12VAC30-20-90. Confidentiality and disclosure of information concerning Medicaid applicants and recipients.
A. Definitions. The following words and terms when used in these regulations shall have the following meanings, unless the context clearly indicates otherwise:
"Agency" or "the Medicaid agency" means the Department of Medical Assistance Services or its designee.
"Client" means an applicant for, or recipient of, Medicaid benefits.
"Client information" or "client record" means any information, including information stored in computer data banks or computer files relating to a recipient or applicant, which was received in connection with the performance of any function of the agency and which either identifies a client or describes a client such that the client could be specifically identified.
"Provider" means any individual or organization that delivers a medical service to a recipient of, or applicant for, Medicaid benefits.
"The Plan" means the State Plan for Medical Assistance.
B. Purpose. Section 1902(a)(7) of the Social Security Act and 42 CFR 431.300 et seq. require a State Plan for Medical Assistance to provide safeguards to restrict the use or disclosure of information concerning applicants and recipients to purposes directly connected with the administration of the Plan. The rules herein are established to protect the rights of clients to confidentiality of their Medicaid information. Section 32.1-325.3 of the Code of Virginia requires the Board of Medical Assistance Services to promulgate regulations consistent with the foregoing.
C. Release of client information. Except as otherwise provided in these rules, no person shall obtain, disclose or use, or authorize, permit or acquiesce the use of any client information that is directly or indirectly derived from the records, files, or communications of the agency, except for purposes directly connected with the administration of the Plan or as otherwise provided by federal and state law. The agency can conduct all of the above administrative activities itself or it can contract some or all of them to other state agencies or private companies. These other entities must maintain client information confidential in accordance with the terms of these regulations. Purposes directly related to the administration of the Plan include; but are not limited to:
1. Establishing eligibility;
2. Determining the amount of medical assistance;
3. Providing services for recipients; and
4. Conducting or assisting in an investigation, prosecution or a civil or criminal proceeding related to the administration of the Plan.
D. Safeguarding client information. All information associated with an applicant or recipient that could disclose the individual's identity is confidential and shall be safeguarded. Such information shall include, but is not limited to:
1. Name, address and all types of identification numbers assigned to the client;
2. Medical services provided to the client;
3. Social and economic conditions or circumstances of the client;
4. Agency evaluation of the client's personal information;
5. Medical data about the client, including diagnoses and past histories of disease or disabilities;
6. Information received for verifying income, eligibility, and amount of medical assistance payments; and
7. Information received in connection with identification of legally liable third party resources, and information received in connection with processing and rendering decisions of recipient appeals.
E. Ownership of records.
1. All client information contained in the agency records is the property of the agency, and employees of the agency shall protect and preserve such information from dissemination except as provided herein.
2. Original client records are not to be removed from the premises by individuals other than authorized staff of the agency, except by a court order. The agency may destroy records pursuant to records retention schedules consistent with state and federal regulations.
F. Disclosure of client information.
1. Conditions for releasing information. Access to information concerning applicants or recipients must be restricted to persons or agency representatives who are subject to the standards of confidentiality that are consistent with that of the agency.
a. Consent. As part of the application process for Medicaid, the client shall be informed of the need to consent to the release of information necessary for verifying eligibility. Whenever a person, agency or organization that is not performing one or more of the functions delineated in subsection C of this section requests client information, the Medicaid agency must obtain written permission to disseminate the information from the client or the person legally responsible for the client whenever possible. A release for information obtained from the client by the requesting agency also satisfies this requirement.
b. Client information may be released without the client's written permission under the following conditions:
(1) An emergency exists and prior attempts to contact the client or legally responsible persons for permission have been unsuccessful;
(2) A court of competent jurisdiction has ordered the production of information and the agency does not have sufficient time to notify the client or legally responsible person before responding to the order;
(3) The release of such client information is necessary to prevent loss of, or risk to, life or health of the client;
(4) In the case of third party liability, as explained in subdivision G 2 of this section; or
(5) Release is not otherwise prohibited by law or regulation.
c. Notification. If one of the conditions above is met and consent is not obtained before the release of the information, the agency must provide written notification to the client or legally responsible person within five work days after disclosure.
d. Consent process. The consent for release of information shall contain the following:
(1) The name of the agency or entity supplying the information and the name of the requesting party;
(2) A description of the information to be released;
(3) A statement that the consent is limited to the purpose designated;
(4) The length of time the consent is valid; and
(5) The consent must be signed and dated by the client. The client may add other information which may include, but is not limited to, a statement specifying the date, event or condition upon which the consent expires.
