Privacy Policy
Client Privacy
The Organization shall insure the privacy of all clients at all sites. It is the Organization's priority to ensure that all clients feel their privacy is protected and the Organization is a safe place for them. As such, the Organization will take all reasonable efforts to protect client privacy.
Waiver of Rights
The Organization does not require clients to waive their rights concerning treatment, payment, or health care operations in order to comply with HIPAA. Any incidents shall be reported immediately to senior staff for corrective action and disciplinary measures.
Notice of Privacy Practices
The Organization shall inform all clients of the Notice of Privacy Practices and make available upon request to all individuals as specified in this policy.
- The Organization shall retain copies of the notices the Organization issues, including the original and subsequent revisions. Copies may be printed or electronic and shall be retained for at least six years from the date the notice was created or was last in effect, whichever is later.
- The Organization shall not use or disclose PHI in a manner inconsistent with the Organization’s Notice of Privacy Practices or those practices described in the Organization’s security policies and procedures.
- The Organization shall promptly revise and distribute the Notice whenever there is a material change in a privacy practice as stated in the Notice. This could include a change to uses or disclosures, the individual’s rights, the Organization’s legal duties, or other privacy practices.
- Revisions to the Notice shall not be implemented prior to the effective date of the revised notice, except as required by law.
- The Organization shall make the notice available on request to any person all individuals as specified in this policy.VI. The Organization shall provide the notice to clients:
- No later than the date of first service delivery, including services delivered electronically;
- If the individual is a client prior to the compliance date of the HIPAA regulations, no later than the date of first service delivery after the compliance date;
- If the individual is a client prior to the compliance date of the HIPAA regulations, no later than the date of first service delivery after the compliance date;
- The Organization shall make a good faith effort to obtain written acknowledgment of receipt of the Privacy Notice. If not obtained, the Organization shall document his or her good faith efforts to obtain written acknowledgment and the reason why it was not obtained.
- The Organization shall post the Privacy Notice in a clear and prominent location where individuals seeking services can reasonably read the Privacy Notice.
- Whenever the Privacy Notice is revised, the revised Privacy Notice shall be made available and posted as described in the policy.
Uses and Disclosures of Protected Health Information (PHI)
- Use and Disclosure
The Organization may use or disclose PHI to carry out The Organization’s own treatment, payment, or related operations.
- The Organization may use or disclose PHI for treatment activities of another healthy are provider as defined in policy. Treatment is defined as the provision, coordination or management of health care and related services by or among providers, providers and third parties, and referrals from one provider to another provider.
- The Organization may use or disclose PHI to another covered entity or health care provider for the payment activities of the entity that receives the information. Payment is defined as activities undertaken by a health plan to obtain premiums or determine responsibility for coverage, or activities of a health care provider or health plan to obtain reimbursement for the provision of health care. Payment activities include billing, claims management, collection activities, eligibility determination and utilization review.
- The Organization may use or disclose PHI to another covered entity or health care provider for the health care operations activities of the entity that receives the information, provided that both The Organization disclosing the information and the entity receiving the information has or had a relationship with the individual who is the subject of the PHI, the PHI pertains to such relationship, and the disclosure is for the purpose of:
- Quality assessment or improvement activities; or
- Population-based activities related to improving health or reducing health care costs; or
- Protocol development; or
- Case management and care coordination; or
- Contacting of health care providers and clients with information about treatment alternatives; or
- Reviewing the competence or qualifications of health care professionals; or
- Evaluating provider performance; or
- Conducting training programs which students, trainees, or practitioners in a areas of health care learn under supervision to practice or improve their skills; or
- Training of non-health care professionals; or
- Accreditation, certification, licensing, or credentialing activities; or
- Health care fraud and abuse detection or compliance.
- The Organization shall make a good faith effort to obtain the individual’s written acknowledgement of receipt of the Notice of Privacy Practices. In routine care, this shall be done at the time the Notice of Privacy Practices is given to the client, at the time the client is first seen by The Organization.
- The Organization is not required to make a good faith effort to obtain the client’s written acknowledgement of the Notice of Privacy Practices in emergency treatment situations, but is encouraged to do so as soon as practicable after the situation is resolved.
- The Organization retains the right to choose to obtain a written authorization from the client in all circumstances.
- Psychotherapy notes may not be disclosed under the provisions of this policy. A separate authorization would be required for their use or disclosure.
- PHI may be shared on a need-to-know basis with personnel within the Behavioral Health Organization for activities related to treatment, payment, or health care operations.
- Limited PHI (medication history, physical health status and history, summary of course of treatment, summary of treatment needs, and discharge summary) may be used or disclosed for TPO without authorization if disclosure is to another program or facility of The Organization, or to community health agencies and/or CMH/ADAMH Boards with which there is a current agreement for the client’s care or services, and an attempt has been made to obtain the client’s consent to the disclosure.
