices to all recipients or their personal representatives.

                              (2)          All notice of privacy practices required elements listed in the HIPAA privacy rule shall be contained in the HCA notice of privacy practices 45 CFR 164.520.

                              (3)          The name of every recipient and, as applicable, their personal representative to whom the HCA notice of privacy practices is sent shall be recorded.

               B.           Notice schedule:

                              (1)          For an eligible recipient enrolled in medicaid prior to July 1, 2003, a copy of the notice of privacy practices shall be sent to each eligible recipient’s or their personal representative’s last known address no later than November 1, 2003.

                              (2)          For revisions made to the notice of privacy practices, a copy of the revised notice of privacy practices shall be mailed to each enrolled MAD eligible recipient or their personal representative within 60 calendar days of the effective date of the revision.

                              (3)          For a new eligible recipient approved after July 1, 2003, a copy of the notice of privacy practices shall be mailed with the eligible recipient’s new medicaid card or their eligibility determination notice.

                              (4)          At least once every three years, HCA shall notify eligible recipients or their personal representatives by mail of the availability of the notice of privacy practices and how to obtain the notice of privacy practices.

[8.300.2.10 NMAC - Rp 8.300.2.10 NMAC, 7/1/2024]

 

8.300.2.11            RECIPIENT’S RIGHTS:  HCA shall establish policies protecting a recipient’s rights regarding HIPAA privacy practices.

               A.           Alternate means of communication:  A recipient or their personal representative shall have the right to request an alternate means of communication and an alternative address to receive communications of protected health information (PHI) from the HCC.  The HCC shall accommodate such requests when reasonable 45CFR 164.522(b).

                              (1)          If the recipient or their personal representative is unable to write the request, the recipient or their personal representative may request assistance from the HCC.  If assistance is provided, the HCC shall document that the assistance was given, have the recipient or their personal representative sign and date the document, co-sign and retain the document in the medical record.

                              (2)          The HCC staff may determine the reasonableness of a request.  If an HCC staff member is unable to determine if the request is reasonable, the staff member may request a supervisor’s assistance.

                              (3)          If the recipient or the recipient’s personal representative is present when the request is approved or denied, HCC staff shall notify the recipient or the recipient’s personal representative verbally of the decision, and shall document the notification in the recipient’s file.

                              (4)          If the recipient or their personal representative is not present when the request is approved or denied, HCC shall notify the recipient or their personal representative of the decision in writing and retain the copy of the decision in the recipient’s file.

                              (5)          If the request is approved, an HCC staff member shall record the alternative method or address in the medical record and in the PSO’s database.

               B.           Inspect and copy:  A recipient or their personal representative may inspect their own PHI in a medical file (designated record set) as maintained by the HCC.  This does not include psychotherapy notes.

                              (1)          For all requests received in writing, the HCC shall respond in writing to the request to inspect or to obtain a copy of HCC PHI no later than 60 calendar days after receipt of the request.  The HCC shall then determine, using the criteria in HIPAA privacy rule, if the request will be granted in part, in full, or denied.

                                             (a)          If the request will be granted in full, the PSO shall provide a written response arranging with the recipient or their personal representative a convenient time and place to inspect or obtain a copy of the PHI, or may mail the copy of the PHI at the recipient’s or their personal representative’s request; and shall discuss the scope, format, and other aspects of the recipient’s or their personal representative’s request with the recipient or personal representative as necessary to facilitate timely provision.

                                             (b)          If the PSO is unable to gather the required data within the time period required, the PSO may extend the time for the action by no more than 30 calendar days so long as the recipient or their personal representative is provided with a written statement of the reason(s) for the delay and the date by which the PSO shall complete the action on the request.  However, only one such extension of time shall be allowed.

                                             (c)          The PSO shall provide a copy of the recipient’s PHI to the recipient or their personal representative in the format requested, if possible.  If not, the PSO shall provide the PHI in a readable hard copy form or in another format mutually agreed upon by the PSO and the recipient or their personal representative.

                              (2)          If the request is denied, in part or in full, the PSO shall either:

                                             (a)          give the recipient or their personal representative access to any permitted PHI requested to the extent possible; or

                                             (b)          provide a written denial to the recipient or their personal representative; the denial shall be written in plain language and contain:

                                                            (i)           the basis for the denial,

                                                            (ii)          if applicable, a statement of the recipient’s review rights, and

                                                            (iii)        a description of how the recipient or their personal representative may complain to the PSO or to the secretary of HCA; this description shall include the title and telephone number of the PSO and the secretary of HCA.

                              (3)          If the HCC does not maintain the PHI that is the subject of the request for inspection or copying, the PSO shall inform the recipient or their personal representative where to direct the request, if known.

                              (4)          Exceptions:  A recipient or their personal representative may not inspect the recipient’s own protected health information (PHI) in a medical record in connection with:

                                             (a)          psychotherapy notes;

                                             (b)          information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative proceeding;

                                             (c)          PHI maintained by the HCC that is subject to the clinical laboratory improvements amendments (CLIA) to the extent that access to the recipient or their personal representative is prohibited by CLIA;

                                             (d)          when the access to the PHI requested is reasonably likely to endanger the life or physical safety of the recipient or another person as determined by a licensed health care professional by using their professional judgment;

                                             (e)          when the PHI makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that granting the access requested is reasonably likely to cause substantial harm to such other person; or

                                             (f)           when the request for access is made by recipient’s personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the recipient or another person 45CFR 164.524.

                              (5)          The PSO shall record all actions pertaining to access to inspect and copy.

