Chapter 7 - Health Insurance Portability and Accountability Act Privacy Rule and the Privacy Act

Title	Section
Introduction	2-7.1
Purpose	2-7.1A
Background	2-7.1B
Authority	2-7.1C
Policy	2-7.1D
Definitions	2-7.1E
Responsibilities	2-7.2
Director, IHS	2-7.2A
Director, Office of Information Technology	2-7.2B
Area Director	2-7.2C
Area Privacy Official	2-7.2D
Chief Executive Officers	2-7.2E
Designated Headquarters, Area, and Service Unit Privacy Act HIPAA and HIM Employees	2-7.2F
All IHS Employees	2-7.2G
Procedures	2-7.3
Safeguards	2-7.3A
Complaints	2-7.3B
Sanctions	2-7.3C
Prohibited Sanctions	2-7.3D
Mitigation	2-7.3E
Refraining from Intimidating or Retaliatory Acts	2-7.3F
Waiver of Rights	2-7.3G
Procedures for Patients' Rights to Access, Inspect, and Obtain a Copy of Their PHI	2-7.4
Purpose	2-7.4A
Policy	2-7.4B
Background	2-7.4C
Authorities	2-7.4D
Definition	2-7.4E
Procedures for Access to Records Subject to the Privacy Act	2-7.4F
Procedures for Access to Deceased Patient Records or Records of Non-U.S. Citizens     not Lawfully Admitted for Permanent Residence	2-7.4G
Request for Access to Deceased Patient Records by Persons Who Are Not The Deceased     Patient's Personal Representative.	2-7.4H
Procedure for Matters Related to Accounting of Disclosures of PHI	2-7.5
Purpose	2-7.5A
Policy	2-7.5B
Conditions of Disclosure Requirements under the Privacy Act	2-7.5C
Other Disclosures that Require an Accounting under the IHS Privacy Act     System of Records Notice 09-17-0001, Medical, Health, and Billing     Records - Routine Uses Disclosures	2-7.5D
How to Make an Accounting of Disclosures	2-7.5E
Procedure for the Transmittal of Confidential Communication by Alternate Means or to an Alternate Location	2-7.6
Purpose	2-7.6A
Policy	2-7.6B
Definitions	2-7.6C
Procedure	2-7.6D
Written Request	2-7.6E
Procedure for the Use or Disclosure of Health Information Pursuant to Authorization of Valid Written Request	2-7.7
Purpose	2-7.7A
Policy	2-7.7B
Procedures	2-7.7C
Procedure for Requests for Correction/Amendment of PHI	2-7.8
Policy	2-7.8A
Request for Correction/Amendment of PHI	2-7.8B
Approval of Request for Correction or Amendment of PHI	2-7.8C
Denial of Correction or Amendment of PHI	2-7.8D
Appeal Rights	2-7.8E
Permanent Record	2-7.8F
Complaints	2-7.8G
Model Letters	2-7.9
Model Letter Approving Request for Correction or Amendment	2-7.9A
Model Letter of Acknowledgment of Receipt of Request for Correction     or Amendment	2-7.9B
Model Letter Denying Request for Correction or Amendment - Service Unit Letterhead     and Address	2-7.9C
Procedure for De-Identification of PHI and Subsequent Re-Identification	2-7.10
Purpose	2-7.10A
Policy	2-7.10B
Definitions	2-7.10C
De-identification Procedures	2-7.10D
Re-identification	2-7.10E
Procedure for Use and Disclosure of PHI for Directory Purposes	2-7.11
Policy	2-7.11A
Procedures	2-7.11B
Procedure for the Use and Disclosure of PHI during a Disaster and for Disaster Relief Purposes	2-7.12
Policy	2-7.12A
Disaster	2-7.12B
Notification	2-7.12C
Uses and Disclosures when the Patient is Present	2-7.12D
Limited Uses and Disclosures when the Patient is not Present	2-7.12E
Compliance	2-7.12F
Procedure for Sending and Receiving PHI by FACSIMILE	2-7.13
Purpose	2-7.13A
Policy	2-7.13B
Definitions	2-7.13C
Procedures	2-7.13D
Sending Information	2-7.13E
Receiving Information	2-7.13F
Procedure for Creating a Limited Data Set	2-7.14
Purpose	2-7.14A
Policy	2-7.14B
Definitions	2-7.14C
Procedures	2-7.14D
Data Use Agreement - Example	2-7.15
Procedure for Limiting the Use or Disclosure of and Requests for PHI to the Minimum Necessary	2-7.16
Purpose	2-7.16A
Policy	2-7.16B
Responsibilities	2-7.16C
Procedures	2-7.16D
Procedure for Providing IHS Notice of Privacy Practice	2-7.17
Purpose	2-7.17A
Policy	2-7.17B
Procedures	2-7.17C
Notice Distribution	2-7.17D
Inmates and the "Notice"	2-7.17E
Notice	2-7.18
Procedure for the Use and Disclosure of PHI for Involvement in the Patient's Care and for Notification Purposes	2-7.19
Purpose	2-7.19A
Policy	2-7.19B
Procedures	2-7.19C
Procedure for the Use and Disclosure of PHI for Research Purposes	2-7.20
Purpose	2-7.20A
Policy	2-7.20B
Procedures	2-7.20C
Procedure for the Maintenance, Use, and Disclosure of Psychotherapy Notes	2-7.21
Purpose	2-7.21A
Policy	2-7.21B
Definitions	2-7.21C
Procedures	2-7.21D
Exclusions	2-7.21D
Procedure for the Request for Restriction(s) of the Use and/or Disclosure of PHI	2-7.22
Purpose	2-7.22A
Policy	2-7.22B
Procedures	2-7.22C
Restriction	2-7.22D
Restriction Agreement	2-7.22E
Procedure for Access to or Disclosure of PHI of Unemancipated Minors	2-7.23
Purpose	2-7.23A
Policy	2-7.23B
Definitions	2-7.23C
Procedures for Access to or Disclosure of a Minor's PH	2-7.23D
Requests for Access to the Minor's PHI by a Parent, Guardian, or Individual Acting in Loco     Parentis	2-7.23E
Creation of a Personal Health Record for a Minor	2-7.23F
Request from Other Third Parties	2-7.23G
Request for Access to or Disclosure of PHI	2-7.23H
Procedure for Verification of Indentity Prior to Disclosure of PHI	2-7.24
Purpose	2-7.24A
Policy	2-7.24A
Disclosure	2-7.24C
Responsibilities	2-7.24D
Procedure	2-7.24E
Procedure for the Use and Disclosure of PHI for Emancipated Minors and Adults with Personal Representatives or Legal Guardians	2-7.25
Purpose	2-7.25A
Policy	2-7.25B
Definitions of a Personal Representative	2-7.25C
Procedure	2-7.25D
Procedure for the Disclosure of PHI to Law Enforcement Officials	2-7.26
Purpose	2-7.26A
Policy	2-7.26B
Procedures	2-7.26C
Disclosures of PHI to Law Enforcement Officials that do not require a Law     Enforcement Request.	2-7.26D
Members of the IHS Workforce Who are Victims of Crime	2-7.26E
Verification of Identity of Law Enforcement Official	2-7.26F
Temporary Suspension of Accounting for Disclosure to Law Enforcement Officials	2-7.26G

2-7.1  INTRODUCTION

1. Purpose.  The purpose of this chapter is to provide instructions and guidance regarding the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, Health Information Technology for Economic and Clinical Health (HITECH) Act, and the Privacy Act requirements.
2. Background.  This updated chapter contains the Indian Health Service (IHS) policy and procedures for compliance with the HIPAA Privacy Rule, HITECH, the IHS Notice of Privacy Practices (Notice), including the required forms, instructions for completion, and procedures for the transmission or receipt of information by facsimile.

   The HIPAA Privacy Rule requires the IHS to implement procedures for protecting Protected Health Information (PHI) created or received by the IHS, or in its direct possession or control.  The implementation of these procedures requires the use of HIPAA forms.

   The HIPAA Privacy Rule requires that the IHS provide all individuals with a Notice specifying how their personal PHI may be used and disclosed, how the individual can get access to such information, and the obligations the IHS has to patients regarding the use and disclosure of such information.  In addition, the IHS must attempt to obtain acknowledgment from the patient(s) that they have received the Notice prior to the IHS providing treatment to the extent possible.

   Patient health information must be transmitted in accordance with the requirements of the Privacy Act of 1974, as amended, 5 United States Code (U.S.C.) § 552a; the HIPAA General Administrative Requirements; and HIPAA Security and Privacy Rule 45 Code of Federal Regulations (CFR), Parts 160 and 164.  Note:  Due to the complex and distinct issues related to computer based electronic transmission of health information, this chapter is not intended to address the safeguards necessary to ensure the confidentiality of that particular form of health information transmission.  See 45 CFR § 164.308; 45 CFR § 164.310; 45 CFR § 164.312; and 45 CFR § 164.530(c)(1) and (2).

3. Authority.
   1. 5 U.S.C. § 552a, 552a(b)(5)(7), 552a(d), 552a(h)
   2. Part 2, 45 CFR, Parts 5b, 5b.5, 5b.6, 5b.9(b)(7), 5b 9(c), 45 CFR, 160, 164, 164.502(b)(g), 164.508(a)(2), 164.510(a)(b)(1)(ii)(3)(4), 164.512, 164.512(i)(c)(1)(2), 164.514(a)(c)(d)(e)(h), 164.520, 164.522(a)(b)(1)(2), 164.524(a)(3)(ii), 164.526, and 164.528
   3. Department of Health and Human Services (HHS) Privacy Regulations 45 CFR §§ 5b.5(b)(2) - 5b.10
   4. Health Information Technology for Economic and Clinical Health Act, Title XIII, Subtitle D of the American Reinvestment and Recovery Act of 2009, Public Law (P.L.) No. 111-5, 123 Statute 115 (2009)
4. Policy.  It is IHS policy to:
   1. Fully comply with the requirements of the HIPAA General Administrative Requirements, the HIPAA Privacy Rule, and the Privacy Act.
   2. Provide every patient who receives services at an IHS facility with a copy of the IHS Notice.
   3. Ask the patient to acknowledge receipt of the IHS Notice.
   4. Ensure the confidentiality of health information transmitted by facsimile.
5. Definitions.
   1. Accounting of Disclosures.  The IHS, with respect to each system of records under its direct control (i.e., Privacy Act System of Record 09-17- 0001, Medical, Health, and Billing Records) must keep a record of the date, nature, and purpose of each disclosure of a record to any person or Agency under subsection (b) of the Privacy Act (5 U.S.C. § 552a) and the name and address of the person or Agency to whom the disclosure is made.  An accounting need not be kept of intra-agency disclosures (referenced as (b)(1) under the Privacy Act and Freedom of Information Act (FOIA) disclosures (referenced as (b)(2) under the Privacy Act).

      This record must be kept for 5 years or the life of the record; whichever is longer, after the disclosure for which the accounting has been made.  An individual (beneficiary) is entitled, upon request, to get access to this disclosure record of his or her own personal records with the exception for disclosures made under subsection (b) (7) of the Privacy Act (as a result of civil or criminal law enforcement activity).  The IHS must inform any person or other Agency about any correction or notation of dispute made by the IHS in accordance with subsection (d)(4) of the Privacy Act (Access of Records) of any record that has been disclosed to the person or Agency if an accounting of the disclosure was made.  This is a mandatory reporting requirement and may be recorded utilizing the Resource and Patient Management System (RPMS) Release of Information (ROI) software application or the IHS-505, "Disclosure Accounting Record" form.  https://intranet.hhs.gov/sites/default/files/s3fs-public/s3fs-public/2019-05/ps505.pdfExit Disclaimer: You Are Leaving www.ihs.gov 

   2. Breach.  A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the PHI.  An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:
      1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
      2. The unauthorized person who used the PHI or to whom the disclosure was made.
      3. Whether the PHI was actually acquired or viewed.
      4. The extent to which the risk to the PHI has been mitigated.
   3. http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.htmlExit Disclaimer: You Are Leaving www.ihs.gov 
   4. Designated Record Set.  For purposes of this paragraph, the term "record" means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.  A designated record set means a group of records maintained by or for a covered entity that is:
      1. The medical, health, and billing records about individuals maintained by or for a covered health care provider.
      2. The enrollment, payment, claims adjudication, and case, or medical management record systems maintained by or for a health plan.
      3. Used, in whole, or in part, by or for the covered entity to make decisions about individuals.  45 CFR § 164.501
   5. De-identified Protected Health Information.  Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.
   6. Electronic Health Record.  "Electronic Health Record" shall mean an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.
   7. Emergency Medical Condition.  An emergency medical condition is a medical condition manifesting itself by acute symptoms of sufficient severity (including severe pain) such that the absence of immediate medical attention could reasonably be expected to result in:
      1. Placing the health of the individual (or, with respect to a pregnant woman, the health of the woman or her unborn child) in serious jeopardy.
      2. Serious impairment to bodily functions.
      3. Serious dysfunction of any bodily organ or part.
   8. Health Information.  Any information, whether oral or recorded in any form or medium, that:
      1. Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse.
      2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
   9. Highly Sensitive Health Information.  Highly sensitive health information is any PHI relating to:
      1. The diagnosis, treatment, or referral for the Human Immunodeficiency Virus/Acquired Immune Deficiency Syndrome (HIV/AIDS) or other sexually transmitted diseases (STD).<./li>
      2. The diagnosis, treatment, or referral for cancer or other life threatening illnesses.
      3. The diagnosis, treatment, or referral for treatment of sexual assault/abuse, mental illness, and/or alcohol or substance abuse.
   10. Individually Identifiable Health Information.  Individually identifiable health information is information that:
       1. is a subset of health information, including demographic information collected from an individual;
       2. is created or received by a health care provider, health plan, employer, or health care clearinghouse;
       3. relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
       4. that identifies the individual; or
       5. with respect to which there is a reasonable basis to believe the information can be used to identify the individual.  45 CFR § 160.103
   11. Limited Data Set.  A limited data set is PHI that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:
       1. Names
       2. Postal address information, other than town or city, State, and zip code
       3. Telephone numbers
       4. Fax numbers
       5. Electronic mail addresses
       6. Social security numbers
       7. Medical record numbers
       8. Health plan beneficiary numbers
       9. Account numbers
       10. Certificate/license numbers
       11. Vehicle identifiers and serial numbers, including license plate numbers
       12. Device identifiers and serial numbers
       13. Web Universal Resource Locators (URLs)
       14. Internet Protocol (IP) address numbers
       15. Biometric identifiers, including finger and voice prints
       16. Full face photographic images and any comparable images.  45 CFR § 164.514(e)(2).
   12. Notice of Privacy Practices.  The Notice describes:
       1. How an individual's PHI may be used and disclosed by the IHS.
       2. The individual's rights, including how to access PHI.
       3. The IHS' responsibilities with respect to PHI.
   13. Privacy Rule.  "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Parts 160 and 164, Subpart A and Subpart E.
   14. Protected Health Information.  Protected health information means individually identifiable health information that is:
       1. Transmitted by electronic media.
       2. Maintained in electronic media.
       3. Transmitted or maintained in any other form or medium.  45 CFR § 160.103
   15. Protected Health Information (Excluded).  Excluded PHI refers to individually identifiable health information in:
       1. Education records covered by the Family Educational Rights and Privacy Act, as amended 20 U.S.C. § 1232g.
       2. Records described at 20 U.S.C. § 1232g(a)(4)(B)(iv).
       3. Employment records held by a covered entity in its role as employer.  45 CFR § 160.103
   16. Psychotherapy Notes.  Psychotherapy notes are those notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separate from the rest of the individual's medical record.  Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items:  diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date.  45 CFR § 164.501
   17. Required by Law.  Required by law means a mandate contained in law, and enforceable in a court of law, that compels an entity to make, use, or disclose PHI.  Required by law includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or Tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.  45 CFR § 164.501.
   18. Unsecured Protected Health Information.  "Unsecured Protected Health Information" or "Unsecured PHI" shall mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary, HHS, in guidance on the HHS Web site issued under section 13402(h)(2) of the HITECH Act.

2-7.2  RESPONSIBILITIES

Historically, it has been the IHS policy that all health information professionals, health care providers, managers, and staff, i.e., Health Information Managers (HIM), who were responsible for the creation, maintenance and disposition of health records; were required to maintain and preserve the confidentiality of the patients health records (Part 3, Chapter 3, "Health Information Management," IHM).  With the passage of the HITECH Act, and other laws, paper health records are in the process of being transitioned into electronic health records.  As a result of the rise of the electronic health records, the IHS Office of Clinical and Preventive Services (OCPS), the Office of Information Technology (OIT) and the Office of Management Services (OMS) must coordinate activities and share responsibilities to ensure that the IHS is in compliance with the HIPAA Privacy Rule, HITECH Act, and the Privacy Act requirements.

1. Director, IHS.  The Director, IHS, ensures administrative compliance with the HIPAA Privacy Rule, HITECH Act, and Privacy Act requirements.  The Director, or her or his appointed delegate (as indicated in writing) is responsible to:
   1. Provide advice to Area Directors, Service Unit Chief Executive Officers (CEO), and staff on IHS-wide health privacy activities and patient information or medical record issues.
   2. Consult with the Director, OMS, and the Director, Division of Regulatory Affairs (DRA) on HIPAA Privacy Rule and Privacy Act issues.
2. Director, Office of Information Technology.  The Director, OIT is responsible to:
   1. Provide information technology (IT) services and support to IHS, Tribal, and Urban Indian Health Programs (UIHP).
   2. Develop clinical and business practice healthcare applications, such as, the RPMS and the EHR.
   3. Ensure access to the RPMS and EHR is appropriately limited, via established security procedures, to those individuals whose roles or official duties require such access.  Information security officers and system data stewards review and authorize data access requests.  The IHS OIT regulates data access with security software that authenticates IHS users and requires individual unique codes and passwords.
   4. Provide information security training to all staff and instructs staff on the responsibility each person has for safeguarding data confidentiality.  The IHS OIT regularly updates security standards and procedures that are applied to systems and individuals supporting this program.
   5. Ensure data transmissions between operational systems and IHS Personal Health Record (PHR) are protected by telecommunications software and hardware as prescribed by IHS standards and practices.  This includes firewalls, encryption, and other security measures necessary to safeguard data as it travels across the IHS-wide Area Network.
   6. Safeguard copies of back-up computer files which are maintained at secure off-site locations.
3. Area Director.  Each Area Director will:
   1. Report to the Director, IHS, all HIPAA privacy and other documentation issues that could affect health care delivery.
   2. Ensure their Area is in compliance with the HIPAA Privacy Rule, HITECH Act, and Privacy Act regulations.
   3. Where applicable, be responsible for the development of his or her respective Area HIPAA policies and procedures.
   4. Designate (in writing) an Area Privacy Official who is delegated the authority and responsibility to oversee all HIPAA Privacy Rule and Privacy Act activities.
   5. Designate (in writing) an Area Purchased/Referred Care (PRC) Privacy Official, for PRC provided directly through the Area Office, with the authority and responsibility to:
      1. Review and approve or deny any patient request to restrict the use or disclosure of PHI.
      2. Inform the patient in writing regarding the decision.
      3. Acknowledge receipt of the completed IHS-917, "Request for Correction/Amendment of Protected Health Information" form.
      4. Ensure that the completed IHS-917 form and any correspondence pertaining to the request are filed in the patient's health record.
4. Area Privacy Official.  The Area Privacy Official must be knowledgeable of the HIPAA Privacy Rule, HITECH Act, and Privacy Act requirements, including the complaint process and breach reporting responsibilities; and be capable of resolving privacy issues.  The Area Privacy Official may be designated as the Area Privacy Act Advocate and/or the Area HIPAA Coordinator.  The Area Privacy Official must provide:
   1. Training on the HIPAA Privacy Rule, HITECH Act, and Privacy Act to all employees, volunteers, trainees, and contractors.
   2. Training for new employees as soon as possible, but no later than 30 days after official date of hire.
   3. Function-specific training to staff, such as, HIM staff, business office staff, nursing staff, and medical staff.
   4. Training to designated staff when policies and procedures are revised.
   5. Training documentation to the trainee and maintain the documentation in writing for 6 years
5. Chief Executive Officers.  Each CEO is responsible to:
   1. Report HIPAA privacy and other documentation issues that could affect health care delivery to his or her respective Area Director.
   2. Ensure compliance with HIPAA Privacy Rule, HITECH Act, and Privacy Act regulations.
   3. Designate (in writing) a Service Unit Privacy Official with the authority and responsibility to:
      1. Oversee all HIPAA Privacy Rule and Privacy Act activities.
      2. Develop Service Unit privacy policies and procedures, as needed.
6. Designated Headquarters, Area, and Service Unit Privacy Act, HIPAA, and HIM Employees.
   1. The IHS Headquarters Privacy Act/HIPAA Privacy Officer, the Area Director(s) or his or her designee(s), Area Privacy Act Advocates, and/or HIPAA Coordinators, and Service Unit Privacy Act Liaisons, in consultation with Area HIM Consultants (in Areas with designated HIM Consultants) are responsible for ensuring HIPAA compliance within their geographic area.
   2. The IHS Headquarters Privacy Act/HIPAA Privacy Officer informs the Director, DRA, of potential privacy compliance issues affecting the IHS.
   3. Area Privacy Act Advocates advise Service Unit staff on HIPAA Privacy Rule and Privacy Act issues.
   4. Area Privacy Act Advocates report directly to the Area Director and may advise the IHS Headquarters Privacy Act/HIPAA Privacy Officer of a privacy violation, non-compliance, complaint, and action taken.
7. All IHS Employees.  All IHS Employees are responsible for:
   1. Ensuring they are in compliance with HIPAA Privacy Rule, HITECH Act, and Privacy Act regulations.
   2. Immediately reporting to their supervisor a violation/breach of the HIPAA Privacy Rule; HITECH Act; Privacy Act regulations and any other regulation.  (See the Standard Operating Procedure for Incident Reporting, DIS-SOP-09-02, Version 3.4, dated February 2013.)
   3. Following existing incidence response processes.

