This week, investigate and evaluate the financial implications of the selected healthcare policy. You should explain why the policy exists and if the main focus is access, cost, or quality. What services are provided? What is the cost of those services? Who and how are the services paid for? Some of you might find specific answers to some of these questions; others will have to make assumptions, backed by research, to answer these questions.

The selected Health Care Policy is Policy Subject: Use and Disclosure of Personal Information in Tennessee. I am attaching the policy below!

PURPOSE OF POLICY This policy addresses how the Division of TennCare (TennCare) uses and discloses applicant and enrollee personal information, including but not limited to personally identifiable information (PII) and protected health information (PHI). TennCare must follow specific guidelines for both required and permitted disclosures pursuant to the Privacy Act of 1974, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other applicable federal and state laws and regulations. POLICY TennCare shall only use and disclose personal information as required or permitted by the Privacy Act, HIPAA and other federal and state laws and regulations. TennCare must seek authorization to use and disclose personal information unless it is expressly required or permitted to use and disclose such information without prior consent. TennCare will provide enrollees with all the privacy rights granted by the Privacy Act, HIPAA and other federal and state laws and regulations. DISCUSSION & LEGAL BASIS Privacy laws outline how TennCare may use and disclose enrollee personal information, including when enrollee notice and approval is necessary. Generally, TennCare must seek authorization from an enrollee to use and disclose enrollee personal information when use or disclosure is not related to treatment, payment, and general healthcare operations activities. Permitted Uses and Disclosures. Under HIPAA, TennCare may use or disclose personal information without an enrollee's prior consent for treatment, payment, and healthcare operations. Treatment activities include but are not limited to the provision of medical services, care coordination and case-management. Payment activities include but are not limited to eligibility determinations, billing, claims processing, and collections and medical necessity 1 PRIV 007 - Information Use and Disclosure Rev: 08/2018 TennCare review. Health care operations activities include but are not limited to quality improvement activities, medical review, credentialing and licensing, training operations, administrative functions, and fraud and abuse detection. Required disclosures. Under HIPAA, TennCare must disclose personal information under several circumstances which include: to the enrollee when requested under applicable regulations and, to the Secretary of the Department of Health and Human Services to investigate or determine TennCare's compliance with HIPAA. Uses and disclosures for which enrollee authorization is required. Except as described above, enrollee authorization is required for any use or disclosure of personal information including any use or disclosure for marketing purposes. If TennCare seeks an authorization form from an enrollee for a use or disclosure of enrollee personal information, then TennCare must subsequently provide the enrollee with a copy of the signed authorization if requested. Uses and disclosures requiring an opportunity for the enrollee to agree or to object (45 CFR $164.510). TennCare may orally inform an individual of or obtain the individual's oral agreement or objection to a use or disclosure permitted under HIPAA. There are two (2) circumstances where an opportunity for the enrollee to agree or to object to the use and disclosure of PHI: Use and disclosure for facility directories; and, Uses and disclosures for involvement in the individual's care and notification. Uses and disclosures for which enrollee authorization or opportunity to agree or object is not required (45 CFR $164.512 and 5 U.S.C. SS 552a). Authorization to use or disclose personal information is not required under the following circumstances: Uses and disclosures required by law; Uses and disclosures for public health activities (or to facilitate public health investigations); Disclosures about victims of abuse, neglect or domestic violence; Uses and disclosures for health oversight activities (e.g. investigation by the DHHS and the Office of Civil Rights); Disclosures for judicial and administrative proceedings; Disclosures for law enforcement purposes; Uses and disclosures about decedents in certain circumstances; Uses and disclosures for cadaveric organs, eye or tissue donation purposes; Uses and disclosures for research purposes when authorization is waived by the institutional review board (IRB) or Privacy Board; . . Uses and disclosures to avert a serious threat to health or safety; Uses and disclosures for specialized government functions, especially to assure proper execution of a military mission, etc.; and, Disclosures for worker's compensation. PROCEDURE 1. Appropriate TennCare staff shall determine whether authorization is required in order to respond to a request to use or disclose enrollee personal information. a) If a request for personal information involves a permitted use and disclosure (e.g. for treatment, payment, or healthcare operations), then the information may be released. b) If a request for personal information involves a required use and disclosure of PII or PHI, then the information should be released. c) If a request for personal information involves a use and disclosure that requires enrollee authorization, then the proper written documentation and approval by the enrollee or their representative must be obtained before releasing the information. d) Whenever authorization is not required, TennCare staff should follow departmental procedures and log or account for the release of specified information to outside entities as applicable. 