               C.           Accounting of disclosures:  Accounting of all disclosures of a recipient’s PHI shall be produced via written report by the PSO when the request is made in writing by the recipient or their personal representative and sent to the PSO.

                              (1)          All disclosures shall be reported except for those:

                                             (a)          made to carry out TPO 45 CFR 164.506;

                                             (b)          for a facility directory;

                                             (c)          for notification purposes that include disaster relief, emergencies, or in the case of recipient death;

                                             (d)          for national security purposes;

                                             (e)          to correctional institutions or law enforcement officials having custody of an inmate;

                                             (f)           made prior to July 1, 2003;

                                             (g)          made more than six years prior to the date the accounting is requested;

                                             (h)          made to the recipient or their personal representative of the recipient’s own PHI; or

                                             (i)           made to individuals involved in the recipient’s care 45 CFR 164.528.

                              (2)          If the HCC does not maintain the PHI that is the subject of the request for accounting, the PSO shall inform the recipient or their personal representative where to direct the request, if known.

                              (3)          When a recipient or their personal representative requests in writing to the PSO an accounting of disclosures of PHI:

                                             (a)          within 60 calendar days of receiving a recipient’s or their personal representative’s request, HCC prepares a report from the PSO’s database that includes all required PHI disclosures that occurred during the six years prior to the date of the request for an accounting, unless the recipient or their personal representative requested an accounting for a shorter period of time than six years.

                                             (b)          the deadline for producing the disclosure report may be extended for up to 30 calendar days, provided that a written statement is sent to the recipient citing the reasons for the delay and the date by which the accounting shall be received;

                                             (c)          the HCC must provide free of charge the first accounting report within any 12-month period; if additional requests for an accounting are made within the same 12-month period, the HCC shall notify the recipient or their personal representative if a fee will be charged for the additional copies;

                                             (d)          the accounting disclosure information is entered into the PSO’s database.

               D.           Setting restrictions:  A recipient or their personal representative may request restrictions on the uses and disclosures of their own protected health information (PHI) by submitting a request in writing to the HIPAA privacy and security officer (PSO).

                              (1)          The PSO shall approve or deny requests for restriction(s) in writing within 15 calendar days.

                              (2)          If the HCC does not maintain the PHI that is the subject of the request for setting restrictions, the PSO shall inform the recipient or their personal representative where to direct the request, if known.

                              (3)          If a restriction is approved by the PSO, the information shall be entered into the PSO’s database and the HCC shall not use or disclose the restricted PHI 45CFR 164.522(a).

                              (4)          If the recipient or their personal representative is unable to write the request, the recipient or their personal representative may request assistance from the HCC.  If assistance is provided, the HCC shall document that the assistance was given, have the recipient or their personal representative sign and date the document, co-sign and retain the document in the recipient’s file.

                              (5)          Limited use and disclosure of PHI is allowable when the recipient or their personal representative is not present for an emergency or because of the incapacity of the recipient or their personal representative.

                              (6)          The HCC shall approve or deny the request as appropriate and ensure that the approval or denial of the restriction is entered into the medical record.

                              (7)          If the restriction would involve more than a single location, the HCC staff worker shall send the request to the HIPAA privacy and security officer.

                              (8)          The PSO shall inform the recipient or their personal representative in writing of the approval or denial of the request to restrict use and disclosure.

                              (9)          The PSO shall document the restriction(s) in the PSO’s database.

               E.           Amendments:  It is the policy of the HCC that the HCC shall allow a recipient to request that an amendment be made to the recipient’s own protected health information (PHI) contained in a designated record set as long as the PHI was originated by the HCC.

                              (1)          A request for an amendment shall be submitted in writing to the PSO 45 CFR 164.526.

                              (2)          If the HCC does not maintain the PHI that is the subject of the request for amending, the PSO shall inform the recipient or their personal representative where to direct the request, if known.

                              (3)          Within five working days of receiving the recipient’s or their personal representative’s written request for an amendment, the PSO shall forward the request to the possessor of the PHI requested to be amended for a determination on whether to grant or deny, in whole or in part, the recipient’s or their personal representative’s request.

                              (4)          The possessor of the PHI shall:

                                             (a)          review the recipient’s or their personal representative’s request for an amendment;

                                             (b)          determine whether to grant or deny, in whole or in part, the recipient’s or their personal representative’s request;

                                             (c)          within 45 calendar days of receiving the recipient’s or their personal representative written request for an amendment from the PSO, inform the PSO of the decision to grant or deny, in whole or in part, the recipient’s or their personal representative’s request and the reason(s) for reaching the decision;

                                             (d)          within 60 calendar days of the original receipt of the recipient’s or their personal representative’s request for an amendment, the PSO shall inform the recipient or their personal representative of the decision to grant or deny the requested amendment in whole or in part; and

                                             (e)          if the PSO is unable to act on the amendment within the required 60 calendar day period, the time may be extended by no more than 30 calendar days, provided that the PSO provides the recipient or their personal representative with a written statement of the reasons for the delay and the date the action on the request will be completed.

                              (5)          If the recipient’s or their personal representative’s request is granted in whole or in part:

                                             (a)          the possessor shall make the appropriate amendment to the recipient’s PHI in the designated record set;

                                             (b)          the PSO shall inform the recipient or their personal representative that the amendment is accepted;

                                             (c)          the PSO shall obtain the recipient’s or their personal representative’s agreement and identification of persons that the HCC is to notify of the amendment; and

                                             (d)          the PSO shall provide the amendment to those persons identified by the recipient or their personal representative and to persons, including business associates, that the PSO knows have received the PHI that is the subject of the amendment and who may have relied, or could predictably rely, on such information to the detriment of the recipient.