2-7.3  PROCEDURES

1. Safeguards.  All IHS facilities shall maintain policies and procedures to safeguard PHI in accordance with the HIPAA Privacy and Security Rules, the Privacy Act, Federal Information Security Management Act, HITECH Act, and other applicable laws for both electronic and paper records to include administrative, technical, and physical safeguards.  Examples:
   1. Administrative safeguards include policies related to security management; assigned security responsibility; workforce security; information access management; security awareness and training; security incident procedures; contingency plans; and periodic evaluation.
   2. Technical safeguards include user access and restrictions controls; audit controls; integrity controls; person or entity authentication controls; and transmission security controls.
   3. Physical safeguards include facility access controls; workstation use controls; workstation security controls; and device and media controls.
2. Complaints.  All complaints shall be addressed to the Service Unit CEO or (his or her) designee.  Complaints must be documented, maintained, and filed, and include a brief explanation of resolution, if any.  Note:  Complaints may also be filed directly with the Secretary, HHS.
3. Sanctions.  Sanctions could range from a warning to removal, depending on the type of violation.  In addition, employees could be subject to administrative, civil, and/or criminal penalties under the HIPAA Privacy Rule or the HITECH Act.
4. Prohibited Sanctions  The IHS shall not invoke sanctions against employees, volunteers, trainees, and contractors under the following condition:
   1. Whistleblower.  If an employee discloses PHI, provided he or she believes in good faith that the facility is in violation of HIPAA Privacy and Privacy Act or other clinical or health care standards or that facility activities or conditions could potentially endanger a patient (or patients), employee, or member of the public, so long as the disclosure is made to:
      1. a healthcare oversight authority, law enforcement agency, or public health authority authorized by law to investigate such violations or an accreditation organization for the purpose of reporting the failure to meet standards of conduct by an IHS facility; or
      2. an attorney retained by the employee for the purpose of determining his or her legal options with regards to an IHS facility's conduct.

      For additional guidance on appropriate sanctions, consult with your servicing personnel office.

   2. Law Enforcement.  Disclosure of PHI by an employee, volunteer, trainee, or contractor, who is a victim of a crime, to a law enforcement official provided that the PHI disclosed is about the suspected criminal and the PHI disclosed is limited to the following:
      1. Name and address
      2. Date and place of birth
      3. Social Security Number
      4. ABO blood type and Rh factor
      5. Type of injury
      6. Date and time of treatment
      7. Date and time of death, if applicable
      8. Description of distinguishing physical appearance, including height, weight, gender, race, hair or eye color, presence or absence of facial hair, scars, and tattoos.
5. Mitigation.  When the IHS becomes aware of the use or disclosure of PHI in violation of applicable Federal law and/or of its policies or procedures by one or more of its employees, volunteers, trainees, contractors, or business associates, the IHS shall take reasonable steps to mitigate any known harmful effect of such use or disclosure of PHI.
6. Refraining from Intimidating or Retaliatory Acts.  The IHS shall not intimidate, threaten, coerce, discriminate against, or take retaliatory action against patients, employees, volunteers, trainees, and contractors for exercising their rights under the HIPAA Privacy Rule or the Privacy Act, or participating in any process for:
   1. Filing privacy complaints.
   2. Testifying, assisting, or participating in an investigation.
   3. Compliance review, proceeding, or hearing related to the HIPAA Privacy Rule or Privacy Act.
   4. Opposing any act or unlawful practice under the HIPAA Privacy Rule or Privacy Act and the manner of opposition is reasonable and does not involve a disclosure of PHI not permitted.
7. Waiver of Rights.  Individuals shall not be required to waive their rights under the HIPAA Privacy Rule or Privacy Act, including, but not limited to, their right to file a complaint as a condition for the provision of treatment, payment, eligibility (e.g., PRC), or other benefits.

2-7.4  PROCEDURES FOR PATIENTS' RIGHTS TO ACCESS, INSPECT, AND OBTAIN A COPY OF THEIR PHI

1. Purpose.  This section describes the rights of patients, under certain circumstances, to access, inspect, and obtain a copy of their PHI.
2. Policy.  It is IHS policy to provide patients or their personal representative(s) the maximum right to access, inspect, and obtain copies of their PHI.  With respect to access by or on behalf of unemancipated minors, please refer to Section 2-7.23, "Procedure for Access to or Disclosure of PHI of Unemancipated Minors."
3. Background.  Access to medical records residing in a Privacy Act "System of Records," (PASOR), e.g., the IHS Medical, Health, and Billing Records System may be gained according to the guidelines found at 5 U.S.C. §552a(d) "Access to Records."  The IHS follows the Privacy Act access procedures when determining whether to provide a patient with access to his or her PHI because the Privacy Act access procedures provide the patient with greater access to his or her own PHI.
4. Authorities.  The Privacy Act of 1974, as amended, the definition found at 5 U.S.C. §552a (a) (5) "System of Records" and/or a "designated record set" as defined at 45 CFR § 164.501.
5. Definition.  A PASOR is a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.  https://www.ihs.gov/sites/privacyact/themes/responsive2017/display_objects/documents/privacy-act-1974.pdf
6. Procedures for Access to Records Subject to the Privacy Act.  The following procedures shall be used when a patient whose records are subject to the Privacy Act makes a request to access, inspect, and/or obtain a copy of their PHI.
   1. The Request Must be Made in Writing.  A patient must submit a written request to the CEO or (his or her) designee responsible for maintaining the PHI that specifies the records the patient would like notification of or access to.  Service units may use IHS-810 form or a written request from the patient or personal representative. (For IHS Areas that provide PRC directly through the IHS Area Office, references to the CEO should be considered references to the IHS Area Director or (his or her) designee, as applicable.)  The form IHS-810 is available at:

      (For Public and Federal access) https://www.ihs.gov/forpatients/patientforms/

      (For IHS staff only)  https://intranet.hhs.gov/sites/default/files/s3fs-public/s3fs-public/2020-09/ihs-810.pdfExit Disclaimer: You Are Leaving www.ihs.gov 

   2. Verifying Patient's Identity.  The identity of the individual requesting access to a patient's records shall be determined in accordance with the instructions contained in Section 2-7.24, "Procedure for Verification of Identity Prior to Disclosure of Protected Health Information."
   3. Patient Must Designate a Representative.  At the time of the request for access to PHI, the patient must designate, in writing, a representative willing to review the record and inform the patient of its contents at the representative's discretion.  The representative may be a physician, other health professional, or other responsible individual.
   4. Authorizing a Third-Party to Accompany Patient during a Meeting.  If the patient requests access to his or her PHI, and is accompanied by another individual, the patient must affirmatively authorize (orally or in writing) the presence of the other individual during any discussion of a record to which access is requested.
   5. Requesting Copies.  In addition to requesting notification and access to records, the patient may request copies be made of such records in accordance with the fee schedule set forth at 45 CFR 5b.13.
   6. Maintaining Copy of Requests for Access.  All requests, designations, and correspondence relating to the patient's request for access should be maintained in the patient's medical record.
   7. Time Period to Act on Request.  When a patient makes a request to access, inspect, and obtain a copy of their PHI, the CEO or designee must act upon the request:
      1. within 30 days of receipt of the written request if the information is maintained or accessible onsite, or
      2. within 60 days if it is not maintained or accessible onsite.
   8. Extension.  One 30-day extension is permitted to complete action on a written request for PHI.  A written statement signed by the CEO or designee describing the reason(s) for the delay and a date by which action on the request will be completed must be provided to the patient (or the patient's personal representative, if applicable) within the 30-day or 60-day time frame.
   9. Access Granted in Whole or in Part.  A patient must be granted direct access to their PHI if the CEO or (his or her) designee determines that direct access is not likely to have an adverse effect on the patient.
      1. If direct access is granted, in whole or in part, the CEO or designee shall inform the patient in writing that they may inspect and/or obtain a copy of their PHI.
      2. The IHS is only required to produce the PHI once per request even if the record is maintained in more than one location or in more than one designated set of records.
      3. The IHS must provide the information in the requested form or format if it is readily available.  If it is not, the IHS must produce a readable hard copy in another form or format upon which both the patient and the IHS have agreed.
      4. When a copy is provided, the date on which the copy is delivered must be entered in the patient's chart.
      5. Subject to the patient's agreement in advance, a summary or an explanation of the PHI may be provided in lieu of the underlying information, but the patient retains the right of access to both the summary and underlying information.
      6. If an IHS business associate(s) maintains any designated record set on behalf of the IHS, and all or a portion of the patient's medical records are located in the designated record set maintained by such business associate(s), then the IHS shall also provide the patient with access to information in any such designated record set in the possession of its business associate(s).
      7. Access must be provided at a mutually convenient time and place for inspection or copying.  If requested, the IHS must mail the PHI, but may charge a cost based fee for copying, in addition to postage.  (See the fee schedule at 45 CFR 5b.13.)
   10. Adverse Effect of Direct Access on the Patient.  If the CEO or (his or her) designee determine that direct access to the PHI by the patient is likely to have an adverse effect on the patient:  The PHI must be sent to the patient's designated representative.  The designated representative will disclose the PHI to the patient.  The patient will be notified in writing that the PHI has been sent to (his or her) designated representative.
   11. Access Denied in-Whole or in-Part.  In some instances, a request for access, either by the patient or by their personal representative, will be denied.  Under the HIPAA Privacy Rule, certain denials are unreviewable, while others require the CEO or (his or her) designee to provide the patient (or personal representative) with the right to request review of the initial denial decision.  The grounds for denial that are unreviewable are set forth below, while the grounds for reviewable denials are set forth in section 2-7.4F(11)a below.  All requests for access that are denied, whether in whole or in part and for any reason (unreviewable or reviewable denials) must be processed pursuant to the procedures set forth in Section 2-7.4F(11)c below.  Additionally, access denials must comply with Section 2-7.4F(11)d review procedures (below).
       1. Unreviewable Grounds for Denial.  The following grounds for denial of a request for access are unreviewable:
          1. The records requested are "psychotherapy notes."  (See Section 2-7.21, "Procedure for Maintenance, Use, and Disclosure of Psychotherapy Notes.")
          2. The IHS may deny access to information compiled in reasonable anticipation of, or for use in, civil, criminal, or administrative actions or proceedings.  In such instances, the patient should be notified in writing of the Agency's decision to deny access on the grounds that such information was compiled in reasonable anticipation of, or for use in, civil, criminal, or administrative actions or proceedings, citing 5 U.S.C. § 552a(d)(5).

             Note:  This type of information should not be filed in the patient's medical record.  Should such information be found in the patient's medical record, contact the OGC.

          3. The IHS may deny an individual's access to PHI created or obtained by the IHS in the course of research that includes treatment for as long as the research is in progress, provided that the individual has agreed to the denial of access when consenting to participate in research that includes treatment, and the IHS has informed the individual that the right of access will be reinstated upon completion of the research.
          4. The IHS may deny an individual's access to PHI that is contained in records that are subject to the Privacy Act if the denial of access under the Privacy Act would meet the requirements of that law.
          5. The IHS may deny an individual's access to PHI if the PHI was obtained from someone other than the IHS under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.
          6. The IHS may deny a request to access PHI because the IHS does not maintain the requested PHI.  However, if the IHS knows where it is maintained, the IHS shall inform the patient where the PHI is maintained and direct the request to that site.
       2. Reviewable Grounds for Denial.  The IHS may deny a patient access to PHI in the following circumstances, provided that the patient is given a right to have such denials reviewed pursuant to the procedures set forth in Section 2-7.4F(11)d below:
          1. A licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person.
          2. The PHI makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person.
          3. The request for access is made by the individual's personal representative, and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.
       3. Procedures to Follow in the Event of a Denial of Access.  If access is denied for any reason, the CEO or designee must use the following procedures:
          1. The CEO or designee must, to the extent possible, give the individual access to any PHI requested that is not subject to the denial decision.
          2. The CEO or designee must provide a timely denial, written in plain language that includes:
             1. The basis for the denial.
             2. If applicable, a statement of the individual's rights to request a review of the denial decision.
             3. A description of the facility's complaint procedures.
       4. Review of Denial Requested.  If an individual requests a review of a reviewable denial decision, then the facility must designate a licensed health care professional to act as a reviewing official, and promptly refer the request to him or her for review.  That official must not have participated in the facility's original decision to deny access.  The designated reviewing official must, within a reasonable period of time, determine whether or not to grant the individual the requested access, and the facility shall promptly provide the individual with written notice of such determination.  The individual may not request further review of any determination upholding the original denial.
7. Procedures for Access to Deceased Patient Records or Records of Non-U.S. Citizens not Lawfully Admitted for Permanent Residence.
   1. Exemption.  The medical records of certain patients are expressly exempted from coverage under the Privacy Act:  Namely, medical records of deceased patients, and medical records of patients who are neither U.S. citizens nor aliens lawfully admitted for permanent residence in the U.S.  The procedures for handling such requests are set forth in this section 2-7.4H for requests for access to the medical records of deceased patients by individuals who are not the deceased patient's personal representative.
   2. Written Request.  A patient (or the patient's legal representative) must submit a written request to the CEO or designee of the facility that maintains the PHI, specifying the records the individual would like notification of or access to.  (For IHS Areas that provide PRC directly through the IHS Area Office, references to the CEO should be considered references to the IHS Area Director's designee, as applicable.)
   3. Maintaining Copy of the Request.  All requests, designations, and correspondence relating to a patient's request for access should be maintained in the patient's medical record.
   4. Authorizing a Third-Party to Accompany Patient During a Meeting.  If the patient requests access to his or her record, and is accompanied by another individual, the patient must affirmatively authorize (orally or in writing) the presence of the other individual during any discussion of a record to which access is requested.
   5. Verifying Patient's Identity.  The identity of the individual requesting access to a patient's records shall be determined in accordance with the instructions contained in Section 2-7.24, "Verification of Identity Prior to Disclosure of PHI."
   6. Determining Whether an Individual is a Deceased Patient's Personal Representative.  If an individual is seeking access to the records of a deceased patient on the basis that they have the legal authority to act on behalf of the deceased patient or the deceased patient's estate, the IHS must first determine if the individual is the "personal representative" of the deceased patient as that term is defined in the HIPAA Privacy Rule, 45 CFR 164.502(g)(4).  In making this determination, the IHS should follow the procedures set forth in Section 2-7.25, "Use and Disclosure of PHI for Emancipated Minors and Adults with Personal Representatives or Legal Guardians."  If the individual is deemed to be the patient's personal representative, the request for access shall be processed in accordance with the procedures set forth in Section 2-7.4F.  If the individual is deemed not to be the deceased patient's personal representative, the request shall be processed in accordance with the procedures set forth in Section 2-7.4H below.
   7. Time Period to Act on Request.  When a patient or the patient's personal representative makes a request to access, inspect, and obtain a written copy of their PHI, the CEO or (his or her) designee must act upon the request:
      1. within 30 days of receipt of the request if the information is maintained or accessible onsite, or
      2. within 60 days if it is not maintained or accessible on-site.
   8. Extension.  One 30-day extension is permitted to complete action on the written request.  A written statement signed by the CEO or designee describing the reason(s) for the delay and a date by which action on the request will be completed must be provided to the patient (or the patient's personal representative, if applicable) within the 30-day or 60-day time frame.
   9. Access Granted in Whole or in Part.  If direct access is granted, in whole or in part, the CEO or designee shall inform the patient in writing that they may inspect and/or obtain a copy of their PHI.
      1. The IHS is only required to produce the PHI once per request even if the record is maintained in more than one location or in more than one designated set of records.
      2. The IHS must provide the information in the requested form or format if it is readily available.  If it is not, the IHS must produce a readable hard copy in another form or format upon which both the patient and the IHS have agreed.
      3. Subject to the patient's agreement in advance, a summary or an explanation of the PHI may be provided in lieu of the underlying information, but the patient retains the right of access to both the summary and underlying information.
      4. Access must be provided at a mutually convenient time and place for inspection or copying.  If requested by the patient or their personal representative, the IHS shall copy and mail the PHI, but may impose a reasonable, cost based fee for copying and postage.  (See the fee schedule at 45 CFR 5b.13.)
      5. The IHS may provide access to the PHI in the form or format requested by the individual, if the facility where the record resides has the capability to produce it in the format requested, e.g., if an individual requests record in a compact disc (CD) format, it may be copied to a CD if the facility has the capability to do so.

         Note:  Requests to send information via e-mail shall not be honored at this time until the IHS develops policy and procedures for e-mail receipt and transmission of PHI.

      6. When a copy is provided, the date on which the copy is delivered must be entered in the patient's chart.
   10. Access Denied in-Whole or in-Part.  In some instances, a request for access, either by the patient or by their personal representative, will be denied.  Under the HIPAA Privacy Rule, certain denials are unreviewable, while others require the CEO or (his or her) designee to provide the patient (or personal representative) with the right to request review of the initial denial decision.  The grounds for denial that are unreviewable are set forth in section 2-7.4G(10)a below, while the grounds for reviewable denials are set forth in section 2-7.4G(10)b below.  All requests for access that are denied, whether in-whole or in-part and for any reason (unreviewable or reviewable denials) must be processed pursuant to the procedures set forth in Section 2-7.4G(10)c below.  Additionally, access denials must comply with the review procedures set forth in Section 2-7.4G(10)d below.
       1. Unreviewable Grounds for Denial.  The following grounds for denial of a request for access are unreviewable:
          1. The records requested are "psychotherapy notes."  See definitions in 2-7.21, "Maintenance, Use, and Disclosure of Psychotherapy Notes."
          2. If the information is compiled in reasonable anticipation of, or for use in, civil, criminal, or administrative actions or proceedings.

