State of Wyoming
Department of Health
Wyoming Information Practices Rules
Brent D. Sherard, M.D., M.P.H.
Director and State Health Officer
February, 2008
State of Wyoming
Department of Health
Rules and Regulations for Wyoming
Information Practices
Rules and Regulations for Information Practices
are published by the Wyoming Department of Health, Office
of the Director
Brent D. Sherard, M.D., M.P.H., Director and State Health
Officer
Additional information and copies may be obtained from:
De Anna Greene, CIPP/G, HIPAA Compliance Officer
Office of the Director
2300 Capital Avenue, 419
Hathaway Building, Cheyenne, WY 82002
Telephone: (307) 777-7656
Fax: (307) 777-7439
deanna.greene@health.wyo.gov
This document is available in alternative format upon
request
Chapter 1. Rules and Regulations Information Practices
Intend to Adopt Amended Rule
Statement of Reasons
The Wyoming Department of Health is required by state and federal legislation to maintain and protect health and personally identifiable information. This rule defines standards to protect the privacy of personally identifiable information and respect to the rights of individuals who are the subjects of this information, procedures for the exercise of those rights, and the authorized and required uses and disclosures of this information.
As required by W.S. 16-3-103(a)(i)(6), the Information Practices Rules and Regulations meet minimum substantive state statutory requirements. Due to the extreme level of amending, we were unable to strike and underline this document. A synopses of changes follow:
Old Section 1. Introduction. Represents the intent of the Rule.
New Section 1. Authority. Identifies current Federal and State legislation requiring protections for personally identifiable information.
Old Section 2. Definitions. Has been replaced by Applicability.
New Section 2. Applicability. Establishes what the rule applies to and the responsibility of the Department.
Old Section 3. Disclosure. Has been replaced with Definitions.
New Section 3. Definitions. Identifies and defines definitions currently utilized within Federal and State regulations concerning privacy, security, use and disclosure of confidential or protected information.
Old Section 4. Request for Access. Has been replaced with Disclosure.
New Section 4. Disclosure. Current disclosure statement has been updated to reflect current federal and state legislation.
Old Section 5. Procedure for Access. Has been replaced with Notice of Privacy Practices.
New Section 5. Notice of Privacy Practices. Adheres to the federal requirement of notifying individuals as to how confidential or protected data is used and disclosed.
Old Section 6. Correction and Amendment. Has been replaced with Access Requests.
New Section 6. Access Requests. Establishes rights for an individual to obtain and review their health record.
Old Section 7. Personnel Records. Has been replaced with Corrections of Records.
New Section 7. Corrections of Records. Establishes a right for individuals to request corrections to their health record.
Old Section 8. Maintenance of Records. Has been replaced with Use and Disclosure Restrictions.
New Section 8. Use and Disclosure Restrictions. Adheres to federal requirements in which a client may request the disclosure of their health information be restricted.
Old Section 9. Mailing Lists. Has been replaced with Disclosure of Personnel Records.
New section 9. Disclosure of Personnel Records. Identifies under what circumstances personnel records may be disclosed.
New Section 10. Maintenance of Records. Establishes how the Department maintains records.
The use of these standards will improve the efficiency and effectiveness of Wyoming Department of Health by providing enhanced protections for personally identifiable information. These protections will address growing public concerns that are advancing in the evolution of electronic technology, which without protections could result in a substantial erosion of the privacy surrounding personally identifiable information maintained by Wyoming Department of Health.
This rule is to protect and enhance the rights of Wyoming Department of Health consumers by providing them access to their information and controlling the inappropriate use of that information.
WYOMING
DEPARTMENT OF HEALTH
CHAPTER 1
INFORMATION
PRACTICES
Section 1. Authority.
These rules are
promulgated by the Department of Health pursuant to the Wyoming Public Records
Act (W.S. 16-4-201, et seq.), W.S. 14-3-214, 42 CFR 2.53(a)(b) and (d),
42 CFR 2.2 Sec. 290dd-3, 42 CFR 401.134 and 45 CFR Parts 160, 162, and 164, for
the purpose of protecting health and personally identifiable information.
Section 2. Applicability.
(a)
These rules apply to and govern the protection of privacy of personally
identifiable information, to respect the rights of individuals who are the
subject of this information, to develop procedures for the exercise of those
authorized and required uses and disclosures of this information.
(b)
The Department may issue manuals, bulletins, or both to interpret the
provisions of these rules and regulations. Such manuals and bulletins shall be
consistent with and reflect the policies contained in these rules and
regulations. The provisions contained in manuals or bulletins shall be subordinate
to the provisions of these rules and regulations.
(c)
The incorporation by reference of any external standard is intended to
be the incorporation of that standard as it is in effect on the effective date
of these rules and regulations.
Section 3. Definitions.
The following
definitions shall apply in the interpretation and enforcement of these rules.