               F.            Complaints and appeals:  It is the policy of the HCC to receive, investigate and resolve complaints made by a recipient or their personal representative of alleged violations of the HIPAA privacy rule.  Complaints shall be made in writing, specifying how the recipient’s privacy rights have been violated, and submitted to the PSO or to the secretary of HCA 45 CFR 164.530(d)(1), (e), and (f).

                              (1)          Within five working days of receipt of the complaint, the PSO shall initiate a HIPAA privacy investigation.

                              (2)          The PSO shall enter the complaint into the PSO’s database.

                              (3)          Within 30 calendar days of contact by the PSO, the appropriate HCC staff shall conduct the HIPAA privacy investigation and prepare a written report to the PSO documenting the details of the HIPAA privacy investigation and the findings.

                              (4)          Within 30 calendar days after receiving the written report from the appropriate HCC staff, the PSO shall determine the validity of the complaint and notify the recipient or their personal representative, the HCC supervisor and the HCC staff of the action taken.  In consultation with the HCC supervisor, the PSO shall take appropriate action to mitigate the adverse effects of any unauthorized disclosure.

                              (5)          For valid complaints, the PSO shall ensure that the appropriate disciplinary action and training are applied as per 8.300.2.24 NMAC.

                              (6)          The PSO shall enter the HIPAA privacy investigation results into the PSO’s database.

                              (7)          If the recipient’s or their personal representative’s request pursuant to this section is denied in whole or in part, the PSO shall:

                                             (a)          provide the recipient or their personal representative with a timely, written denial, which includes the reason for the denial;

                                             (b)          inform the recipient or their personal representative of the recipient’s right to submit, and the procedure for submission of a written statement disagreeing with the denial and also inform the recipient or their personal representative that if no statement of disagreement is submitted, the recipient or their personal representative may request that the HCC provide the recipient’s or their personal representative’s request for amendment and the denial with any future disclosures of the PHI that is the subject of the amendment request;

                                             (c)          if necessary, prepare a written rebuttal to the recipient’s or their personal representative’s statement of disagreement and provide a copy to the recipient or their personal representative;

                                             (d)          identify the record or PHI and append to the designated record set the:

                                                            (i)           recipient’s or their personal representative’s request for an amendment;

                                                            (ii)          HCC’s denial of the request;

                                                            (iii)        recipient’s or their personal representative’s statement of disagreement, if any; and

                                                            (iv)         HCC’s rebuttal, if any.

[8.300.2.11 NMAC - Rp 8.300.2.11 NMAC, 7/1/2024]

 

8.300.2.12            USE AND GENERAL DISCLOSURES OF PROTECTED HEALTH INFORMATION:  PHI shall be used or disclosed only by authorized HCC staff or contractors and only in accordance with HCC policies and procedures 45 CFR 164.502(a) and 45 CFR 164.530(i).

               A.           Making a disclosure when an authorization is required:  When PHI is requested, an authorized HCC employee shall:

                              (1)          determine if a valid authorization is presented.  See 8.300.2.13 NMAC;

                              (2)          determine the identity and authority of the requestor as per 8.300.2.21 NMAC;

                              (3)          if a valid authorization is presented and the identity and authority of the requestor is verified, the HCC is authorized to disclose the PHI in accordance with the valid authorization’s instructions;

                              (4)          HCC shall retain the valid authorization in the recipient’s file;

                              (5)          the valid authorization and the disclosure shall be documented in the PSO’s database;

                              (6)          if the request is not accompanied by a valid authorization, the HCC shall determine if an exception to the authorization requirement applies; and

                              (7)          if no exception applies, the HCC shall deny the request for disclosure of PHI, document the denial and instruct the requestor that a valid authorization shall be obtained from the recipient or their personal representative before MAD will disclose PHI.

               B.           Exceptions:  A valid written authorization shall be required from a recipient or their personal representative before any use or disclosure of PHI, with the following exceptions:

                              (1)          disclosures to the recipient or personal representative pursuant to their request 45 CFR 164.502(a)(1)(i);

                              (2)          for purposes of TPO 45 CFR 164.502 and 506;

                              (3)          when a consent, authorization, or other express legal permission in writing was obtained from the eligible recipient prior to July 1, 2003, and is on file in an HCC location that permits the use or disclosure of PHI 45 CFR 164.532; and

                              (4)          when the use or disclosure of PHI is limited to the minimum necessary to or for the following:

                                             (a)          assist disaster relief agencies 45 CFR 164.510(b)(4);

                                             (b)          coroners, medical investigators, funeral directors, and organ procurement organizations as authorized by law 45 CFR 164.512(g) and (h);

                                             (c)          avert a serious and imminent threat to the health or safety of a person or the public 45 CFR 164.512(j);

                                             (d)          health oversight activities 45 CFR 164.512(d);

                                             (e)          disclosures required by law pursuant to a legal duty to disclose or report, such as for law enforcement purposes, child abuse or neglect, judicial or administrative proceedings, or workers compensation proceedings pursuant to a subpoena 45 CFR 164.512(a), (c), (e) and (f);

                                             (f)           public health activities 45 CFR 164.512(b);

                                             (g)          correctional institutions or law enforcement officials who have custody of an inmate 45 CFR 164.512(k)(5);

                                             (h)          government agencies which administer a government program that provides public benefits, where the disclosure is necessary to coordinate, improve, investigate, or manage the program 45 CFR 164.512(d)(1) and (3); or

                                             (i)           research purposes that have been granted a waiver of authorization by an appropriately constituted institutional review board (IRB), a privacy board or representation that the PHI is necessary for research purposes 45 CFR 164.512(i).