             Note:  This type of information should not be filed in the patient's medical record.  If the information is filed in the patient's medical record:  Contact the OGC.

          3. If the PHI is created or obtained by the IHS in the course of research that includes treatment for as long as the research is in progress, provided that the individual has agreed to the denial of access when consenting to participate in research that includes treatment, and the IHS has informed the individual that the right of access will be reinstated upon completion of the research.
          4. If the PHI is contained in records that are subject to the Privacy Act if the denial of access under the Privacy Act would meet the requirements of that law.
          5. If the PHI was obtained from someone other than the IHS under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.

             Note:  This type of information should not be filed in the patient's medical record.  Should such information be found in the patient's medical record, contact the OGC.

          6. If the IHS does not maintain the requested PHI.  However, if the IHS knows where it is maintained, the IHS shall inform the patient where the PHI is maintained and direct the request to that site.
       2. Reviewable Grounds for Denial.  The IHS may deny a patient access to PHI in the following circumstances, provided that the patient is given a right to have such denials reviewed pursuant to the procedures set forth in Section 2-7.4G(10)c below:
          1. A licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person.
          2. The PHI makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person.
          3. The request for access is made by the individual's personal representative, and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.
       3. Procedures to Follow in the Event of a Denial of Access.  If access is denied for any reason, the CEO or designee must use the following procedures:
          1. The CEO or designee must, to the extent possible, give the individual access to any PHI requested that is not subject to the denial decision.
          2. The CEO or designee must provide a timely, written denial, written in plain language that includes:
             1. The basis for the denial.
             2. If applicable, a statement of the individual's rights to request a review of the denial decision.
             3. A description of the facility's complaint procedures.
       4. Review of Denial Requested.  If the individual requests a review of a reviewable denial decision, then the facility must designate a licensed health care professional to act as a reviewing official, and promptly refer the request to him or her for review.
          1. The reviewing official must, within a reasonable period of time, determine whether or not to grant the individual the requested access, and the facilities CEO shall promptly provide the individual with a written notice of such determination.
          2. The reviewing official must not have participated in the facility's original decision to deny access.
          3. The individual may not request further review of any determination upholding the original denial.
8. Request for Access to Deceased Patient Records by Persons Who Are Not The Deceased Patient's Personal Representative.  A third-party (not the patient's personal representative) seeking access to a deceased patient's PHI must submit a written request to the IHS, specifying the records the individual would like notification of or access to.  The individual's request shall be treated by the IHS as FOIA request.  The IHS shall use the following procedures in processing such requests:
   1. Chief Executive Officer.  The CEO or his or her designee must, in accordance with IHS FOIA policies, immediately forward the request, along with a copy of the relevant medical records, to the Area FOIA Coordinator.
   2. Area Office FOIA Coordinator.  The Area Office FOIA Coordinator, in turn, shall immediately forward the request and relevant medical records to the IHS Headquarters FOIA office in Rockville, Maryland.  The Area Office FOIA Coordinator must maintain a log of all FOIA requests received from the Service Units.
   3. Indian Health Service Headquarters FOIA Staff.  Within 20 working days from the date a written request is received by the IHS HQ FOIA Coordinator, the IHS HQ FOIA Coordinator, shall respond to the request and notify the person making the request of the rights of such person to appeal any adverse determination.

2-7.5  PROCEDURE FOR MATTERS RELATED TO ACCOUNTING OF DISCLOSURES OF PHI

1. Purpose.  This section specifies the IHS policy and procedures for accounting of disclosures and for receiving and processing requests by patients.
2. Policy.  Unless a patient requests an accounting of disclosures for a shorter period of time, a patient has the right to request and receive (with certain exceptions) an accounting of disclosures of PHI about the patient made by the IHS, including disclosures to or by its "business associates," as defined at 45 CFR 160.103, in the 5 years prior to the date on which the accounting is requested or for the life of the record, whichever is longer.
3. Conditions of Disclosure Requirements under the Privacy Act.
   1. Disclosures that do not require an Accounting.
      1. Disclosure to HHS employees who maintain the record and who have a need for the record in the performance of their duties (this is also known as the Need to Know clause of the Privacy Act); including, but not limited to treatment, payment, or health care operations, or for disclosures to the Secretary, HHS, that are required in order to investigate or determine compliance with the Privacy Act and HIPAA Privacy Rule requirements.
      2. Disclosures required under the FOIA. Note: These disclosures are reported as Third Party Requests under Section 552 of this title.
      3. Disclosure to the patient.
      4. Disclosure pursuant to the patient's written authorization.
   2. Disclosures that require an Accounting.  All disclosures that require an accounting for a routine use as defined as disclosure of a record outside HHS, without the consent of the subject individual, for a purpose which is compatible with the purpose for which the record was collected, see the listing of Routine Uses following the Privacy Act disclosures that follow:
      1. To the Bureau of Census for purposes of planning or carrying out a census or survey or related activity pursuant to Title 13 U.S.C.
      2. To a recipient who has provided the Agency with advance written assurance that the record will be used solely as a statistical research or reporting record, and the record is to be transferred in a form that is not individually identifiable.
      3. To the National Archives and Records Administration (NARA) as a record which has sufficient historical or other value to warrant its continued preservation by the United States Government or for evaluation by the Archivist of the United States or designee to determine whether the record has such value.
      4. To another government agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity if the activity is authorized by law, and if the head of such government agency or instrumentality has submitted a written request to the Agency (i.e., IHS which maintains the record) specifying the particular portion of the record desired and the law enforcement activity for which the record is sought.
      5. To an individual pursuant to a showing of compelling circumstances affecting the health and safety of any individual if a notice of the disclosure is transmitted to the last known address of the subject individual.
      6. To either House of Congress or to the extent of matter within its jurisdiction, any committee or subcommittee thereof, any joint committee of Congress or subcommittee of any such joint committee.
      7. To the Comptroller General or any of (his or her) authorized representatives, in the course of the performance of the duties of the General Accounting Office.
      8. Pursuant to the order of a court of competent jurisdiction.
4. Other Disclosures That Require an Accounting under the IHS Privacy Act System of Records Notice 09-17-0001, Medical, Health, and Billing Records - Routine Uses Disclosures.
   1. Health Care Providers.  Records may be disclosed to Federal and non-Federal (public or private) health care providers that provide health care services to IHS individuals for purposes of planning for or providing such services, or reporting results of medical examination and treatment.
   2. Government Authorized Organizations.  Records may be disclosed to Federal, State, local or other authorized organizations that provide third-party reimbursement or fiscal intermediary functions for the purposes of billing or collecting third-party reimbursements.  Relevant records may be disclosed to debt collection agencies under a business associate agreement arrangement directly or through a third-party.
   3. State Agencies.  Records may be disclosed to State agencies or other entities acting pursuant to a contract with Centers for Medicare and Medicaid Services (CMS), for fraud and abuse control efforts, to the extent required by law or under an agreement between IHS and respective State Medicaid agency or other entities.
   4. Schools.  Records may be disclosed to school health care programs that serve American Indian/Alaska Native (AI/AN) for the purpose of student health maintenance.
   5. Bureau of Indian Affairs.  Records may be disclosed to the BIA, Bureau of Indian Education (BIE) or their contractors under an agreement between IHS and the BIA and/or BIE relating to disabled AI/AN children for the purposes of carrying out its functions under the Individuals with Disabilities Education Act, 20 U.S.C. 1400, et seq.
   6. Qualified Organizations.  Records may be disclosed to organizations deemed qualified by the Secretary, HHS, and under a business associate agreement to carry out quality assessment, quality improvement, medical audits, utilization review or to provide accreditation or certification of health care facilities or programs.
   7. Business Associate Agreement or Authorized Organizations.  Records may be disclosed under a business associate agreement to individuals or authorized organizations sponsored by IHS, such as the National Indian Women's Resource Center, to conduct analytical and evaluation studies.
   8. Congressional Inquiry.  Disclosure may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.  The IHS-810 form, "Authorization for Use or Disclosure of Protected Health Information," is required for the disclosure of sensitive PHI (e.g., alcohol/drug abuse patient information, Human Immunodeficiency Virus/Acquired Immune Deficiency Syndrome (HIV/AIDS), Sexually Transmitted Disease (STD), or mental health) that is maintained in the medical record.
   9. Research Purposes.  Records may be disclosed for research purposes to the extent permitted by:
      1. Determining that the use(s) or disclosure(s) are met under 45 CFR 164.512(I).
      2. Determining that the use(s) or disclosure(s) are met under 45 CFR 164.514(a) through (c) for de-identified PHI and 5 U.S.C. 552a(b)(5).
      3. Determining that the requirements of 45 CFR 164.514(e) for limited data sets and 5 U.S.C.552a(b)(5) are met.
   10. Records.  Information from records, including but not limited to information concerning the commission of crimes, suspected cases of abuse (including child, elder and sexual abuse), the reporting of neglect, sexual assault or domestic violence, births, deaths, alcohol or drug abuse, immunization, cancer, or the occurrence of communicable diseases, may be disclosed to public health authorities, epidemiology centers established and funded under 25 U.S.C. 1621m, and other appropriate government authorities which are authorized by applicable Federal, State, Tribal or local law or regulations to receive such information.

       Note:  In Federally conducted or assisted alcohol or drug abuse programs, under 42 CFR Part 2, disclosure of patient information for purposes of criminal investigations must be authorized by court order issued under 42 CFR 2.65, except that reports of suspected child abuse may be made to the appropriate State or local authorities under State law.

   11. Federal, State, or Tribal Agencies.  Information may be disclosed from these records regarding suspected cases of child abuse to:
       1. Federal, State, or Tribal agencies that need to know the information in the performance of their duties.
       2. Members of community child protection teams for the purposes of investigating reports of suspected child abuse, establishing a diagnosis, formulating or monitoring a treatment plan, and making recommendations to the appropriate court.
          1. Community child protection teams are comprised of representatives of Tribes, the BIA, child protection service agencies, the judicial system, law enforcement agencies, and the IHS.
   12. Administrative Claims.  The IHS may disclose information from these records in litigations and/or proceedings related to an administrative claim when:
       1. The IHS has determined that the use of such records is relevant and necessary to the litigation and/or proceedings related to an administrative claim and would help in the effective representation of the affected party listed in subsection "(i)" through "(iv)" below, and that such disclosure is compatible with the purpose for which the records were collected.  Such disclosure may be made to the HHS OGC, and/or DOJ, pursuant to an agreement between IHS and OGC, when any of the following is a party to litigation and/or proceedings related to an administrative claim or has an interest in the litigation and/or proceedings related to an administrative claim:
          1. The HHS or any component thereof.
          2. Any HHS employee in his or her official capacity.
          3. Any HHS employee in his or her individual capacity where the DOJ (or HHS, where it is authorized to do so) has agreed to represent the employee.
          4. The United States or any Agency thereof (other than HHS) where the HHS OGC has determined that the litigation and/or proceedings related to an administrative claim is likely to affect HHS or any of its components.
       2. In the litigation and/or proceedings related to an administrative claim described in subsection (a) above, information from these records may be disclosed to a court or other tribunal, or to another party before such tribunal in response to an order of a court or administrative tribunal, provided that the covered entity discloses only the information expressly authorized by such order.
   13. Business Associate or Contractor.  Records may be disclosed under a business associate agreement to an IHS contractor (including a Health Information Exchange, Regional Health Information Organization, or E-prescribing Gateway) for the purpose of computerized data entry, medical transcription, duplication services, maintenance of records, data formatting services or for any other agency function or activity involving the use or disclosure of records contained in this system.
   14. Personal Service Contracts or Agreements.  Records may be disclosed under a personal services contract or other agreement to student volunteers, individuals working for the IHS, and other individuals performing functions for the IHS who do not technically have the status of Agency employees, if they need the records in the performance of their agency functions.
   15. Unemancipated Minor's Parent or Legal Guardian.  Records regarding specific medical services provided to a unemancipated minor individual may be disclosed to the unemancipated minor's parent or legal guardian who previously consented to those specific medical services, to the extent permitted under 45 CFR 164.502(g).
   16. Incompetent Individual's Representative.  Records may be disclosed to an individual having authority to act on behalf of an incompetent individual concerning health care decisions, to the extent permitted under 45 CFR 164.502(g).
   17. Visitation.  Information may be used or disclosed from an IHS facility directory in response to an inquiry about a named individual from a member of the general public to establish the individual's presence (and location when needed for visitation purposes) or to report the individual's condition while hospitalized (e.g., satisfactory or stable), unless the individual objects to disclosure of this information.  The IHS may provide the religious affiliation only to members of the clergy.
   18. Individuals.
       1. Information may be disclosed to a relative, a close personal friend, or any other person identified by the individual that is directly relevant to that person's involvement with the individual's care or payment for health care.
       2. Information may also be used or disclosed in order to notify a family member, personal representative, or other person responsible for the individual's care, of the individual's location, general condition, or death.
       3. Information may also be used or disclosed if the individual is present for or otherwise available prior to, a use or disclosure, and is competent to make health care decisions:
          1. May use or disclose information only after the individual's consent is obtained.
          2. May use or disclose information only after the individual is provided with the opportunity to object and the individual does not object.
          3. May use or disclose information only if it could be reasonably inferred, based on professional judgment, that the individual does not object.
          4. If the individual is not present or the opportunity to agree or object cannot practicably be provided due to incapacity or emergent circumstances:  Information may be used or disclosed only if an IHS health care provider may determine, based on his or her professional judgment, whether disclosure is in the individual's best interest, and if so, the health care provider may disclose only what is directly relevant to the individual's health care.
   19. Exposure.  Information concerning exposure to the HIV/AIDS may be disclosed, to the extent authorized by Federal, State or Tribal law, to the sexual and/or needle-sharing partner(s) of a subject individual who is infected with HIV/AIDS under the following circumstances:
       1. The information has been obtained in the course of clinical activities at IHS facilities;
       2. the IHS has made reasonable efforts to counsel and encourage the subject individual to provide information to the individual's sexual or needle-sharing partner(s);
       3. the IHS determines that the subject individual is unlikely to provide the information to the sexual or needle-sharing partner(s) or that the provision of such information cannot reasonably be verified.
       4. the notification of the partner(s) is made, whenever possible, by the subject individual's physician or by a professional counselor and shall follow standard counseling practices; and
       5. the IHS has advised the partner(s) to whom information is disclosed that they shall not re-disclose or use such information for a purpose other than that for which the disclosure was made.
   20. Protection and Advocacy Organizations.  Records may be disclosed to Federal and non-Federal protection and advocacy organizations that serve AI/AN for the purpose of investigating incidents of abuse and neglect of individuals with developmental disabilities (including mental disabilities), as defined in 42 U.S.C. 10801-10805(a)(4) and 42 CFR 51.41-46, to the extent that such disclosure is authorized by law and the conditions of 45 CFR 1386.22(a)(2) are met.
   21. Correctional Institution or Law Enforcement Official.  Records of an individual may be disclosed to a correctional institution or law enforcement official, during the period of time the individual is either an inmate or is otherwise in lawful custody, for the provision of health care to the individual or for health and safety purposes.  Disclosure may be made upon the representation of either the institution or a law enforcement official that disclosure is necessary for the provision of health care to the individual, for the health and safety of the individual and others (e.g., other inmates, employees of the correctional facility, transport officers), and for facility administration and operations.  This routine use applies only for as long as the individual remains in lawful custody, and does not apply once the individual is released on parole or placed on either probation or on supervised release, or is otherwise no longer in lawful custody.
   22. Social Security Administration.  Records including patient name, date of birth, Social Security Number (SSN), gender, and other identifying information may be disclosed to the Social Security Administration (SSA) as is reasonably necessary for the purpose of conducting an electronic validation of the SSN(s) maintained in the record to the extent required under an agreement between the IHS and the SSA.
   23. Funeral Directors.  Disclosure of relevant health care information may be made to funeral directors or representatives of funeral homes in order to allow them to make necessary arrangements prior to and in anticipation of an individual's impending death.
   24. Disaster Relief Organizations.  Records may be disclosed to a public or private covered entity that is authorized by law or charter to assist in disaster relief efforts (e.g., the Red Cross and the Federal Emergency Management Administration), for purposes of coordinating information with other similar entities concerning an individual's health care, payment for health care, notification of the individual's whereabouts and his or her health status or death.
   25. Breach of Security.  Records may be disclosed to appropriate Federal agencies and Department contractors that have a need to know the information for the purpose of assisting the Department's efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, and the information disclosed is relevant and necessary for that assistance.
   26. Registries.  Records may be disclosed to a State Health Department for data sharing, i.e., for use in immunization or other registries, as requested, after it is ascertained that the registry fulfills the cited criteria for Routine Uses No. 1 (See 2-7.5D(1)) and/or Routine Uses No. 10 (See 2-7.5D(10)).  The data may only be reported to the organization or Agency listed in the statute or regulation.  The IHS requires all registries to identify its legal authority for collecting information.  Some registries may not be able to fulfill required Routine Use No. 1 criteria and may only report the results of medical examinations.  If so, the IHS may disclose medical examination results information in accordance with Routine Use No. 10.  When applying Routine Use No. 10 criteria to disclose certain information the IHS must determine that a Federal, State, Tribal, or local statute or regulation mandates the IHS facility to report the data.

       Summarizing this process, the IHS may disclose records to the registries that meet Routine Use No. 1 criteria and/or Routine Use No.10 criteria.  If the above criteria to disclose the records are not met; then the IHS must obtain the patient's written consent on the IHS 810 form, "Authorization for Use or Disclosure of Protected Health Information."

       Any disclosures that are made pursuant to a Routine Use (listed above) are discretionary, not mandatory.  Accordingly, the decision to share IHS patient data with the requesting organization's registry is made at the discretion of the appropriate Privacy Act System Manager:

       1. Area Office level:  Area Director or his or her designee.
       2. Service Unit level:  Chief Executive Officer or his or her designee.
5. How to Make an Accounting of Disclosures.
   1. Recording Methods.  Disclosures of PHI that are subject to an accounting must be recorded on IHS-505 form "Disclosure Accounting Record" or electronically, utilizing the Release of Information (ROI) software application of the RPMS.
   2. Writing or Recorded in the ROI.  Each accounting must be in writing or recorded in the ROI, include disclosures to and by IHS contractors (business associates), and include for each disclosure:
      1. date of the disclosure;
      2. name and address of the person or organization receiving the PHI;
      3. a brief description of the PHI disclosed, e.g., immunization record, labs, X-ray;
      4. a brief statement of the purpose of the disclosure (or include a copy of the written request for disclosure, if appropriate); and
      5. accountings of oral disclosures of PHI should also include the name, signature and title of staff that made the oral disclosure.
   3. Multiple Disclosures.  If, during the period covered by the accounting, the IHS has made multiple disclosures of PHI to the same patient or entity for a single purpose, the accounting may be documented on the first disclosure, the frequency or number of disclosures made during the accounting period and the date of the last disclosure during the accounting period.
   4. Responding to Patient Requests for an Accounting of Disclosures.
      1. A request for an accounting of disclosures must be in writing and must be made on the IHS-913 form, "Request for an Accounting of Disclosures."  The IHS-913 form must be submitted to the responsible Health Information Management Department for receiving and processing such requests.  The IHS 913 form is available at:

         (For Public and Federal access) https://www.ihs.gov/forpatients/patientforms/

         (For IHS staff only) https://intranet.hhs.gov/sites/default/files/s3fs-public/s3fs-public/2020-09/ihs-913.pdfExit Disclaimer: You Are Leaving www.ihs.gov 

      2. When a patient requests an accounting of disclosures, the patient must present valid identification unless the patient is personally known to the employee responding to the patient request. Guidance on identification procedures is found in Section 2-7.24, "Procedure for Verification of Identity Prior to Disclosure of PHI."
      3. The IHS must act on the request no later than 60 days after receipt of the request, and may extend this time for an additional 30 days, so long as it informs the patient in writing of the reason(s) for the delay and the date by which the patient can expect the accounting.  The explanation sent to the patient must be retained in the patient's medical record.
   5. Temporary Suspensions of a Patient's Right to Receive an Accounting of Disclosures to Health Oversight Agencies or Law Enforcement Officials.
      1. A health oversight agency or a law enforcement official may submit a written statement to request the IHS to suspend a patient's right to receive an accounting of disclosures to such health oversight agency or law enforcement official.  The written statement must specify:
         1. the reason that an accounting to the patient would be likely to impede the Agency's activities.
         2. the time for which such a suspension is required.
      2. If the IHS agrees to suspend a patient's right to receive an accounting of disclosures:
         1. During the period of suspension, any disclosures to such health oversight agency or law enforcement official requiring an accounting must still be recorded.
         2. At the end of the suspension of access, a patient's right to receive a complete accounting is reinstated.
      3. A health oversight agency or a law enforcement official may request a temporary suspension orally.  If the request is made orally, the IHS must:
         1. Document the identity of the agency or official who made the request.
         2. Exclude the disclosure(s) for no longer than 30 days from the date of the request, unless a written request is provided during that time.
      4. If the Agency or official provides a written request that meets the requirements of E(5) above, the IHS must temporarily suspend the patient's right to an accounting for the time period specified in the written request.

