POLICY

The agency will ensure that all persons who have access to or control over confidential information are trained prior to starting work, and take affirmative measures to safeguard such information.

Only the Chief Compliance Officer (or designee) may release written confidential information. All requests for information shall be routed to this Coordinator/designee. The Coordinator has 5 working days to release the information. A disclosure log will be kept in service recipient's charts to record when, what and to whom information was released.

Confidential information means any personally identifiable health information, whether oral or recorded in any form or medium, that is created or received by the agency and relates to the past, present, or future physical or mental health or condition of an individual; the provision of care to an individual; or the past, present, or future payment for the provision of health care to a service recipient. This includes any data transmitted or maintained in any other form or medium by covered entities, including paper records, fax documents and all oral communications, or any other form, i.e. screen prints of eligibility information, printed e-mails that have identified individual's health information, claim or billing information, hard copy birth or death certificates.

Confidential information may be released under these conditions:

• By a court order (see Policy AD 08 warrant on subpoenas and warrants).
• By the recipient's written, informed consent for release of information.
• If the recipient has been declared legally incompetent, his/her legal representative must provide written consent.
• An agency may use material from recipient records for educational purposes if names are deleted, and any other identifying information is removed.
• Confidential information regarding substance use treatment shall be released or disclosed in accordance with federal regulation 42 C.F.R Part 2,

• Confidential information relative to a person with HIV infection, AIDS or AIDS related conditions is only released in accordance with 42 CFR Part 2 Federal Confidentiality Regulations. Whenever authorization is required for release of this information, the consent must specify that the information to be released includes information relative to HIV infection, AIDS or AIDS related conditions.

• Agency employees, interns and volunteers are subject to suspension, dismissal or disciplinary action for failure to comply with agency policy.
• Individuals, other than employees, but including interns and volunteers and those who are agents of the agency who have access to confidential information and who fail to comply with agency policy, shall be denied access to further confidential information by the agency.

• All records, including those which contain confidential information which are generated in connection with the performance of any function of the agency, are the property of the agency.

Original service recipient records may be removed from the agency premises only under the following conditions:I

• n accordance with a subpoena to produce document or object or other order of the court (See Policy AD 08).
• Whenever service recipient records are needed for treatment/habilitation or audit purposes, records may be transported within the agency facility or between agency sites
• In situations where the agency determines it is not feasible or practical to copy the service recipient record, or portions thereof, service recipient records may be securely transported to a local health care provider, provided the record remains in the custody of a delegated employee;
• Whenever a service recipient expires at the agency and an autopsy is to be conducted, the service recipient record may be transported to the agency wherein the autopsy will be performed .

• The agency does not charge fees for reproduction of records requested by: physicians, psychologists, hospitals or other health care providers; 3rd party payors; providers of support services; attorneys representing the Attorney General's office and Special Counsel; situations determined by the CEO to be for good cause; when indigent service recipient's request pertinent portions of their records necessary for the purpose of establishing eligibility for legitimate aid; or if a private agency is used for photocopying and the agency directly bills the person receiving the copies.

A service recipient, or a service recipient's legally responsible person, may contest the accuracy, completeness or relevancy of information in the service recipient record and may request alteration of such information. Alterations shall be made as follows:

• whenever clinical personnel concurs that such alteration is justified, the agency shall identify the contested portion of the record and allow the insertion of the alteration as an addendum to the contested portion of the service recipient record; however, the original portion of the written record may not be deleted;

• whenever clinical personnel do not concur that such alteration is justified, the agency shall identify the contested portion of the record and allow a statement relative to the contested portion to be added to the service recipient record, which shall be recorded on a separate form and not on the original portion of the record which is being contested. Such a statement shall be made a permanent part of the service recipient 's record and shall be released or disclosed along with the contested portion of the record.

• Faxes containing confidential information are not used for routine releases of information when using regular mail delivery would suffice. A fax machine for sending and receiving individual's information is located in a secure area, rather than a common area where the information could inadvertently be mixed with other papers or read by unauthorized persons. The fax cover sheet contains a statement prohibiting re-disclosure. Whenever confidential information is faxed, the sender ensures that a designated receiver is available before transmitting information, e.g. telephone call. The receipt of the information is confirmed.

• E-mail does not contain a person's identifying confidential information. Informality of e-mail often causes laxness in protecting confidential information. Information can only be sent via email if the email is encrypted and confidentiality is ensured. E-mail notices include a non-disclosure statement.

• Desktop computers and other electronic devices are used for word processing and accessing the electronic medical record. All electronic devices are password protected. Only those persons who are authorized are allowed to enter and have access to the electronic devices. Each person authorized to have access to the electronic device is assigned a security code or password and sign a confidentiality statement. Security codes or passwords shall be changed periodically or as determined by the IT Director/designee or CEO. Information backed up is also password protected.

• Records many be removed from the premises only when: following a subpoena' when record is needed for treatment, habilitation or audit purposes; when the agency decides it is not feasible to copy record/portion of record to transport to local healthcare provider or purposes of autopsy. When records are taken to a healthcare provider the record must remain in the hands of the designated employee. Transported records must be in locked box and transported in a locked vehicle.