[8.300.2.12 NMAC - Rp 8.300.2.12 NMAC, 7/1/2024]

 

8.300.2.13            AUTHORIZATIONS:  When a disclosure is made as a result of an exception to an authorization being required, the authorized HCC employee shall follow the specific procedure established for that exception 45 CFR 164.502(b), 45 CFR 164.508, 45 CFR 164.512, 45 CFR 164.532.

               A.           Treatment, payment, or health care operations (TPO):

                              (1)          When conducting daily business that involves the use or disclosure of PHI, the HCC shall determine whether the use or disclosure is for TPO.

                              (2)          If the person who requested the PHI is unknown, the HCC shall verify the identity and authority in accordance with 8.300.2.21 NMAC.

                              (3)          The HCC shall apply the minimum necessary criteria to disclosures of PHI for payment or health care operations.

                              (4)          The HCC shall ensure that there are no restrictions to the requested disclosure for PHI.

                              (5)          The HCC shall use or disclose the minimum necessary PHI.  The minimum necessary criteria do not apply to disclosures or requests by a health care provider for treatment purposes.

                              (6)          Disclosures made for the purpose of providing TPO are not required to be documented.

               B.           Averting a serious threat:

                              (1)          If, in good faith and using professional judgment, the HCC determines that the use or disclosure of PHI is necessary to avert a serious and imminent threat to the health or safety of a person or the public:

                                             (a)          If the identity of the requestor is unknown, the HCC shall verify the identity and authority of the requestor in accordance with 8.300.2.21 NMAC.

                                             (b)          The HCC shall apply the minimum necessary criteria per 8.300.2.16 NMAC for disclosing PHI to prevent or lessen the threat.

                                             (c)          The HCC shall disclose the PHI only to person(s) reasonably able to prevent or lessen the threat, including the target of the threat.

                              (2)          The disclosure of PHI shall be documented in the PSO’s database.

               C.           Workers compensation:

                              (1)          If the identity and authority of the requestor is unknown, the HCC shall verify the information as required per 8.300.2.21 NMAC.

                              (2)          The HCC shall disclose the required PHI to the workers’ compensation administration in accordance with the minimum necessary criteria.

                              (3)          The disclosure of PHI shall be documented in the PSO’s database.

               D.           Coroners, medical investigators, funeral directors, and organ procurement organizations:  When the PHI request is from coroners, medical investigators, funeral directors, or organ procurement organizations, the HCC shall:

                              (1)          if unknown, verify the identity and authority of the requestor as per 8.300.2.21 NMAC;

                              (2)          apply the minimum necessary criteria per 8.300.2.16 NMAC;

                              (3)          disclose the minimum necessary PHI.  Disclosures to the coroner or medical investigator require a valid subpoena; and

                              (4)          record the disclosure in the PSO’s database.

               E.           Disaster relief efforts:  When an entity in disaster relief efforts requests PHI to assist in notifying, identifying, or locating a family member, personal representative or other person responsible for the care of the recipient regarding the recipient’s location, general condition or death, the HCC shall:

                              (1)          if unknown, verify the identity and authority of the requestor as per 8.300.2.21 NMAC;

                              (2)          apply the minimum necessary criteria per 8.300.2.16 NMAC;

                              (3)          provide recipients or their personal representatives the opportunity to agree to, restrict, or prohibit the use or disclosure of PHI to the disaster relief entity, unless the recipient is not present or is unable to agree to, restrict, or prohibit the disclosure; and

                              (4)          record the disclosure in the PSO’s database.

               F.            Health oversight activities:  The health oversight agency may request documents related to a recipient’s PHI and record the identity of recipients for whom PHI was accessed. The HCC shall then:

                              (1)          if unknown, verify the identity and authority of the requestor as per 8.300.2.21 NMAC;

                              (2)          apply the minimum necessary criteria per 8.300.2.16 NMAC;

                              (3)          disclose the minimum necessary PHI;

                              (4)          obtain the identity of recipients for whom PHI was accessed; and

                              (5)          record the disclosure in the PSO’s database.

               G.           Public health activities:  A public health agency may request documents related to a recipient’s PHI.  The HCC shall then:

                              (1)          if unknown, verify the identity and authority of the requestor as per 8.300.2.21 NMAC;

                              (2)          apply the minimum necessary criteria per 8.300.2.16 NMAC;

                              (3)          disclose the minimum necessary PHI if the purpose of requesting the information is for:

                                             (a)          the prevention or control of disease, injury, or disability including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority;

                                             (b)          another public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect;

                                             (c)          a person subject to the jurisdiction of the food and drug administration:

                                                            (i)           to report adverse events (or similar reports with respect to food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations if the disclosure is made to the person required or directed to report such information to the food and drug administration;

                                                            (ii)          to track products if the disclosure is made to a person required or directed by the food and drug administration to track the product;

                                                            (iii)        to enable product recalls, repairs, or replacement (including locating and notifying individuals who have received products subject to recalls, withdrawals, or other problems); or

                                                            (iv)         to conduct postmarketing surveillance to comply with requirements or at the direction of the food and drug administration; or

                                             (d)          a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition; and

                              (4)          record the disclosure in the PSO’s database.

               H.           Required by law:

                              (1)          If the request for the disclosure of PHI appears to be required by law, the HCC shall verify the identity of the requestor and forward the request to the HCA office of general counsel (OGC) for a determination of the validity of the request.

                              (2)          If advised by OGC that the request is valid, the HCC shall disclose the PHI in accordance with the minimum necessary criteria.