2-7.6  PROCEDURE FOR THE TRANSMITTAL OF CONFIDENTIAL COMMUNICATION BY ALTERNATE MEANS OR TO AN
          ALTERNATE LOCATION

1. Purpose.  This section to specify IHS policy and procedures for allowing patients to request the transmission of PHI by alternate means or to an alternate location.
2. Policy.  An individual has the right to request the transmission of PHI by alternate means or to an alternate location if the individual makes a written request and the request is reasonable.
3. Definitions.
   1. Alternate Means.  Alternate means are methods of sending confidential communications that are different from the usual methods (regular mail and facsimile).
   2. Alternate Location.  Alternate location means an address different from that listed as the mailing address in the IHS record.  For example, the patient can ask to be contacted at work, instead of at home, or vice versa.
   3. Confidential Communications.  Confidential communications means transmission of a patient's PHI from the IHS.
4. Procedures.  When a patient requests transmission of PHI by alternate means or to an alternate location:
   1. All requests for confidential communications to be sent by alternate means or to an alternate location shall be in writing and must describe the alternate means or the alternate location.
   2. The CEO or (his or her) designee will approve or disapprove all requests.  (For Areas that provide PRC directly through the Area Office, all references to the CEO are considered references to the Area Director or his or her designee, as applicable.)  Whenever possible, the decision will be given to the patient prior to the patient leaving the facility.  The CEO or (his or her) designee will approve the request if it is reasonable.
   3. Submit a written request to ensure appropriate documentation.
5. Written Request.  The requests will be filed or documented in the medical record after the patient has been notified of the decision.  The IHS 963 form is available at:

   (For Public and Federal access) https://www.ihs.gov/forpatients/patientforms/

   (For IHS staff only) https://intranet.hhs.gov/sites/default/files/s3fs-public/s3fs-public/2019-05/ihs963.pdf

2-7.7  PROCEDURE FOR THE USE OR DISCLOSURE OF HEALTH INFORMATION PURSUANT TO AUTHORIZATION OR VALID WRITTEN REQUEST

1. Purpose.  This section specifies IHS policy and procedures for disclosing PHI pursuant to the patient's authorization or a valid written request in accordance with the Privacy Act of 1974, as amended, 5 U.S.C. § 552a; HIPAA Privacy Rule, 45 CFR Parts 160 and 164; Confidentiality of Alcohol and Drug Abuse Patient Records, 42 CFR Part 2; Confidentiality of Mental Health Records, 42 CFR Part 51; and the Freedom of Information Act, 5 U.S.C. § 552.
2. Policy.  It is IHS policy that an IHS-810 form or a valid written request for use and disclosure of PHI from the patient must be honored.
   1. The patient must complete and sign an IHS-810 form, "Authorization for Use or Disclosure of Protected Health Information," prior to disclosing health information for any purpose.

      The form IHS 810 is available at:  (For Public and Federal access) https://www.ihs.gov/forpatients/patientforms/

      (For IHS staff only)  https://intranet.hhs.gov/sites/default/files/s3fs-public/s3fs-public/2020-09/ihs-810.pdfExit Disclaimer: You Are Leaving www.ihs.gov 

   2. Authorization for use and disclosure of PHI is not required to be completed for disclosures for which authorization is not required (e.g. routine uses).
3. Procedures.  The following procedures will be used when patients authorize disclosures of PHI and will govern how the disclosure of PHI will be accomplished for valid authorizations or written requests received by the IHS. Adherence to the following procedures is required.
   1. Only authorizations with valid signatures will be processed by the Health Information Management Department.
   2. An individual may authorize a release of PHI by completing and signing the authorization IHS 810 form.
   3. Blanket authorization (no specified individual or organization or for a time period which exceeds one year) or duplicated authorizations will not be honored.
   4. The authorization will terminate one year from the date of signature unless the patient specifies a different expiration date or expiration event.
   5. A written request (other than the IHS 810 form) must identify the individual and description of the information desired, such as date of visit or diagnosis/condition. The request must contain the name and address of the requester, date of birth, signature, and date.
   6. If the authorization or written request does not contain sufficient information that identifies the patient or description of the information requested, the requestor may be contacted for additional specific information in order to process the request.
   7. Any additional information received will be documented, dated, and initialed on the original authorization or the written request.
   8. The identity or authority of the individual requesting PHI must be verified, prior to disclosure of such PHI.  (See Section 2-7.24, "Procedure for Verification of Identify Prior to Disclosure of PHI.")
   9. If the authorization is signed by a personal representative of the patient, a description of such representative (e.g., legal guardian, parent, etc.) authorized to act for the patient should be documented.  A copy of the legal document must be filed into the patient's medical record.
   10. A copy of the signed authorization, IHS 810 form, shall be provided to the individual and the signed authorization or valid written request must be filed in the patient's medical record.
   11. Information disclosed shall be accompanied by the following redisclosure statement:

       "This information, except for Alcohol and Drug Abuse Patient Records as defined in 42 Code of Federal Regulations, Part 2, may be subject to redisclosure by the recipient and may no longer be protected by the "Health Insurance Portability and Accountability Act Privacy Rule of 1996 and the Privacy Act of 1974, as amended."

   12. Information disclosed by a designated alcohol/substance abuse facility must be accompanied by the following statement:

       "This information has been disclosed to you from records protected by Federal confidentiality regulations (42 CFR Part 2).  Federal regulations prohibit you from making any further disclosure of it without the specific written consent of the person to whom it pertains, or as otherwise permitted by 42 CFR Part 2.  A general authorization for the release of medical or other information is NOT sufficient for this purpose.  Federal rules restrict any use of the information to criminally investigate or prosecute any alcohol or drug abuse patient."

2-7.8  PROCEDURE FOR REQUESTS FOR CORRECTION/AMENDMENT OF PHI

1. Policy.  Pursuant to the requirements set forth in the Privacy Act as amended, 5 U.S.C. § 552a and the HIPAA Privacy Rule, 45 CFR, Parts 160 and 164, every patient receiving healthcare services at an IHS facility has the right to request corrections or amendments to PHI contained in the IHS PASOR (IHS Medical, Health, and Billing Records System Number 09-17-0001) that was created or received by the IHS.
2. Request for Correction/Amendment of PHI.  A patient who believes their health information is inaccurate or incomplete may submit a request to the CEO or (his or her) designee for correction or amendment of the record in question.  (For Areas that provide PRC directly through the Area Office, all references to the CEO should be considered references to the Area Director's designee, as applicable.)
   1. The patient must complete the IHS-917 form, "Request for Correction/Amendment of Protected Health Information."  The IHS 917 form is available at: https://intranet.hhs.gov/sites/default/files/s3fs-public/s3fs-public/2020-09/ihs-917.pdfExit Disclaimer: You Are Leaving www.ihs.gov 

      (For Public and Federal access) https://www.ihs.gov/forpatients/patientforms/

   2. The CEO or designee receiving the written request will date the IHS-917 form and provide an acknowledgment of receipt of the IHS-917 form.  (See 2-7.9B for a model letter on acknowledgment of receipt.)
   3. The patient must receive a dated copy of the completed IHS-917 form as an acknowledgment of the receipt of the request within 10 working days.
   4. If a decision on the request for correction or amendment can be made within 10 working days of the IHS' receipt of the request, the IHS will notify the patient of the receipt of the patient's correction or amendment request and its decision within that 10 day period.
   5. The CEO or (his or her) designee in consultation with the appropriate staff member will review the request for correction or amendment and will inform the patient in writing within 60 days after receipt of the request, of approval or denial of the request for correction or amendment. The IHS may extend the time frame one time only for no more than 30 days if it informs the patient in writing using one of the reasons for the delay and the date by which the IHS will act on the request. Approvals shall be processed in accordance with the procedures set forth in Section C below.  Denials shall be processed in accordance with the procedures set forth in Sections D and E that follows.
   6. The IHS-917 form will be filed at the site of the contested entry in the individual's medical record and maintained for the life of the record.
3. Approval of Request for Correction or Amendment of PHI.
   1. Approved Correction - Paper Record.  If the request for correction is approved, the health information will be corrected as follows in the paper record:
      1. No erasure or other obliteration shall be made.
      2. Incorrect data shall be lined out with a single line.
      3. The date of correction, the signature of the person making the correction, the corrected information, and the reason for the correction shall be added.
      4. The above is also required for preservation of the health record to meet retention guidelines.
   2. Approved Correction - Electronic Record.  If the request for correction is approved, the health information will be corrected as follows in the electronic health record:
      1. Select the "Amend" action while viewing the note in Test Integration Utility (TIU).
      2. Enter your signature code.
      3. The text editor will open to make edits.
      4. The original note will be retracted and the new note will have a status of Amended.
   3. Approved Correction - Individual Agreement.  Subject to the patient's prior agreement, the IHS shall make reasonable efforts to inform and provide the corrected or amended information within a reasonable time:
      1. to persons or organizations that the IHS knows received the information in the past and who may have relied or may foreseeably rely on such information to the detriment of the patient;
      2. to those persons or organizations identified by the patient as having received the health information and needing the correction or amendment; and
      3. when such information is sent, it should be accompanied by a statement that reads, "This is a correction or amendment to the information that was previously sent on this date." (Note: IHS Form 917 will request/provide the dates).
   4. Documentation.  Disclosure of the corrected or amended health information will be documented in the RPMS ROI software application or on the IHS-505 form, "Disclosure Accounting Record."

      (For Public and Federal access)  https://www.ihs.gov/forpatients/patientforms/

      (For IHS staff only)  https://intranet.hhs.gov/sites/default/files/s3fs-public/s3fs-public/2019-05/ps505.pdfExit Disclaimer: You Are Leaving www.ihs.gov 

   5. Notification.  The patient will be notified in writing that the request for correction or amendment of the health information has been approved by using the Model Letter Approving Request for Correction or Amendment in 2-7.9A.
4. Denial of Correction or Amendment of PHI.  If the request for correction or amendment is denied, in whole or in part, the CEO or (his or her) designee will document the denial on the IHS-917 form and a copy of the form will be sent to the patient within the time period set forth in Section C above.  The original form will be filed in the patient's medical record.  The IHS will only deny a request for correction or amendment for the following reasons:
   1. The health information is not part of the patient's record.
   2. The IHS did not create the record.

      [However, this fact shall not form the basis of a denial if the patient provides a reasonable basis to believe that the originator of the PHI is no longer available to make the correction or amendment itself (for example, if the PHI received from a physician who is no longer in practice)].

   3. The record is not available to the patient for inspection under applicable Federal law.
   4. The record is accurate and complete.
   5. When the patient is notified of the denial of their request by utilizing the denial model letter in 2-7.9C, they will be notified of applicable appeal rights, as described below.
5. Appeal Rights.
   1. For Patients Who Are Not U.S. Citizens or Aliens Admitted for Permanent Residence.  If the patient is not a U.S. citizen or an alien admitted for permanent residence and the request for correction or amendment is denied, they may submit to the CEO or designee a written statement disagreeing with the denial and the basis of such disagreement within 30 days of the denial.  The law does not allow any further appeal.
      1. The IHS has the right to prepare a written rebuttal to any statement of disagreement and provide a copy of any rebuttal statement to the patient.
      2. If the patient has submitted a statement of disagreement, the IHS must include such statement or an accurate summary thereof with any subsequent disclosure of the health information to which the disagreement relates.
      3. If the patient has not submitted a written statement of disagreement, the IHS shall include the patient's request for correction or amendment and its denial, or any accurate summary of such information, with any subsequent disclosure of the health information only if the patient has requested such action.
   2. For Patients Who Are U.S. Citizens or Aliens Admitted for Permanent Residence.  If the patient is a U.S. citizen or an alien admitted for permanent residence, they may appeal the denial to amend the requested information to the Area Director within 30 days of the date of the denial.
      1. The Area Director must act on the appeal within 30 working days of the receipt of the patient's appeal, unless the Area Director extends the period for up to an additional 30 working days for good cause.  He or she will inform the patient in writing of any extension of the appeal period and the reason(s) for the delay.
      2. When an appeal is denied, the Area Director will inform the patient in writing of the reasons for the denial, and advise the patient of their rights to submit a written statement of disagreement and to seek judicial review of the denial.
      3. The patient may submit a statement of disagreement regardless of whether they elect to appeal.
      4. If the patient submits a written statement of disagreement, that statement, along with a statement of the Area Director's reasons for denying the appeal (if an appeal was filed) will be provided to previous recipients of the disputed record where an accounting of the previous disclosure was made.
6. Permanent Record.  Any written statement or statement of disagreement by the patient, any response by IHS, and any other document pertaining to the appeal will become part of the patient's permanent record.
7. Complaints.  If the patient has a complaint about the IHS policies and procedures regarding health information, he or she may file a complaint with either:
   1. The CEO or (his or her) designee. ___________________________________
      (Insert the Service Unit address, CEO name, Title, and Telephone # here.)

      or

   2. The Secretary, HHS, Washington D.C., 20201.

2-7.9  MODEL LETTERS

---

Thank you.

1. Model Letter Approving Request for Correction or Amendment. Service Unit Letterhead and Address

   Date:

   Jane Doe
   1234 Main Street
   Main, AZ 12341

   Dear Ms. Doe,

   After reviewing your letter requesting correction or amendment of your health information, I am pleased to inform you that your requested correction or amendment has been approved.  Your record now reflects the correction or amendment requested.

   Thank you for allowing us to continue to serve you.

        Signature of CEO or designee
2. Model Letter of Acknowledgment of Receipt of Request for Correction or Amendment.

   Service Unit Letterhead and Address

   Date:

   Jane Doe
   1234 Main Street
   Main, AZ  12341

   Dear Ms. Doe,

   This is to acknowledge receipt of your request for correction or amendment of your health information.

   1. Your request is being reviewed and a decision will be made and sent to you within 60 days from the date of this letter.
   2. We are currently unable to make a decision on your request for correction or amendment of your health information within 60 days for the following reason(s): [INSERT REASON(S)] therefore, we are extending this period up to an additional 30 days.
   3. The record requested is maintained by another government agency; therefore, your request has been forwarded to the agency responsible for your request.  Please contact the agency at the address below for all future inquiries regarding this request:

      (Insert name and address of the Agency)

3. __________________________________________
   Signature of CEO or (his or her) designee

   ---

4. Model Letter Denying Request for Correction or Amendment Service Unit Letterhead and Address.

   Dear Ms. Doe,

   After reviewing your request for the correction or amendment of your health information, I regret to inform you that your request is denied for the reason(s) specified below:

   1.  Your information is not part of the record.
   2.  The Indian Health Service (IHS) did not create the record.
   3.  Your record is not available for inspection under applicable Federal law.
   4.  Your record is accurate and complete.

   Since your request is denied, you may do the following:

   1. If you are a United States citizen or alien lawfully admitted for permanent resident, you may submit to the Area Director a written statement disagreeing with the denial and the reason of such disagreement within 30 days of the denial.  The IHS has the right to prepare a written rebuttal to any statement of disagreement.  You will be provided a copy of any rebuttal statement.
   2. If you do not submit a statement of disagreement, you may request in writing that the IHS provide this request for correction or amendment (or summary) and the denial with any future disclosures.
   3. If you are not a U.S. citizen or an alien lawfully admitted to permanent residence, you may do the following:
      1. Submit to the Service Unit Chief Executive Officer (CEO) a one page written statement disagreeing with the denial and the basis of such disagreement;
      2. If you do not submit a statement of disagreement, you may request that the IHS provide this request for correction or amendment (or summary) and the denial with any future disclosures;
      3. The IHS has the right to prepare a written rebuttal to any statement of disagreement. You will be provided a copy of any rebuttal statement. Any written rebuttal prepared by the IHS is not subject to correction or amendment.

If the IHS did not create the information and the originator (healthcare provider or facility) is no longer available to act on your correction or amendment and is the basis for this denial, you may submit to the CEO in writing, evidence of the originator's unavailability and request a supplemental review of the IHS decision.

If you are a United States citizen or an alien lawfully admitted for permanent residence, you may also appeal the denial to amend the requested information to the Area Director at the following address:

(Insert address of Area Director)

In the event your appeal is ultimately denied, or if you elect not to appeal, you may submit a statement of disagreement as described above. If you appeal and your appeal is denied, you may also seek judicial review of the denial.

If you have complaints about the IHS' policies and procedures regarding health information, you may file such complaint with the CEO or designee or with the Secretary, Department of Health and Human Services, Washington D.C., 20201.

(Insert address of Service Unit)

Thank you.

     Signature of CEO or (his or her) designee

---

2-7.10  PROCEDURE FOR DE-IDENTIFICATION OF PHI AND SUBSEQUENT RE-IDENTIFICATION

1. Purpose.  This section specifies IHS policy and procedures for determining when health information is not individually identifiable or for the de-identification of PHI, and for any subsequent re-identification.
2. Policy.  The IHS may determine when health information is not individually identifiable or when to de-identify PHI for disclosures other than healthcare purposes in accordance with the HIPAA Privacy Rule, 45 CFR Parts 160 and 164.  The IHS may also determine when it is necessary to re-identify previously de-identified PHI and must comply with the terms of this policy to adequately de-identify PHI and to ensure proper re-identification of PHI.
3. Definitions.
   1. De-identification.  De-identification is the process by which PHI is rendered individually unidentifiable through the removal of such identifiers described in section D below or through a determination based upon statistical and scientific methods.
   2. Re-identification.  Re-identification is the process of assigning a code or other means of record identification in order to allow de-identified PHI to be retrieved or identified by the IHS but still maintaining the anonymity of the patient(s) described in section D that follows.
4. De-identification Procedures.  The following procedures shall be used to de-identify PHI or to determine when health information is not individually identifiable.  The determination of whether health information is individually identifiable or whether PHI may be de-identified will occur when there is no "need to know" the identity of the patient.  This determination will be made on a case-by-case basis depending on the nature of the request.  An example may be a situation related to research where there is no "need to know" the identity of the patient.  The IHS may determine that health information is not individually identifiable in the following two ways:
   1. If a HIM professional or health care professional de-identifies patient records (including electronic records) containing PHI, the de-identification is accomplished by removing the following identifiers of the patient or of the patient's relatives, employers, or household members:
      1. names;
      2. all elements of a street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code for areas that contain over 20,000 people;
      3. all elements of dates (except year) for dates directly related to the patient, (e.g., birth date, admission/discharge dates, date of death);
      4. all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
      5. telephone numbers;
      6. fax numbers;
      7. e-mail address(es);
      8. social security numbers;
      9. medical record numbers;
      10. health plan beneficiary numbers;
      11. account numbers;
      12. certificate/license numbers;
      13. license plate numbers, vehicle identifiers, and serial numbers;
      14. device identifiers and serial numbers;
      15. Uniform Resource Locator (URL) address(es);
      16. Internet Protocol (IP) addresses numbers;
      17. biometric identifiers, including finger, and voice prints;
      18. full-face photographic images and comparable images; and
      19. any other unique identifying number except as created by the IHS to re-identify the information.  This determination also requires that the IHS does NOT have actual knowledge that the remaining information could be used alone or in combination with other information to identify the patient.
   2. If a person with knowledge and experience of generally accepted statistical and scientific methods for rendering information not individually identifiable, designated by the CEO or (his or her) designee (or through a business associate agreement or contract), applies such methods and determines that the risk is very small that the information could be used alone, or in combination with other available information, by an anticipated recipient of such information to identify the patient.  This designated person with knowledge and experience of statistical and scientific methods must document the methods and results of the analysis that justify the determination.
      1. De-identification will be performed at the origin of the data, or, in the case of the determination made by the designated person named in Section D(1)a above, where such person is located, as appropriate.
      2. Hard copy PHI will be de-identified by obliterating (making unreadable and unrecognizable) the individual identifier(s).
      3. The original(s) should not be modified.
5. Re-identification.  The following procedures will be used to re-identify previously de-identified PHI:
   1. The IHS may assign a code or other means of record identification to allow de-identified information to be re-identified by the IHS, provided that:
      1. such code is not derived from or related to information about the patient (e.g., code is not derived from the patient's name, SSN, medical record number, etc., as defined in 45 CFR 164.514(b));
      2. such code is not capable of being used to identify the patient;
      3. the IHS does not use or disclose the code for any other purpose; and
      4. the IHS does not disclose the mechanism for re-identification (tables, algorithms, etc.) that could be used to link the code with the patient.
   2. The IHS must ensure that the re-identification code does not constitute a "unique, identifying number, characteristic, or code."

