G1.17 Confidentiality and Safeguards Regarding Client, DPP Office, Program and Facility Information

Introduction

All information obtained through the process of providing services to clients/individuals of the Division of Protection and Permanency (DPP), conducting adult or child abuse, neglect or dependency investigations, foster or adoptive home studies, and adoption where judgment has been rendered, is deemed confidential.

Applicants for services and clients of DPP are made aware of the information maintained in their case records. Information contained in a client’s case record will not be released outside DPP except as specified by KRS 61.870-61.884, the Open Records Act, and HIPAA regulations. When statutes conflict, the federal law prevails.

Each DPP office, facility, and program has in place appropriate administrative, technical, and physical safeguards to reasonably secure all information pertaining to a client’s case records and protected health information (PHI) from intentional and unintentional unauthorized use or disclosure.

Any person requesting disclosure of information about a client’s case record follows the procedures outlined in SOP 30.10 CPS Open Records Request and Disclosure of Information and SOP 30.11 APS Open Records and Confidentiality. Information regarding notice of privacy practices and access to and obtaining a copy of protected health information is located on the Health Insurance Portability and Accountability Act Tip Sheet linked in this section.

Practice Guidance

  • Each new workforce staff member receives HIPAA training elements within six (6) months after joining DPP;
  • Each new workforce staff member whose job requirements are impacted by a material change in the policies and procedures relating to protected health information (PHI), or by a change in position or job description, receives the training as described above within a reasonable time after the change becomes effective;
  • Upon employment, each workforce staff member signs the CHFS-219 Employee Confidentiality/Security Agreement, indicating their understanding of and compliance with applicable policies and procedures relating to confidentiality and security;
  • The CHFS-219 is then maintained in their personnel file.
  • The Training Branch maintains documentation of each staff member’s completion of HIPAA training.
  • Hard copy cases should never be removed from the local office unless they are being transported from one approved DCBS location to another. Examples include: 
    • 2nd level case reviews;
    • Case transfers; 
    • Fatalities;
    • Service complaints/CAPTA appeals;
    • Pre-Permanency conferences;
    • Sealed adoption cases to central office.

Procedure

Related Information

The department designates an individual from the Office of Legal Services (OLS) at central office as a HIPAA privacy officer, responsible for overseeing, counseling, and approving the development and implementation of DPP standards of practice relating to the safeguarding of PHI. The department designates the Office of the Ombudsman, in coordination with the Records Management Section, at central office as the body responsible for receiving complaints concerning HIPAA privacy regulations, validating and approving or denying a client’s or the client’s personal representative’s access to protected health information.

DPP and the offices, programs, and facilities of the division maintain required standards of practice and procedures in written or electronic form and copies of all communications, actions, activities, or designations as are required to be documented under HIPAA privacy regulations, for a minimum period of six (6) years from the later of the date of creation or the last effective date.

The Office of the Ombudsman, in conjunction with the Division of Administration and Financial Management (DAFM) Records Management Section, local offices, and workforce staff, documents:

  • Any and all signed authorizations;
  • All complaints and their disposition, if any;
  • Any sanctions that are applied as a result of non-compliance with HIPAA privacy regulations;
  • Any use or disclosure of PHI for research without the client’s authorization; and
  • Compliance with the Notice of Privacy Practices by retaining:
    • Copies of current and past notices it issues;
    • Written acknowledgements of the receipt of notice;
    • Written documentation of good faith efforts that failed to obtain written acknowledgment; and
    • Any SOP required to implement compliance.
  • Designated case records that are subject to access by clients/individuals and the titles of persons or offices responsible for receiving and processing requests for access.
  • All agreements with the client or personal representative by DPP regarding restriction of use and disclosure of PHI about the client to carry out treatment, payment or health care operations and the titles of persons or offices responsible for receiving and processing requests for restrictions.
  • All agreements with the client or personal representative by DPP regarding amendments to the client’s PHI and the titles of persons or offices responsible for receiving and processing requests for amendments.
  • Accounting of disclosures of PHI required by HIPAA privacy regulations made by DPP to include:
    • The date of the disclosure;
    • The name of the entity or individual who received the PHI and, if known, the address of such entity or individual;
    • A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis of the disclosure;
    • The written accounting of disclosure that is provided to the individual; and
    • The titles of persons or offices responsible for receiving and processing requests for an accounting of disclosure by clients.

Documents

Revisions