                              (3)          The HCC shall record the disclosure in the PSO’s database.

               I.            Law enforcement requests:  When the disclosure of PHI is for law enforcement purposes, the HCC shall:

                              (1)          verify identity and authority of the requestor;

                              (2)          forward the request to OGC for a determination of the validity of the request;

                              (3)          if advised by OGC that the request is valid, disclose the PHI in accordance with the minimum necessary criteria; and

                              (4)          record the disclosure in the PSO’s database.

               J.            Legal requests:

                              (1)          If the request for PHI arises from legal proceedings and requests such as judicial or administrative proceedings or subpoenas, the HCC shall verify the identity of the requestor if practicable, and forward the request to OGC, unless documented exceptions from OGC have been received.

                              (2)          If the identity of the requestor has not been previously verified to OGC, the HCC shall verify the identity of the requestor and determine the validity of the legal or law enforcement request.

                              (3)          The HCC shall then disclose the PHI or direct the disclosure to be made.

                              (4)          The HCC shall record the disclosure in the PSO’s database.

               K.           When consent or authorization for the use or disclosure of PHI was made prior to July 1, 2003:

                              (1)          The HCC shall determine if a valid authorization exists for the specific use or disclosure of PHI request.

                              (2)          If a valid authorization does not exist, the HCC shall determine if a consent, an authorization, or other legal permission exists that was obtained before July 1, 2003.

                              (3)          If a consent, an authorization, or other legal permission exists, the HCC shall verify that it is still in effect and that it is for the use or disclosure of the specific PHI requested.

                                             (a)          If yes, the HCC shall disclose the PHI and record the disclosure in the PSO’s database.

                                             (b)          If no, the HCC shall deny the PHI request and instruct the requestor that a valid authorization must be obtained from the recipient.  The requestor shall be provided a blank authorization form to be completed by recipient.

[8.300.2.13 NMAC - Rp 8.300.2.13 NMAC, 7/1/2024]

 

8.300.2.14            DISCLOSURES FOR RESEARCH PURPOSES:

               A.           Before a disclosure is made for research purposes, a valid authorization must be signed by the recipient or a waiver of authorization must have been obtained from a properly constituted institutional review board (IRB), a privacy board or representation that the PHI is necessary for research purposes 45 CFR 164.512(i)(1); 45 CFR 164.514(b) and (e).

               B.           Disclosure requirements:  The HCC shall:

                              (1)          accept requests for PHI for research purposes with an authorization; or without a recipient authorization where the research entity provides documentation reflecting alteration or waiver of the authorization requirement 45 CFR 164.512(i)(1) and (2);

                              (2)          forward all requests to the PSO;

                              (3)          if the requestor is unknown, verify the identity and authority of the requestor in accordance with 8.300.2.21 NMAC;

                              (4)          grant or deny requests in accordance with the HIPAA privacy rule 45 CFR 164.512(i); and

                              (5)          enter the disclosure information into the PSO’s database.

[8.300.2.14 NMAC - Rp 8.300.2.14 NMAC, 7/1/2024]

 

8.300.2.15            RECORDING AUTHORIZATIONS AND DISCLOSURES:  The HCC shall record all valid authorizations and record all disclosures of PHI.

               A.           Recording of authorizations:  All valid authorizations shall be recorded when received in the PSO’s database 45 CFR 164.508(b)(6).  Any disclosures of PHI shall be made and recorded only by authorized members of the HCC workforce in the PSO’s database.

               B.           Exceptions:  The only exceptions that shall be allowed to the recording of disclosures of PHI are those:

                              (1)          made to carry out TPO;

                              (2)          for notification purposes that include disaster relief, emergencies, or in the case of recipient death;

                              (3)          for national security purposes;

                              (4)          to correctional institutions or law enforcement officials having custody of an inmate;

                              (5)          made prior to July 1, 2003 45 CFR 164.528(a);

                              (6)          made six years prior to the date the accounting is requested;

                              (7)          made to the recipient of the recipient’s own PHI; or

                              (8)          made to individuals involved in the recipient’s care.

[8.300.2.15 NMAC - Rp 8.300.2.15 NMAC, 7/1/2024]

 

8.300.2.16            MINIMUM NECESSARY:  The HCC shall apply minimum necessary criteria to limit the PHI used, disclosed, or requested to the amount necessary to accomplish the task.  The minimum necessary criteria do not apply to disclosures to, or requests by, a health care provider for treatment purposes.  45 CFR 164.514(d)(2)-(5), 45 CFR 164.502(b)(2).

               A.           HCC’s use of protected health information:

                              (1)          An HCC supervisor shall determine the minimum necessary PHI needed by each HCC employee to perform their job duties and shall:

                                             (a)          grant appropriate medical record access;

                                             (b)          grant appropriate access to billing and payment information;

                                             (c)          grant appropriate access to other files containing PHI; or

                                             (d)          grant appropriate electronic access to PHI and set security levels.

                              (2)          Members of the HCC authorized workforce shall use PHI as authorized.  Requests for additional access to PHI shall be forwarded to the supervisor if needed to perform job duties.

               B.           HCC disclosures of protected health information:

                              (1)          Prior to making any disclosures of PHI, an authorized HCC employee shall determine the minimum necessary PHI to disclose by applying the following.

                                             (a)          If the disclosure request is made for a medical record maintained within the supervisor’s organizational unit, the request must specifically justify in writing why the entire medical record is needed.  The HCC employee shall apply professional judgment in determining whether all PHI requested is necessary to be disclosed.  Absent such justification, the request shall be denied.  The written request and disposition shall be maintained within the medical record.

