Skip Navigation  
acfbanner  
blueline
Department of Health and Human Services Administration for Children and Families
          
ACF Home   |   Services   |   Working with ACF   |   Policy/Planning   |   About ACF   |   ACF News   |   HHS Home

  Questions?  |  Privacy  |  Site Index  |  Contact Us  |  Download Reader™Download Reader  |  Print Print      


Children's Bureau Safety, Permanency, Well-being  Advanced
 Search

Home > Laws & Policies > Policy/Program Issuances > Information Memoranda > IM-04-01


ACF
Administration for Children and Families		 U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES
Administration for Children, Youth and Families
1. Log No.: ACYF-CB-IM-04-01 2. Issuance Date: February 17, 2004
3. Originating Office: Children's Bureau
4. Key Words: HIPAA; Privacy Regulations; Health Services; Record-keeping

INFORMATION MEMORANDUM

To: State and Territorial Agencies Administering or Supervising the Administration of title IV-B and title IV-E of the Social Security Act and ACF Regional Administrators
Subject: Information on Privacy Regulations for the Health Insurance Portability and Accountability Act (HIPAA)
Legal and Related References: P.L. 104-191 (Health Insurance Portability and Accountability Act of 1996); Sections 1171 through 1179 of the Social Security Act (P.L. 107-105 (the "Administrative Simplification Act")); 45 CFR § 160; 45 CFR § 164.
Background: This Information Memorandum is provided to advise of new Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy regulations with which certain health care providers, health plans and health care clearinghouses must comply beginning on April 14, 2003. HIPAA's privacy regulations affect health information created or maintained by health care providers who engage in certain electronic transactions. The Department of Health and Human Services (HHS) has issued the regulation, "Standards for Privacy of Individually Identifiable Health Information," applicable to entities covered by HIPAA. (See 45 CFR Parts 160 and 164 or http://www.hhs.gov/ocr/hipaa/finalmaster.html). Most "covered entities" (certain health care providers, health plans and health care clearinghouses) are required to comply with the HIPAA Privacy Rule on and after the compliance date of April 14, 2003.

Information:

Some title IV-E child welfare agencies may be defined as health care providers, which is an agency that furnishes, bills or receives payment for health care in the normal course of business, and engages in certain electronic transactions. In order to determine whether a State child welfare agency is a covered entity, please refer to the "Am I a Covered Entity’" decision tool at: http://www.hhs.gov/ocr/hipaa/assist.html. Child welfare agencies also should be aware that the health care providers that collaborate with the agency are likely to be revising some procedures (e.g., claim forms for health services) to comply with the new privacy regulations. Child welfare agencies should discuss with their health provider partners any procedural changes that they are undertaking to comply with the new HIPAA privacy regulations. This communication can help ensure that children in the agency's care continue to receive needed health services in an efficient and timely manner.

States organize their child welfare agencies differently. Consequently, HHS and the Children's Bureau cannot determine whether all child welfare agencies are subject to the HIPAA regulations. We understand that some States have concluded that by virtue of their organizational structure, their child welfare agencies are "covered entities" subject to HIPAA's regulations. Some States have determined that because they are a "business associate" of a covered entity, their child welfare agency is subject to HIPAA regulations. Other States, however, have concluded the opposite.

Regardless of whether a child welfare agency is a covered entity or otherwise subject to HIPAA's regulations, such agencies must adhere to the confidentiality requirements that govern titles IV-E and IV-B of the Social Security Act and the Child Abuse Prevention and Treatment Act (CAPTA). Specifically, the State plans for both titles IV-E and IV-B must meet the requirements of Section 471 (a)(8) of the Social Security Act. (Also see 45 CFR § 1355.21(a)). Similarly, CAPTA requires that States that receive CAPTA grants establish "methods to preserve the confidentiality of all records in order to protect the rights of the child and of the child's parents or guardians (See CAPTA §106(b)(2)(A)(ix)).

As always, it is sound practice to train and inform staff about all applicable Federal laws and regulations that address confidentiality and privacy issues.

The HHS Office for Civil Rights (OCR) is responsible for implementing and enforcing the HIPAA privacy regulation. Attached please find the Office for Civil Rights' General Overview of the HIPAA privacy regulation (with frequently asked questions). For more information on this regulation, visit OCR's website, Medical Privacy - National Standards to Protect the Privacy of Personal Health Information, at: http://www.hhs.gov/ocr/hipaa/.

         
Joan E. Ohl
Commissioner

Attachment: "General Overview of Standards for Privacy of Individually Identifiable Health Information" HHS Office for Civil Rights, (12-3-2002) http://www.hhs.gov/ocr/hipaa/guidelines/overview.pdf