2-7.11  PROCEDURE FOR USE AND DISCLOSURE OF PHI FOR DIRECTORY PURPOSES

1. Policy.  It is IHS policy that:
   1. An IHS facility may maintain a directory of inpatients and disclose limited PHI from that directory without the individual's written authorization, provided the individual was informed of the intended use or disclosure in advance and had the opportunity to agree to or prohibit or restrict the use or disclosure.
   2. The PHI that may be disclosed from a directory is limited to the individual's name, the individual's location in the facility, and the individual's condition (e.g., stable), described in general terms that do not communicate specific information.  An individual's religious affiliation may be disclosed only to clergy, if the patient has not objected to such disclosure.
2. Procedures.  The following procedures shall be utilized for disclosing information for directory purposes:
   1. Any restriction(s) on the use or disclosure of an individual's PHI will be noted on the IHS 912-1 form, "Request for Restriction(s)," and such information will not be disclosed from the facility's directory of patients.  https://intranet.hhs.gov/sites/default/files/s3fs-public/s3fs-public/2020-09/ihs-912-1.pdf Exit Disclaimer: You Are Leaving www.ihs.gov 
   2. If there are no stated restrictions to the release of an individual's PHI, the facility may disclose the individual's name, location within the facility, and condition in general terms upon request, by name of individual.  Religious affiliation may be disclosed to clergy who request such information, but clergy need not ask by patient's name.
   3. If the individual is incapacitated or in emergency treatment and does not have the opportunity to restrict or prohibit some or all of the uses or disclosures, the facility may disclose some or all of the directory information if such disclosure is consistent with any previously stated preferences.  Any disclosure of directory information about an individual who has not had an opportunity to agree or object to the use or disclosure must be in the individual's best interest.  The IHS facility must provide the individual with an opportunity to agree or object to any releases of his or her directory information as soon as the individual resumes making decisions.

2-7.12  PROCEDURE FOR THE USE AND DISCLOSURE OF PHI DURING A DISASTER AND FOR DISASTER RELIEF PURPOSES

1. Policy.  The IHS may use or disclose PHI during a disaster and disaster relief to government agencies (Federal, State, local, or Tribe) engaged in disaster relief activities, as well as to private disaster relief or disaster assistance organizations (e.g., Red Cross and Salvation Army) authorized by law or by its charter to assist in disaster relief efforts, for the purposes of coordinating such efforts to allow them to carry out their responsibilities.
2. Disaster.  A disaster is any event that overwhelms normal medical capability of the local facility and/or the community that triggers mass casualty medical readiness of the facility.  A disaster may be declared by the facility leadership or by the Federal, State, local, or Tribal government.
3. Notification.  The IHS may use and disclose PHI for the purpose of notification (or assisting in the notification, identification, or location) of a family member, personal representative of the patient, or another person responsible for the care of the patient, of the patient's location, general condition, or death.
4. Uses and Disclosures when the Patient is Present.  The PHI may be released if the patient is present and/or available and can make health care decisions, if the IHS:
   1. obtains the patient's agreement;
   2. provides the patient the opportunity to object to the disclosure, and the patient does not express an objection; or
   3. reasonably infers from the circumstances, based upon the exercise of professional judgment that the patient does not object to the disclosure.
5. Limited Uses and Disclosures when the Patient is not Present.  When the patient is not present or when the opportunity to agree or object is not possible or practicable due to the patient's incapacity or emergency condition, an IHS provider, using their professional judgment, may determine that the use or disclosure is in the best interests of the patient, and only use or disclose PHI that is directly relevant to the government agency's or disaster relief organization's involvement with the patient's health care.
6. Compliance.  The IHS must comply with the requirements of Section 12B and 12C, above, to the extent that it determines that the requirements do not interfere with the ability to respond to the emergency circumstance.
   1. Verification Procedure for Verification of Identity Prior to Disclosure of PHI.  The verification procedure for verification of identity should be completed prior to disclosing PHI.  (See Section 2-7.24, "Procedure for Verification of Identity Prior to Disclosure of PHI.")
   2. Disclosures for Disaster Relief.  Disclosures for disaster relief should be documented electronically in the RPMS ROI software application or on the IHS-505 form, "Disclosure Accounting Record."  https://intranet.hhs.gov/sites/default/files/s3fs-public/s3fs-public/2019-05/ps505.pdfExit Disclaimer: You Are Leaving www.ihs.gov 

   (See Section 2-7.5, "Procedure for Matters Related to Accounting of Disclosures of Protected Health Information.")

2-7.13  PROCEDURE FOR SENDING AND RECEIVING PHI BY FACSIMILE

1. Purpose.  This section outlines the procedures which will best safeguard the information and transmitting PHI by facsimile (FAX).  Due to the complex and distinct issues related to computer based electronic transmission of PHI, this section is not intended to address the safeguards necessary to ensure the confidentiality of that particular form of PHI transmission.
2. Policy.  It is the policy of the IHS to ensure that PHI sent or received by IHS employees are handled in a manner that protects against unauthorized disclosure of such PHI to third parties.
3. Definitions.
   1. Medical Record.  Medical record of a patient's medical information (as medical history, care or treatments received, test results, diagnoses, and medications taken).
   2. Medical Record Categories.  As found in the IHS PASOR, Medical, Health, and Billing Records, 09 17 0001, 75 Federal Register 1625-1632 (January 12, 2010).
      1. Records relating to claims by and against the HHS are maintained in the PASOR.
      2. Health and medical records containing examination, diagnostic and treatment data, proof of IHS eligibility, social data (such as, name, address, date of birth, SSN, Tribe), laboratory test results, and dental, social service, domestic violence, sexual abuse, and/or assault, mental health, and nursing information.,/li>
      3. Follow-up registers of individuals with a specific health condition or a particular health status such as cancer, diabetes, communicable diseases, suspected, and confirmed abuse and neglect, immunizations, suicidal behavior, or disabilities.
      4. Logs of individuals provided health care by staff of specific hospital or clinic departments such as surgery, emergency, obstetric delivery, medical imaging, and laboratory.
      5. Surgery and/or disease indices for individual facilities that list each relevant individual by the surgery or disease.
      6. Third-party reimbursement and billing records containing name, address, date of birth, dates of service, third-party insurer claim numbers, SSN, health plan name, insurance number, employment status, and other relevant claim information necessary to process and validate third-party reimbursement claims.name, address, date of birth, dates of care, Medicare or Medicaid claim numbers, SSN, health plan name, insurance number, employment status, and other relevant claim information necessary to determine PRC eligibility and to process PRC claims.
      7. Monitoring strips and tapes such as fetal monitoring strips and Electroencephalogram and Electrocardiogram tapes.
   3. Emergency Medical Condition.  A medical condition manifesting itself by acute symptoms of sufficient severity (including severe pain) such that the absence of immediate medical attention could reasonably be expected to result in:
      1. placing the health of the individual (or, with respect to a pregnant woman, the health of the woman or her unborn child) in serious jeopardy;
      2. serious impairment to bodily functions; or
      3. serious dysfunction of any bodily organ or part.
   4. Fax Activity Confirmation Report.  The Fax Activity Confirmation (FAC) report is a document automatically generated by the fax machine that confirms whether the fax transmission has been successful and which prints the destination fax number.
   5. Fax Activity Report Journal.  The Fax Activity Report Journal (ARJ) is a manually generated log that may be used to identify how each incoming fax was handled, confirm the successful transmission of each outgoing fax, and/or identify errors that have occurred in sending or receiving faxes.
   6. Highly Sensitive PHI.  Any PHI relating to:
      1. testing for and/or treatment related to HIV/AIDS or other STD;
      2. testing for cancer or other life threatening illnesses; or
      3. the diagnosis, treatment, or referral for treatment of sexual abuse or assault, mental health, and/or alcohol or substance abuse.
4. Procedures.
   1. Mail.  All IHS facilities are encouraged to send and receive PHI by mail whenever practical.
   2. Fax Machines.  The use of fax machines to send and receive PHI poses certain risks of improper disclosure.  Whenever it is necessary to fax PHI, the transmission should be limited to the minimum amount necessary to accomplish the intended purpose.  Furthermore, the means by which PHI is to be transmitted depends on the clinical circumstances.  In any case involving a question as to the appropriateness of using the fax machine to transmit PHI, the appropriate clinician shall make the final determination.  The fax machine shall be physically located so that it is not in a public area and its use can be monitored by HIM personnel; only authorized staff can have direct access to the fax machine.
   3. FAX Cover Sheet.  Before transmitting any PHI, the sender must fill out a fax cover sheet containing, at a minimum, the following information:
      1. Facility's identification
      2. Date of transmission
      3. Number of pages being transmitted (including cover sheet)
      4. To:
         1. Receiver's name
         2. Receiver's telephone number
         3. Receiver's fax number
      5. From:
         1. Sender's name
         2. Provider's name (if applicable)
         3. Sender's telephone number
         4. Sender's fax number
   4. Remarks or Special Instructions (if appropriate)
   5. Confidentiality Statement.  The following is an example of an acceptable statement:  "This fax is intended only for the use of the person or office to which it is addressed and contains privileged or confidential information protected by law.  All recipients are hereby notified that inadvertent or unauthorized receipt does not waive such privilege and that unauthorized dissemination, distribution, or copying of this communication is prohibited by Federal law.  If you have received this fax in error, please destroy the attached document(s) and notify the sender of the error by calling (enter applicable phone number and extension)."
5. Sending Information.  Whenever the facility's fax user intends to send a fax, they must comply with the following:
   1. Telephone the receiving facility to inform them that PHI is being faxed, confirm the fax number, and determine whether the fax machine is located in a secured area.
   2. If the fax machine is not in a secured area, request the individual at the receiving facility to stand by the fax machine.
   3. Reconfirm the destination fax number prior to transmission by checking the telephone number displayed on the fax machine screen before transmitting the fax.
   4. Confirm the success of the transmission by calling the intended recipient or by checking the FAC Report.
   5. In the event that the fax is erroneously transmitted to the wrong fax number and the sender is aware that this error has occurred, they should immediately contact the erroneous recipient and request that the fax be destroyed by shredding.
   6. A copy of the fax cover sheet shall be placed in the patient's medical record. The fax cover sheet shall include confirmation of receipt of fax.
6. Receiving Information.  Whenever the facility's fax user receives an incoming fax, they must comply with the following:
   1. Remove the faxed PHI from the fax machine as soon as possible, once they are aware that the fax has been received.
   2. Count the number of pages received to verify the number of pages against the fax cover sheet.  If page(s) are missing, the sender must be contacted and requested to retransmit the document.
   3. Read the fax cover sheet and follow any instructions.
   4. If the facility maintains an ARJ, document receipt of the faxed document on the ARJ.
   5. Notify the intended recipient that a fax was received.
   6. Unless the faxed PHI will at all times remain in a secured area, the faxed PHI must be hand delivered or placed in a sealed envelope and delivered to the intended recipient as soon as possible.
   7. If a fax has been erroneously transmitted to an IHS facility, the recipient of the fax shall inform the sender of the error.  The fax must then be destroyed by shredding.

2-7.14  PROCEDURE FOR CREATING A LIMITED DATA SET

1. Purpose.  This section specifies IHS policy and procedures for creating a limited data set for the use or disclosure of PHI only for the purposes of research, public health, or health care operations.
2. Policy.  For purposes of research, public health, or health care operations, the IHS may disclose information that is not fully de identified if it creates a limited data set that complies with the terms of the HIPAA Privacy Rule, 45 CFR 164.514(e).  Any use or disclosure by the IHS must be made pursuant to a Data Use Agreement with the recipient of the limited data set.  All use or disclosures must be made in accordance with Section 2-7.16, "Procedure for Limiting the Use or Disclosure of and Requests for PHI to the Minimum Necessary."
3. Definitions.
   1. Health Care Operations.  Any of the following activities of the covered entity to the extent that the activities are related to covered functions:
      1. Conducting quality assessment and improvement activities, including:
         1. Outcomes evaluation and development of clinical guidelines provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities.
         2. Population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives.
         3. Related functions that do not include treatment.
      2. Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities.
      3. Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of 45 CFR § 164.514(g) are met, if applicable.
      4. Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs.
      5. Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies.
      6. Business management and general administrative activities of the entity, including, but not limited to:
         1. Management activities relating to implementation of and compliance with the requirements of this subchapter.
         2. Customer service, including the provision of data analyses for policyholders, plan sponsors, or other customers, provided that PHI is not disclosed to such policyholder, plan sponsor, or customer.
         3. Resolution of internal grievances.
         4. The sale, transfer, merger, or consolidation of all or part of a covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity.
         5. Consistent with the applicable requirements of 45 CFR § 164.514, creating de-identified health information or a limited data set, and fund-raising for the benefit of the covered entity.
   2. Public Health Activities.  Public health activities are generally authorized by law through a public health authority or other appropriate authority for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions, and to include receiving reports of child abuse or neglect.
   3. Limited Data Set.  A limited data set is PHI that excludes specified identifiers such as, the patient's name, chart number, or SSN, but that can still potentially be linked to a particular patient because it contains dates (including birth date, admission date, discharge date, and date of death) and/or information about the patient's city, State, or nine digit zip code.
   4. Public Health Authority.  Public health authority means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian Tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.
   5. Protected Health Information.  Protected Health Information means individually identifiable health information:
      1. Except as provided in paragraph b of this definition, that is:
         1. Transmitted by electronic media;
         2. Maintained in electronic media; or
         3. Transmitted or maintained in any other form or medium.
      2. Protected Health Information excludes individually identifiable health information in:
         1. Education records covered by the Family Educational Right and Privacy Act, as amended, 20 U.S.C. § 1232g;
         2. Records described at 20 U.S.C. § 1232g (a)(4)(B)(iv); and
         3. Employment records held by a covered entity in its role as an employer.
   6. Research.  Research means a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.
4. Procedures.  The following procedures shall be used to create a limited data set, which may be created only for the purposes of research, public health, or health care operations.
   1. Information Not Permitted in a Limited Data Set.  A limited data set is composed of PHI that excludes the following direct identifiers of the patient or relatives, employers, or household members of the patient:
      1. Names
      2. Postal addresses (may retain city, State, and nine digit zip code)
      3. Telephone numbers
      4. Fax numbers
      5. Electronic mail addresses
      6. Social security numbers
      7. Medical record numbers
      8. Health plan beneficiary numbers
      9. Account numbers
      10. Certificate/license numbers
      11. Vehicle identifiers and serial numbers, including license plate numbers
      12. Device identifiers and serial numbers
      13. Web URL
      14. Internet Protocol address numbers
      15. Biometric identifiers, including finger and voice prints
      16. Full face photographic images and/or any comparable images
   2. Information Permitted in a Limited Data Set.  A limited data set may contain:
      1. Dates of admission and discharge, as well as dates of birth and death.
      2. Nine digit zip code, city, and State information.
   3. Disclosure.  The IHS may only disclose PHI in a limited data set pursuant to a Data Use Agreement (DUA).
   4. Agreement.  A limited data set recipient must agree, in writing, to use or disclose the information only for the purposes of research, public health, or health care operations.  A written DUA (See Section 2-7.15 that follows) between the IHS and the limited data set recipient must also:
      1. Establish the permitted uses and disclosures of such information by the limited data set recipient.
      2. Prevent and not authorize the limited data set recipient to use or further disclose the information in any manner that IHS could not use or disclose.
      3. Establish who is permitted to use or disclose the limited data set.
      4. Provide that the limited data set recipient will:
         1. Not use or further disclose the information other than as permitted by the DUA or as otherwise required by law.
         2. Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the DUA.
         3. Report in writing to the IHS employee named in the Agreement any improper use or disclosure of the information.
         4. Ensure its agents or subcontractors agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information.
         5. Not identify the information or contact the patients.
   5. Compliance.  If the IHS becomes aware of a pattern of activity or practice of the recipient of the limited data set that constitutes a material breach or violation of the DUA, the IHS must take reasonable steps to cure the breach or end the violation, as applicable.  If the steps are unsuccessful, the IHS must:
      1. Discontinue disclosure of PHI to the recipient; and
      2. Report the problem to the HHS, Office for Civil Rights.
   6. The IHS as Recipient of Limited Data Set.  The IHS must comply with the terms of any DUA under which it receives information.
   7. Questions.  Specific questions regarding the implementation of this policy should be directed to the Area Statistician, the Area Institutional Review Board (IRB), or Area Privacy Act Advocate/ HIPAA Privacy Coordinator.

---

2-7.15  DATA USE AGREEMENT - EXAMPLE

DATA USE AGREEMENT 45 Code of Federal Regulations 164.514 (e)

This Data Use Agreement ("Agreement") effective the _____ day of ____________, 20__ ("Effective Date") by and between Indian Health Service ("Covered Entity") and _____________________________________, the Limited Data Set recipient ("Recipient").

The Covered Entity is willing to provide Recipient with a Limited Data Set of Protected Health Information (PHI) as defined by 45 Code of Federal Regulations (CFR) 164.514 (e)(2) for public health, health care operations or research purposes; and

Recipient warrants that it shall use or disclose the Limited Data Set exclusively for the purposes set forth herein:

1. Permitted Users.  Recipient agrees to allow access to the Limited Data Set only to the following individuals and classes of individuals:  (Name the individuals)
2. Permitted Uses.  Recipient agrees to use and allow access to the Limited Data Set solely as described in the research protocol attached as Exhibit A and entitled:  (Attach the research protocol and title of the proposed research.)
3. Other Use or Disclosure.  Recipient agrees that Recipient will not disclose or allow access to the Limited Data Set to anyone other than Permitted Users except as required by law.  Recipient also agrees that it will not sell the Limited Data Set or any portion of the Limited Data Set.
4. Safeguards.  Recipient agrees to and shall ensure that all Permitted Users use reasonable and appropriate administrative, physical and technical safeguards to prevent use, access to, or disclosure of the Limited Data Set other than as provided for by this Agreement.  Recipient shall protect the confidentiality of the Limited Data Set with the same level of care it used to protect its own confidential information. Recipient further agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic Limited Data Set that it creates, receives, maintains or transmits.