                                             (b)          If a request for PHI to be disclosed is pursuant to a state or federal statute, administrative rule, court order, contract or grant and the disclosure is routine or recurring, the HCC employee shall determine if a MAD protocol for that disclosure exists.

                                             (c)          If it does, the HCC employee shall follow the protocol established for that routine and recurring disclosure.

                                             (d)          For any other routine or recurring disclosures, the HCC employee shall contact the PSO with a proposed standard protocol that details the minimum necessary PHI to be disclosed, to whom and for what purpose.  Once developed and approved, the HCC employee shall follow the protocol established for such routine and recurring disclosures.  By following such protocol, the minimum necessary requirement will be met.

                                             (e)          If the disclosure is not routine or recurring, the minimum necessary PHI to disclose is the PHI that has been requested by any of the following:

                                                            (i)           a health care provider or health plan;

                                                            (ii)          a business associate of the HCC, if the business associate represents that the PHI is the minimum necessary needed; or

                                                            (iii)        a researcher whose request for PHI is consistent with the documentation of approval of such research by an IRB or privacy board, and which documentation was provided to, and approved by, the PSO in accordance with 8.300.2 NMAC and 45 CFR 164.512(h).

                              (2)          When determining the minimum necessary PHI for all other disclosures, the HCC shall:

                                             (a)          review each request and if necessary make appropriate inquiries of the requestor to determine why the PHI is needed;

                                             (b)          apply professional judgment in determining whether all of the PHI requested is necessary to be disclosed to accomplish the identified purpose of the requested disclosure;

                                             (c)          limit the disclosure to the appropriate PHI to accomplish the identified purpose;

                                             (d)          if the disclosure is less than requested, provide an explanation of the limitation when the disclosure is made;

                                             (e)          refer questions concerning the minimum necessary disclosure of PHI to the PSO;

                                             (f)           if proposed standard protocols are received, the PSO reviews and approves or disapproves the standard protocol, keeps a copy of all approved standard protocols and notifies the supervisor of the decision; and

                                             (g)          authorized HCC employees shall:

                                                            (i)           follow the standard protocols that have been approved by the PSO;

                                                            (ii)          forward the request to their immediate supervisor, if disclosure requests are received other than from the recipient;

                                                            (iii)        provide the minimum necessary PHI that the recipient requested, if the disclosure request is from the recipient; and

                                                            (iv)         record the disclosure in the PSO’s database.

               C.           HCC requests for protected health information:  HCC employees shall determine the minimum necessary PHI to request by applying the following guidelines.

                              (1)          If the request is made for a medical record, the request shall specifically justify why the entire medical record is needed.  If the medical record is disclosed to or requested by a health care provider for treatment purposes, minimum necessary does not apply and justification is not required.

                              (2)          If the request for PHI is not routine or recurring, the request shall be limited to the minimum necessary PHI to accomplish the task.

                              (3)          All requests for PHI shall be in writing and a copy given to the PSO for audit purposes.

                              (4)          For any PHI requests that are routine or recurring, employees shall send the proposed standard protocol to the PSO that details the minimum necessary PHI needed to accomplish the task.

                              (5)          The PSO shall maintain written PHI requests and perform audits as necessary.

                              (6)          If proposed standard protocols are received, the PSO shall review and approve or disapprove the standard protocol, keep a copy of all approved standard protocols, and notify the supervisor of the decision.

[8.300.2.16 NMAC - Rp 8.300.2.16 NMAC, 7/1/2024]

 

8.300.2.17            DE-IDENTIFICATION OF PROTECTED HEALTH INFORMATION:  The HCC may de-identify PHI on recipients by removing all recipient identifiable information 45 CFR 164.514(a) and (b).  Authorized HCC employees shall forward the PHI to be de-identified to a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable; or they shall remove all the following recipient identifiable information.

               A.           Names.

               B.           Location:  All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the bureau of the census:

                              (1)          the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and

                              (2)          the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

               C.           Dates:  All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.

               D.           Numbers:  All elements of numbers, or combination of alpha-numeric and special characters, for identification directly related to an individual, including:

                              (1)          telephone numbers;

                              (2)          fax numbers;

                              (3)          e-mail addresses;

                              (4)          social security numbers;

                              (5)          medical record numbers;

                              (6)          health plan beneficiary numbers;

                              (7)          account numbers;

                              (8)          certificate/license numbers;

                              (9)          vehicle identifiers and serial numbers, including license plate numbers;

                              (10)        device identifiers and serial numbers;

                              (11)        web universal resource locators (URLs);

                              (12)        internet protocol (IP) address numbers;

                              (13)        any other unique identifying number, characteristic, or code, except as otherwise permitted.

               E.           Imagery:  All elements of physical characteristics captured in any format, or combination of formats, for identification directly related to an individual, including:

                              (1)          biometric identifiers, including finger and voiceprints; and

                              (2)          full face photographic images and any comparable images.

[8.300.2.17 NMAC - Rp 8.300.2.17 NMAC, 7/1/2024]

 

8.300.2.18            TERMINATION OF RESTRICTIONS:

               A.           Termination requirements:  Restrictions on the uses and disclosures of PHI shall be terminated if:

                              (1)          the recipient or the recipient’s personal representative requests the termination in writing;

                              (2)          the PSO informs the recipient or the recipient’s personal representative in writing that the HCC’s agreement to a restriction has ended and that the termination of the restriction is effective for any PHI created or received after the recipient or the recipient’s personal representative is notified of the termination (45 CFR 164.522(a)(2)); or

                              (3)          if the recipient is unable to write the request, the recipient may request assistance from the HCC; if assistance is provided, the HCC shall document that the assistance was given, have the recipient sign and date the document, co-sign it, and retain the document in the medical record.

