Client Health Information
As per 45 CFR 164.520, this Notice of Privacy Practices (the Notice) describes how medical information about clients may be used or disclosed and how clients can access this information. A client's personal health record contains private and confidential information about the client and the client's health. Both State and Federal laws protect the confidentiality of this information. Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes any individually identifiable health information. PHI relates to clients' past, present or future physical or mental health or condition and any related health care services.
How We May Use and Disclose Health Information About Clients
Below are examples of the uses and disclosures that we may make of client Protected Health Information (PHI). These examples are not exhaustive but simply describe the uses and disclosures that may be made.
Uses and Disclosures of PHI for Treatment, Payment and Health Care Operations
Treatment – Client PHI may be used and disclosed by clients' physician, counselor, our program staff and others outside of our program who are involved in clients' care for the purpose of providing, coordinating or managing clients' health care treatment and any related services. Example: Clients' care while with us may require coordination or management from a third party, consultation with other health care providers, or referral to another provider for health care treatment. Additionally, we may disclose clients' protected health information to another physician or health care provider who becomes involved in clients' care.
Payment – With client authorization, we may use and disclose PHI about clients so that we can receive payment for the treatment and services provided to clients from client insurance or other payor sources. Example: We give information about clients to client health insurance, so it will pay for client services.
Healthcare Operations – We may use and share client health info to run our business, improve client care, and contact clients when necessary. This may include quality assessment activities, employee review activities, licensing, and conducting other business activities. Examples: using a sign-in sheet where clients will be asked to sign their name and indicate their physician, counselor or staff. We may share client PHI with third parties that perform various business activities for us, such as a billing company. Also, we may contact clients by phone to remind clients of appointments or to provide clients with additional information regarding their treatment or other health-related benefits.
Special Rules Regarding Disclosure of Behavioral Health, Substance Abuse, and HIV-Related Information: For disclosures concerning protected health information relating to care for psychiatric conditions, substance abuse or HIV-related testing and treatment, special restrictions may apply.
Other Uses and Disclosures That Do Not Require Clients' Authorization
Required by Law
We may use or disclose client PHI to the extent that the use or disclosure is required by law, made in compliance with the law, and limited to the relevant requirements of the law. Clients will be notified, as required by law, of any such uses or disclosures. Under the law, we must make disclosures of clients' PHI to clients upon their request. In addition, we must make disclosures to the Secretary of the Department of Health and Human Services for the purpose of investigating or determining our compliance with the requirements of the Privacy Rule.
We may disclose PHI to a health oversight agency for activities authorized by law, such as audits, investigations, and inspections. Oversight agencies seeking this information include government agencies and organizations that provide financial assistance to the program (such as third-party payors) and peer review organizations performing utilization and quality control. If we disclose PHI to a health oversight agency, we will have an agreement in place that requires the agency to safeguard the privacy of client information.
We may use or disclose client PHI for public health activities to a public health authority authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, or if directed by a public health authority, to a government agency that is collaborating with that public health authority. In certain circumstances outlined in the Privacy Regulations, we may disclose client PHI to a person who is subject to the jurisdiction of the Food and Drug Administration with respect to the reporting of certain occurrences involving food, drugs, or other products distributed by such person. In certain limited circumstances, we may also disclose client PHI to a person that may have been exposed to a communicable disease or may otherwise be at risk of spreading or contracting such disease, if such disclosure is authorized by law. For example, we may disclose PHI regarding the fact that clients have contracted a certain communicable disease to a public health authority authorized by law to collect or receive such information.
We may use or disclose client protected health information in a medical emergency situation to medical personnel only. Our staff will try to provide clients a copy of this notice as soon as reasonably practicable after the resolution of the emergency.
Child Abuse or Neglect
We may disclose client PHI to a state or local agency that is authorized by law to receive reports of child abuse or neglect. However, the information we disclose is limited to only that information which is necessary to make the initial mandated report.
We may disclose PHI regarding deceased patients for the purpose of determining the cause of death, in connection with laws requiring the collection of death or other vital statistics or permitting inquiry into the cause of death.
We may disclose PHI to researchers if:
(a) an Institutional Review Board reviews and approves the research and a waiver to the
(b) the researchers establish protocols to ensure the privacy of client PHI;
(c) the researchers agree to maintain the security of client PHI in accordance with applicable laws and regulations; and
(d) the researchers agree not to re-disclose client protected health information except back to the company.