G. Information exchanges.
1. Governmental agencies.
a. Confidential information can be released to other governmental agencies without the consent of the client for purposes of complying with state or federal statutes or regulations pursuant to written data exchange agreements. Such agreements will (i) specify the information to be exchanged; (ii) the titles of all agency officials with the authority to request income and eligibility information; (iii) the methods, including the formats to be used, and the timing for requesting and providing the information; (iv) the safeguards limiting the use and disclosure of the information as required by federal or state law or regulations; (v) the method, if any, the agency will use to reimburse reasonable costs of furnishing the information; and (vi) in the case of an agreement between a SWICA or a UC agency and the Medicaid agency, that the Medicaid agency will obtain information on applicants at least twice monthly. Such information exchanged by governmental agencies is made available only to the extent necessary to assist in the valid administrative needs of the governmental agency receiving the information and adequate safeguards shall be maintained to protect the information from further disclosure. Information received under § 6103(1) of the Internal Revenue Code of 1954 is exchanged only with agencies or delegated entities authorized to receive such information.
b. Medical assistance information contained in the records of the local departments of social services may be disclosed for purposes directly connected with the Medicaid program to providers of services enrolled in the Medical Assistance Program for the purpose of verifying a client's status as a Medicaid recipient.
2. Information exchanged in third party liability cases. Client information may be disclosed without consent in the recovery of monies for which third parties are liable for payment of claims. All such third parties shall be notified of the rules for safeguarding client information. The notification shall incorporate a written statement which advises third parties of the Medicaid program's client confidentiality regulations, specifies that clients' names, addresses and medical services data are confidential, must only be used in the administration of the Medicaid program and must not be released to any other person or entity in a manner inconsistent with the governing regulations. The notice shall further include the following statement. "Any willful violation of the governing regulations constitutes a Class 1 misdemeanor and may be punishable accordingly."
H. Client's right of access to information.
1. Client's right to access. Any client has the right to obtain personal information held by the agency or its representative. Upon written or verbal request, the client shall be permitted to review or obtain a copy of the information in his record with the following exceptions:
a. Information that the agency is required to keep confidential from the client pursuant to subdivision 1 of § 2.2-3705.5 of the Code of Virginia, or any other applicable law; or;
b. Information that would breach another individual's right to confidentiality.
2. Process for disclosure. Consistent with the Virginia Freedom of Information Act, § 2.2-3704, Code of Virginia, the agency shall provide access within five work days after the receipt of the request. The agency shall make disclosures to applicants and recipients during normal business hours. Copies of the requested documents shall be provided to the client or a representative at reasonable standard charges for document search and duplication.
3. Types of information available for client access. The client shall be permitted to be accompanied by a person or persons of the client's choice and may grant permission verbally or in writing to the agency to discuss the client's file in such person's presence. Upon request and proper identification of any client or agent of the client, the agency shall grant to the client or agent the right to review the following:
a. All personal information about the client except as provided in subdivision 1 of § 2.2-3705.5 of the Code of Virginia; and
b. The identity of all individuals and organizations not having regular access authority that request access to the client's personal information.
4. Contested information. Pursuant to § 2.2-3806 of the Government Data Collection and Dissemination Practices Act, a client may contest the accuracy, completeness or relevancy of the information in his record. Correction of the contested information, but not the deletion of the original information if it is required to support receipt of state or federal financial participation, shall be inserted in the record when the agency concurs that such correction is justified. When the agency does not concur, the client shall be allowed to enter a statement in the record refuting such information. Corrections and statements shall be made a permanent part of the record and shall be disclosed to any person or entity that receives the disputed information.
I. Distribution of information to applicants and recipients. All materials distributed to applicants, recipients, or medical providers must directly relate to the administration of the Medicaid program and have no political implications. The agency must not distribute materials such as holiday greetings, general public announcements, voting information, or alien registration notices. The agency may distribute materials directly related to the health and welfare of applicants and recipients, such as announcements of free medical examinations, availability of surplus food and consumer protection information.
J. Publicizing safeguarding requirements. The agency shall inform clients in writing as follows:
Personal information regarding applicants for or recipients of Medicaid must be maintained confidential pursuant to state and federal law. Consistent with §§ 32.1-325.4 and 18.2-11 of the Code of Virginia, any violation of state regulations governing applicant or recipient confidentiality is punishable by up to 12 months in jail and a $2,500 fine.
Statutory Authority
§§ 32.1-324 and 32.1-325 of the Code of Virginia.
Historical Notes
Derived from VR460-02-4.3100, eff. February 26, 1992; amended, Virginia Register Volume 25, Issue 14, eff. April 15, 2009.