HIPAA Compliance

POLICY

OCHRC maintains confidentiality in accordance with applicable federal and state laws and regulations, including, but not limited to, 42 C.F.R. part 2, confidentiality of alcohol and drug abuse client records, and the Health Insurance Portability and Accountability Act of 1996.

PROCEDURE

OCHRC staff access to an individual client’s records, treatment information, diagnosis or other protected information is limited to access and disclosure in accordance with applicable federal and state laws and regulations.

Storage of client records shall be in accordance with all applicable federal and state laws and regulations. Records will be released to staff only when necessary, appropriate, and admissible by state and federal law. Records shall be stored in one or both of the following:

1. The Clinical Director’s office in a locked filing cabinet.

2. HIPAA compliant Electronic Health Record service, KIPU.

KIPU, LLC, including KIPU CRM/EMR and OutcomeTools, is fully compliant with the HIPAA Standards for Privacy, Electronic Transactions and Security (including the HITECH Act and the Omnibus Rule of 2013). KIPU has implemented policies, processes, and procedures designed to ensure compliance with Federal and State information security laws, regulations, and rules, and monitors ongoing compliance efforts with assistance from Compliancy Group LLC. This process includes a risk analysis of administrative (policies and procedures), technical (all devices connecting to or storing ePHI, e.g., routers, firewalls, servers, workstations) and physical (paper shredding, alarm systems, and general security of each site) controls as well as disaster recovery planning.

All employees will receive the confidentiality policy, including summaries of HIPAA and 42 C.F.R. part 2. Upon hire and orientation, employees will sign and date an acknowledgement of receipt which will be kept in their employee file.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.

HIPAA Privacy Rule

The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information”) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.” The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being. The Privacy Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing.

Permitted Uses and Disclosures

A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations:

· Disclosure to the individual (if the information is required for access or accounting of disclosures, the entity MUST disclose to the individual)

· Treatment, payment, and healthcare operations

· Opportunity to agree or object to the disclosure of PHI (Informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object)

· Incident to an otherwise permitted use and disclosure

Public interest and benefit activities: The Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission, for 12 national priority purposes:

· When required by law

· Public health activities

· Victims of abuse or neglect or domestic violence

· Health oversight activities

· Judicial and administrative proceedings

· Law enforcement

· Functions (such as identification) concerning deceased persons

· Cadaveric organ, eye, or tissue donation

· Research, under certain conditions

· To prevent or lessen a serious threat to health or safety

· Essential government functions

· Workers compensation

· Limited dataset for research, public health, or healthcare operations

HIPAA Security Rule

While the HIPAA Privacy Rule safeguards protected health information (PHI), the Security Rule protects a subset of information covered by the Privacy Rule. This subset is all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. This information is called “electronic protected health information” (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing.

To comply with the HIPAA Security Rule, all covered entities must do the following:

· Ensure the confidentiality, integrity, and availability of all electronic protected health information

· Detect and safeguard against anticipated threats to the security of the information

· Protect against anticipated impermissible uses or disclosures

· Certify compliance by their workforce

Covered entities should rely on professional ethics and best judgment when considering requests for these permissive uses and disclosures. The HHS Office for Civil Rights enforces HIPAA rules, and all complaints should be reported to that office. HIPAA violations may result in civil monetary or criminal penalties.

For more information, visit the Department of Health and Human Services HIPAA website.

42 C.F.R. Part 2

42 C.F.R. Part 2 applies to any individual or entity that is federally assisted and holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment, or referral for treatment. It protects client identifying information that would identify a client as an alcohol or drug client, either directly or indirectly, and any information, whether oral or written, that would directly or indirectly reveal a person’s status as a current or former client.

Part 2 generally requires a patient’s written consent before making a disclosure of protected records. Patient consent must always be written and include specific information about the recipient of the records and the records to be shared.

Part 2 generally requires a special court order before your records can be shared with law enforcement or a court. A subpoena, general court order, search warrant, or official request is not enough for law enforcement to access your treatment information.

Part 2 permits the disclosure of information under certain circumstances without consent during a medical emergency or in other limited situations. If a Part 2 program (or a healthcare provider that has received Part 2 patient information) believes that there is an immediate threat to the health or safety of any individual, there are steps described below that the Part 2 program or healthcare provider can take in such a situation:

Notifications to medical personnel in a medical emergency: A Part 2 program can make disclosures to medical personnel if there is a determination that a medical emergency exists, i.e. there is a situation that poses an immediate threat to the health of any individual and requires immediate medical intervention [42 CFR §2.51(a)]. Information disclosed to the medical personnel who are treating such a medical emergency may be redisclosed by such personnel for treatment purposes as needed.