- Limited PHI (medication history, physical health status and history, summary of course of treatment, summary of treatment needs, and discharge summary) may be disclosed to family members, or other relatives or friends involved in the individual's care, or payment for that care, if the client is notified and does not object to the disclosure.
- Limited PHI may be disclosed the identifies the individual as a client in the Behavioral Health Organization and to disclose his or her location within the facility, and to report a general description of his or her condition to individuals who inquire about him or her by name and to identity his or her religious affiliation to members of the clergy if the client is notified and does not object to the disclosure.
- In emergency treatment situations, necessary information for treatment may be disclosed if an attempt is made to obtain consent to the disclosure as soon as reasonably practicable after the delivery of treatment.
- Use and Disclosure of Psychotherapy Notes
Psychotherapy notes may not be used or disclosed without specificwritten authorization except as otherwise permitted or required by this policy.
- The Organization may only combine an authorization for use or disclosure of psychotherapy notes with another authorization for use or disclosure of psychotherapy notes
- The Organization will keep psychotherapy notes in a clearly defined separate section within the client record.
- Psychotherapy notes may be used by the originator without authorization in the course of treatment.
- The Organization may use or disclose psychotherapy notes without authorization in its own training programs, in which students, trainees, or practitioners learn under supervision to practice or improve their skills in group, joint, family, or individual counseling.
- The Organization may use or disclose psychotherapy notes without authorization to defend itself in a legal action or other proceeding brought by the individual who is the subject of the psychotherapy notes.
- The Organization may use or disclose psychotherapy notes to the Secretary of Health and Human Services without authorization as required to comply with an investigation of The Organization’s compliance with HIPAA regulations.
- The Organization may disclose psychotherapy notes without authorization to a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect.
- The Organization may disclose psychotherapy notes without authorization when required by law, so long as the disclosure is limited to the relevant requirements of such law.
- The Organization may, consistent with applicable laws and standards of ethical conduct, use or disclose psychotherapy notes if, in good faith, The Organization believes the use of disclosure:
- is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; or
- is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.
- The Organization may use or disclose psychotherapy notes to a health oversight agency for health oversight activities authorized by law when such oversight applies to the originator of the psychotherapy notes.
- The Organization may use or disclose psychotherapy notes to a coroner or medical examiner for the purpose of identifying a deceased person, determining the cause of death, or other duties as authorized by law.
- The Organization is permitted to use or disclose PHI without regard to the minimum necessary requirement under the provisions of this policy.
- Minimum Necessary Requirement
The Organization shall limit the use or disclosure of PHI to the minimum necessary to achieve the intended purpose.
- The minimum necessary requirement does not apply to uses and disclosures made or requested for treatment purposes.
- The minimum necessary requirement does not apply when using or disclosing PHI to the individual who is the subject of the PHI.
- The Organization does not need to restrict disclosures of PHI to the minimum necessary requirement upon receipt of or when responding to any valid authorization.
- Request for Information
- When making a request for PHI from another entity, The Organization shall limit its request to that which is reasonably necessary to accomplish the intended purpose.
- The Organization shall not request an entire medical record, except when the entire record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the request.
- Disclosures for which Authorization is not Required
- Employers
The Organization will disclose PHI to an employer about a client who is an employee for the purposes of workplace medical surveillance or evaluating or documenting possible work-related illness or injuries.
- Related discourse may be made without authorization only if the provisions of this policy are met.
- The Organization must be providing a service to the individual at the request of the employer.
- The Organization may disclose the PHI if that information consists of findings concerning a work-related illness or injury or a workplace-related medical surveillance.
- The Organization may disclose the PHI if the employer needs such findings to comply with legal requirements to record work-related illnesses or injuries, or to carry out responsibilities for workplace medical surveillance.
- The Organization shall give written notice to the individual that PHI relating to medical surveillance of the workplace and work-related illnesses or injuries will be disclosed to the employer. The noticed required for employees under this provision must be separate from the Notice of Privacy Practices.
- Victims ofAbuse, Neglect, or Domestic Violence
- No authorization is required for use or disclosure of PHI (including psychotherapy notes) to the extent that such use or disclosure is required by law and is limited to the relevant requirements of such law, provided that the provisions of this policy are met.
- The Organization may disclose PHI about a client when The Organization reasonably believes the client to be a victim of abuse, neglect, or domestic violence under the following circumstances:
- When such disclosure is required by law and the disclosure is limited to the relevant requirements of such law (i.e., minimum necessary); or
- The individual agrees to the disclosure.