The agency will conduct mandatory training on confidentiality policies for all personnel during agency orientation. At the conclusion of mandatory agency orientation, personnel trained will indicate an understanding of the requirements by signing a statement of understanding and compliance prior to starting work. This statement is signed again whenever revisions are made in requirements. The statement contains the following information:

• name of the agency
• date and signature of the service recipient and his/her title;
• statement of understanding;
• agreement to hold information confidential; and
• acknowledgement of civil penalties and disciplinary action for improper release or disclosure.

• Service recipient's, service recipients' legally responsible persons, or agency personnel may request a review of any decisions made under this policy by the Chief Compliance Officer.

• Whenever the agency receives confidential information from another facility, agency or individual, then such information shall be treated as any other confidential information generated by the agency. Release or disclosure of such information shall be governed by the rules of this policy.

• In an exigent circumstance, information may be provided to the next of kin or other family member who has a legitimate role in the therapeutic services offered, or to another person designated by the service recipient or his legally responsible person in accordance with prevailing HIPAA regulation.

Consent for Release

• The agency may not release any confidential information until a Consent for Release form has been obtained. Disclosure without authorization shall be in accordance with the procedure for exceptions below.

• service recipient 's name;
• name of the agency;
• name of service recipient or individuals, agency or agencies to whom information is being released;
• specific information to be released;
• purpose for the release;
• length of time consent is valid;
• a statement that the consent is subject to revocation at any time except to the extent that action has been taken in reliance on the consent;
• signature of the service recipient or the service recipient 's legally responsible person; and
• date consent is signed.

• a consent to continue established financial benefits shall be considered valid until cessation of benefits; or
• a consent for release of information to the Division, Division of Motor Vehicles, the Court and the Department of Correction for information needed in order to reinstate a service recipient 's driving privilege shall be considered valid until reinstatement of the service recipient 's driving privilege.
• A consent for release of information received from another service recipient or agency does not have to be on the form utilized by the agency; however, the agency must determine, prior to release of information, that the content of the consent form substantially conforms to the requirements set forth in this policy.

The following persons may sign a consent for release of confidential information:

• a competent adult service recipient;
• the service recipient 's legally responsible person;
• a minor service recipient under the following conditions:
• when married or divorced;
• when emancipated by a decree issued by a court of competent jurisdiction;
• when a member of the armed forces;
• in accordance with requirements under federal laws pertaining to confidentiality of substance abuse records

• personal representative of a deceased service recipient if the estate is being settled, or next of kin of a deceased service recipient if the estate is not being settled.

• If the person requesting information is recognized under the law as a guardian or legal custodian of the service recipient and is authorized by the law to have access to the service recipient's information the agency will release information to the requestor.
• Entities or advocates who are authorized under Federal or State laws to advocate for service recipient's or participants will be given access to information on the service recipient they represent to the extent allowed under the applicable Federal or State law, but only to the extent necessary to perform the task or duty that the advocate has been charged under law to do on behalf of the service recipient or participant.

• The agency may disclose confidential information to an attorney who represents either the agency or an employee of the agency, if requested information is relevant to litigation, to the operations of the agency or to the provision of services by the agency. An employee may discuss confidential information with his/her attorney or with an attorney representing the agency.
• A responsible professional may disclose confidential information when in his/her opinion there is an imminent danger to the health or safety of the service recipient, or another service recipient, or there is a likelihood of the commission of a felony or violent misdemeanor.
• A responsible professional may exchange confidential information with a physician or other health care provider who is providing emergency medical services to a service recipient. Disclosure of the information is limited to that necessary to meet the emergency as determined by the responsible professional.
• A responsible professional may disclose an advance instruction for mental health treatment, or confidential information from an advance instruction, to a physician, psychologist, or other qualified professional when the responsible professional determines that disclosure is necessary to give effect to or provide treatment in accordance with the advance instruction.
• The agency may disclose confidential information to persons responsible for conducting general research or clinical, financial, or administrative audits if there is a justifiable documented need for this information. A person receiving the information may not directly or indirectly identify any service recipient in any report of the research or audit or otherwise disclose service recipient identity in any way.
• Other purposes or activities for which confidential information may be disclosed include, but are not limited to: internal quality assessment and improvement activities; provider accreditation & staff credentialing; developing contracts and negotiating rates; investigating and responding to grievances and complaints lodged by individuals receiving services; evaluating practitioner and provider performance; auditing functions; on-site monitoring; conducting satisfaction studies; and collecting and analyzing performance data.

• Whenever the validity of an authorization is in question, the agency will contact the service recipient or the service recipient's legally responsible person, to confirm that the consent is valid. Such determination of validity of the consent shall be documented in the service recipient record.

• The agency shall inform the recipient that re-disclosure of information is prohibited without service recipient consent. A stamp may be used to fulfill this requirement when releasing approved information.

• An accounting of disclosures the agency has made of persons served PHI for will be kept for up to six years prior to the date of requesting such accounting.

• If a service recipient or legally responsible person believes that any portion of this policy or procedure has been breached, they may follow the agency's grievance process to seek resolution.

• The agency identifies "Business Associates" and develops agreements that limit the business associate's uses and disclosures of individually identifiable health information to those permitted by the agreements

• A privacy notice is provided to each service recipient and/or legally responsible person upon admission in the Service Recipient Handbook and updated annually to inform him/her of the right to privacy of information and of the conditions under which information may be shared including the requirement of informed consent. Agency staff explains what confidential information may be disclosed without consent, and they document this explanation in the record.