Privacy Policy

Policy Number: 3-1
Title: Confidentiality and Privacy Practices
Applicable Standards: OMHAS 5122-26-04, OMHAS 5122-26-08, OMHAS 5122-27-06, HIPAA Guidelines



Policy

The MODE is committed to the confidentiality and privacy of all clients. The agency and all agency Personnel shall comply with agency, state, and federal laws regarding the confidentiality of client records and privacy practices. Agency Personnel will ensure that all patient medical records are handled in a professional manner that is designed to prevent loss, misfiling, tampering, alteration, destruction, and unauthorized or inadvertent disclosure of any information in the absence of the patient’s written consent.

Confidentiality is defined as the minimum written policies and procedures for maintaining confidentiality in accordance with applicable Ohio and federal laws and regulations, including, but not limited to, 42 C.F.R. part 2, confidentiality of alcohol and drug abuse client records, and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

Protected Health Information (“PHI”) of a client is defined as any data that could be used to identify a client. PHI includes, but is not limited to:

• Date of birth
• Address
• Social security number
• Email address
• Phone number
• Personal medical records
• Payment/bills
• Driver’s license number
• Photographs
• Diagnostic codes

Procedures

A. New Personnel shall review all agency policies and procedures regarding confidentiality, privacy practices, and client records within one week from date of hire and shall address any questions regarding privacy with the Privacy Officer.

B. The MODE staff is prohibited from using or disclosing PHI except as consented or authorized by the client, client’s guardian, or client’s legal representative.

C. The MODE staff shall not convey to a person outside of The MODE that a client attends or receives services from the program or disclose any information identifying a client as an alcohol or other drug services client unless the client consents in writing for the release of information, the disclosure is allowed by a court order, or the disclosure is made to a qualified person for a medical emergency, research, audit or program evaluation purposes.

D. The MODE must obtain a general consent from the client, guardian or legal representative in order to use or disclose PHI about the client for treatment, payment and health care operations.

E. The MODE can disclose PHI to the client, or representative of the client, without any condition.

F. The MODE can disclose PHI for purposes other than payment, treatment and health care operations only if it obtains a written authorization from the client.

G. The MODE must disclose PHI in two instances: when requested by the client and when requested by the Health and Human Service Secretary or other health oversight agency, such as Medicaid, for compliance and enforcement purposes.

H. The MODE must make all reasonable efforts not to use or disclose more than the minimum amount of PHI necessary to accomplish the intended purpose of the use or disclosure. This is known as minimum necessary disclosure.

I. Federal laws and regulations do not protect any threat to commit a crime, or any information about a crime committed by a client either at the agency or program or against any person who works for the agency or program.

J. Federal laws and regulations do not protect any information about known or suspected child abuse or neglect from being reported under state law to appropriate state or local authorities. If a clinician of The MODE knows or suspects the occurrence of abuse or neglect involving an individual under age 18 years, involving an individual under 21 years who is developmentally disabled, or physically impaired, or involving an adult who is elderly, developmentally disabled or physically impaired, the clinician will report that information to the public children services agency or adult service agency in the county in which the child or adult resides or in which the abuse or neglect has occurred.

K. When another entity requests the release of PHI of a client through an authorization, The MODE must verify the identity and authority of the person requesting the PHI. This may include a known place of business, address, phone or fax number as well as a known human being. The authorization must be valid.

L. PHI of deceased clients will be maintained for as long as the MODE maintains the records.

M. The MODE will destroy any unnecessary documentation that contains PHI in a timely fashion. This includes, but is not limited to, incorrect documentation and messages from clients that are no longer needed.

N. The MODE staff members will not disseminate any client or company information to an outside source (attorney, press and any other entity outside of The MODE).

O. Unless specifically a part of their job description, The MODE staff shall not leave The MODE offices with a client unless being instructed to do so because of evacuation or emergency procedures.

P. The MODE will provide paper copies of client records upon legally valid requests.

Q. Any allegations of a transgression of this matter shall be addressed immediately. (See Policy 3-3)

R. All electronic health records (EHRs) will be held in a system that is certified in accordance with the Public Health Service Act (PHSA) and will also comply with section 3701.75 of the Revised Code. The MODE’s computer-based clinical records system shall include consideration of the following components by all staff:

  • Authentication. All users of the system must be so authorized by utilizing the proper user ID and/or password. Sharing of or using another’s user ID and/or password will result in disciplinary action.
  • Authorization. All users of the system will only access the functions, information, and privileges outlined for their position. Accessing functions, information, and privileges not outlined for one’s position will result in disciplinary action.
  • Integrity. Confidential client information/Protected Health Information (PHI) is only to be changed by authorized Personnel and done so in the correct manner discussed in training.
  • Audit Trails. All user actions will be recorded by the system and a chronological record of said activities will be kept on file.
  • Disaster Recovery. All files will be backed up so that in the case of natural or manmade disaster, all client records will still be accessible.
  • Electronic Signatures. All users will be issued a combination of letters, numbers, characters, or symbols or an electronic image of the user’s signature to be used as a signature on all computerized filing. Client record systems utilizing electronic signatures shall comply with section 3701.75 of the Revised Code. Sharing of or using another’s electronic signature will result in disciplinary action.
  • See Policy 3-6 for a copy of the HIPAA Notice of Privacy Practices.