- The Organization may disclose PHI about a client when The Organization reasonably believes the client to be a victim of abuse, neglect or domestic violence as expressly authorized by statute or regulation, provided that:
- The Organization, using professional judgment, believes this disclosure is necessary to prevent serious harm to the client or other potential victims; or
- If the client cannot agree to disclosure due to incapacity, a law enforcement or other public official authorized to receive the report represents that the PHI is not intended to be used against the client and that an immediate enforcement activity that depends on the disclosure would be materially and adversely affected by waiting until the client is able to agree to the disclosure.
- When the Organization makes a disclosure under this policy it shall promptly inform the client that such a report has been or will be made, unless:
- The Organization, using professional judgment, believes that informing the client would place the client at risk of serious harm; or
- The Organization would be informing a personal representative and The Organization, using professional judgment, believes the personal representative is responsible for the abuse, neglect, or other injury, and that informing the personal representative would not be in the best interest of the client.
- For the purposes described in this policy, The Organization may inform the client orally, and the client’s agreement may be given orally.
- Health Oversight
- The Organization may disclose PHI to health oversight agencies for oversight activities authorized by law if the client is not the subject of the investigation or oversight activity.
- If the client is the subject of the investigation/oversight activity, The Organization may disclose a client’s PHI for health oversight activities only if the investigation or oversight arises out of:
- The receipt of health care; or
- A claim for public benefits related to health; or
- Qualification for or receipt of public benefits or services when the individual’s health is integral to the claim for those benefits or services.
- Judicial/Administrative Proceedings
- The Organization may disclose PHI to health oversight agencies for oversight activities authorized by law if the client is not the subject of the investigation or oversight activity.
- If the client is the subject of the investigation/oversight activity, The Organization may disclose a client’s PHI for health oversight activities only if the investigation or oversight arises out of:
- No authorization is required for use or disclosure of PHI (including psychotherapy notes) to the extent that such use or disclosure is required by law and is limited to the relevant requirements of such law (i.e., the “minimum necessary”), provided that the provisions of this policy are met.
- The Organization may disclose PHI, in response to an order of the court or administrative tribunal, but such disclosure may include only PHI expressly authorized by such order.
- The Organization may disclose PHI in response to a subpoena, discovery request, or other lawful process (not ordered by a court or administrative tribunal) only if The Organization:
- Receives satisfactory assurance from the party seeking the information that reasonable efforts have been made to ensure that the client has been given notice of the request; or
- Receives satisfactory assurance from the party seeking the information that reasonable efforts have been made to secure a “qualified protective order.”
- Law Enforcement
- The Organization may disclose PHI (including psychotherapy notes) to a law enforcement official if such use or disclosure is required by law and is limited to the relevant requirements of such law (i.e., the “minimum necessary”).
- The Organization may disclose PHI as required by laws. Injuries that are the result of child abuse, neglect, or domestic violence may be reported to appropriate public health authorities or social service agencies.
- The Organization may disclose PHI to comply with a court order, a court ordered subpoena, or a grand jury subpoena. Such disclosure shall be limited to the relevant requirements of the order or subpoena.
- The Organization may disclose PHI in compliance with an administrative subpoena, administrative summons, civil or authorized investigative demand, or similar process authorized by the law provided that:
- The PHI is relevant and material to a legitimate law enforcement inquiry; and
- The request is specific and limited in scope to the extent reasonably practicable for its purpose; and
- De-identified information could not reasonably by used.
- The Organization may disclose PHI, in response to a law fugitive, material witness, or missing person, provided that the disclosed information enforcement official’s request, for the purpose of identifying or locating a suspect, is limited to:
- Name and address;
- Date and place of birth;
- Social security number;
- Date and time of treatment;
- Date and time of death, if applicable;
- A description of distinguishing characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair, scars, and tattoos.
- The Organization may disclose PHI in response to a law enforcement official's request when the client is, or is suspected to be, a victim of a crime if the individual agrees to the disclosure of The Organization is unable to obtain the client’s agreement due to incapacity or other emergency circumstances, and the law enforcement official represents that:
- The information is needed to determine if a crime was committed by someone other than the victim; and
- The information will not be used against the victim; and
- Immediate law enforcement activity would be seriously impeded by waiting until the client is able to agree to the disclosure; and
- The Organization, using professional judgment, determines the disclosure is in the best interest of the client.
- Research
- The Organization may use or disclose PHI for research without authorization, provided that The Organization obtains from the researcher assurance that:
- The PHI is sought solely to prepare a research protocol or for similar purposes preparatory to research; and
- No PHI will be removed from the premises/systems of The Organization in the course of the review; and
- The PHI is necessary for the research purposes.
- Marketing
- The Organization may not use or disclose PHI for marketing without a valid authorization, except as specified in this policy.
- It must be stated in the authorization if and when The Organization receives direct or indirect remuneration from a third party for using or disclosing PHI for marketing.
- It is not considered marketing, and no authorization is required, when communicating with a client for the purpose of:
- Treatment of the client; or
- Case management or care coordination for the client; or
- Directing or recommending alternative therapies, providers, or settings of care to the client; or
- Describing the entities participating in a provider network or health plan network; or
- Describing if a product or service is provided by a covered entity; or
- Describing the extent to which a product or service will repaid for by health plan or included in a plan of benefits.
- The Organization may use or disclose PHI without authorization when making a marketing communication to a client that:
- Occurs in a face-to-face encounter with the client; or
- Concerns promotional gifts of nominal value (i.e., calendars, pens, etc.).
- Correctional Institutes
- The Organization may disclose to a correctional institution or law enforcement official the PHI of a client who is an inmate or otherwise in lawful custody, if informed that the disclosure is necessary for:
- The provision of health care to the client;
- The health and safety of the client or other inmates;
- The health and safety of the officers, employees, or others at the correctional institution;
- The health and safety of officers or other persons responsible for transporting inmates;
- Law enforcement on the premises of the correctional institution;
- The administration and maintenance of the safety, security, and good order of the correctional institution.
- To Avert a Threat to Health or Safety
- The Organization may disclose PHI without authorization to law enforcement or other persons who can reasonably prevent or lessen the threat of harm.
- The Organization will abide by the minimum necessary requirement when disclosing PHI when averting a threat to health or safety.
- Workers’ Compensation Purposes
- The Organization may release PHI for workers’ compensation as required by the law of the State of Ohio.
- Relating to Decedents
- The Organization may disclose PHI related to a death to coroners, medical examiners, or funeral directors, and to organ procurement organizations relating to organ, eye, or tissue donation or transplants.
- Requesting PHI Verification Requirements
The Organization shall verify the identity of all persons requesting PHI.
- Prior to any disclosure permitted, The Organization shall verify the identity of the person requesting the PHI and the authority of any such person to access the requested information if that person’s identity is not known to The Organization.
- Prior to any disclosure permitted The Organization shall obtain any documentation, statements, or representations (written or oral) from the person requesting the PHI.
- When the Organization receives an order/release that appears to meet all requirements, The Organization may rely on that order as meeting the specified requirements.
- When the Organization receives a request for uses or disclosures of PHI for research purposes, The Organization may be satisfied that verification requirements are met only if The Organization receives one or more written statements that the requirement for individual authorization has been waived, provided that the statement identifies the Institutional Review Board (IRB) or privacy board that granted the alteration or waiver, gives the date on which it was approved, and is signed by the chair or designated member of the IRB or privacy board.
- The Organization may also rely on any of the following to verify identity when the disclosure of PHI to a public official or to a person acting on behalf of the public official:
- Presentation of an agency identification badge or other credentials; or
- A written request using the appropriate government letterhead; or
- Any document that establishes that the person is acting on the behalf of a government official, such as a contract for services, memorandum of understanding, or purchase order.
- The Organization may rely, if reasonable under the circumstances, on any of the following to verify authority when disclosing PHI to a public official or a person acting on behalf of the public official:
- written statement of the legal authority under which the information is requested; or
- If a written statement would be impractical, an oral statement of the legal authority under which the information is requested; or
- A legal warrant, subpoena, order, or other legal processes issued by a grand jury, court, or administrative record.
- Verification requirements are met if The Organization relies on the exercise of professional judgment when making use or disclosure in accordance with policy.
- Verification requirements are met if The Organization acts on a good faith belief when making a disclosure in accordance with policy.
- Release of Information Authorization
The Organization will not use or disclose PHI without competition of Release of Information form or other valid authorization except as otherwise permitted or required under law.
- In compliance with HIPAA, all uses and disclosures of PHI beyond those otherwise permitted or required by law and specified in the policies related to disclosure of PHI requires a signed authorization according to the provisions of this policy. An authorization is required for each entity that is to receive PHI.
- Upon receipt of a valid Authorization for Release of Information Form, The Organization will ensure that any use of disclosure of PHI is consistent with such authorization.
- An Authorization is not valid, if any one of the following are true:
- The expiration date has passed;
- The Organization knows the expiration event has occurred;
- The Organization knows the authorization has been revoked;
- Any required element is not included;
- Any information required in the authorization is not filled out completely;
- The Organization knows that any information in the authorization is false.
- These authorizations are for any use or disclosure of PHI for purposes other than those limited cases related to treatment, payment, and health care operations where authorization is not required as defined by policy, and for all purposes other than treatment, payment, or related health care operations.
- Proper utilization of a Release of Information will grant permission for this agency, another agency, organization or individual to release the appropriate personal client information for a time period not to exceed ninety (90) days.
- Upon release of information, The Organization staff should only respond with documentation in the client’s account of disclosures, release of only specific information requested in compliance with HIPAA minimum necessary requirements if applicable, the date and name of the person or agency to whom information was released, and the signature of the staff member releasing the PHI.
- In most cases, a summary of relevant information will be the most optimal approach. Copies of entire records may not always be considered an acceptable means of supplying information.
- An original copy of the request for release of information shall be maintained in the client's record. The information forwarded shall also be included in the client record.
- Staff shall not disclose information if there is reasonable doubt as to the validity of the Authorization form. i.e., if it has been over ninety days since the client’s signature, if the signature is not an original, if the signature is not witnessed or parts of the document appear unofficially altered.
- When requesting information from other sources, the agency should specify exactly what information is to be disclosed before the client adds his or her signature to the Request for Information form.
- In the case of a life-threatening situation, or where the individual’s condition or situation precludes the possibility of obtaining written consent, The Organization may release pertinent medical or clinical information to the medical personnel responsible for the individual’s care without the client’s authorization and without administrative authorization from the Executive Director or her designee, if obtaining such authorization would cause an excessive delay in delivering treatment to the individual.
- In the event information has been released without initial authorization, the staff member responsible shall notify the Executive Director as well as enter documentation of all details pertinent to the situation into the client record within 24 hours. This documentation shall include but be limited to:
- Date and time the information was released;
- Person’s name and title to whom the information was released;
- Justification for the release of information;
- Reason written authorization could not be duly obtained;
- Nature and details of the information given.
- After the release of such information, the client shall be informed as soon as possible by the Executive Director that such information was related and was documented in the client record.
- The provision of treatment, payment, enrollment in a health plan or eligibility for benefits may not be conditioned on the individual’s provision of an authorization for the use or disclosure of PHI unless it is relating to the provision of research related treatment, or relating to health are that is solely for the purpose of creating PHI for disclosure to a third party.
- Content of the Authorization Form
- All client authorizations for use or disclosure must be singular and not combined with other authorizations or documents. Exceptions:
- An authorization for use or disclosure of PHI for research may be combined with a consent to participate in the research or with any other authorization for the same research study.
- An authorization for use or disclosure of psychotherapy notes may only be combined with another authorization for use and disclosure of psychotherapy notes.
- Each authorization for the use or disclosure of an individual’s PHI shall be written in plain language and shall include at least the following information:
- A specific and meaningful description of the information to be used or disclosed;
- The name or identification of the person or class of person(s) authorized to make the use or disclosure.
- The name or identification of the person or class of person(s) to whom the requested use or disclosure may be made.
- Purpose of the disclosure or statement that disclosure is at the request of the individual.
- An expiration date, condition or event that relates to the individual or the purpose of the use or disclosure; the authorization shall state that it will expire after ninety (90) days unless the individual has opted for a shorter or longer time. An individual may specify a longer period of time for the duration of the authorization only if the person:
- Is part of an approved research study and has given authorization for a longer period of time; or
- Is expected to continue receiving services beyond ninety (90) days and has given authorization for a longer period of time which maybe be up to one hundred and eighty (180) days.
- A statement of the individual's right to revoke the authorization in writing, and exceptions to the right to revoke, together with a description of how the individual may revoke the authorization. Upon written notice of revocation, further use or disclosure of PHI shall cease immediately except to the extent that the office, facility, program or employee has acted in reliance upon the authorization or to the extent that use or disclosure is otherwise permitted or required by law.
- Other statement that treatment, payment, enrollment eligibility in a health plan cannot be conditioned on the individual signing the authorization or statement setting forth consequences of not signing.
- A statement that the information may only be re-released with the written authorization of the individual, except as required by law.
- The dated signature of the individual, and if the authorization is signed by a personal representative of the individual, a description of the representative’s authority to act on behalf of the individual.
- Accounting of Disclosures
It is the policy of The Organization to account for all disclosures as required by HIPAA regulations.
- The individual has the right to receive an accounting of disclosures of PHI made by The Organization in the six (6) years prior to the date on which the accounting is requested.
- The Organization is not required to give an accounting of disclosures made:
- To carry out treatment, payment, and health care operations as permitted under law; or
- To the individual about his or her own information; or
- To the facility directory; or
- To persons involved in the individual’s care; or
- For national security or intelligence purposes; or
- To law enforcement officials or correctional facilities as permitted under law; or
- Other notification purposes permitted under law; or
- Pursuant to the individual's authorization.
- The Organization has the right to suspend the individual's right to receive an accounting of disclosures of PHI to a health oversight agency or law enforcement official for the time period specified by such agency or official if the agency or official provides a written statement asserting that the provision of an accounting would be reasonably likely to impede the activities of the agency or official and specifying the time period of the suspension.