   Such security measures shall be as stringent as those required by the Security Rule promulgated pursuant to the, "The Health Insurance Portability and Accountability Act," (HIPAA) of 1996, Public Law (P.L.) 104-191.

5. Recipient's Responsibility for Permitted Users.  Recipient shall ensure that:
   1. Its Permitted Users have received training regarding the confidentiality of PHI under the Privacy Rule and all other
            applicable Federal or State laws and will protect the Limited Data Set in compliance with the
            Privacy Rule, applicable laws and this Agreement.
   2. Its Permitted Users shall only access the Limited Data Set for purposes as approved by the Covered Entity.
   3. Its Permitted Users have agreed to hold any passwords or other means for accessing the Limited Data
            Set, in a confidential manner and to release them to no other individual.
   4. Its Permitted Users understand that failure to comply with the terms of this Agreement may result in exclusion
            from access to the Limited Data Set.
   5. It has restricted access to the Limited Data Set only to the Permitted Users identified in Section 1, Permitted Users.
6. Reporting.  Recipient agrees to report in writing to the IRB of the Covered Entity any unauthorized use or disclosure of the Limited Data Set that it becomes aware of within five (5) business days of its discovery.
7. Agents and Subcontractors.  Recipient ensures that its agents and subcontractors to whom it provides the Limited Data Set agree in writing to adhere to the same restrictions and conditions contained herein regarding its use and disclosure. Recipient will notify Covered Entity when Limited Data Set is made available to agents and subcontractors.
8. Contact/Identification.  Recipient ensures that all Permitted Users shall agree to not identify the information in the Limited Data Set or contact any individual who is a subject of the Limited Data Set or his or her relatives, employers, or household members.
9. Publication.  Recipient shall have the right to publish, present, or use Limited Data Set for his or her own instruction, research or publication.  Provided however, all identifiers as outlined in 45 CFR 164.514 (b)(2)(i) are removed, and

   Check all that apply:

   _____    Recipient is not intending to publish.

   _____    Recipient is intending to publish.  Any proposed publication or presentation shall be provided to the Covered Entity for review at least sixty (60) days prior to the submission.  Any publication of any materials by Recipient, Permitted User, or other person or entity affiliated in any manner with this Agreement is strictly prohibited except by prior approval by the Covered Entity.  In the event approval is obtained, published materials shall clearly state that the opinions or assertions contained therein are those of the author and do not reflect any official or unofficial view or opinion of the Covered Entity.  Additionally, no such materials shall infringe upon, violate, or otherwise compromise patient's rights to privacy under the Privacy Act, the HIPAA, or any applicable Federal or State statute or regulation.

10. Publicity.  Neither party will use the name of the other party in any publicity, advertising, or new release without the prior written approval of the authorized representative of the other party.
11. Indemnification.  Recipient shall indemnify, hold harmless and defend the Covered Entity from and against any and all claims, losses, liabilities, costs and other expenses resulting from or relating to the acts or omissions of Recipient in connection with the PHI provided to Recipient under this Agreement.
12. No Guarantees or Warranties.  Covered Entity in no way guarantees Limited Data Set pursuant to this Agreement and makes no warranties, express or implied, regarding the quality of any product produced under this Agreement.  Recipient agrees to indemnify and hold harmless Covered Entity against any claims arising out of Recipient's commercial sale or distribution of products or processed developed under this Agreement, or its reliance upon the Limited Data Set provided.
13. No Third-Party Beneficiaries.  Nothing express or implied in this Agreement is intended or shall be deemed to confer upon any individual or entity other than the Covered Entity and Recipient, any rights, obligations, remedies or liabilities.  Neither party shall have the right to assign or transfer their rights to any third-party under this Agreement.
14. Relationship of the Parties.  The Parties mutually understand and agree that in performing their respective duties and obligations hereunder, the Parties are at all other times acting as separate entities with respect to each other.  Nothing in this Agreement shall constitute or be construed to create a partnership, joint venture, or any form of organized health care arrangement between the Parties.
15. Audit.  Recipient agrees that it may be audited by the Covered Entity to ensure that it and the Permitted Users are using the Limited Data Set as approved and have returned the data upon the conclusion of the approved project.
16. Term.  This Agreement shall become effective on the Effective Date of the Agreement and shall continue in effect for a period of five years or until all obligations of the Parties have been met.  Upon completion of the Agreement, the limited Data Set shall be returned to the Covered Entity.  The terms and conditions of this Agreement shall survive the expiration or termination of the Agreement.
17. Termination.  Either party may terminate this Agreement upon thirty (30) days notice to the other.  Either party may terminate this Agreement immediately in the event that the other party is in material breach of its terms.  Upon termination of this agreement, the Limited Data Set shall be returned to the Covered Entity.
18. Law.  The parties agree that the Federal law shall apply to any problem or dispute arising out of this Agreement.
19. Entirety of Agreement.  It is expressly agreed that this written agreement represents the entire understanding between the parties and supersedes any prior agreements or understanding with respect to the subject matter herein. Any changes or modifications to this Agreement must be in writing and be signed by both parties.

IN WITNESS WHEREOF:  the Parties hereto have duly executed this Agreement in accordance with the terms and provisions contained herein.  The persons signing this Agreement warrant that they have read the Agreement and have full authority to sign this Agreement and that their signatures shall bind the Parties for which they sign.

By Authorized Representative of Recipient:

_____________________________________________________________________________________________
Name:

_____________________________________________________________________________________________
Title:

_____________________________________________________________________________________________
Signature:

_____________________________________________________________________________________________
Date:

By Covered Entity's Authorized Representatives:

Indian Health Service

_____________________________________________________________________________________________
By: (Name)

_____________________________________________________________________________________________
Title:

_____________________________________________________________________________________________
Signature:

_____________________________________________________________________________________________
Date:

---

2-7.16  PROCEDURE FOR LIMITING THE USE OR DISCLOSURE OF AND REQUESTS FOR PHI TO THE MINIMUM
            NECESSARY

1. Purpose.  This section specifies the IHS policy and procedures for limiting PHI to the minimum necessary for the use and disclosure of PHI and for all PHI requested from other health care providers and health plans.
2. Policy.  The medical record shall be maintained confidentially and shall not be disclosed except as provided by the Privacy Act of 1974 as amended, 5 U.S.C. § 552a; the HIPAA Privacy Rule (45 CFR Parts 160 and 164); the FOIA as amended, 5 U.S.C. § 552; and other relevant Federal laws and guidance.
3. Responsibilities.
   1. Chief Executive Officer.  For Areas that provide PRC directly through the Area Office, references to the CEO must be considered references to the Area Director's designee, as applicable.  The CEO or (his or her) designee shall identify, in writing, the following:
      1. individual staff or classes of staff who need access to PHI in order to perform their official duties; and
      2. the category or categories of PHI for each staff person or class of staff who need access and any conditions appropriate for access.
   2. Designated IHS Staff Person.  The responsible IHS staff person, as designated by the CEO, shall monitor compliance with the "minimum necessary" requirements.
4. Procedures.  The IHS must make reasonable efforts to limit the use or disclosure of PHI to the minimum necessary in order to accomplish the intended purpose of the use, disclosure, or request.
   1. Minimum Necessary Requirement.  The "minimum necessary" requirement does not apply to:
      1. disclosures to or requests by a healthcare provider for treatment purposes;
      2. disclosures to the patient;
      3. uses or disclosures made pursuant to a valid authorization signed by the patient or personal representative, so long as the use or disclosure is consistent with the authorization;
      4. uses or disclosures that are required by Federal law, including applicable provisions of the HIPAA Privacy Rule; or
      5. disclosures to the Secretary, HHS, required under HIPAA Privacy Rule for enforcement purposes.
   2. Reasonable Requests for Disclosures.  The IHS may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary when making a disclosure to:
      1. A public official for a disclosure permitted under 45 CFR §164.512 (Uses and disclosures for which an authorization or opportunity to agree or object is not required), if such official represents that the information requested is the minimum necessary for the stated purpose;
      2. Another covered health care provider, health plan, or health care clearinghouse;
      3. A professional who is an employee or contractor (business associate) of IHS, for the purpose of providing professional services to IHS, if the professional represents that the information requested is the minimum necessary for the stated purpose; or
      4. A researcher with appropriate documentation from an IRB.
   3. Requesting PHI.
      1. When requesting PHI from other covered entities, the IHS must limit any such request to that which is reasonably necessary to accomplish the purpose for which the request is made.
      2. For requests made on a routine and recurring basis, the IHS must limit the PHI requested to the amount reasonably necessary to accomplish the purpose for which the request is made.
      3. All other requests must be reviewed on an individual basis to determine that the PHI sought is limited to the information reasonably necessary to accomplish the purpose for which the request is made.
      4. The entire medical record shall only be requested when specifically justified as the amount that is reasonably necessary to accomplish the purpose of the request.

   2-7.17  PROCEDURE FOR PROVIDING IHS NOTICE OF PRIVACY PRACTICES

   1. Purpose.  This section specifies IHS policy and procedure for providing the "Notice of Privacy Practices" (Notice) to all patients.
   2. Policy.  It is IHS policy to provide adequate notice of its uses and disclosures of PHI and of the individual's rights and IHS' legal duties with respect to PHI.
   3. Display.  The IHS shall prominently and clearly display the Notice (2-7.18) in every facility.  https://www.ihs.gov/sites/HIPAA/documents/NoticePrivacyPracticePamphlet.pdf
   4. Notice Distribution.  A copy of the Notice shall be provided to new patients, patients whose charts are reactivated, and patients who reach legal age.
      1. The Patient Registration Office or other appropriate department will provide a copy of the current Notice to the patient.
      2. A staff member will briefly summarize the purpose of the Notice, in a statement such as the following:  "The purpose of the Notice is to inform you of the uses and disclosures which IHS may make of your protected health information, and it tells you of your rights and IHS' legal duties with respect to such information."
      3. The staff member should answer any questions as best they can and refer unanswered questions to the service unit Privacy Official or designee.
      4. The staff member should ask the patient to acknowledge receipt of the Notice by signing the Acknowledgment of Receipt of IHS Notice of Privacy Practices.  (Section 2-7.18)
         1. If the patient refuses to sign the Acknowledgement form, the staff member should document the efforts made to obtain the acknowledgment and the reason(s) why it was not obtained.
         2. If a person is acting as the patient's representative in making healthcare decisions on behalf of the patient, the staff member should provide that person with the Notice and have that person sign the acknowledgment form.
         3. If the patient cannot be provided with the Notice due to incapacitation or emergency, the staff member should document the reason on the acknowledgment form.  An IHS staff member shall provide the patient with the Notice and have the patient sign the acknowledgment form as soon as the patient is no longer incapacitated or the emergency situation has passed.
      5. The Acknowledgement form must also be signed and dated by the appropriate IHS staff.
      6. The staff member should file the signed "Acknowledgement of Receipt of IHS Notice of Privacy Practices" into the patient's medical record.
      7. No less than every three years, IHS will provide notification of the availability of the Notice and how to obtain the Notice.
      8. If the Notice is revised by a material change, the revised Notice must be posted in clear and prominent locations in every facility and on its web site, on or after the effective date of the revision. The revised Notice will be posted on the IHS website within the 60 days of a material revision. The revised Notice will also be given to all patients who come into the facility after the effective date of the revision and will be available upon request on or after the effective date of the revision. Additionally, IHS will provide the revised notice to all eligible patients registered in the patient registration system within 60 days of the revision of the Notice.

         Note:  The patient is not required to sign a second Acknowledgement of Receipt if the Notice was revised.

   5. Inmates and the "Notice".  Any individual, whether or not a patient, has the right to request and receive a copy of the Notice at any time, except an inmate.  Inmates have no rights to the Notice.  45 CFR § 164.520 (a)(3).

   ---

   2-7.18  NOTICE

   INDIAN HEALTH SERVICE
   
   Notice of Privacy Practices
   "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE
   USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
   PLEASE REVIEW IT CAREFULLY."

   SUMMARY OF YOUR PRIVACY RIGHTS

   1. Understand Your Medical Record/Information.  Each time you visit an Indian Health Service (IHS) facility for services, a record of your visit is made.  If you are referred by the IHS through the PRC program, the IHS also keeps a record of your PRC visit.  Typically, this record contains your symptoms, examination, test results, diagnoses, treatment, and a plan for future care.  This information, often referred to as your medical record, serves as a:
      1. Plan for your care and treatment.
      2. Communication source between health care professionals.
      3. Tool with which we can check results and continually work to improve the care we provide.
      4. Means by which Medicare, Medicaid, or private insurance payers can verify the services billed.
      5. Tool for education of health care professionals.
      6. Source of information for public health authorities charged with improving the health of the people.
      7. Source of data for medical research, facility planning, and marketing.
      8. Legal document that describes the care you receive.
   2. Understanding what is in your medical record and how the information is used helps you to:
      1. Ensure its accuracy.
      2. Better understand why others may review your health information.
      3. Make an informed decision when authorizing disclosures.
   3. Your Medical Record/Information Rights.  Your medical record is the physical property of the IHS, but the information belongs to you.  You have the right to:
      1. Inspect and receive a paper or electronic copy of your health information.
      2. Receive notification of a breach of your unsecured protected health information.
      3. Request a restriction on certain uses and disclosures of your health information to include certain disclosures of protected health information to your health plan.  The IHS is not required to agree to the requested restriction except when the disclosure would be for the purpose of carrying out payment or health care operations and is not otherwise required by law and the PHI relates solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the covered entity in full.
      4. Request a correction or amendment to your health information.  The IHS may amend your record or include your Statement of Disagreement.
      5. Request confidential communications about your health information.
      6. Request and obtain a listing of certain disclosures the IHS has made of your health information.
      7. Revoke your written authorization to use or disclose health information.
      8. Request and obtain a paper or electronic copy of the IHS Notice of Privacy Practices.
      9. Request and obtain a paper or electronic copy of the patient's medical record from the IHS Medical, Health and Billing Records, System Notice Number 09-17-0001.
   4. Indian Health Service Responsibilities.  The IHS understands that health information about you is personal and is committed to protecting your health information.  The IHS is required by law to:
      1. Maintain the privacy of your health information.
      2. Inform you about our privacy practices regarding health information we collect and maintain about you.
      3. Notify you if we do not agree to a requested restriction.
      4. Notify you of our decision regarding a request for correction or amendment.
      5. Accommodate reasonable requests you may have to communicate health information by alternate means or to an alternate location.
      6. Promptly notify you of a breach of unsecured protected health information (PHI).
      7. Honor the terms of this Notice or any subsequent revisions of this Notice.

   ---

   REVISED NOTICE OF PRIVACY PRACTICES

   The Indian Health Service (IHS) reserves the right to change its privacy practices and to make the new provisions effective for all PHI it maintains.  The IHS will post any revised Notice of Privacy Practices at public places within its facilities and on the IHS web site at:  https://www.ihs.gov/HIPAA/

   1. How the IHS may use and disclose health information about you.  The IHS will not use or disclose your health information without your permission, except as described in this Notice and as permitted by the HHS Privacy Act regulations, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, Genetic Information Nondiscrimination Act (GINA) of 2008, and the IHS Medical, Health, and Billing Records, System Notice 09 17 0001.  The following categories describe how we may use and/or disclose your health information.
      1. Treatment.  We will use and/or disclose your health information to provide your treatment.  For example:
         1. Your personal information will be recorded in your medical record and used to determine the course of treatment for you.  Your health care provider will document in your medical record their instructions to members of your healthcare team.  The actions taken and the observations made by the members of your healthcare team will be recorded in your medical record so your health care provider will know how you are responding to treatment.
         2. If you are referred or transferred to another facility or provider for further care and treatment, the IHS may disclose information to that facility or provider to enable them to know the extent of treatment you have received and other information about your condition.
         3. Your health care provider(s) may give copies of your health information to others, including health care professionals or personal representatives, to assist in your treatment.
      2. Payment Purposes.  We will use and disclose your health information for payment purposes.  For example:
         1. If you have private insurance, Medicare, or Medicaid, a bill will be sent to your health plan for payment.  The information on or accompanying the bill will include information that identifies you, as well as your diagnosis, procedures, and supplies used for your treatment.
         2. If you are referred to another health care provider under the Purchased/Referred Care (PRC) program, the IHS may disclose your health information to that provider for health care payment purposes.
      3. Health Care Operations.  We will use and disclose your health information for health care operations.  For example:
         1. We may use your health information to evaluate your care and treatment outcomes with our quality improvement team.  This information will be used to continually improve the quality and effectiveness of the services we provide.
      4. Health Information Exchange(HIE).  The IHS HIE may make your health information available electronically through an information exchange network to other providers involved in your care who request your electronic health information.  Participation in the national eHealth Exchange network is voluntary.  If you want your health information to be accessible to authorized health care providers through the IHS HIE to the national eHealth Exchange, you must authorize this use and disclosure.  More information is available at https://www.ihs.gov/hie/
      5. Personal Health Record.  The Personal Health Record (PHR) is a secure web based application that provides patient access to their health care information.  The PHR is accessible to any patient who receives care at an IHS facility and requests a PHR account.
      6. Direct.  The IHS may share your health information between providers and between healthcare providers, patients and/or patients' authorized representatives, using the DIRECT secure, web-based messaging service.
      7. Business Associates.  The IHS provides some healthcare services and related functions through the use of contracts with business associates.  For example, the IHS may have contracts for medical transcription.  When these services are contracted, the IHS may disclose your health information to business associates so that they can perform their jobs.  The IHS requires our business associates to protect and safeguard your health information in accordance with applicable Federal laws.
      8. Directory.  If you are admitted to an IHS inpatient facility, the IHS may use your name, general condition, and location within our facility, for facility directory purposes, unless you notify us that you object to this information being listed.  If an individual asks for you by name, the IHS may disclose your name, general condition, and location within our facility, unless you notify us that you object to this information being listed.  The IHS may provide your religious affiliation only to members of the clergy.
      9. Notification.  The IHS may use or disclose your health information to notify or assist in the notification of a family member, personal representative, or other authorized person(s) responsible for your care, unless you notify us that you object.
      10. Communication with Family.  All IHS health providers may use or disclose your health information to others involved with and/or responsible for your care unless you object.  For example, the IHS may provide your family members, other relatives, close personal friends, or any other person you identify, with health information that is relevant to that person's involvement with your care or payment for such care.
      11. Adults and Emancipated Minors with Personal Representatives.  The IHS may disclose health information to a personal representative of an individual who has been declared incompetent due to physical or mental incapacity by a court of competent jurisdiction.
      12. Interpreters.  In order to provide you proper care and services, the IHS may use the services of an interpreter.   This may require the disclosure of your health information to the interpreter.
      13. Research.  The IHS may use or disclose your health information for research purposes when approved by an IHS Institutional Review Board (IRB) that has reviewed the research proposal and established protocols to ensure the privacy of your health information. The IHS may also use or disclose your health information for non-IRB approved research purposes based on your written authorization.
      14. Organ Procurement Organizations.  The IHS may use or disclose your health information to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of organs for the purpose of facilitating organ, eye, or tissue donation and transplant.
      15. Uses and Disclosures about Decedents.  The IHS may use or disclose health information about decedents to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law.  The IHS also may disclose health information to funeral directors consistent with applicable law as necessary to carry out their duties.  In addition, the IHS may disclose health information about decedents where required under the Freedom of Information Act or otherwise required by law.
      16. Treatment Alternatives and Other Health Related Benefits and Services.  The IHS may contact you to provide information about treatment alternatives or other types of health related benefits and services that may be of interest to you.  For example, we may contact you about the availability of new treatment or services for diabetes.
      17. Appointment Reminders.  The IHS may contact you with a reminder that you have an appointment for medical care at an IHS facility or to advise you of a missed appointment.
      18. Food and Drug Administration.  The IHS may disclose your health information to the Food and Drug Administration (FDA) in connection with a FDA regulated product or activity. For example, we may disclose to the FDA information concerning adverse events involving food, dietary supplements, product defects or problems, and information needed to track FDA regulated products or to conduct product recalls, repairs, replacements, or look-backs (including locating people who have received products that have been recalled or withdrawn), or post-marketing surveillance.
      19. Workers Compensation.  The IHS may disclose your health information for workers compensation purposes as authorized or required by law.
      20. Public Health.  The IHS may use or disclose your health information to public health or other appropriate government authorities (Federal, State, local or Tribal) as follows:
          1. to government authorities that are authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, or conducting public health surveillance, investigations, and interventions;
          2. to government authorities that are authorized by law to receive reports of child abuse or neglect; and
          3. to government authorities that are authorized by law to receive reports of other abuse, neglect, or domestic violence, or as authorized by law if the IHS believes it is necessary to prevent serious harm. Where authorized by law, the IHS may disclose your health information to an individual who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition. In some situations (for example, if you are employed by IHS or another component of the Department of Health and Human Services (HHS), or if necessary to prevent or lessen a serious and imminent threat to the health and safety of an individual or the public), the IHS may disclose to your employer health information concerning a work related illness or injury or a workplace related medical surveillance.
      21. Correctional Institution.  If you are an inmate of a correctional institution, the IHS may disclose to the institution, health information necessary for your health and the health and safety of other individuals such as officers, employees, or other inmates.
      22. Law Enforcement.  The IHS may disclose your health information for law enforcement activities as authorized by law or in response to an order of a court of competent jurisdiction.
      23. Health Oversight Authorities.  The IHS may disclose your health information to health oversight agencies for activities authorized by law.  These oversight activities may include: investigations, audits, inspections, and other actions.  These are necessary for the government to monitor the health care system, government benefit programs, and entities subject to government regulatory programs and/or civil rights laws for which health information is necessary to determine compliance.  The IHS is required by law to disclose health information to the Secretary, HHS to investigate or determine compliance with the HIPAA privacy standards.
      24. Members of the Military.  If you are a member of the military services, the IHS may disclose your health information if necessary to the appropriate military command authorities as authorized by law.
      25. Compelling Circumstances.  The IHS may disclose your health information in certain other situations involving compelling circumstances affecting the health or safety of an individual.  For example, in certain circumstances:
          1. The IHS may disclose limited health information where requested by a law enforcement official for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person;
          2. If you are believed to be a victim of a crime and a law enforcement official requests information about you and we are unable to obtain your agreement because of incapacity or other emergency circumstances, we may disclose the requested information if we determine that such disclosure would be in your best interests;
          3. The IHS may use or disclose health information that we believe is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person;
          4. The IHS may disclose health information in the course of judiciary and administrative proceedings if required or authorized by law;
          5. The IHS may disclose health information to report a crime committed on IHS health facility premises or when the IHS is providing emergency health care; and
          6. The IHS may use or disclose health information during a disaster and for disaster relief purposes.
      26. Required by Law.  The IHS may use or disclose health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.
      27. ANon-Violation of this Notice.  The IHS is not in violation of this Notice or the HIPAA Privacy Rule if any of its employees or its contractors (business associates) discloses health information under the following circumstances:
          1. Disclosures by Whistleblowers.  If an IHS employee or business associate in good faith believes that the IHS has engaged in conduct that is unlawful or otherwise violates clinical and professional standards or that the care or services provided by the IHS has the potential of endangering one or more patients, members of the workplace, or the public and discloses such information to:
             1. A Public Health Authority or Health Oversight Authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions, or the suspected violation, or an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by the IHS; or
             2. An attorney on behalf of the workforce member, or contractor (business associate) or hired by the workforce member or contractor (business associate) for the purpose of determining their legal options regarding the suspected violation.
          2. Disclosures by Workforce Member Crime Victims.  Under certain circumstances, an IHS workforce member (either an employee or contractor) who is a victim of a crime on or off the IHS facility premises may disclose information about the suspect to law enforcement officials provided that:
             1. The information disclosed is about the suspect who committed the criminal act.
             2. The information disclosed is limited to identifying and locating the suspect.
      28. BAny Other Uses and Disclosures.  Most uses and disclosures of psychotherapy notes (where appropriate) require authorization.  Other uses and disclosures of PHI not listed in this Notice will be made only with your written authorization, which you may later revoke in writing at any time.  Such revocation would not apply where the health information already has been disclosed or used or in circumstances where the IHS has taken action in reliance on your authorization or the authorization was obtained as a condition of obtaining insurance coverage and the insurer has a legal right to contest a claim under the policy or the policy itself.