Policy Number: 3-6
Title: Consent for Release of Information
Applicable Standards: OMHAS 5122-27-06, HIPAA Guidelines



Policy

A HIPAA release form will be obtained from a client before their protected health information is disclosed for any purpose (other than those detailed in 45 CFR §164.506, which are specifically covered in 45 CFR §164.508). These purposes include: prior to the disclosure of PHI to a third party for reasons other than the provision of treatment, payment or other standard healthcare operations (e.g., disclosing information to an insurance underwriter); prior to PHI being used for marketing or fund-raising purposes; prior to PHI being provided to a research organization; prior to psychotherapy notes being disclosed; and prior to the sale of PHI or sharing that involves remuneration.

Procedures

A. The MODE will provide a HIPAA release form, written in plain language, and a copy of the signed form will be provided to the patient.

B. The authorization for release of information shall include:

  • The full name of the client
  • Date of birth of the client
  • The specific information to be disclosed, and the purpose of the disclosure
  • The name of the person or entity disclosing the information (The MODE)
  • The name of the person or entity receiving the information
  • The date, event, or condition upon which the authorization shall expire
  • Statement that the consent is subject to revocation at any time except to the extent the provider or person who is to make the disclosure has already acted in reliance on it
  • Either a statement that The MODE will not condition treatment, payment, enrollment, or eligibility on client’s authorization for the release of information, or a statement of the consequences to the client if client refuses to sign an authorization for the release of information
  • The dated signature of the client or, as appropriate, a legally authorized agent and the agent’s relationship to the client.
  • For clients receiving addiction services treatment, either of the following statements: (a) “This information has been disclosed to you from records protected by federal confidentiality rules (42 CFR part 2). The federal rules prohibit you from making any further disclosure of information in this record that identifies a patient as having or having had a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another person unless further disclosure is expressly permitted by the written consent of the individual whose information is being disclosed or as otherwise permitted by 42 CFR part 2. A general authorization for the release of medical or other information is not sufficient for this purpose (see 42 CFR 2.31). The federal rules restrict any use of the information to investigate or prosecute with regard to a crime any patient with a substance use disorder, except as provided at 42 CFR 2.12(c)(5) and 42 CFR 2.65.”; or (b) “42 CFR part 2 prohibits unauthorized disclosure of these records.”
  • For records relating to mental health services, information from other providers that is contained in the individual client record may be released from the individual client record with the written authorization provided in accordance with the provisions of this rule. For records relating to addiction services, information from other providers that is contained in the individual client record may be released from the individual client record only if the written authorization provided in accordance with this rule explicitly authorizes both the disclosure of provider’s records and the re-disclosure of the other provider’s records.

C. If the client is a minor, the release of information shall either:

  • Be signed by the client’s parent or legal guardian;
  • In the case of providers who are certified to provide mental health services, may be signed by a client of fourteen years of age or older if all other requirements of section 5122.04 of the Revised Code are met;
  • In the case of providers who are certified to provide addiction treatment services, be signed by the client and the client’s parent or legal guardian; or,
  • In the case of providers who are certified to provide addiction treatment services and minor clients providing consent to treatment pursuant to section 3719.012 of the Revised Code, the client shall sign the release of information.
  • In the case of providers who are certified to provide addiction treatment services, when providing services to clients who are minors but who are not providing consent pursuant to section 3719.012 of the Revised Code, the provider must either obtain the client’s authorization to contact the client’s parent or legal guardian or find the minor lacks the capacity to make a rational choice in accordance with 42 C.F.R. part 2.14(c)(2).

Policy Number: 3-7
Title: Grievance Process for HIPAA Violations
Applicable Standards: OMHAS 5122-26-06, OMHAS 5122-26-18, HIPAA Guidelines



Policy

If a HIPAA-covered entity or its business associate violates health information privacy rights or commits another violation of an individual’s right to privacy, the individual may file a complaint with the Office for Civil Rights (OCR). OCR can investigate complaints against covered entities and their business associates.

Procedure

A. Anyone can file a health information privacy or security complaint. The complaint must:

  • Be filed in writing by mail, fax, e-mail, or via the OCR Complaint Portal
  • Name the covered entity or business associate involved, and describe the acts or omissions the individual believes violated the requirements of the Privacy, Security, or Breach Notification Rules
  • Be filed within 180 days of when the individual knew that the act or omission complained of occurred. (OCR may extend the 180-day period if the individual can show “good cause”)

B. HIPAA Prohibits Retaliation: under HIPAA, an entity cannot retaliate against an individual for filing a complaint. The individual should notify OCR immediately in the event of any retaliatory action.

