NY Manual
SHP Manual

New York Provider Manual
5.2 Medical Record Reviews and Documentation Standards | 5.4 Advance Directives/Healthcare Proxy

5.3 Confidentiality

A member’s Protected Health Information (PHI) is sheltered under the contractual relationships between Healthfirst and the member and between Healthfirst and the provider. PHI includes enrollment with Healthfirst, medical records, and/or the payment for the provision of health services that are derived in whole or in part using personally identifiable information that is not otherwise publicly available. Such PHI must be safeguarded and held in strict confidence so as to comply with applicable privacy provisions of state and federal laws, including the Health Insurance Portability and Accountability Act (HIPAA).

Healthfirst members sign an authorization at the time of enrollment that allows Healthfirst to review, release, and use their respective PHI. In addition, at the time of the initial encounter with each Healthfirst member, providers are required to obtain the member’s written consent to disclose personal health information to Healthfirst or provide the member with a copy of their Privacy Notice indicating that their PHI will be shared with Healthfirst and other entities. This written consent or the member’s written acknowledgment of the provider’s Privacy Notice is to be maintained in the provider’s records and is subject to audit by Healthfirst. All providers should take all reasonable measures to protect the privacy and confidentiality of members’ nonpublic personal information at all times and to prevent the use or disclosure to any nonaffiliated third party. 

The provider understands and agrees that the provision of the enrollee’s personal health information and records for quality assurance/utilization review pursuant to Section 2.5 and encounter data pursuant to Section 2.6 are healthcare operations pursuant to 45 CFR 501, and therefore the enrollee’s consent is not required for the release of such records and information to Healthfirst.

All providers should remain aware that PHI about the provision of behavioral health and/or substance abuse services and PHI that identifies the presence of behavioral health, substance use disorders and/or HIV-related illness are governed by a special set of confidentiality rules. Release of these records requires a special authorization. They should not be released to anyone other than the member except under tightly defined and controlled circumstances. If you have any questions regarding the disclosure of a Healthfirst member’s information, please call 1-888-801-1660.

All Medicaid providers are required to develop policies and procedures to assure confidentiality of behavioral health, substance abuse and HIV-related information, including the following information:
·         Initial and annual in-service education of staff, contractors
·         Identification of staff allowed access and limits of access
·         Procedure to limit access to trained staff (including contractors)
·         Protocol for secure storage (including electronic storage)
·         Procedures for handling requests for behavioral health, substance abuse and HIV-related information
·         Protocols to protect persons with or suspected of having behavioral health, substance use disorders and/or HIV infection from discrimination