- If the request for suspension is made orally, the suspension may last only thirty (30) days. Such an oral request must be documented, including the identity of the agency or official making the request. The suspension may not extend beyond thirty (30) days unless the written statement described previously is submitted during that time period.
- The Organization shall document and retain documentation, in written or electronic form, for a period of six (6) years:
- All written information required to be included in an accounting of disclosures of PHI.
- All written accountings provided to individuals.
- Titles of persons or offices responsible for receiving and processing requests for an accounting from individuals.
- The Organization will respond to a client's written request for a list of disclosures within sixty (60) days of receiving the request as follows:
- Provide the accounting as requested; or
- If unable to provide the accounting within sixty (60) days, the time for response may be extended by no more than thirty (30) additional days, provided that:
- Within the first sixty (60) days, the individual is given a written statement of the reasons for the delay and the date by which the accounting will be provided; and
- There are no additional extensions of time for response.
- The first accounting in any twelve (12) month period must be provided to the individual without charge. A reasonable, cost-based fee may be charged for additional accountings within the twelve-month period, provided the individual is informed in advance of the fee, and is permitted an opportunity to withdraw or amend the request.
- The accounting for each disclosure shall include:
- The date of the disclosure;
- The name of the person or entity who received the PHI, and, if known, the address of such entity or person;
- A brief description of the PHI disclosed;
- A brief statement of the purpose of the disclosure of PHI that reasonably informs the individual of the basis for the disclosure; or
- In lieu of a statement of the purpose of the disclosure, a copy of the individual's authorization or the request for a disclosure.
- If during the time period for the accounting The Organization has made multiple disclosures to the same entity or person for a single purpose, or pursuant to a singe authorization, the accounting may provide the information as set forth above for the first disclosure, and then summarize the frequency, periodicity, or number of disclosures made during the accounting period and the date of the last such disclosure during the accounting period.
Client Access to PHI
- Access to PHI
The Organization shall recognize the client's right to access their PHI.
- The client will be advised of his or her right to access and obtain a copy of his or her own PHI in a record held by The Organization and its business associates for as long as the PHI is maintained in the record, except as disallowed under policies. If the PHI is contained in more than one record set, The Organization need only provide the PHI once in response to the request for access.
- The client will be provided access to PHI in the form and format requested by the individual if it is readily producible in such form and format. If the PHI is maintained in an electronic format the client may request an electronic copy of the information. The Organization will provide the PHI electronically if it is readily producible in that form. If not readily producible electronically The Organization will provide the PHI in a readable electronic form or format as agreed, to by The Organization and the client.
- The Organization will require that the client's request to access their records be made in writing.
- The Organization shall document the name of the person accessing the PHI (i.e., the client or personal representative), the date it is accessed, what information is accessed, and whether the person is provided a copy of the information.
- The Organization shall act on a request to PHI that is maintained and accessible on-site within thirty (30) days of receiving the request, either by providing access or by informing the individual in writing of the denial.
- If the request for access is for PHI that is not maintained or accessible to The Organization on-site. The Organization shall act on the request within sixty (60) days after receiving request.
- The Organization may extend the allowed time for responding to the request by no more than thirty (30) days if:
- The Organization is unable to take action within the allowed time frame; and
- The Organization, within the allowed time frame, provides a written statement of the reasons for the delay and the date by which the provider will act on the request.
- The Organization may impose the following fees as permitted under Policy
- The cost of copying, including labor and supplies.
- Postage, if a request has been made for the information to be mailed.
- Preparation of a summary or explanation, if agreed to by the individual.
- Denial of Access
The Organization shall recognize the client's right to access their PHI.
- The Organization maintains the right to deny access to client PHI. The Organization will provide the client a written denial in a timely manner that contains the basis for the denial, a statement of the client’s right to request a review of the denial and how to do so, and a statement that the client may file a complaint to The Organization or to the Department of Health and Human Services, including the name (or title) and telephone number of the contact person designated to receive complaints.
- Denial of access in the following cases is subject to review:
- If a licensed healthcare professional believes that access to the requested information may endanger the life or safety of the individual or to any other person.
- If the PHI refers to another person and a licensed healthcare provider believes access may cause substantial harm to the individual or to any other person.
- If the request is made by the individual’s personal representative and the licensed healthcare provider believes access may cause substantial harm to the individual or to any other person.
