Note: This HIPAA information applies to legacy Iowa Department of Human Services programs and services only.
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996. As part of the Act, Congress called for regulations promoting administrative simplification of healthcare transactions as well as regulations ensuring the privacy and security of patient information.
These regulations apply to what are called "covered entities": healthcare providers, health plans and healthcare clearinghouses that transmit any health information in electronic form in connection with a transaction covered under HIPAA. The Iowa Department of Human Services is considered a covered entity under HIPAA as a health plan.
The HIPAA Privacy Regulations govern the release of protected health information, called PHI. Covered entities must provide notice of privacy policies and procedures to patients, obtain consent and authorization for use of information and tell how information is generally shared and how patients can access, inspect, copy and amend their own medical record.
HIPAA Security Regulations dictate the kind of safeguards covered entities must have in place to ensure the confidentiality and integrity of electronic PHI.
DHS became HIPAA compliant as of April 21, 2005.
HIPAA Resources
The Department of Health and Human Services has designed the following new forms to facilitate compliance with the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). Clients may use some of these forms to exercise their rights under this law. Department staff use some of these forms to fulfill their responsibilities.
Clients may print and complete applicable forms and mail them to the Privacy Officer, Department of Human Services, 1305 East Walnut, Des Moines, Iowa 50319-0114, or take them to their worker at any of the Department's locations in the field or in the facilities.
Designation of Personal Representative, Form 470-3948 (109.93 KB) .pdf. Clients may use Form 470-3948 when there is a need to designate a personal representative. A "personal representative" is someone designated by another as standing in the other's place or representing the other's interest for one or more purposes.
Record of Disclosure of Health Information, Form 470-4015 (25.21 KB) .pdf. Form 470-4015 is designed to notify the HIPAA Privacy Office or the facility privacy official when Department staff makes a disclosure of protected health information.
HIPAA Complaint, Form 470-3981 (35.98 KB) .pdf. Clients may use Form 470-3981 to complain about the Department's policies or procedures implementing the Health Insurance Portability and Accountability Act (HIPAA) of 1996, Public Law 104-191, and federal regulations (45 CFR Parts 160 and 164).
Request for Access to Health Information, Form 470-3952 (47.01 KB) .pdf (Revised 08/03). A client may use form 470-3952 to request access to or obtain a copy of the client's protected health information.
Request for List of Disclosures, Form 470-3985 (91.67 KB) .pdf (Revised 08/03). Clients may use form 470-3985 to request a disclosure of the protected health information that the Department has released to another person or agency.
Request to Amend Health Information, Form 470-3950 (105.17 KB) .pdf (Revised 09/03). Clients may use form 470-3950 to request that protected health information in a client's designated record set be amended.
Request to Change How Health Information Is Provided, Form 470-3947 (79.38 KB) .pdf (Revised 09/03). Clients may use form 470-3947 to request that protected health information be shared with them by alternative means, such as by email or fax or at a different location, either by mail or in person.
Request to Restrict Use or Disclosure of Health Information, Form 470-3953 (136.69 KB) .pdf (Revised 09/03). Clients may use form 470-3953 to request that the use or disclosure of protected health information be restricted.
Request to End an Authorization, Form 470-3949 (36.47 KB) .pdf. Clients may use form 470-3949 to request that form 470-3951, Authorization to Obtain or Release Health Care Information, that was previously signed by the client or the client's representative be revoked.
Acknowledgement of Notice of Privacy Rights and Practices, Form 470-3946 (19.87 KB) .pdf. Form 470-3946 is used by Department health care facilities having a direct treatment relationship with a client to obtain written acknowledgement of the client's receipt of the notice of privacy rights and practices.
Authorization to Obtain or Release Health Care Information, Form 470-3951 (228.29 KB) .pdf (Revised 08/03). Form 470-3951 is a two-way release form used to get the permission of the client or the client's legally authorized representative to:
Release health information about the client to a third party.
Obtain health information needed to provide service to the client.
HIPAA requires the Department to provide notices to its customers regarding the uses and disclosures of protected health information that may be made by the Department, the customer's rights, and the legal duties of the Department.
The Department's health plans (Medicaid and Hawki) and providers (facilities) have developed notices to meet these requirements. These notices have been mailed or given to current customers and will be provided to new customers at application. The notices are also available by clicking on the applicable link below in both English and Spanish translations.
It is important to note that the Department will not release its customers' health information any differently than it currently does. In fact, HIPAA does create some additional restrictions on how health information can be used. Existing state and federal laws are as restrictive regarding the release of information as HIPAA.
It is also important to note that no action is required of the Department's customers by these notices. The notices are intended to provide information about customers' new rights. Customers should review these notices and contact the persons listed in the notices with any questions or to exercise their rights.
Medicaid:
Information About Your Privacy Rights - Comm 209 (456.56 KB) .pdf
Información Sobre de Sus Derechos de Privacidad - Comm 209 (Spanish) (609.48 KB) .pdf
Facilities:
Notice of Privacy Practices - Independence Mental Health Institute - Comm 210 (238.52 KB) .pdf
Aviso de Privacidad - Independence Mental Health Institute - Comm 210 (Spanish) (47.05 KB) .pdf
Notice of Privacy Practices - Cherokee Mental Health Institute - Comm 212 (238.19 KB) .pdf
Notice of Privacy Practices - Woodward Resource Center - Comm 215 (238.01 KB) .pdf
Aviso de Practicas de Privacidad - Woodward Resource Center - Comm 215 (Spanish) (47.04 KB) .pdf
Business Associate Agreement Effective September 30, 2013
BAA effective 9-30-2013 (177.5 KB) .pdf
Business Associate Agreement Effective March 15, 2010
BAA effective 3-15-2010 (107.89 KB) .pdf
HHS Incident Report (470-5134)
In the event of a potential or actual data breach, complete and return the HHS Incident Report form (106.31 KB, .pdf), following the instructions in the form.
Historical Information
BAA effective 2-1-2010 (110.78 KB) .pdf
Questions should be referred to the Information Security & Privacy Office at: dcoving@dhs.state.ia.us.
If you have any questions or concerns regarding HIPAA, or how DHS is protecting your health information, please contact: