POLICY

OCHRC maintains confidentiality in accordance with applicable federal and state laws and regulations; including, but not limited to, 42 CF.R. part 2, confidentiality of alcohol and drug abuse client records, and the Health Insurance Portability and Accountability Act of 1996.

PROCEDURE

OCHRC staff access to an individual client’s records, treatment information, diagnosis or other protected information is limited to access and disclosure in accordance with applicable federal and state laws and regulations.

Storage of client records shall be in accordance with all applicable and federal state laws and regulations. Records will be released to staff only when necessary, appropriate, and admissible by state and federal law. Records shall be stored in one or both of the following:

1.      The Clinical Director’s office in a locked filing cabinet.

2.      HIPPA compliant Electronic Health Record service, KIPU.

KIPU, LLC including KIPU CRM/EMR and OutcomeTools, is fully compliant with the HIPAA Standards for Privacy, Electronic Transactions and Security (including the HITECH Act and the Omnibus Rule of 2013). KIPU has implemented policies, processes, and procedures designed to ensure compliance with Federal and State information security laws, regulations, and rules, and monitors ongoing compliance efforts with assistance from Compliancy Group LLC. This process includes a risk analysis of administrative (policies and procedures), technical (all devices connecting to or storing ePHI, e.g., routers, firewalls,

servers, workstations) and physical (paper shredding, alarm systems, and general security of each site) controls as well as disaster recovery planning.

All employees will receive the confidentiality policy, including summaries of HIPPA and 42

C.F.R. part 2. Upon hire and orientation, employees will sign and date an acknowledgement of receipt which will be kept in their employee file.

Health Insurance Portability and Accountability Act of 1996 (HIPAA) HIPAA Security Rule

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.

HIPAA Privacy Rule

The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information”) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.” The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well- being. The Privacy Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing.

Permitted Uses and Disclosures

A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations:

·  Disclosure to the individual (if the information is required for access or accounting of disclosures, the entity MUST disclose to the individual)

·  Treatment, payment, and healthcare operations

·  Opportunity to agree or object to the disclosure of PHI (Informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object)

·  Incident to an otherwise permitted use and disclosure

Public interest and benefit activities—The Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission, for 12 national priority purposes:

·  When required by law

·  Public health activities

·  Victims of abuse or neglect or domestic violence

·  Health oversight activities

·  Judicial and administrative proceedings

·  Law enforcement

·  Functions (such as identification) concerning deceased persons

·  Cadaveric organ, eye, or tissue donation

·  Research, under certain conditions

·  To prevent or lessen a serious threat to health or safety

·  Essential government functions

·  Workers compensation

·  Limited dataset for research, public health, or healthcare operations

HIPAA Security Rule

While the HIPAA Privacy Rule safeguards protected health information (PHI), the Security Rule protects a subset of information covered by the Privacy Rule. This subset is all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. This information is called “electronic protected health information” (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing.

To comply with the HIPAA Security Rule, all covered entities must do the following:

·  Ensure the confidentiality, integrity, and availability of all electronic protected health information

·  Detect and safeguard against anticipated threats to the security of the information

·  Protect against anticipated impermissible uses or disclosures

·  Certify compliance by their workforce

Covered entities should rely on professional ethics and best judgment when considering requests for these permissive uses and disclosures. The HHS Office for Civil Rights enforces HIPAA rules, and all complaints should be reported to that office. HIPAA violations may result in civil monetary or criminal penalties.

For more information, visit the Department of Health and Human Services HIPAA website.

42 C.F.R. Part 2

42 C.F.R. Part 2 applies to any individual or entity that is federally assisted and holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment, or referral for treatment. It protects client identifying information that would identify a client as an alcohol or drug client, either directly or indirectly and any information, whether or written, that would directly or indirectly reveal a person’s status as a current or former client.

Part 2 generally requires a patient’s written consent before making a disclosure of protected records. Patient consent must always be written and include specific information about the recipient of the records and the records to be shared.

Part 2 generally requires a special court order before your records can be shared with law enforcement or a court. A subpoena, general court order, search warrant, or official request is not enough for law enforcement to access your treatment information.

Part 2 permits the disclosure of information under certain circumstances without consent during a medical emergency or in other limited situations. If a Part 2 program (or a healthcare provider that has received Part 2 patient information) believes that there is an immediate threat to the health or safety of any individual, there are steps described below that the Part 2 program or healthcare provider can take in such a situation:

Notifications to medical personnel in a medical emergency: A Part 2 program can make disclosures to medical personnel if there is a determination that a medical emergency exists, i.e. there is a situation that poses an immediate threat to the health of any individual and requires immediate medical intervention [42 CFR §2.51(a)]. Information disclosed to the medical personnel who are treating such a medical emergency may be redisclosed by such personnel for treatment purposes as needed.