               B.           Consideration of request:

                              (1)          The PSO shall approve or deny the request within five working days.  If approved, the PSO shall notify the recipient or the recipient’s personal representative in writing of the termination request and give the recipient or the recipient’s personal representative 10 working days to disagree in writing; if denied, the PSO shall notify the requestor in writing.

                              (2)          If the recipient or the recipient’s personal representative disagrees, the PSO shall inform the requestor of the disagreement and require a response from the requestor within three working days, then review the communication from the recipient or the recipient’s personal representative to determine whether the disagreement has a bearing on the PSO’s final decision to terminate the restriction.

                              (3)          The PSO shall issue a final decision within five working days and notify the recipient or personal representative and the MAD requestor.

                              (4)          The PSO shall record the termination of restriction in the PSO’s database.

[8.300.2.18 NMAC - Rp 8.300.2.18 NMAC, 7/1/2024]

 

8.300.2.19            BUSINESS ASSOCIATES:  The HCC shall have privacy protections in all contracts if the contract anticipates that HCC will make disclosures of PHI to the contractor so that the contractor may use the PHI to perform a business associate function on behalf of MAD relating to TPO.  The written protections shall satisfy HIPAA privacy rule 45 CFR 164.504(e).

[8.300.2.19 NMAC - Rp 8.300.2.19 NMAC, 7/1/2024]

 

8.300.2.20            MITIGATION:

               A.           HCC workforce:  To the extent practicable, the HCC shall mitigate any harmful effect that is known to the HCC from an improper use or disclosure of a recipient’s PHI by an HCC employee by applying the requirements set forth in the HCA HIPAA privacy policies and procedures applicable to HCC workforce disciplinary action and training (45 CFR 164.530(f)).  See 8.300.2.23 and 8.300.2.24 NMAC.

               B.           Business associates:  To the extent practicable, the HCC will mitigate any harmful effect that is known to it from an improper use or disclosure of a recipient’s PHI by any of its business associates by including language in its contracts with business associates that may impose fines and penalties on the business associate, up to and including immediate termination of the business associate’s relationship with the HCC (45 CFR 164.530(f)).

[8.300.2.20 NMAC - Rp 8.300.2.20 NMAC, 7/1/2024]

 

8.300.2.21            VERIFYING IDENTITY AND AUTHORITY:  If the identity or authority of a requestor of PHI is unknown, the identity and authority of that requestor shall be verified prior to any disclosure (45 CFR 164.514(h)).

               A.           Identification:  Upon receipt of a request for PHI, an authorized HCC employee must determine whether the requestor is a recipient or personal representative of a recipient.

                              (1)          If the requestor is unknown to the authorized HCC employee, the employee shall request proof of identity, such as a photo ID, a credit card issued to the requestor, or a medicaid card issued to the requestor.

                              (2)          If the request is made over the phone, the HCC employee shall require proof of identity by asking for a social security number or omnicaid system ID.

                              (3)          If the requestor is the recipient, a valid signed authorization satisfies the authority requirement.

                              (4)          If the requestor is the recipient’s personal representative, the HCC employee shall require proof of authority to act on the recipient’s behalf.

                              (5)          If the request for PHI disclosure is by a government official, and the government official’s identity is unknown, the HCC employee shall verify the identity of the government official by viewing an agency identification badge or other official credentials.

                              (6)          The HCC employee shall forward all requests for PHI for research purposes to the PSO.  See 8.300.2.14 NMAC.

               B.           Authority:  Once the identity of the government official is verified (or if already known), the HCC employee shall verify the authority of the request.  If the disclosure of PHI is required by law, the employee shall disclose the PHI and record the disclosure in the PSO’s database.  If there are questions as to whether PHI disclosure is required by law, the employee shall seek assistance from OGC prior to any PHI disclosure.

                              (1)          HCC shall forward all requests for PHI from subpoenas, legal requests, or for law enforcement purposes to OGC within two working days.

                              (2)          For any requests for PHI received, OGC shall determine the identity of the requestor and the authority of the requestor.  OGC then shall approve or deny the request and take the appropriate legal action.

               C.           Restrictions or amendments:  If a valid authorization is received from an ISD location and a restriction or amendment is recorded in the PSO’s database, the HCC shall take the following action.

                              (1)          If a restriction is already documented, and the valid authorization from the recipient is asking for the restricted PHI to be disclosed, the HCC shall notify the recipient in writing within three working days that a previously set restriction must be revoked in writing by the recipient before the disclosure can be made.

                              (2)          If an amendment is requested, within three working days the HCC shall determine if the PHI to be disclosed has been amended.  If yes, the HCC shall disclose the amended PHI.

                              (3)          The HCC shall record the disclosure in the PSO’s database.

[8.300.2.21 NMAC - Rp 8.300.2.21 NMAC, 7/1/2024]

 

8.300.2.22            SAFEGUARDING PROTECTED HEALTH INFORMATION:  PHI shall be treated as confidential and shall be subject to safeguarding procedures.  PHI shall be restricted from the public (45 CFR 164.530(c)).

               A.           Restricting access to PHI:  When meeting with recipients or their personal representative, HCC employees shall ensure that any PHI that does not belong to that recipient is not visible.  If meeting with the general public, HCC employees shall ensure that no PHI is accessible or visible.

