Health Insurance Portability & Accountability Act

The Department of Health and Human Services has designed the following new forms to facilitate compliance with the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). Clients may use some of these forms to exercise their rights under this law. Department staff use some of these forms to fulfill their responsibilities.

Clients may print and complete applicable forms and mail them to the Privacy Officer, Department of Human Services, 1305 East Walnut, Des Moines, Iowa 50319-0114, or take them to their worker at any of the Department's locations in the field or in the facilities.

Designation of Personal Representative, Form 470-3948. Clients may use Form 470-3948 when there is a need to designate a personal representative. A "personal representative" is someone designated by another as standing in the other's place or representing the other's interest for one or more purposes.

Record of Disclosure of Health Information, Form 470-4015. Form 470-4015 is designed to notify the HIPAA Privacy Office or the facility privacy official when Department staff makes a disclosure of protected health information.

HIPAA Complaint, Form 470-3981. Clients may use Form 470-3981 to complain about the Department's policies or procedures implementing the Health Insurance Portability and Accountability Act (HIPAA) of 1996, Public Law 104-191, and federal regulations (45 CFR Parts 160 and 164).

Request for Access to Health Information, Form 470-3952 (Revised 08/03). A client may use form 470-3952 to request access to or obtain a copy of the client's protected health information.

Request for List of Disclosures, Form 470-3985 (Revised 08/03). Clients may use form 470-3985 to request a disclosure of the protected health information that the Department has released to another person or agency.

Request to Amend Health Information, Form 470-3950 (Revised 09/03). Clients may use form 470-3950 to request that protected health information in a client's designated record set be amended.

Request to Change How Health Information Is Provided, Form 470-3947 (Revised 09/03). Clients may use form 470-3947 to request that protected health information be shared with them by alternative means, such as by email or fax or at a different location, either by mail or in person.

Request to Restrict Use or Disclosure of Health Information, Form 470-3953 (Revised 09/03). Clients may use form 470-3953 to request that the use or disclosure of protected health information be restricted.

Request to End an Authorization, Form 470-3949. Clients may use form 470-3949 to request that form 470-3951, Authorization to Obtain or Release Health Care Information, that was previously signed by the client or the client's representative be revoked.

Acknowledgement of Notice of Privacy Rights and Practices, Form 470-3946. Form 470-3946 is used by Department health care facilities having a direct treatment relationship with a client to obtain written acknowledgement of the client's receipt of the notice of privacy rights and practices.

Authorization to Obtain or Release Health Care Information, Form 470-3951 (Revised 08/03). Form 470-3951 is a two-way release form used to get the permission of the client or the client's legally authorized representative to:

Release health information about the client to a third party.

Obtain health information needed to provide service to the client.

HIPAA requires the Department to provide notices to its customers regarding the uses and disclosures of protected health information that may be made by the Department, the customer's rights, and the legal duties of the Department.

The Department's health plans (Medicaid and Hawki) and providers (facilities) have developed notices to meet these requirements. These notices have been mailed or given to current customers and will be provided to new customers at application. The notices are also available by clicking on the applicable link below in both English and Spanish translations.

It is important to note that the Department will not release our customer's health information any differently than it currently does. In fact, HIPAA does create some additional restrictions on how health information can be used. Existing state and federal laws are as restrictive regarding the release of information as HIPAA.

It is also important to note that no action is required of the Department's customers by these notices. The notices are intended to provide information about customer's new rights. Customers should review these notices and contact the persons listed in the notices with any questions or to exercise their rights.

Medicaid:

Information About Your Privacy Rights - Comm 209

Informaciobre de Sus Derechos de Privacidad - Comm 209 (Spanish)

Facilities:

Privacy Notice - Independence Mental Health Institute - Comm 210

Aviso de Privacidad - Independence Mental Health Institute - Comm 210 (Spanish)

Notice of Privacy Practices - Mt. Pleasant Mental Health Institute - Comm 211 

Aviso de Practicas de Privacidad - Mt. Pleasant Mental Health Institute - Comm 211 (Spanish)

Notice of Privacy Practices - Cherokee Mental Health Institute - Comm 212

Aviso de Practicas de Privacidad - Cherokee Mental Health Institute - Comm 212 (Spanish)

Notice of Privacy Practices - Clarinda Mental Health Institute - Comm 213

Aviso de Practicas de Privacidad - Clarinda Mental Health Institute - Comm 213 (Spanish)

Notice of Privacy Practices - Glenwood Resource Center - Comm 214

Aviso de Practicas de Privacidad" - Glenwood Resource Center - Comm 214 (Spanish)

Notice of Privacy Practices" - Woodward Resource Center - Comm 215

Aviso de Practicas de Privacidad" - Woodward Resource Center - Comm 215 (Spanish)

Business Associate Agreement Effective September 30, 2013

BAA effective 9-30-2013

Business Associate Agreement Effective March 15, 2010

BAA effective 3-15-2010 

HHS Incident Report (470-5134)

In the event of a potential or actual data breach, complete and return the HHS Incident Report form following the instructions in the form.

Historical Information

BAA effective 2-1-2010

Questions should be referred to the Information Security & Privacy Office at: dcoving@dhs.state.ia.us.

HIPAA Statute

HIPAA Privacy Rule

HIPAA Security Rule

Office For Civil Rights

Centers for Medicare & Medicaid Services