2. TennCare shall seek authorization from an enrollee to use and disclose enrollee personal information and utilize the appropriate forms provided on TennCare's website (See "Permission to Release Information" form). 3. Authorization forms. a) Authorizations will be made utilizing the appropriate form approved by the TennCare Privacy Office and the Office of General Counsel, or equivalent documents. b) If TennCare requires a signed authorization form from an individual for a use or disclosure of personal information, then TennCare must provide that individual with a copy of the signed authorization form if requested. 4. The appropriate forms are available on the TennCare website. As appropriate, TennCare may require authentication and verification of identity for an enrollee who calls requesting their own personal information. 5. Each division within TennCare shall develop procedures related to the job functions of the employees that comply with the guidelines of TennCare regarding uses and disclosures of enrollee personal information. 6. Any questions regarding required and/or permitted uses and disclosures of enrollee personal information should be directed to the TennCare Privacy Office. DEFINITIONS Enrollee: An individual applying for or currently enrolled in any category of State of Tennessee's Medicaid program (TennCare), and Children's Health Insurance Program (CHIP, 3 known as CoverKids in Tennessee), or in any Tennessee federal Medicaid waiver program approved pursuant to Sections 1115 or 1915 of the Social Security Act; and, for purposes of TennCare privacy policies, the term may also be used to reference one who was previously an enrollee during a period for which there is a privacy request or compliance inquiry. HIPAA: Health Insurance Portability and Accountability Act of 1996, for which administrative simplification, privacy and security regulations are codified at 45 CFR SS 160-164. The Privacy Act of 1974: A United States federal law, enacted December 31, 1974, and codified at 5 U.S.C. 552a which establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information. Protected Health Information (PHI): Information that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium, including demographic information that identifies or may be used to identify an individual and that: (1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) Relates to the physical or mental health or condition of an individual. Personally Identifiable Information (PII): Information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. OFFICE OF PRIMARY RESPONSIBILITY TennCare Privacy Office, Office of General Counsel RELATED FORMS Permission to Release Records REFERENCES 45 CFR 164.501, 45 CFR 164.502, 45 CFR 164.506, 45 CFR 164.508, 45 CFR 164.512 The Privacy Act of 1974 5 U.S.C. SS 552a (c)(3), (d)(5), (e) (4); (j), (k), (t) OMB Circular A-130 PURPOSE OF POLICY This policy addresses how the Division of TennCare (TennCare) uses and discloses applicant and enrollee personal information, including but not limited to personally identifiable information (PII) and protected health information (PHI). TennCare must follow specific guidelines for both required and permitted disclosures pursuant to the Privacy Act of 1974, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other applicable federal and state laws and regulations. POLICY TennCare shall only use and disclose personal information as required or permitted by the Privacy Act, HIPAA and other federal and state laws and regulations. TennCare must seek authorization to use and disclose personal information unless it is expressly required or permitted to use and disclose such information without prior consent. TennCare will provide enrollees with all the privacy rights granted by the Privacy Act, HIPAA and other federal and state laws and regulations. DISCUSSION & LEGAL BASIS Privacy laws outline how TennCare may use and disclose enrollee personal information, including when enrollee notice and approval is necessary. Generally, TennCare must seek authorization from an enrollee to use and disclose enrollee personal information when use or disclosure is not related to treatment, payment, and general healthcare operations activities. Permitted Uses and Disclosures. Under HIPAA, TennCare may use or disclose personal information without an enrollee's prior consent for treatment, payment, and healthcare operations. Treatment activities include but are not limited to the provision of medical services, care coordination and case-management. Payment activities include but are not limited to eligibility determinations, billing, claims processing, and collections and medical necessity 1 PRIV 007 - Information Use and Disclosure Rev: 08/2018 TennCare review. Health care operations activities include but are not limited to quality improvement activities, medical review, credentialing and licensing, training operations, administrative functions, and fraud and abuse detection. Required disclosures. Under HIPAA, TennCare must disclose personal information under several circumstances which include: to the enrollee when requested under applicable regulations and, to the Secretary of the Department of Health and Human Services to investigate or determine TennCare's compliance with HIPAA. Uses and disclosures for which enrollee authorization is required. Except as described above, enrollee authorization is required for any use or disclosure of personal information