          Rights under this Notice or to Request Information or Report a Problem

   To exercise your rights under this Notice, to ask for more information, or to report a problem contact the Service Unit Chief Executive Officer or the appropriate Privacy official at:

   (Facility name, address, and local phone number)

   If you believe your privacy rights have been violated, you may file a written complaint with the above individual or the Secretary, Department of Health and Human Services, Washington, D.C. 20201.  There will be no retaliation for filing a complaint.  Effective Date:  September 23, 2013

   Acknowledgment of Receipt of Indian Health Service Notice of Privacy Practices

   I hereby acknowledge receipt of the Indian Health Service (IHS) Notice of Privacy Practices at:

   [Stamped facility name and address]

   _____________________________________________ Signature of Patient	________________________________________ Date

   _____________________________________________ Signature of Patient Personal Representative (State Relationship to Patient)	________________________________________ Date

   _____________________________________________ Or Witness (if signature is by thumbprint or mark)	________________________________________ Date

   _____________________________________________ Signature of and Title of IHS Employee	________________________________________ Date

   For Patients Unable to Acknowledge Receipt

   I hereby certify that the patient was unable to acknowledge receipt of the Indian Health Service (IHS) Notice of Privacy Practices because:

   _____________________________________________ Signature of IHS staff	________________________________________ Date

   ---

   2-7.19  PROCEDURE FOR THE USE AND DISCLOSURE OF PHI FOR INVOLVEMENT IN THE PATIENT'S CARE AND FOR
               NOTIFICATION PURPOSES

   1. Purpose.  This section specifies IHS policy and procedure on the uses and disclosures of PHI for involvement in the patient's care and for notification purposes.
   2. Policy.  The IHS may use or disclose PHI to family members, relatives, close personal friends, personal representative, or any other person identified by the patient, directly relevant to that person's involvement in the patient's health care or payment.
   3. Procedures.
      1. Notification.  The IHS may use or disclose PHI related to the patient's location, general condition, or death in order to notify or assist in the notification of (including identifying or locating) a family member, relative, close personal friend, personal representative, or another person responsible for the care of the patient.
      2. Uses or Disclosures When the Patient is Present.  If the patient is present and/or available and can make health care decisions, the IHS may release the information if it:
         1. obtains the patient's agreement;
         2. provides the patient the opportunity to object to the disclosure, and the patient does not express an objection; or
         3. reasonably infers from the circumstances, based upon the exercise of professional judgment that the patient does not object to the disclosure.
      3. Limited Uses or Disclosures When the Patient Is Not Present.  When the patient is not present or when opportunity to agree or object is not possible or practicable due to the patient's incapacity or emergency condition, the following procedures shall be used:
         1. An IHS provider, using their professional judgment, may determine that the use or disclosure is in the best interests of the patient, and only use or disclose PHI that is directly relevant to the person's (family member, relative, close personal friend, personal representative, or any other person identified by the patient) involvement.
         2. An IHS provider, using their professional judgment and experience with common practice, may make inferences as to the patient's best interests and allow the patient's family member, relative, close personal friend, personal representative, or any other person identified by the patient to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of PHI.
         3. Verification of identity should be completed prior to disclosing PHI of a patient.  (See Section 2-7.24, "Procedure for Verification of Identity Prior to Disclosure of PHI.")
         4. Disclosures for notification purposes should be noted.  (See Section 2-7.5, "Procedure for Matters Related to Accounting of Disclosures of PHI."

   2-7.20  PROCEDURE FOR THE USE AND DISCLOSURE OF PHI FOR RESEARCH PURPOSES

   1. Purpose.  This section specifies the IHS policy and procedures on how the IHS may use or disclose PHI for research purposes without authorization by a patient.
   2. Policy.  It is IHS policy to use or disclose PHI for research purposes in accordance with the HIPAA Privacy Rule and the Privacy Act.
   3. Procedures.  The following procedures will be used for the use or disclosure of PHI for research purposes.  The IHS will use or disclose PHI for research upon receipt of an IHS or Tribal-registered Institutional Review Board (IRB) memorandum entitled "Approval of Waiver of Authorization."

      Note:  In Special circumstances, the IHS National IRB may establish itself as the IHS National Privacy Board as defined under 45 CFR 164.512(i) (1) and (2).

      1. Approval of Waiver of Authorization Memorandum.  The Approval of Waiver of Authorization memorandum must include the following:
         1. Identification.  A statement identifying the IRB and the PHI the IRB determined that the use or disclosure is necessary.
         2. Date of Action.  The date the memorandum was approved.
         3. Minimal Risk.  The IRB must include a statement in the memorandum that the use or disclosure of PHI involves no more than minimal risk to the privacy of individuals based on, at least, the presence of the following elements:
            1. Adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law for authorized oversight of the research study if personal identifiers are removed at the earliest opportunity consistent with the oversight activity or for other research for which the use or disclosure of PHI would be permitted under the HIPAA Privacy Rule, the Privacy Act and any other applicable law.
            2. An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law.
            3. An adequate plan to protect the identifiers from improper use and disclosure, including reasonable administrative, technical, and physical safeguards against unauthorized use and disclosure.
         4. Practicality.
            1. The research could not practicably be conducted without the waiver.
            2. The research could not practicably be conducted without access to and use of the PHI.
      2. Review/Approval Process.  The IRB Chairperson, or his or her designee, shall sign a statement that the waiver was reviewed and approved under either normal or expedited review procedures.  The statement shall also set out that the IRB followed the requirements of the Common Rule (45 CFR Part 46), as applicable.
      3. Reviews Prior To Research.  An IHS facility may allow PHI to be reviewed in preparation for research if the researcher represents that:
         1. The use or disclosure is sought solely to review PHI as necessary to prepare a research protocol or for similar purposes in preparation for research.
         2. No PHI will be removed from the facility by the researcher in the course of the review.
         3. The PHI for which use or disclosure is sought is necessary for the research purposes.
      4. Research Involving Decedents' PHI.  The IHS may use or disclose PHI if the researcher represents that:
         1. The use or disclosure is sought solely for research on the PHI of decedents.
         2. The PHI for which use or disclosure is sought is necessary for the research purposes.
         3. The IHS may require the researcher to provide documentation of the subject individuals' death.

   2-7.21  PROCEDURE FOR THE MAINTENANCE, USE, AND DISCLOSURE OF PSYCHOTHERAPY NOTES

   1. Purpose.  This section specifies the IHS policy and procedure on the maintenance, use, and disclosure of psychotherapy notes.
   2. Policy.  All psychotherapy notes recorded on any medium (i.e., paper, electronic) by a mental health professional, such as a psychologist or psychiatrist, must be kept by the author and filed separately from the rest of the patient's medical record to maintain a higher standard of protection.
   3. Definition.  Psychotherapy notes means process notes (not progress notes) recorded in any medium by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session for their use only, and are separated from the rest of the patient's medical record.
   4. Procedures.  Psychotherapy notes may be used or disclosed:
      1. Disclosure Authorization.  When disclosing psychotherapy notes to the patient or to another individual, the IHS-810 form, "Authorization for Use and Disclosure of Protected Health Information," must be dated and signed by the patient, legal guardian (if the patient is a minor or incompetent), or other personal representative.  The box for "Psychotherapy Notes" must be checked.  The authorization should not be used in conjunction with other disclosures or uses.  The form IHS-810 is available at:

         (For Public and Federal access)  https://www.ihs.gov/forpatients/patientforms/

         (For IHS staff only)  https://intranet.hhs.gov/sites/default/files/s3fs-public/s3fs-public/2020-09/ihs-810.pdfExit Disclaimer: You Are Leaving www.ihs.gov 

      2. Authorization Not Required.  An authorization is not needed to use or disclose psychotherapy notes for the following treatment, payment, or health care operations:
         1. use by the originator of the notes for treatment;
         2. use or disclosure for mental health training programs under supervision within the IHS facility;
         3. use or disclosure by the IHS to defend itself in a legal action or other proceedings brought by the patient;
         4. use or disclosure that is required by law, authorized disclosure to a health oversight authority with respect to the oversight of the originator of the psychotherapy notes, or the use or disclosure to report a serious and imminent threat to the health and safety of the patient or a third party;
         5. use or disclosure required by the Secretary, HHS, to investigate IHS facility compliance with the Privacy Act and HIPAA Privacy Rule; or
         6. use or disclosures to medical examiners or coroners about deceased patients to determine identity, cause of death, or to perform other duties as authorized by law.
   5. Exclusions.  Psychotherapy notes do not include:
      1. Medication prescription and monitoring.
      2. Counseling session start and stop times.
      3. The modalities and frequencies of treatment furnished.
      4. Results of clinical tests.
      5. Any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

   2-7.22  PROCEDURE FOR THE REQUEST FOR RESTRICTION(S) OF THE USE AND/OR DISCLOSURE OF PHI

   1. Purpose.  This section specifies the rights of patients to request restriction(s) of the use and/or disclosure of their PHI.
   2. Policy.  Under the HIPAA Privacy Rule, patients have the right to request restriction(s) of the use and/or disclosure of their PHI to carry out treatment; payment and health care operations; inpatient hospital directory; and disclosures to relatives, family members, personal representatives, close friends, health care givers, and any other person involved in the patient's care or payment who is identified by the patient.

      The IHS is not required to agree to the request.  However, a patient still may object to the disclosure of information for the inpatient hospital directory and to relatives, friends, and others involved in patient care under 45 CFR 164.510(b).  See Section 2-7.19, "Procedure for the Uses and Disclosures of Protected Health Information for Involvement in the Patient's Care and for Notification Purposes."

   3. Procedures.  The following procedures will govern how restrictions will be requested and processed.
      1. Request.  The request for restriction must be in writing using IHS 912-1 form, "Request for Restriction(s)."  (See https://www.ihs.gov/forpatients/patientforms/ for IHS-912-1 form.)

         NOTE:  The patient is not required to provide a reason for the request.

      2. Processing.  The CEO or (his or her) designee, in consultation with an appropriate official, must review the request, before the patient is notified of the decision, except for acceptance of the request to omit PHI from hospital directories.

         (For Areas that provide PRC directly through the Area Office, references to the CEO should be considered references to the Area Director's designee, as applicable.)  The IHS is not required to agree to the requested restriction.  Before agreeing to the restriction, the IHS must contact the OGC.

         1. If the IHS agrees to a restriction, PHI may not be used or disclosed by the IHS or its business associate(s), except if the restricted PHI is needed by the IHS or another health care provider to provide emergency treatment of the patient.
         2. If the IHS agrees to a restriction, the IHS-912-1 form will be processed accordingly and subsequently filed in the record.
         3. If the IHS denies a restriction, the IHS-912-1 form will be processed accordingly and subsequently filed in the record.
         4. If restricted information is disclosed to a health care provider for emergency treatment, the IHS must request that the receiving health care provider not further use or disclose the PHI, using the following language:

            "This is restricted information, provided for the purpose of emergency treatment, which should not be further disclosed or used without the permission of the patient to whom the information pertains."

   4. Restriction.  A restriction agreed to by the IHS shall not prevent the use or disclosure for which authorization is not required as outlined in the IHS Notice of Privacy Practices:
      1. To a patient who requests access to their own PHI.
      2. As required by the Secretary, HHS, to investigate or determine compliance by the IHS with the HIPAA Privacy Rule.
      3. For an inpatient hospital directory where the patient has not objected to such uses or disclosures.
      4. As required by law.
      5. For public health activities.
      6. About victims of abuse, neglect, or domestic violence.
      7. For health oversight activities.
      8. For judicial and administrative proceedings.
      9. For law enforcement purposes.
      10. About decedents.
      11. For organ, eye, or tissue donation purposes.
      12. For research purposes.
      13. To avert a serious threat to health or safety.
      14. For specialized government functions.
      15. For workers' compensation.
   5. Restriction Agreement.  If the IHS has agreed to a requested restriction, it may terminate its agreement if:
      1. The patient is informed that the IHS is terminating the agreement.
         1. The termination will be effective with respect to PHI created or received after IHS has so informed the patient.
         2. The method of informing, together with the date and signature of the CEO or (his or her) designee, shall be noted in the file.
      2. The patient agrees to or requests the termination in writing using the IHS-912-2 form, "Request for Revocation of Restriction(s)."   https://www.ihs.gov/forpatients/patientforms/

         (For IHS staff only) https://intranet.hhs.gov/sites/default/files/s3fs-public/s3fs-public/2020-09/ihs-810.pdf Exit Disclaimer: You Are Leaving www.ihs.gov 

   2-7.23  PROCEDURE FOR ACCESS TO OR DISCLOSURE OF PHI OF UNEMANCIPATED MINORS

   1. Purpose.  This section specifies IHS policy and procedure for disclosing and providing access to PHI of un-emancipated minors and the creation of Personal Health Records (PHR) for such minors.
   2. Policy.  The Director, HIM or designee shall be responsible for access to and disclosure of PHI of an un-emancipated minor, hereinafter referred to as a "Minor," as authorized under applicable law. In all cases, whether a patient is a minor and whether a minor is emancipated shall be determined by applicable law.  If it is unclear which law applies, consult the Area HIM Consultant or the OGC.
   3. Definitions.
      1. Disclosure is the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.
      2. Personal Health Record is a secure internet application that enables verified patients to view their clinical information and use this information to interact with their medical team.
   4. Procedures for Access to or Disclosure of a Minor's PHI.  The following procedures shall be followed for requests for access to or disclosure of the PHI of minors:
      1. Requests for Access by Minors.
         1. Except as described in 2-7.23D(2), a minor who requests access to their health information shall, at the time of the request, designate a personal representative in writing who would be willing to review the record and inform the minor of its contents (e.g., physician or other health representative or responsible person, including an IHS practitioner).  The Minor shall complete and sign the IHS-810 form or submit a written request for access to their PHI.  See "IHS HIPAA Policy and Procedure for Patient's Rights to Access, Inspect, and Obtain a Copy of their PHI" located at:

            (For Public and Federal access)  https://www.ihs.gov/forpatients/patientforms/

            (For IHS staff only)  https://intranet.hhs.gov/sites/default/files/s3fs-public/s3fs-public/2020-09/ihs-810.pdfExit Disclaimer: You Are Leaving www.ihs.gov 

         2. Upon receipt of the request and designation of a personal representative, the Responsible Department Official (RDO), i.e., the HIM Director, reviews the request to determine whether direct access will have an adverse effect on the minor.  The minor will be granted direct access to their health information if the RDO determines that direct access is not likely to have an adverse effect on the minor.
         3. If the RDO believes they are not qualified to determine, or has determined, that access by the minor is likely to have an adverse effect on the minor, the record will be sent to the designated personal representative.  The minor will be informed in writing that the record has been sent.  The minor will be allowed access to their record consistent with a determination by the RDO of the manner of disclosure, if any, that would limit any likely adverse effect on the minor.
      2. A minor who requests access to their PHI shall be treated the same as an adult for purposes of determining whether to grant access, under the following circumstances:
         1. The minor has consented to health care services, authorized under applicable law; or
         2. A court of competent jurisdiction or other authorized person (other than the minor's parent, guardian or individual acting in loco parentis) has consented to the health care services, authorized under applicable law; or
         3. The minor's parent, guardian or individual acting in loco parentis previously concurred to confidentiality between the IHS provider(s) and the minor to which the requested PHI pertain.
         4. If either a, b, or c are met, the patient is not considered a minor by IHS and the requirements of this policy and procedure will not apply.  The IHS will apply the "IHS HIPAA Policy and Procedure for Patient's Rights to Access, Inspect, and Obtain a Copy of their Protected Health Information."

