NY Manual
SHP Manual

New York Provider Manual
5.2 Medical Record Reviews and Documentation Standards | 5.4 Advance Directives/Healthcare Proxy

5.3 Confidentiality

A member’s protected health information (PHI) is protected under the contractual relationships between Healthfirst and the member and between Healthfirst and the provider. PHI encompasses enrollment data with Healthfirst, medical records, treatment documentation and information, and/or payment for the provision of health services that are derived in whole or in part using personally identifiable information that is not otherwise publicly available. Such PHI must be safeguarded and held in strict confidence in order to comply with applicable privacy provisions of state and federal laws, including the Health Insurance Portability and Accountability Act (HIPAA), specifically, 45 C.F.R. parts 160 and 164, Subpart E (the “Privacy Rule”), and Subpart C (the “Security Rule”), and the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009 (“HITECH”)  (collectively hereinafter referred to as “HIPAA Rules”).

Upon enrollment, Healthfirst members authorize Healthfirst to review, release, and use their respective PHI. A member’s written acknowledgment—to be maintained in the provider’s records and subject to periodic audit by Healthfirst—is required upon receipt of the Privacy Notice. Providers should take all reasonable measures to protect the privacy and confidentiality of members’ nonpublic personal information and PHI at all times and to prevent the unauthorized use or disclosure to any unaffiliated third party.

All of Healthfirst’s contracted providers agree and understand that a member’s protected health information and records for quality assurance/utilization review pursuant to Section 2.5 and encounter data pursuant to Section 2.6 are healthcare operations pursuant to 45 CFR 501, and therefore the enrollee’s consent is not required for the release of such records and information to Healthfirst.

All providers should remain aware that PHI related to behavioral health and/or substance abuse services and PHI that identifies the presence of behavioral health, substance use disorders, and/or HIV-related illness are governed by a special set of confidentiality rules. Without a special individualized authorization these records and data should be released to no one but the member except under tightly defined and controlled circumstances. If you have any questions regarding the disclosure of a Healthfirst member’s information, please call 1-888-801-1660.

All Medicaid providers are required to develop policies and procedures to assure the confidentiality of behavioral health, substance abuse, and HIV-related information, including the following information:

• Initial and annual in-service education of staff, contractors

• Identification of staff allowed access, and limits of access

• Procedure to limit access to trained staff (including contractors)

• Protocol for secure storage (including electronic storage)

• Procedures for handling requests for behavioral health, substance abuse, and HIV-related information

• Protocols to protect from discrimination persons with, or suspected of having, behavioral health, substance use disorders, and/or HIV infection