including any use or disclosure for marketing purposes. If TennCare seeks an authorization form from an enrollee for a use or disclosure of enrollee personal information, then TennCare must subsequently provide the enrollee with a copy of the signed authorization if requested. Uses and disclosures requiring an opportunity for the enrollee to agree or to object (45 CFR $164.510). TennCare may orally inform an individual of or obtain the individual's oral agreement or objection to a use or disclosure permitted under HIPAA. There are two (2) circumstances where an opportunity for the enrollee to agree or to object to the use and disclosure of PHI: Use and disclosure for facility directories; and, Uses and disclosures for involvement in the individual's care and notification. Uses and disclosures for which enrollee authorization or opportunity to agree or object is not required (45 CFR $164.512 and 5 U.S.C. SS 552a). Authorization to use or disclose personal information is not required under the following circumstances: Uses and disclosures required by law; Uses and disclosures for public health activities (or to facilitate public health investigations); Disclosures about victims of abuse, neglect or domestic violence; Uses and disclosures for health oversight activities (e.g. investigation by the DHHS and the Office of Civil Rights); Disclosures for judicial and administrative proceedings; Disclosures for law enforcement purposes; Uses and disclosures about decedents in certain circumstances; Uses and disclosures for cadaveric organs, eye or tissue donation purposes; Uses and disclosures for research purposes when authorization is waived by the institutional review board (IRB) or Privacy Board; . . Uses and disclosures to avert a serious threat to health or safety; Uses and disclosures for specialized government functions, especially to assure proper execution of a military mission, etc.; and, Disclosures for worker's compensation. PROCEDURE 1. Appropriate TennCare staff shall determine whether authorization is required in order to respond to a request to use or disclose enrollee personal information. a) If a request for personal information involves a permitted use and disclosure (e.g. for treatment, payment, or healthcare operations), then the information may be released. b) If a request for personal information involves a required use and disclosure of PII or PHI, then the information should be released. c) If a request for personal information involves a use and disclosure that requires enrollee authorization, then the proper written documentation and approval by the enrollee or their representative must be obtained before releasing the information. d) Whenever authorization is not required, TennCare staff should follow departmental procedures and log or account for the release of specified information to outside entities as applicable. 2. TennCare shall seek authorization from an enrollee to use and disclose enrollee personal information and utilize the appropriate forms provided on TennCare's website (See "Permission to Release Information" form). 3. Authorization forms. a) Authorizations will be made utilizing the appropriate form approved by the TennCare Privacy Office and the Office of General Counsel, or equivalent documents. b) If TennCare requires a signed authorization form from an individual for a use or disclosure of personal information, then TennCare must provide that individual with a copy of the signed authorization form if requested. 4. The appropriate forms are available on the TennCare website. As appropriate, TennCare may require authentication and verification of identity for an enrollee who calls requesting their own personal information. 5. Each division within TennCare shall develop procedures related to the job functions of the employees that comply with the guidelines of TennCare regarding uses and disclosures of enrollee personal information. 6. Any questions regarding required and/or permitted uses and disclosures of enrollee personal information should be directed to the TennCare Privacy Office. DEFINITIONS Enrollee: An individual applying for or currently enrolled in any category of State of Tennessee's Medicaid program (TennCare), and Children's Health Insurance Program (CHIP, 3 known as CoverKids in Tennessee), or in any Tennessee federal Medicaid waiver program approved pursuant to Sections 1115 or 1915 of the Social Security Act; and, for purposes of TennCare privacy policies, the term may also be used to reference one who was previously an enrollee during a period for which there is a privacy request or compliance inquiry. HIPAA: Health Insurance Portability and Accountability Act of 1996, for which administrative simplification, privacy and security regulations are codified at 45 CFR SS 160-164. The Privacy Act of 1974: A United States federal law, enacted December 31, 1974, and codified at 5 U.S.C. 552a which establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information. Protected Health Information (PHI): Information that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium, including demographic information that identifies or may be used to identify an individual and that: (1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) Relates to the physical or mental health or condition of an individual. Personally Identifiable Information (PII): Information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. OFFICE OF PRIMARY RESPONSIBILITY TennCare Privacy Office, Office of General Counsel RELATED FORMS Permission to Release Records REFERENCES 45 CFR 164.501, 45 CFR 164.502, 45 CFR 164.506, 45 CFR 164.508, 45 CFR 164.512 The Privacy Act of 1974 5 U.S.C. SS 552a (c)(3), (d)(5), (e) (4); (j), (k), (t) OMB Circular A-130