               B.           Computer monitors:  The HCC workforce shall:

                              (1)          ensure that all computer monitors that provide access to PHI that are located in an area accessible to or visible by the general public are not facing the public; and

                              (2)          ensure that each computer monitor that provides access to PHI is locked with a password-protected screen saver, or otherwise secured by a method approved by the PSO, before leaving the computer monitor for any reason.

               C.           Facsimile machines:  The HCC workforce shall:

                              (1)          when a fax machine is located in an area accessible by the general public, remove incoming and outgoing faxes immediately; and

                              (2)          prior to sending any fax document containing PHI, verify the disclosure is in accordance with 8.300.2.12 NMAC, and:

                                             (a)          apply the minimum necessary criteria in accordance with 8.300.2.16 NMAC;

                                             (b)          verify that the number to which the PHI is being sent is the correct number;

                                             (c)          determine if the disclosure is required to be recorded, in accordance with 8.300.2.15 NMAC; and

                                             (d)          record any required disclosure of PHI in the PSO’s database in accordance with 8.300.2.15 NMAC.

               D.           Electronic mail:  Prior to sending an e-mail that contains PHI, the HCC workforce shall:

                              (1)          verify the disclosure is in accordance with 8.300.2.15 NMAC;

                              (2)          apply the minimum necessary criteria in accordance with 8.300.2.16 NMAC;

                              (3)          enter a notation referring to the confidential or sensitive nature of the information in the subject line to further safeguard the confidentiality of electronically submitted data;

                              (4)          verify the recipient’s e-mail address; and

                              (5)          determine if the disclosure is required to be recorded in the PSO’s database in accordance with 8.300.2.15 NMAC, and if so, record it.

               E.           Document disposal:  When documents that contain PHI are no longer needed and are not required to be retained under state of New Mexico records and archives requirements, authorized members of the HCC workforce shall request that such records be destroyed in accordance with 1.13.30.9 NMAC.

                              (1)          HCC workforce members shall destroy any form of paper that contains PHI by shredding or equivalent means as approved by the PSO. If a shredder is not available at the time the paper containing PHI needs to be destroyed, the papers shall be placed in a secure, locked environment until a shredder is available.

                              (2)          Under no circumstances shall un-shredded paper containing PHI be placed in a trashcan, recycle bin or otherwise disposed of.

               F.            Physical security:  The HCC shall have in place appropriate physical safeguards to protect the privacy of protected health information (45 CFR 164.530(c)).

               G.           Violations:

                              (1)          The PSO shall perform random audits to assure compliance with this procedure and shall report any confirmed violation to the HCC workforce member’s supervisor/coordinator.

                              (2)          The PSO shall implement the appropriate disciplinary action and training (if applicable) described in 8.300.2.24 NMAC and record the confirmed violation and disciplinary action into the employee’s file in the HCA office of human resources.

[8.300.2.22 NMAC - Rp 8.300.2.22 NMAC, 7/1/2024]

 

8.300.2.23            STAFF TRAINING:  All members of the HCC workforce shall be trained within appropriate timeframes on HIPAA privacy policies and procedures regarding the proper use and disclosure of PHI (45 CFR 164.530(b)).

               A.           Initial training:  The HCC shall:

                              (1)          develop a training plan with HCC supervisory staff involvement to determine the timing of and level of training appropriate to members of the HCC workforce;

                              (2)          develop bureau-specific training curricula and materials; the training material shall be maintained for six years;

                              (3)          provide bureau-specific training for the current HCC workforce no later than July 1, 2003; and

                              (4)          ensure documentation of initial training completion and forward documentation to the HCA office of human resources.

               B.           Continuous training:  For HCC workforce members who begin employment or whose job functions change subsequent to July 1, 2003, HCC shall:

                              (1)          within one working day of start date, notify the PSO of the new HCC workforce member, and schedule training for the new workforce member to be completed within 10 working days of the start date;

                              (2)          for HCC workforce members whose job functions change, and who thus require a new level of training, notify the PSO and schedule the training prior to having the workforce member assume the new job duties; employees must successfully complete training within 10 working days of their start date, and evidence of training must be provided to the HCA office of human resources; and

                              (3)          the HCA office of human resources shall retain the original signed training documentation for six years.

               C.           Privacy policy changes:  When changes are made to HCC policies or procedures or when HCC changes its privacy practices (45 CFR 164.530(b)), HCC shall:

                              (1)          prepare relevant changes to the bureau-specific curricula;

                              (2)          prepare changes to training materials;

                              (3)          retain the training material for six years;

                              (4)          after determining affected staff with supervisor involvement, develop a training plan;

                              (5)          ensure that the HCC workforce successfully completes training and provide individual signed documentation of training to the PSO;

                              (6)          the PSO shall forward the individual documentation of training to the HCA office of human resources; and

                              (7)          the HCA office of human resources shall retain the original signed training documentation for six years.

[8.300.2.23 NMAC - Rp 8.300.2.23 NMAC, 7/1/2024]

 

8.300.2.24            [RESERVED]

 

8.300.2.25            [RESERVED]

 

8.300.2.26            [RESERVED]

 

8.300.2.27            [RESERVED]

 

8.300.2.28            [RESERVED]

 

HISTORY OF 8.300.2 NMAC:  [RESERVED]

 

History of Repealed Material:  8.300.2 NMAC - Health Insurance Portability And Accountability Act Of 1996 (HIPAA) Policies (filed 6/16/2003) Repealed 7/1/2024.

 

Other:  8.300.2 NMAC - Health Insurance Portability And Accountability Act Of 1996 (HIPAA) Policies (filed 6/16/2003) Replaced by 8.300.2 NMAC - Health Insurance Portability And Accountability Act Of 1996 (HIPAA) Policies effective 7/1/2024.