Notifications to law enforcement: Law enforcement agencies can be notified if an immediate threat to the health or safety of an individual exists due to a crime on program premises or against program personnel. A Part 2 program is permitted to report the crime or attempted crime to a law enforcement agency or to seek its assistance [42 CFR §2.12(c)(5)]. Part 2 permits a program to disclose information regarding the circumstances of such an incident, including the suspect’s name, address, last known whereabouts, and status as a patient in the program.

Reports of child abuse and neglect: The restrictions on disclosure do not apply to the reporting under State law of incidents of suspected child abuse and neglect to the appropriate State or local authorities. However, Part 2 restrictions continue to apply to the original alcohol or drug abuse patient records maintained by the program, including their disclosure and use for civil or criminal proceedings which may arise out of the report of suspected child abuse and neglect [42 CFR § 2.12(c)(6)]. Also, a court order under Part 2 may authorize disclosure of confidential communications made by a patient to a program in the course of diagnosis, treatment, or referral for treatment if, among other reasons, the disclosure is necessary to protect against an existing threat to life or of serious bodily injury, including circumstances which constitute suspected child abuse and neglect [42 CFR § 2.63(a)(1)].

Court ordered disclosures: Under the regulations, Part 2 programs or “any person having a legally recognized interest in the disclosure which is sought” may apply to a court for an order authorizing disclosure of protected patient information [42 CFR § 2.64]. Thus, if there is an existing threat to life or serious bodily injury, a Part 2 program or “any person having a legally recognized interest in the disclosure which is sought” can apply for a court order to disclose information.

Once Part 2 information has been initially disclosed (with or without patient consent), no redisclosure is permitted without the patient’s express consent to redisclose or unless otherwise permitted under Part 2. Disclosures made with patient consent must be accompanied by a statement notifying the recipient that Part 2 redisclosure is prohibited, unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by Part 2 (42 CFR § 2.32). When disclosures are made without patient consent under the following circumstances, limited redisclosures without obtaining the patient’s consent are permitted, such as medical emergencies [42 CFR § 2.51], child abuse reporting [42 CFR § 2.12(c)(6)], crimes on program premises or against program personnel [42 CFR § 2.12(c)(5)], and court ordered disclosures when procedures and criteria are met [42 CFR §§ 2.61-2.67]. When disclosures are made under the following circumstances, the recipient is prohibited from redisclosing the information without consent, except under the following restricted circumstances:

Research: Researchers who receive patient identifying information are prohibited from redisclosing the patient-identifying information to anyone except back to the program [42 CFR § 2.52(b)].

Audits and Evaluations: Part 2 permits disclosures to persons and organizations authorized to conduct audits and evaluation activities, but imposes limitations by requiring any person or organization conducting the audit or evaluation to agree in writing that it will redisclose patient identifying information only (1) back to the program, or (2) pursuant to a court order to investigate or prosecute the program (not a patient), or (3) to a government agency that is overseeing a Medicare or Medicaid audit or evaluation [42 CFR § 2.53(c)(d)].

Qualified Service Organization Agreements (QSOAs): Part 2 requires the QSO to agree in writing that in receiving, storing, processing, or otherwise dealing with any information from the program about patients, it is fully bound by Part 2, it will resist, in judicial proceedings if necessary, any efforts to obtain access to information pertaining to patients except as permitted by Part 2, and will use appropriate safeguards to prevent the unauthorized use or disclosure of the protected information [42 CFR § 2.11]. In addition, QSOAs may allow disclosure in certain circumstances.

Authorizing Court Orders: When information is disclosed pursuant to an authorizing court order, Part 2 requires that steps be taken to protect patient confidentiality. In a civil case, Part 2 requires that the court order authorizing a disclosure include measures necessary to limit disclosure for the patient’s protection, which could include sealing from public scrutiny the record of any proceeding for which disclosure of a patient’s record has been ordered [42 CFR § 2.64(e)(3)]. In a criminal case, such an order must limit disclosure to those law enforcement and prosecutorial officials who are responsible for or are conducting the investigation or prosecution, and must limit their use of the record to cases involving extremely serious crimes or suspected crimes. For additional information regarding the contents of court orders authorizing disclosure, see 42 CFR § 2.65(e).