- Denial of access in the following cases may be made without providing the client with an opportunity for review:
- If the Organization is acting under the direction of a correctional institution and the client is an inmate, and it is determined that obtaining a copy of the PHI would jeopardize the health, safety, security, custody, or rehabilitation of the inmate or other inmates or the safety of the person who is at the correctional institution or responsible for transporting the inmate; or
- For PHI that is created or obtained in the course of ongoing research that includes treatment if the client has agreed to the denial when consenting to participate as long as the client has been informed of the eventual reinstatement of access at the end of the research; or
- If the record containing PHI is subject to the Privacy Act, 5 USC 552a; or
- If the PHI was obtained from someone other than a healthcare provider under a promise of confidentiality and access would be reasonably likely to reveal the source of the information.
- When a decision has been made to deny access for a reason that may be reviewed The Organization shall designate a licensed healthcare professional who was not involved in the denial to review the decision to deny access. A designated reviewer will promptly make a decision and subsequently provide the client with a written notice of the decision.
- Client Request — Restrictions
It is the policy of The Organization to restrict its use and/or disclosure of PHI upon the request of the client.
- Clients may request restrictions on disclosures to individuals who otherwise may be permitted access to certain PHI.
- The Organization is not required to agree to a requested restriction with exception. The Organization must agree with the client to restrict disclosure of PHI for the following:
- When a client requests to restrict disclosure of PHI to a health plan if the purpose of carrying out payment or healthcare operations and is not otherwise required by law, and
- When the PHI pertains to a health care item or service which the client or other person has paid The Organization in full.
- If the Organization agrees to a restriction, it is binding that The Organization may not use or disclose protected PHI in violation of the agreement unless otherwise allowed or required under this policy.
- If the client is in need of emergency treatment and the restricted health information is needed for such treatment, The Organization may use or disclose the restricted PHI.
- If restricted PHI is disclosed to another health care provider as allowed for emergency treatment, The Organization shall request that the other provider not make further use or disclosure of the information.
- The Organization shall not be bound to restrictions on uses or disclosures of PHI when the disclosure is:
- To the individual, when requested under and required by The Organization’s policies; or
- Allowed or required under special conditions described in policy.
- The Organization may terminate its agreement to a restriction if:
- The individual agrees to or requests the termination in writing; or
- The individual orally agrees to the termination and the oral agreement is documented.
- The Organization may terminate its agreement to a restriction without the individual’s agreement if The Organization informs the individual that it is terminating the restriction, but such termination is only effective with respect to PHI created or received after the individual has been so informed.
- The Organization shall document any restriction to which it agrees and shall retain that documentation for at least six (6) years from the date it was created.
- Client Amendments
The Organization shall permit the client to amend his or her PHI or a record about the client for as long as the information is maintained in the designated record set, except as provided for in policy.
- The Organization will require individuals to make requests for amendment in writing and to provide a reason to support a requested amendment, provided that he or she is informed in advance of such requirements.
- If the Organization grants the request to amend the record, the amended information is added to the record; the original information is not replaced or deleted.
- The Organization shall document the title of the person responsible for receiving and processing requests for amendment.
- The Organization shall act on a request for amendment no later than sixty (60) days after the receipt of the request.
- The Organization may extend the allowed time for responding to the request by no more than thirty (30) days if:
- The Organization is unable to take action within the allowed time frame; and
- The Organization, within the allowed time frame, provides a written statement of the reasons for the delay and the date by which the provider will act on the request.
- Accepting Amendments
- The Organization shall inform the individual that the amendment has been accepted.
- At a minimum, The Organization shall identify the records in the designated record set that are affected by the amendment and shall append the amendment or otherwise provide a link to the amendment.
- The Organization shall request from the individual:
- The identities of others who should receive the amendment; and
- The individual's agreement to have the provider share the amendment with relevant persons.
- The Organization shall make reasonable efforts to inform and provide the amendment within a reasonable time to:
- Persons identified by the individual as having received the PHI and needing the amendment; and
- Persons, including business associates, whom The Organization knows have the PHI that has been amended and at may have relied on, or could conceivably rely on, such information to the detriment of the individual.
- If the Organization is informed by another covered entity of an amendment to the individual’s PHI, it shall amend the PHI in its record set within seventy-two (72) hours of notification.
- Denial of Amendments
- The Organization may deny amendments to a record containing PHI as follows:
- If it is determined that the PHI or record is accurate and complete; or
- If it is determined that the PHI or record was not created by The Organization, unless the individual provides a reasonable basis to believe that the originator of the PHI is no longer available to act on the requested amendment;
- If it is determined that the PHI or record is not part of the designated record set.
- The Organization shall provide to the individual a timely, written denial. The denial will be in plain language and contain:
- The basis for the denial; and
- A statement that the individual may submit a written statement disagreeing with the denial, including a description of how the individual may file such a statement; and
- A statement that if the individual does not submit a statement of disagreement, the individual may request that The Organization include the request for amendment and the denial with any future disclosure of the PHI that is the subject of the requested amendment; and
- A description of how the individual may complain to The Organization or to the Secretary of Health and Human Services, including the name (or title) and telephone number of the contact person designated to receive complaints.
