All information obtained through the process of providing services to client/individuals of DPP, conducting adult or child abuse, neglect or dependency investigations, foster or adoptive home studies and adoption where judgment has been rendered, is deemed confidential.
Applicants for services and clients of DPP are made aware of the information maintained in their case record. Information contained in a client’s case record will not be released outside DPP except as specified by KRS 61.870-61.884, Open Records Act and HIPAA regulations. When statutes are in conflict, the federal law prevails.
Each DPP office, facility and program has in place appropriate administrative, technical and physical safeguards to reasonably secure all information pertaining to a client’s case records and protected health information (PHI) from intentional and unintentional unauthorized use or disclosure.
Any person requesting disclosure of information pertaining to a client’s case record follows the procedures outlined in SOP 30.10 CPS Open Records Request and Disclosure of Information and 30.11 APS Open Records and Confidentiality. Information regarding notice of privacy practices and access to and obtaining a copy of protected health information is located in the Health Insurance Portability and Accountability Act Tip Sheet linked in this section.
The SSW and appropriate Cabinet staff adhere to the following safeguards regarding the security of a client’s confidential information:
- Client information is not discussed in public except in a professional setting required and incidental to the delivery of services or in the performance of other functions required of DPP by federal or state mandate;
- Client information or data, whether in case record or on computerized file, is maintained in a secure location and away from public access as reasonably appropriate;
- If an SSW possesses confidential client information on an electronic device or other computerized file, the SSW keeps the device or file on their person at all times or at the very least, securely locked in the trunk of their vehicle;
- Client case records are maintained in locked files when not in use and only limited authorized workforce staff will have access to keys or combinations;
- When DPP offices are open to the public, the unlocked files containing client case records are in view and monitored by workforce staff at all times;
- Access to any client case record or data file is limited to employees, business associates or service providers who have a legitimate interest in the case or as required by law;
- When accessing client case records, computer monitors are positioned as appropriate to reasonably eliminate unintentional, unauthorized viewing;
- DPP computers access client case records information via a secure site and only authorized workforce staff with user ID and password with appropriate access level may gain access;
- All obsolete client files that are to be disposed of are incinerated or shredded by authorized workforce staff;
- Interviews with clients of DPP are not filmed, taped, photographed or observed without the knowledge and written consent of the client, except where permitted by law as in the case of child abuse where photographs are permissible;
- When an adoption judgment has been rendered, DPP workforce staff does not provide to anyone, even the parties to the adoption, any adoption case record information, the names of any parties appearing in the records or any copy of the records, except upon order of the court which granted the adoption;
- DPP offices, programs and facilities have in place appropriate administrative, technical and physical safeguards to reasonably secure and protect protected health information (PHI) from intentional or unintentional unauthorized use or disclosure;
- DPP workforce staff adheres to this SOP pertaining to office, program or facility safeguards to ensure compliance with HIPAA privacy regulations;
- Each new workforce staff receives HIPAA training elements within six (6) months after joining DPP;
- Each new workforce staff, whose job requirements are impacted by a material change in the policies and procedures relating to protected health information (PHI), or by a change in position or job description, receives the training as described above within a reasonable time after the change becomes effective;
- Upon employment, each workforce staff signs the CHFS-219 Employee Confidentiality/Security Agreement, indicating their understanding of and compliance with applicable policies and procedures relating to confidentiality and security;
- The CHFS-219 is then maintained in their personnel file.
- The Training Branch maintains documentation of each staff member’s completion of HIPAA trainings.
- Hard copy cases should never be removed from the local office unless they are being transported from one approved DCBS location to another. Examples include:
  - 2nd level case reviews;
  - Case transfers;
  - Fatalities;
  - Service complaints/CAPTA appeals;
  - Pre-Permanency conferences;
  - Sealed adoption cases to central office.
The department designates an individual from the Office of Legal Services (OLS) at central office as HIPAA privacy officer, responsible for overseeing, counseling and approving the development and implementation of DPP standards of practice relating to the safeguarding of PHI. The department designates the Office of the Ombudsman, in coordination with the Records Management Section, at central office as the body responsible for receiving complaints concerning HIPAA privacy regulations, validating and approving or denying the client’s or the client’s personal representative’s access to protected health information.
DPP offices, programs and facilities of the division maintain required standards of practice and procedures in written or electronic form and copies of all communications, actions, activities or designations as are required to be documented under HIPAA privacy regulations, for a minimum period of six (6) years from the later of the date of creation or the last effective date.
The Office of the Ombudsman, in conjunction with the Records Management Section, local offices and workforce staff documents:
- Any and all signed authorizations;
- All complaints and their disposition if any;
- Any sanctions that are applied as a result of non-compliance with HIPAA privacy regulations;
- Any use or disclosure of PHI for research without the client’s authorization; and
- Compliance with the Notice of Privacy Practices by retaining:
  - Copies of current and past notices it issues;
  - Written acknowledgements of the receipt of notice;
  - Written documentation of good faith efforts that failed to obtain written acknowledgment; and
  - Any SOP required to implement compliance.
- Designated case records that are subject to access by clients/individuals and the titles of persons or offices responsible for receiving and processing requests for access.
- All agreements with the client or personal representative by DPP regarding restriction of use and disclosure of PHI about the client to carry out treatment, payment or health care operations and the titles of persons or offices responsible for receiving and processing requests for restrictions.
- All agreements with the client or personal representative by DPP regarding amendments to the client’s PHI and the titles of persons or offices responsible for receiving and processing requests for amendments.
- Accounting of disclosures of PHI required by HIPAA privacy regulations made by DPP to include:
  - The date of the disclosure;
  - The name of the entity or individual who received the PHI and, if known, the address of such entity or individual;
  - A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis of the disclosure;
  - The written accounting of disclosure that is provided to the individual; and
  - The titles of persons or offices responsible for receiving and processing requests for an accounting of disclosure by clients.