Home | DRS Services | What's New | Disability Resource Guide | Site Menu | Contact Us | Links | State Link | Commission Information | En Español

Information For: Job Seekers | Employers |  Students | Others

HIPAA PRIVACY RULES

OKLAHOMA DEPARTMENT OF REHABILITATION SERVICES

The purpose of this notice is to explain the impact of the HIPAA Privacy Rule (45 CFR Parts 160 and 164) on the various programs administered by the Oklahoma Department of Rehabilitation Services (“DRS”). DRS provides assistance to Oklahomans with disabilities through vocational rehabilitation, independent living and education programs. DRS also determines medical eligibility for social security disability benefits.

The privacy regulations adopted under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are designed to protect the confidentiality of health care information maintained by health care providers, health care plans, and health care clearinghouses. These entities may not disclose protected health information without written authorization from the patient. Because DRS must obtain medical information from medical providers to determine the eligibility of applicants for its various programs, DRS has modified its authorization forms to comply with the HIPAA requirements for authorization forms. In addition, as medical providers, the clinics at the Oklahoma School for the Blind and Oklahoma School for the Deaf have adopted policies to comply with HIPAA privacy regulations to protect the confidentiality of students' medical records. HIPAA-related information for DRS's various programs is outlined below.

Disability Determination Division of the Department of Rehabilitation Services

The Disability Determination Division (DDD) determines eligibility for disability programs under the Social Security Act. The work of the DDD is performed on behalf of the Social Security Administration. The DDD collects medical evidence necessary to determine whether applicants for benefits are disabled. In order for DDD to obtain the necessary records, applicants must authorize the disclosure of medical and other evidence in order to support their claims. The DDD uses Form SSA-827 to authorize disclosure of medical information. This form was developed by the Social Security Administration in consultation with the Department of Health and Human Services to ensure compliance with the HIPAA privacy regulations. The DDD is not a covered entity under the HIPAA Privacy Rules when processing claims for disability benefits because the DDD is neither a health care provider, health care plan, or health care clearinghouse as defined in the Privacy Rules. However, the personal information obtained by DDD is protected under the Privacy Act of 1974, as amended.

Vocational Rehabilitation Division and Visual Services Division

The Vocational Rehabilitation Division and Visual Services Division provides services to individuals with disabilities pursuant to the Rehabilitation Act of 1973, as amended. This Act provides funds to assist states in administering a program designed to help individuals with disabilities obtain employment. The Visual Services Division (VS) serves clients with visual impairments, while the Vocational Rehabilitation Division (VR) serves clients with all other disabilities. The VR and VS Divisions must obtain medical information from applicants and clients in order to determine eligibility of applicants for the program and to determine the vocational needs of its clients. These Divisions must comply with the HIPAA Privacy Rule applicable to authorization forms in order to obtain the necessary medical information from health care providers. The VR and VS Divisions have adopted an authorization form that meets HIPAA requirements.

The VR and VS Divisions also may pay for the cost of certain medical expenses for their clients if such medical services are included in an Individualized Plan for Employment (IPE). However, the provision of health care is not the principal purpose of these programs. Since the principal purpose of the vocational rehabilitation program is to assist individuals with disabilities in obtaining employment, the program does not fall under the definition of a health care provider under the HIPAA Privacy Rule. 45 CFR § 160.103. Like the DDD, the VR and VS Divisions are not covered entities under the Privacy Rules when administering their programs – they are neither a health care provider or health care plan or health care clearinghouse. However, all medical and other information relating to the agency's applicants and clients is confidential under the Rehabilitation Act of 1973, as amended, and the federal and state rules that govern the program. DRS may not release these records without a court order or the written consent of the client. 34 C.F.R. § 361.38; OAC 612:10-1-5.

Oklahoma School for the Blind and Oklahoma School for the Deaf

The Oklahoma School for the Blind in Muskogee and the Oklahoma School for the Deaf in Sulphur provide elementary and secondary education to both residential and day students. Both schools have medical clinics that serve the student population. The schools have adopted policies and forms to comply with the HIPAA requirements to protect the confidentiality of students' health information maintained by the clinics.