Procedure:

A. How to file a Health Information Privacy Complaint Online:

  • Open the OCR Complaint Portal and select the type of complaint you would like to file.
  • Complete as much information as possible, including:
    • Information about you, the complainant
    • Details of the complaint
    • Any additional information that might help OCR when reviewing your complaint
  • You will then need to electronically sign the complaint and complete the consent form.
  • After completing the consent form you will be able to print out a copy of your complaint to keep for your records

B. How to file a Health Information Privacy Complaint in Writing:

  • Open and fill out the Health Information Privacy Complaint Form Package PDF in PDF format. You will need Adobe Reader software to fill out the complaint and consent forms. You may either:
    • Print and mail the completed complaint and consent forms to:

Centralized Case Management Operations
U.S. Department of Health and Human Services
200 Independence Avenue, S.W. Room 509F HHH Bldg.
Washington, D.C. 20201

    • Email the completed complaint and consent forms to [email protected] (Please note that communication by unencrypted email presents a risk that personally identifiable information contained in such an email, may be intercepted by unauthorized third parties)

C. How to file a Complaint Without Using Our Health Information Privacy Complaint Package:

  • If you prefer, you may submit a written complaint in your own format by either:
    • Print and mail the completed complaint and consent forms to:

Centralized Case Management Operations
U.S. Department of Health and Human Services
200 Independence Avenue, S.W. Room 509F HHH Bldg.
Washington, D.C. 20201

    • Email to [email protected]
  • Be sure to include:
    • Your name
    • Full address
    • Telephone numbers (include area code)
    • E-mail address (if available)
    • Name, full address and telephone number of the person, agency, or organization you believe violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy or Security Rule
    • Brief description of what happened. How, why, and when do you believe your (or someone else’s) health information privacy rights were violated, or how the Privacy or Security Rule otherwise was violated
    • Any other relevant information
    • Your signature and date of complaint
    • NOTE: If you are filing a complaint on someone’s behalf, also provide the name of the person on whose behalf you are filing.
    • You may also include:
      • If you need special accommodations for us to communicate with you about this complaint
      • Contact information for someone who can help us reach you if we cannot reach you directly
      • If you have filed your complaint somewhere else and where you’ve filed

D. How to file a Security Rule Complaint:

  • You may file a Security Rule complaint electronically via the OCR Complaint Portal, or by using the downloadable PDF Health Information Privacy Complaint Package.
  • If you mail or fax the complaint, be sure to send it to the appropriate OCR regional office based on where the alleged violation took place. OCR has ten regional offices, and each regional office covers specific states. Send your complaint to the attention of the OCR Regional Manager. You do not need to sign the complaint and consent forms when you submit them by e-mail because submission by e-mail represents your signature.
  • Before You File a Complaint.
  • According to HIPAA, an individual should not file a complaint that cannot be investigated. Review these questions before filing a health information privacy or security complaint with OCR:
    • Does your complaint describe an activity that might violate the Privacy or Security Rule? If you are not sure, go ahead and file your complaint. But, OCR can only investigate complaints that allege an action or omission that fails to comply with the Privacy or Security Rules. For example, a doctor can send your medical test results to another doctor without your permission if the doctor needs the information to treat you; this is not a violation of the Privacy Rule, so we would not investigate a complaint that described this situation.
    • Are you willing to give OCR your name and contact information? OCR does not investigate complaints filed without a name and contact information on the complaint. If you want OCR to keep your name and contact information confidential during the investigation, you may specify that on the consent form.

Policy Number: 3-8
Title: Tracking Disclosures of Protected HIPAA Information
Applicable Standards: HIPAA Guidelines


Policy:

The HIPAA Notice of Privacy Practices gives an individual the right to request a written record when a covered entity has made certain disclosures of that individual’s PHI. The accounting must include all covered disclosures in the six years prior to the date of the individual’s request.

Disclosures occur whenever PHI is shared with a person or organization outside the covered entities, unless the covered entity has designated a recipient as a “workforce member” of the covered entity.

“Covered Entity” is defined as anyone who provides treatment, payment and operations in healthcare.

Procedure:

A. The MODE is required to:

  • Track certain disclosures of an individual’s PHI
  • Provide the disclosure tracking information to the Privacy Officer

B. The Privacy Officer responds to client requests for accountings and uses the information provided by the outside entity for this purpose.

C. General disclosures of PHI include those made as required by or authorized by other law (such as disclosures to public health authorities or law enforcement), or made in response to court orders, subpoenas, etc. (with certain exceptions, as noted above).

D. An outside entity that will make a general disclosure of PHI from clinical records should consult the Privacy Officer.

E. How to track PHI disclosures:

  • The outside entity should maintain a record of all disclosures that are
    subject to the HIPAA tracking requirement.
  • The outside entity must also transmit this tracking information promptly to the Privacy Officer (via fax or email).

F. Requests for written records of disclosures must be in writing and signed by the individual and clearly identify the designated person or entity and where to send the PHI. The individual will specify where they want the information to be sent.

G. The covered entity must respond to a request within 30 days of the request.