Notifications to law enforcement: Law enforcement agencies can be notified if an immediate threat to the health or safety of an individual exists due to a crime on program premises or against program personnel. A Part 2 program is permitted to report the crime or attempted crime to a law enforcement agency or to seek its assistance [42 CFR

§2.12(c)(5)]. Part 2 permits a program to disclose information regarding the circumstances of such an incident, including the suspect’s name, address, last known whereabouts, and status as a patient in the program.

Reports of child abuse and neglect: The restrictions on disclosure do not apply to the reporting under State law of incidents of suspected child abuse and neglect to the appropriate State or local authorities. However, Part 2 restrictions continue to apply to the original alcohol or drug abuse patient records maintained by the program including their disclosure and use for civil or criminal proceedings which may arise out of the report of suspected child abuse and neglect [42 CFR § 2.12(c)(6)]. Also, a court order under Part 2 may authorize disclosure of confidential communications made by a patient to a program in the course of diagnosis, treatment, or referral for treatment if, among other reasons, the disclosure is necessary to protect against an existing threat of life or of serious bodily injury, including circumstances which constitute suspected child abuse and neglect [42 CFR

§ 2.63(a)(1)].

Court ordered disclosures: Under the regulations, Part 2 programs or “any person having a legally recognized interest in the disclosure which is sought” may apply to a court for an order authorizing disclosure of protected patient information [42 CFR § 2.64]. Thus,if there

is an existing threat to life or serious bodily injury, a Part 2 program or “any person having a legally recognized interest in the disclosure which is sought” can apply for a court order to disclose information.

Once Part 2 information has been initially disclosed (with or without patient consent), no redisclosure is permitted without the patient’s express consent to redisclose or unless otherwise permitted under Part 2. Disclosures made with patient consent must be accompanied by a statement notifying the recipient that Part 2 redisclosure is prohibited, unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by Part 2 (42 CFR § 2.32). When disclosures are made without patient consent under the following circumstances, limited redisclosures without obtaining the patient’s consent: are permitted, such as medical emergencies [42 CFR § 2.51], child abuse reporting [42 CFR § 2.12(c)(6)], crimes on program premises or against program personnel [42 CFR § 2.12(c)(5)], and court ordered disclosures when procedures and criteria are met [42 CFR §§ 2.61-2.67]. When disclosures are made under the following circumstances the recipient is prohibited from redisclosing the information without consent, except under the following restricted circumstances:

Research: Researchers who receive patient identifying information are prohibited from redisclosing the patient-identifying information to anyone except back to the program [42 CFR § 2.52(b)].

Audits and Evaluations: Part 2 permits disclosures to persons and organizations authorized to conduct audits and evaluation activities, but imposes limitations by requiring any person or organization conducting the audit or evaluation to agree in writing that it will redisclose patient identifying information only (1) back to the program, or (2) pursuant to a court order to investigate or prosecute the program (not a patient), or (3) to a government agency that is overseeing a Medicare or Medicaid audit or evaluation [42 CFR

§ 2.53(c)(d)].

Qualified Service Organization Agreements (QSOAs): Part 2 requires the QSO to agree in writing that in receiving, storing, processing, or otherwise dealing with any information from the program about patients, it is fully bound by Part 2, it will resist, in judicial proceedings if necessary, any efforts to obtain access to information pertaining to patients except as permitted by Part 2, and will use appropriate safeguards to prevent the unauthorized use or disclosure of the protected information [42 CFR § 2.11]. In addition, QSOAs may allow disclosure in certain circumstances.

Authorizing Court Orders: When information is disclosed pursuant to an authorizing court order, Part 2 requires that steps be taken to protect patient confidentiality. In a civil case, Part 2 requires that the court order authorizing a disclosure include measures necessary to limit disclosure for the patient’s protection, which could include sealing from public scrutiny the record of any proceeding for which disclosure of a patient’s record has been ordered [42 CFR § 2.64(e)(3)]. In a criminal case, such an order must limit disclosure

to those law enforcement and prosecutorial officials who are responsible for or are conducting the investigation or prosecution, and must limit their use of the record to cases involving extremely serious crimes or suspected crimes. For additional information regarding the contents of court orders authorizing disclosure, see 42 CFR § 2.65(e).