Skip Navigation
acfbanner  
ACF
Department of Health and Human Services Administration for Children and Families
          
ACF Home   |   Services   |   Working with ACF   |   Policy/Planning   |   About ACF   |   ACF News   |   HHS Home

  Questions?  |  Privacy  |  Site Index  |  Contact Us  |  Download Reader™Download Reader  |  Print Print      

Office of Head Start skip to primary page contentActing Director Patricia Brown

Information Memorandums (IMs) - 2003

Information on Privacy Regulations for the Health Insurance Portability and Accountability Act (HIPAA) (ACYF-IM-HS-03-04)

ACYF
Administration on Children, Youth, and Families		 U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES
Administration for Children and Families
1. Log No. ACYF-IM-HS-03-04 2. Issuance Date: 05/02/2003
3. Originating Office: Head Start Bureau
4. Key Word: Health Services; Record-keeping

INFORMATION MEMORANDUM: [See Attachment at the bottom]

TO: Head Start and Early Head Start Grantees and Delegate Agencies

SUBJECT: Information on Privacy Regulations for the Health Insurance Portability and Accountability Act (HIPAA)

BACKGROUND:

This Information Memorandum is provided to advise of new Health Insurance Portability and Accountability Act (HIPAA) privacy regulations that certain health care providers, health plans, and health care clearinghouses must comply with beginning April 14, 2003.

The privacy provisions of the federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), apply to health information created or maintained by health care providers who engage in certain electronic transactions, and to health plans and health care clearinghouses. The Department of Health and Human Services (HHS) has issued the regulation, "Standards for Privacy of Individually Identifiable Health Information," applicable to entities covered by HIPAA. Most "covered entities" (certain health care providers, health plans, and health care clearinghouses) are required to comply with the HIPAA Privacy Rule on and after the compliance date of April 14, 2003.

INFORMATION:

Most Head Start and Early Head Start grantees may not themselves be regarded as "covered entities," as they do not function as health plans or health care clearinghouses. Some grantees, however, may fall under the definition of a health care provider, i.e., an agency that furnishes, bills or receives payment for health care in the normal course of business, and engages in certain electronic transactions (see "Am I a Covered Entity?" decision tool at: http://www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp). Head Start and Early Head Start grantees should also be aware that the health providers collaborating with their program may be revising some procedures (e.g., claim forms for health services) to comply with the new privacy regulations. Head Start programs, in concert with their Health Services Advisory Committee, should discuss with their health provider partners any procedural changes they are undertaking to comply with the new HIPAA privacy regulations. This communication can help assure that children and families can continue to receive needed health services in a timely manner.

Head Start programs are also reminded of the Head Start Program Performance Standards on protecting the privacy of information on children and families served. These regulations include:

45 CFR 1304.51(g) Record-keeping systems. Grantee and delegate agencies must establish and maintain efficient and effective record-keeping systems to provide accurate and timely information regarding children, families, and staff and to ensure confidentiality of this information; and,
45 CFR 1304.52(h)(1) Grantee and delegate agencies must ensure that all staff, consultants, and volunteers abide by the program's standards of conduct. These standards must specify that:. (ii) They will follow program confidentiality policies concerning information about children, families, and other staff members;

Sound program policies and practices to implement these requirements include:

  • Establishing and implementing a written policy regarding the confidentiality of, and access to, the records of staff, volunteers, families, and children, which meets Federal, State and local laws;
  • Informing parents/guardians of the child and family data to be collected and how it will be used, and providing assurances that the use will be restricted to the stated purposes;
  • Obtaining and storing signed parent consent forms for releases of family or child information to and from other agencies, child placements or schools;
  • Controlling access to record files, and prohibiting record review and sharing beyond that required to perform program duties; and,
  • Familiarizing relevant staff with all laws governing confidentiality policies, particularly as they pertain to interagency collaborations in which information about children and families is shared.

The HHS Office for Civil Rights (OCR) is responsible for implementing and enforcing the HIPAA privacy regulation. Attached please find the Office for Civil Rights' General Overview of the HIPAA privacy regulation (with frequently asked questions). For more information on this regulation, visit OCR's website, Medical Privacy - National Standards to Protect the Privacy of Personal Health Information, at: http://www.hhs.gov/ocr/hipaa/.

/ Windy M. Hill /
Windy M. Hill
Associate Commissioner
Head Start Bureau

(Download in PDF)

Attachment:
"General Overview of Standards for Privacy of Individually Identifiable Health Information," [PDF, 87KB] HHS Office for Civil Rights, (04-03-2003).