Where the context in which words are used in these rules indicates that such is
the intent, words in the singular number shall include the plural and vice
versa. Throughout these rules, gender pronouns are used interchangeably,
except where the context dictates otherwise. The drafters have attempted to
utilize each gender pronoun in equal numbers, in random distribution. Words in
each gender shall include individuals of the other gender.
(a) “Access.”
The ability to view and/or obtain copies of personal information held by the
Department, as the records custodian.
(b) “Agency.”
Any bureau, board, commission, committee, or sub-agency of the state, county,
municipality, or other political subdivision which is created by or pursuant to
the Wyoming Constitution, statute, or ordinance, other than the state
legislature and the judiciary.
(c) “Confidential.”
The status of personal information according to federal regulations, state
statutes, executive order, or agency regulations that connotes some commitment
to withhold from authorized users information obtained from an individual or
institution.
(d) “Department.”
Shall refer to the Department of Health and/or its component divisions.
(e) “Disclosure.”
To permit access to, or the release, transfer, or other communication of
confidential information contained in Department records to any party, by oral,
written, electronic or any other means.
(f) “File.”
Any aggregation of individual records gathered for a particular purpose and
organized or indexed as a unit. Information pertaining to an individual
recorded and retained by the agency.
(g) “Information.”
Any communication or representation of knowledge such as facts, data, or
opinions in any medium or form, including textual, numerical, graphic,
cartographic, narrative, or audiovisual forms.
(h) “Personal
Information.” All information that describes anything about an individual,
such as records of financial transactions, medical treatments, or other
services; any information that is or can be retrieved from a record or
record-keeping system by reference to the name, number, or some other
identifying feature associated with the individual to whom the information
pertains.
(i) "Personnel Record" includes, but is not limited to,
hiring records, basic employee information, payroll records, tax records,
employment actions, general benefits information and any other relevant
documents that can legally be used to make employment-related decisions.
(j) “Record.”
Any grouping of information about an individual that is maintained by the
Department in a file that contains a name or identifying number or symbol
assigned to the individual used to make a decision about the rights, character,
opportunities, benefits, or liabilities of the individual to whom the record
pertains.
(k) “Right to Privacy.”
An individual’s right to decide what information about themselves may be shared
with others.
(l) “Right to Request
Restriction of Use and Disclosure.” The right of an individual to request that
their personal information not be divulged or used by others.
(m) “Routine Use.”
The use of a record for the purpose for which it was collected according to
statutory authority or agency regulation.
(n) “Subject.”
An individual or legal entity about whom personal information is maintained in
an information system.
Section 4. Disclosure.
Records that are
determined by the Department to be public records shall be available for
inspection during normal business hours of the Department. Records that are
determined by the Department to be confidential or not otherwise subject to
disclosure pursuant to the Public Records Act or other federal or state law,
shall not be disclosed without authorization from the individual or a legal
representative of the individual about whom the information pertains or in
accordance with state and federal regulations.
Section 5. Notice
of Use and Disclosure.
The Department provides
individuals with notices of use and disclosure processes in accordance with State
and Federal legislation. Requests may be made to the appropriate authority. Such
requests will be provided in a timely manner.
Section 6. Access
Requests.
The individual who is
the subject of a confidential record are afforded the opportunity to see or
receive a copy of their record in accordance with State and Federal
regulations. Requests shall be submitted in writing to the appropriate authority.
Forms are available through the Department.
Section 7. Correction
of Records.
The individual who is
the subject of the record has the right to bring to the attention of the
custodian of the record any erroneous, inaccurate, or misleading information
that is contained in the record, subject to access restrictions imposed by the
Wyoming Public Records Act (W.S. 16-4-201, et seq.) and 45 CFR 164.526.
Individuals have the right to petition to correct inaccuracies by submitting a
written request to the Department’s Staff Physician identifying the specific
record to be corrected, the erroneous portion of the record, and the proposed
correction.
Section 8. Use
and Disclosure Restrictions.
The Department may
permit an individual to request that the Department restrict the use and/or
disclosure of personally identifiable information, subject to State and Federal
law and Department policy and procedure. Such a request shall be submitted in
writing to the appropriate custodian of records within the Department or to the
Department’s Staff Physician or the State Health Officer.
Section 9. Disclosure of Personnel Records.
Contents of an individual’s personnel records are made
available in accordance with W.S. 16-4-201, et seq.:
Section 10. Maintenance
of Records.
The Department in
maintaining records will:
(a) Maintain
any record used to make determinations about an individual with such accuracy,
relevance, timeliness, and completeness as is reasonably necessary to assure
fairness to the individual.
(b) Establish
physical, administrative and technical safeguards and specific policies for the
protection of data maintained by the Department.
(c) Maintain
all systems containing personal information in a manner that is conducive to
disclosure and access subject to state and federal law, including, but not
limited to the Wyoming Public Records Act (W.S. 16-4-201, et seq.) and
45 CFR Parts 160, 162 and 164.
(d) Only
maintain information about an individual necessary to accomplish the department's
purposes as authorized by statute.