- The Organization shall accept the individual’s written statement of disagreement, if submitted, including the basis for the disagreement. The Organization may reasonably limit the length of a statement of disagreement.
- The Organization will prepare a written rebuttal to the individual’s statement of disagreement. If this is done, The Organization shall provide a copy to the individual who submitted the statement of disagreement.
- The Organization shall, as appropriate, identify the record or PHI in the designated record set that is the subject of the disputed amendment and shall append or otherwise link:
- The individual's request for an amendment; and
- The Organization’s denial of the request; and
- The individual statement of disagreement, if any; and
- The Organization's rebuttal, if any.
- If a statement of disagreement has been submitted, The Organization shall include those materials, or summary of such information, with any subsequent disclosure of the PHI to which the disagreement relates.
- If the individual has not submitted a written statement of disagreement, The Organization shall include the individual’s request for amendment and its denial, or an accurate summary of such information, with any subsequent disclosure of the disputed PHI only if the individual has requested such action.
- If the Organization makes a subsequent disclosure of the disputed PHI using a standard transaction that does not permit the addition material to be included, The Organization may separately transmit the required material to the recipient of the standard transaction.
- PHI Client Complaints and Grievances
The Organization's client grievance process shall be used to respond toall PHI-related complaints.
- The client grievance process can be used to make complaints concerning The Organization’s policies and procedures or actions with respect to PHI.
- In the case that the client grievance process is not sufficient to solve the client grievance or complaint, the client may file a written complaint with the Secretary of the Department of Health and Human Services.
- The Organization will document all complaints received, and their disposition, in written or electronic form in accordance with the client rights and grievance policy.
- Client Communications Preference
It is the policy of The Organization to accommodate reasonable requests by clients to receive communications of PHI from The Organization by alternative means or at alternative locations.
The Organization shall allow clients to request in writing or orally that PHI from The Organization be received by an alternative means or sent to an alternative location. If the request is received orally The Organization will document in writing the request.
The client does not have to provide an explanation as to the basis of the request.
- The Organization must accommodate all reasonable requests by clients to receive PHI by an alternative means or sent to an alternative location.
- The client must provide The Organization with the specific address to the alternative location.
- The Organization may determine how payment, if any, will be handled.
Non-Client Access to PHI
- The Organization may discuss the scope, format, and other aspects of the request for access with the individual as necessary to facilitate the provision of timely access.
- In lieu of providing access to the PHI, The Organization may provide the individual with a summary of the requested PHI, or with an explanation of the PHI, if:
- The individual agrees in advance to such a summary or explanation;
- The individual agrees in advance to any fees imposed by The Organization for such a summary or explanation.
- The Organization shall provide access to the requested PHI within thirty (30) days as long as it is reasonable for the agency to do so. If thirty (30) days is deemed unreasonable, The Organization will provide reasoning for the delay to the entity and determine an extended time frame in which the PHI will be provided.
- The Organization shall arrange with the individual for a convenient time and place to inspect or obtain a copy of the PHI or shall mail a copy of the PHI at the individual’s request.
- If the individual requests a copy of the PHI, or agrees to a summary or explanation, The Organization shall impose a reasonable, cost-base fee.
- Fees permitted may include:
- The cost of copying, including labor and supplies;
- Postage, if the individual requests that the information be mailed;
- Preparing a summary or explanation, if agreed to by the individual.
Personal Representatives
It is the policy of The Organization to confirm and verify all client personal representative relationships.
The Organization shall treat the valid personal representative of a client as if he or she was the client regarding client access to his or her PHI as well as all relative proceedings, i.e., client amendments, etc. The personal representative must provide verifiable proof for all other types of authority to represent on behalf of the client, i.e., power of attorney.
Adults and Emancipated Minors
The Organization shall treat a person as the personal representative, under applicable law, if the person has verifiable authority to act on behalf of the individual in making decisions related to health care. The Organization shall require identification and certification of authority and document and photocopy such within the client case record.
Deceased Individuals
The Organization shall only treat a person as a personal representative of a deceased individual upon receipt of a valid authorization that certifies that person to act on behalf of the deceased individual or the individual's estate.
Refusal to Recognize Personal Representatives
The Organization may decide that a person will not be treated as the personal representative of an individual if The Organization determines that it is not in the best interest of the individual to treat that person as the personal representative when The Organization has reasonable belief that:
- The individual has been or may be subjected to abuse, neglect, or domestic violence by that person; or
- Treating the person as the personal representative could endanger the individual.
In such instances applicable reporting laws of the State of Ohio shall be followed by The Organization.