What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law designed to protect your sensitive health information. While it originally helped Montanans maintain insurance coverage when switching jobs, its primary role today is to ensure that your personal medical records remain private and secure.

Who Must Follow These Rules?

HIPAA applies to "Covered Entities," including health insurance plans, doctors, and hospitals that transmit medical information electronically. These organizations are legally required to limit how your health data is shared and stored.

DPHHS as a "Hybrid Entity"

The Montana Department of Public Health and Human Services (DPHHS) is designated as a Hybrid Entity. Because our Department covers a vast range of services, some of our programs handle protected health information, while others do not. For the programs that do, we maintain rigorous security protocols and extra safeguards to ensure your private data is handled with the highest level of integrity.

What is Protected Health Information (PHI)?

The core of HIPAA is the protection of PHI. PHI includes any details regarding your health status, medical conditions, or health care payments that could be used to identify you.

How We Protect Your Privacy

To safeguard your identity, DPHHS strictly limits the amount of PHI we collect or share. In most situations, we are required by law to obtain your written authorization before sharing your medical details with any third party.

When Information May Be Shared

There are specific legal circumstances where DPHHS may share your information without prior written consent. These include instances where the information is:

• Essential for Treatment: To ensure you receive appropriate medical care.
• Requested by You: When you ask for access to your own records.
• Legally Mandated: When reporting is required by state or federal law.
• Program Compliance: To meet the requirements of state or federal program mandates.
• Payment Processing: To process and pay medical claims efficiently.

Your Notice of Privacy Practices

DPHHS is required to provide you with a Notice of Privacy Practices. This document serves as a comprehensive guide on how we use and protect your health data. It also outlines your right to file a complaint if you believe your privacy has been compromised and provides the contact information for our privacy officials to help resolve any concerns.

HIPPA Notices and Statements

• Notice of Privacy Practices (PDF)
• Notice of Use of Protected Health Information Document (PDF)
• Hybrid Entity Designation Statement (PDF)

HIPAA Forms

• Designation of Authorized Personal Representative for Health Information (HPS-401) (PDF)
• Authorization for the Use and Disclosure of Health Information (HPS-402) (PDF)
• Request to Send Protected Health Information to an Alternate Location (HPS-403) (PDF)
• Complaint for Alleged Violation of Disclosure of Protected Health Information (HPS-404) (PDF)
• Request for Personal Health Information (HPS-405) (PDF) 

HIPAA Privacy Officer:
Montana DPHHS Office of Legal Affairs
(406) 444-3026