            (For Public and Federal access)  https://www.ihs.gov/forpatients/patientforms/

            (For IHS staff only)  https://intranet.hhs.gov/sites/default/files/s3fs-public/s3fs-public/2020-09/ihs-810.pdfExit Disclaimer: You Are Leaving www.ihs.gov 

   5. Requests for Access to the Minor's PHI by a Parent, Guardian, or Individual Acting in Loco Parentis.

      Note:  Although a state law may permit a parent or legal guardian to have access to an un-emancipated minor's medical record, the Privacy Act prohibits a parent or legal guardian to authorize a disclosure by the IHS of an un-emancipated minor's medical record to a third party.

   6. 1. In accordance with applicable Federal law, including 45 CFR 5b.6(c), the parent, guardian, or individual acting in loco parentis, shall designate in writing, using the IHS-810 form or a written request, a health professional (other than a family member) who will review the PHI and determine whether to disclose the PHI.  The designated health professional may be an IHS practitioner.
      2. The designated health professional will be asked to consider the effect the access of the PHI would have on the minor with regard to any safety or privacy concerns.
      3. The parent, guardian, or individual acting in loco parentis will be notified of approval or denial of PHI access.
      4. Reasonable efforts will be made to inform the minor of the request.
   7. Creation of a Personal Health Record for a Minor.
      1. A minor's parent, guardian, or individual acting in loco parentis must sign up for a PHR on behalf of a minor and agree to the terms and conditions of the PHR on behalf of the minor.
      2. The PHI will not be made available as part of the PHR unless the requirements of 2-7.23D have been met.
      3. The PHI must be treated as if it has been requested by the minor and the minor's parent, guardian, or individual acting in loco parentis.
      4. After successful completion of steps 2-7.23E(1) - 2-7.23E(3), the Policy for Processing Patient Access to the Personal Health Record shall be followed.
      5. When the minor reaches the age of majority or is emancipated, according to applicable law, access to the PHR by a parent, guardian or individual acting in loco parentis will be terminated or continued based on the minor's delegation to access the PHR.  It is highly recommended that facilities develop operational procedures to ensure:
         1. Emancipated minors are identified and documented in the RPMS Patient Registration Module.
         2. Determine the age of majority for applicable legal requirements.
         3. Educate staff on rights of minors, to include, applicable age of majority and access to and disclosure of their PHI.
         4. Facilities shall determine the age a minor may create a PHR according to Section D.
   8. Requests by Other Third Parties.
      1. Subpoena/Court Order.  Upon receipt of a subpoena/court order for a minor's medical record, the Area HIM Consultant must be consulted before any release is made.
      2. Law Enforcement.  Requests from law enforcement will be accommodated pursuant to the requirements of the law enforcement exception contained in the Privacy Act, 5 U.S.C. § 552a (b)(7) and the HIPAA Privacy Rule, including 45 CFR §164.512 (f)(1)(ii)(C).
      3. Law Firms or Insurance Companies.  A signed authorization by the minor patient must accompany any request from a law firm or insurance company for the minor's health record; However, if the parent or legal guardian wishes to disclose health records to a third party (e.g., attorney or insurance company), then the parent or legal guardian must request access to the minor's medical record following the procedures in section D.4., above.  Upon the receipt of the minor's health record, the parent or legal guardian may disclose it to the third party.
      4. Medical Examiners.  Medical Examiners may access relevant health information about deceased minors necessary for the performance of their duties as required by law.
   9. Requests for Access to or Disclosure of PHI.
      1. The authorization (Form IHS-810) or written request shall be completed by the minor patient and/or the parent or legal guardian, as appropriate and filed in the patient's medical record.  See HIPAA Privacy Rule and the Privacy Act Part 2, Chapter 7, Section 7, "Policy and Procedures for Authorization for Use or Disclosure of Protected Health Information Pursuant to Authorization or Valid Written Request."
      2. The information released will be documented electronically utilizing the RPMS ROI or by use of the IHS-505, "Disclosure Accounting Record Form."  See HIPAA Privacy Rule and the Privacy Act Part 2, Chapter 7, Section 5 "Policy and Procedures for Matters Related to Accountings of Disclosures of Protected Health Information."
      3. All requests for notification or access to a minor's record will comply with the HIPAA Privacy Rule and the Privacy Act, Section 2-7.24 "Policy and Procedures on Verification of Identity Prior to Disclosure of Protected Health Information."

   2-7.24  PROCEDURE FOR VERIFICATION OF IDENTITY PRIOR TO DISCLOSURE OF PHI

   1. Purpose.  This section specifies IHS policy and procedure for verifying the identity or authority of any person requesting PHI prior to the disclosure of such PHI.
   2. Policy.  All IHS facilities will verify the identity of any person requesting PHI and the authority of any such person to have access to the requested PHI, if the identity or such authority is not known.
   3. Disclosure.  In all cases, any disclosure of PHI will be made in accordance with:
      1. Section 2-7.5, "Procedure for Matters Related to Accounting of Disclosures of PHI"
      2. Section 2-7.16, "Procedure for Limiting the Use or Disclosure of PHI to the Minimum Necessary"
      3. Section 2-7.23, "Procedure for Access to, or Disclosure of, PHI of Unemancipated Minors"
   4. Responsibilities.  The responsible individual staff member(s) will:
      1. Account for all disclosures, file all requests in the medical record, and release the PHI (where applicable).
      2. Verify the identity of any person, entity, or organization requesting PHI.
   5. Procedure. The patient's identity shall be verified as follows upon completing the IHS 810 form.
      1. In-Person Request.  If the request is made in person by the patient and:
         1. the identity of the patient requesting PHI is personally known to the responsible IHS staff member, the patient's representation regarding their identity will be sufficient verification if it is reasonable under the circumstances.
         2. the patient's identity is not personally known to the responsible IHS staff member.  The patient shall provide one piece of tangible identification (preferably picture ID), such as, the individual's driver's license, military identification card, Tribal identification card, employment identification card or badge, passport, or alien registration card.  If a patient is requesting their own PHI, the name on the identification must match the name of the patient whose record is being sought.  If the patient's name has been legally changed, evidence documenting the name change must be presented.  Additionally, the patient shall provide particulars which can be verified by information already included in the record, such as place of birth, names of parents, an occupation, rank attained in Uniformed Services, or specific times the patient received medical treatment.
         3. If the patient cannot produce identification, in addition to providing the particulars noted above, they shall certify in writing that they are the individual who they claim to be, and they understand that the knowing and willful request for or acquisition of a record under false pretenses is a criminal offense under the Privacy Act and subject to a $5,000 fine.  (5 U.S.C. § 552a (I))
      2. Request Made In Person by an Individual (Third-Party).
         1. If a request is made by a law enforcement official, the official must verify their identity by producing a badge, official identification, or some other identification that shows that the law enforcement official has the authority to accept the PHI on behalf of the law enforcement agency.  The law enforcement official must also produce the law enforcement request or court order requesting the release of PHI if it is not already on file.  See Section 2-7.26, "Procedure for the Disclosure of PHI to Law Enforcement Officials."
         2. If a patient authorizes in writing (e.g., IHS 810 form or valid written request) PHI to be disclosed to an attorney, and the attorney comes to the IHS facility in person to pick up the records, the attorney must present valid photo identification and authority that is consistent with the patient authorization regarding to whom the PHI may be disclosed.  If a representative of the attorney comes in the attorney's place, the representative must submit proof that the representative has authority to act on behalf of the attorney (e.g., agreement between a records company and an attorney).  This provision also applies to patient authorizations to disclose PHI to an insurance company representative.
         3. If a patient authorizes (in writing) PHI to be disclosed to another individual (e.g., family member or friend), the individual must verify their identity with photo identification that matches the patient authorization to whom the PHI may be disclosed.
      3. Requests Made In Person by Parents, Legal Guardians, or Other Personal Representative.  An individual who makes a request for PHI on behalf of a minor, a person who is legally incompetent, or another individual, shall verify that he has authority to act by providing a copy of a birth certificate, a court order, or other evidence of the relationship or authority, e.g., health care power of attorney, in addition to verifying their own identity with photo identification (unless personally known to the IHS employee), unless the responsible IHS staff person can establish that evidence of the relationship or authority has previously been provided.  The type of identification and any documentation of authority used will be documented on the completed IHS 810 form, e.g., "Verified Driver's License."  The staff making the verification must initial and date the form.
      4. Request Made by Mail.
         1. PHI sent to Patient.  If the patient is requesting PHI to be sent to them, verify that the name, address, particular information, and signature on the request are the same as those in the patient file.
         2. PHI sent to Another Individual.  If the patient is requesting PHI to be sent to another individual, verify the identity in accordance with E(2)c above and release the information only to the name and address of the individual authorized to receive the PHI.
         3. PHI requested by Another Individual.  If another individual requests (including requests by law enforcement, attorneys, or insurance company representatives) PHI of a patient, the requestor must include documentation of authority (e.g., law enforcement requests must be on letterhead in accordance with E(2)a (above), and requests by attorneys must include a completed patient authorization verified in accordance with E(2)b above).  See Section 2-7.26, "Procedure for the Disclosure of PHI to Law Enforcement Officials."
      5. Telephone Request by an Unknown Healthcare Provider Made for Treatment Purposes.  The responsible IHS staff member must:
         1. Obtain the requesting provider's name, the caller's name (if different), facility name, location, and the telephone number of the requesting provider.
         2. Independently verify the above information and document the method of verification.
         3. Document the information being sought or requested.
         4. Document the reason for the request.
      6. Requests by Subpoena or a Court Order.  Contact the IHS Area HIM Consultant.

   2-7.25  PROCEDURE FOR THE USE AND DISCLOSURE OF PHI FOR EMANCIPATED MINORS AND ADULTS WITH PERSONAL REPRESENTATIVES OR LEGAL GUARDIANS

   1. Purpose.  This section is to specify IHS policy and procedure for the use and disclosure of PHI of emancipated minors and adults with personal representatives, including legal guardians.

      NOTE:  This section does not govern the procedures to follow in cases involving requests for access to the PHI of an unemancipated minor by the parent, personal representative, or legal guardian of such unemancipated minor.  In those instances, follow the procedures set forth in Section 2-7.23, "Access to or Disclosure of PHI of Unemancipated Minors."

   2. Policy.  Except as expressly provided in this policy, the IHS shall treat a personal representative of an emancipated minor or adult the same as the emancipated minor or adult for the purposes of the use and disclosure of PHI as it relates to such personal representation.
   3. Definition of a Personal Representative.  Any person who, under applicable law, has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care.  A personal representative may include, but is not necessarily limited to, the legal guardian of any such individual who has been declared incompetent due to physical or mental incapacity by a court of competent jurisdiction.  (5 U.S.C. § 552a (h); and (45 CFR § 164.502(g)(2))
   4. Procedures.  The following procedures shall be used when determining whether to disclose PHI to a personal representative of an emancipated minor or adult:
      1. Confirming the Status of the Personal Representative.  Before disclosure of the PHI of an adult or emancipated minor may be made to any individual claiming to have authority to access such PHI as the personal representative of such individual, the facility must obtain adequate documentation to support the determination that the requestor has the authority under applicable law to act as the patient's personal representative. See Section 2-7.24, "Procedure for Verification of Identity Prior to Disclosure of PHI."

         The CEO may contact the appropriate OGC where there is doubt regarding an individual's personal representative status, including whether a court of competent jurisdiction has appointed the individual to serve as the patient's legal guardian.

      2. Disclosure of PHI to Personal Representatives.  If the CEO determines that an individual is the personal representative of an emancipated minor or adult, then the service unit must treat the personal representative as the patient for purposes of access under HIPAA Privacy Rule and the Privacy Act.  Any requests for access by the personal representative shall be handled pursuant to the IHS policy governing access to patient medical records.  (Section 2-7.4, "Procedure for Patients' Rights to Access, Inspect, and Obtain a Copy of Their PHI.")
      3. Exceptions.  The IHS does not have to inform the personal representative of an emancipated minor or an adult that it made a disclosure of the individual's PHI to a government authority which is authorized by law to receive reports of abuse, neglect or domestic violence, if it reasonably believes the personal representative is responsible for the abuse, neglect or other injury and, in the exercise of its professional judgment, it believes that informing the legal representative would not be in the best interests of the individual.  (45 CFR §§ 164.512(c)(1) and (2)(ii))
      4. Requests for Disclosure of Alcohol/Drug Abuse Records.  Requests by a personal representative for access to records governed by the Confidentiality of Alcohol and Drug Abuse Patient Records, 42 CFR Part 2, shall only be released in compliance with those regulations.
      5. Accounting Requirements.  Any PHI released to a personal representative (First party requestor) will be documented on the IHS-505, Disclosure Accounting Record, or in the RPMS, ROI software application.  See Section 2-7.5, "Procedure for Matters Related to Accounting of Disclosures of PHI."

   2-7.26  PROCEDURE FOR THE DISCLOSURE OF PHI TO LAW ENFORCEMENT OFFICIALS

   1. Purpose.  This section specifies IHS policy and procedure on the disclosure of PHI to law enforcement agencies.  (This section is not applicable to disclosures governed by the regulations found in the Federal Confidentiality of Alcohol and Drug Abuse Patient Records, 42 CFR Part 2.)
   2. Policy.  It is IHS policy to disclose PHI to law enforcement agencies in accordance with the requirements of the HIPAA Privacy Rule; the Privacy Act of 1974 as amended; the HHS Privacy Act regulations; and the IHS Medical, Health, and Billing Records System of Records, Privacy Act System Notice 09-17-0001.  The IHS may disclose PHI to law enforcement agencies under certain conditions and certain situations as outlined below.
   3. Procedures.

      Except as permitted in Subsections C(3)(a)-(h) above, an IHS facility may not disclose for the purposes of identification or location any PHI related to the individual's DNA or DNA analysis, dental records, or typing, samples or analysis of body fluids or tissue.

      1. Law Enforcement Requests.  Indian Health Service facilities will from time to time receive requests from Federal, State, or Tribal law enforcement officials to release PHI that is in the possession of the IHS to such law enforcement officials.  These may arise in a number of circumstances, including but not limited to: child abuse and neglect; domestic violence; sexual assault; and criminal vehicular assault.  The Privacy Act of 1974, as amended, 5 U.S.C. § 552a (b)(7); the HHS Privacy Act regulations, 45 CFR § 5b.9(b)(7); and the HIPAA Privacy Rule, 45 CFR § 164.512(f)(1), generally authorize the release of PHI to law enforcement officials if the activity is required or authorized by law and if the law enforcement request meets the following basic criteria:
         1. The request is in writing.
         2. The request identifies the specific nature of the law enforcement activity (for example: investigation of sexual assault, child abuse, etc.).
         3. The facility is able to determine that the information sought is relevant and material to the particular law enforcement inquiry.
         4. De-identified information could not be used.
         5. The request is specific and limited in scope to the extent possible.
         6. The request is signed by the head of the law enforcement agency.

            Note:  This requirement has been interpreted to extend to the head of the local division of a law enforcement agency, for example the Chief of the Criminal Division of the local U.S. Attorney's office or the head of the Tribal prosecutor's office.

      2. Special Circumstances.  While the appropriate personnel at an IHS facility may generally release PHI to law enforcement officials pursuant to a law enforcement request that meets the requirements set forth in Section a-f above, in some instances the law enforcement request will need to satisfy certain additional criteria set forth in the HIPAA Privacy Rule before PHI can be released to law enforcement officials.  This section sets forth those instances where such additional requirements must be satisfied before the IHS facility may release PHI to law enforcement officials.
      3. Identifying or Locating a Suspect, Fugitive, Missing Person, etc.  The IHS facility may disclose PHI in response to an otherwise valid law enforcement request for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, provided that the facility may disclose only the following information:
         1. Name and address
         2. Date and place of birth
         3. Social security number
         4. ABO blood type and Rh factor
         5. Type of injury
         6. Date and time of treatment
         7. Date and time of death, if applicable
         8. A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars, and tattoos.
      4. Victims of a Crime.  Except for disclosures required by law, an IHS facility may disclose PHI in response to a law enforcement official's request for such information about an individual who is or is suspected to be a victim of a crime, if:
         1. The individual agrees to the disclosure; or
         2. the IHS facility is unable to obtain the individual's agreement because of incapacity or other emergency, and:
            1. The law enforcement official represents that such information is needed to determine whether a violation of law by a person other than the victim has occurred, and such information is not intended to be used against the victim;
            2. The law enforcement official represents that current, ongoing law enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and
            3. the disclosure is in the best interests of the individual as determined by the IHS facility, in the exercise of professional judgment.
   4. Disclosures of PHI to Law Enforcement Official that do not Require a Law Enforcement Request.  The HIPAA Privacy Rule, 45 CFR § 164.512(f)(4)-(6), provides several instances where an IHS facility may voluntarily disclose PHI to law enforcement officials in the absence of a law enforcement request for such records.  The IHS facility may proactively disclose PHI to law enforcement officials without first receiving a request from a law enforcement official if:
      1. Decedents.  An IHS facility may disclose PHI on a deceased individual to law enforcement official for the purpose of alerting law enforcement of the death of the individual if the facility has a suspicion that such death may have resulted from criminal conduct.
      2. Crime on Premises.An IHS facility may disclose to law enforcement officials PHI that the facility believes in good faith constitutes evidence of criminal conduct that occurred on the facility's premises.
      3. Reporting a Crime in Emergencies.  An IHS facility providing emergency health care in response to a medical emergency, other than such emergency on its own premises, may disclose PHI to a law enforcement official if such disclosure appears necessary to alert law enforcement to:
         1. The commission and nature of a crime;
         2. The location of such crime or of the victim(s) of such crime; and
         3. The identity, description, and location of the perpetrator of such crime.
   5. Members of the IHS Workforce Who Are Victims of Crime.  Members of the IHS workforce who are victims of a crime may disclose PHI to law enforcement officials under certain conditions regardless of whether the crime has occurred at the IHS facility or off premises.  The IHS is not in violation of the HIPAA Privacy Rule if its workforce members who are victims of a crime disclose PHI to law enforcement officials provided that:
      1. The PHI disclosed is about the suspected perpetrator of the criminal act.
      2. The information provided is limited to the perpetrator's:
         1. Name and address
         2. Date and place of birth
         3. Social security number
         4. ABO Blood type and rh factor
         5. Type of injury
         6. Date and time of treatment
         7. Date and time of death, if applicable
         8. A description of distinguishing characteristics (height, weight, eye and hair color, etc.)
   6. Verification of Identity of Law Enforcement Official.  A law enforcement official must verify his or her identity by producing a badge, official identification, or some other identification that shows that the law enforcement official has the authority to accept the PHI on behalf of the law enforcement agency.  See Section 2-7.24, "Procedure for Verification of Identity Prior to Disclosure of PHI."
   7. Temporary Suspensions of Accounting for Disclosures to Law Enforcement Officials
      1. A law enforcement official may request IHS to suspend a patient's right to receive an accounting of disclosures if the Agency or official provides a written statement that such an accounting to the patient would be reasonable likely to impede the Agency or official's duties.  The Agency or official must specify how long to suspend the accounting. During the period of accounting, any disclosures requiring an accounting must still be accounted (documented).  At the end of the suspension, a patient's right to receive an accounting is reinstated.
      2. If the request for temporary suspension is made orally, the IHS must document the identity of the Agency Official or the Official who made the request and must exclude the disclosure(s) for no longer than 30 days from the date of the request, unless a written request is provided during that time. If the Agency Official or official provides a written request that meets the requirement of G(1) above, the IHS must temporarily suspend the patient's right to an accounting for the time period specified in the written request.