Criminal Activity on Program Premises/Against Program Personnel
We may disclose client PHI to law enforcement officials if clients have committed a crime on program premises or against program personnel or its agents.
Court Order
We may disclose client PHI if a court of competent jurisdiction issues an appropriate court order and the disclosure of PHI is explicitly permitted under Federal and State law.
Limited PHI may be disclosed for the purpose of coordinating services among government programs that provide mental health services where those programs have entered into an interagency agreement.
If clients are in a mental health treatment program only, we may disclose PHI to avert a serious threat to health or safety, such as physical or mental injury being inflicted on clients or someone else.
Specialized Government Functions
If clients are or have been members of the U.S. Armed Forces, we may disclose client PHI as required by military command authorities. We may disclose client PHI to authorized federal officials for national security and intelligence reasons and to the Department of State for medical suitability determinations.
Family and Friends
We may disclose health information about clients to their family members or friends if we obtain clients' verbal agreement to do so or if we give clients an opportunity to object to such a disclosure and clients do not raise an objection. We may also disclose health information to clients' family or friends if we can infer from the circumstances, based on our professional judgment, that clients would not object. For example, we may assume clients agree to our disclosure of client personal health information to clients' spouses when clients bring their spouse into the treatment center or while treatment is discussed. In situations where clients are not capable of giving consent (because clients are not present or due to client incapacity or medical emergency), we may, using our professional judgment, determine that a disclosure to clients' family member or friend is in the clients' best interest. In that situation, we will disclose only health information relevant to the person’s involvement in clients' care.
Uses and Disclosures of PHI That Require Client Written Authorization
Other uses and disclosures of client PHI will be made only with client written authorization. Clients may revoke this authorization at any time, unless the program or its staff has taken an action in reliance on the authorization of the use or disclosure clients permitted. If clients revoke it, we will no longer use or disclose protected health information about clients for the reasons covered by clients' written authorization, unless required to do so by law. Clients should understand that we are unable to take back any disclosures we have already made with client authorization and that we are required to retain our records of the treatment and care that we have provided to clients.
Client Rights Regarding Client Protected Health Information
Clients' rights with respect to client protected health information are explained below. Any requests with respect to these rights must be in writing and made to the attention of the Privacy Officer. A brief description of how clients may exercise these rights is included:
Clients have the right to inspect and copy client PHI – Clients may inspect and obtain a copy of client PHI that is contained in a designated record set for as long as we maintain the record. A “designated record set” contains medical and billing records and any other records that the program uses for making decisions about clients. Client request must be in writing. We may charge clients a reasonable cost-based fee for the copies. We can deny clients access to client PHI in certain circumstances. In some of those cases, clients will have a right to appeal the denial of access.
Clients may have the right to amend client PHI – Clients may request, in writing, that we amend client PHI that has been included in a designated record set. In certain cases, we may deny clients' request for an amendment. If we deny clients' request for amendment, clients have the right to file a statement of disagreement with us. We may prepare a rebuttal to clients' statement and will provide clients with a copy of it.
Clients have the right to receive an accounting of some types of PHI disclosures. Clients may request an accounting of disclosures for a period of up to six years, excluding disclosures made to clients, made for treatment purposes or made as a result of client authorization. We may charge clients a reasonable fee if clients request more than one accounting in any 12-month period.
Clients have a right to receive a paper copy of this notice. Clients have the right to obtain a copy of this notice from us whether by paper or via email.
Clients have the right to request added restrictions on disclosures and uses of client PHI – Clients have the right to ask us not to use or disclose any part of client PHI for treatment, payment or health care operations or to family members involved in client care. Client request for restrictions must be in writing and we are not required to agree to such restrictions.
Clients have a right to request confidential communications. Clients have the right to request to receive confidential communications from us by alternative means or at an alternative location. We will accommodate reasonable, written requests. We may also condition this accommodation by asking clients for information regarding how payment will be handled or specification of an alternative address or other method of contact. We will not ask clients why clients are making the request.
Clients have a right to receive notification of unauthorized disclosure of client PHI (Breach Notification). We are required to notify clients upon a breach of any unsecured PHI. The notice must be made without unreasonable delay, but no later than 60 days from when we discover the breach.