Carolina Dunes Behavioral Health NOTICE OF PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY!
Carolina Dunes Behavioral Health (CDBH) understands that medical information about you and your health is personal. We are committed to protecting medical information about you. CDBH creates a record of the care and services you receive. We need this record to provide you with quality care and to comply with certain legal requirements. This Notice of Privacy Practices applies to all of the records of your care generated and/or maintained by CDBH, including the following people and organizations.
- Any health care professional who is authorized to enter information in your medical record;
- Any member of a volunteer group that we allow to help you while you are receiving services;
- All providers that CDBH contracts with to provide services to our clients.
- All doctors, clinical staff, employees, Business associates (outside contractors we hire), their subcontractors and other involved parties follow the policies set forth in this notice.
This Notice will tell you about the ways in which we may use and disclose medical information about you. We also describe your rights and certain obligations we have regarding the use and disclosure of medical information.
CDBH is required by law to:
- Make sure that medical information that identifies you is kept private
- Make sure that you are given notice of our legal duties and privacy practices with respect to medical information about you
- Make certain that notice is provided to you if there is a breach of your protected health information
- Make certain that CDBH follow the terms of the notice that is currently in effect.
NOTE: In reading this Notice, “you” also refers to “your medical care decision maker”.
PROTECTED HEALTH INFORMATION (PHI)
Under the Health Insurance Portability and Accountability Act of 2013, HIPAA Omnibus rule (formally HIPAA 1996 & HITECH 2004)), requires us to maintain the confidentiality of your PHI used by or disclosed to us in any form, whether electronic, on paper, or spoken. The federal HIPAA Omnibus rule and state law provide penalties for covered entities, business associates, and their subcontractors and records owners, respectively that misuse or improperly disclose PHI. PHI is the term used to refer to any information that is maintained by CDBH that can be used to identify you such as your name, address, Social Security number, ID numbers, or other unique identifiers. Your PHI also includes symptoms, test results, diagnosis, treatment, other related medical information, payments, billing and insurance information.
HOW WE USE YOUR PROTECTED HEALTH INFORMATION
We use health information about you for treatment, to obtain payment, and for health care operations. These are often referred to as “TPO.” The following are ways that CDBH will use or disclose your PHI:
We will use and disclose your health information to provide you with medical/clinical treatment or services provided within the Center. For example, nurses, physicians, therapists, and other members of your treatment team will record information in your record and use it to determine the most appropriate course of care. We may also disclose health information to other health care providers to assist you in a medical emergency.
We will use and disclose your health information for payment purposes. For example, we will submit bills and maintain records of payments from your health plan. We may need to give your insurance company or a third party, medical information about treatment you received so that the insurance company or third party can make a payment. You will however be able to restrict disclosures to your insurance carrier for services for which you wish to pay “out of pocket” under Omnibus Rule.
Health Care Operations:
We will use and disclose your health information to conduct our standard internal operations, including proper administration of records, evaluation of the quality of treatment, and to assess the care and outcomes of your case and others like it. As part of our operations, we may disclose your information to qualified personnel for audit and program evaluation. For example, we use your PHI in measuring and evaluating how many of our consumers have received certain services (such as therapy, a combination of therapy and community supports), we may send you a member satisfaction survey to determine how we can improve our services, or we may use your PHI in the course of an accreditation survey, or for fraud and abuse prevention activities.
Additionally you should be made aware of these protection laws on your behalf, under the new HIPAA Omnibus Rule:
That Health Insurance plans that underwrite cannot use or disclose genetic information for underwriting purposes (this excludes certain long-term care plans). Health plans that post their notice on their web sites must post these Omnibus Rule changes on their sites by the effective date of the Omnibus Rule, as well as notify you by US Mail by the Omnibus Rules effective date. Plans that do not post their notices on their Web sites must provide you information about Omnibus Rule changes within 60 days of these federal revisions.
Psychotherapy Notes maintained can be release for “use and disclosure” only with your written authorization.
Individuals Involved in Your Care: We may release limited information about you to a person including a family member actively involved in your care and treatment or supervision as allowed under State law and in accordance with CDBH policies and procedures. For example, we may release the type and dose of medication you are receiving to your parent, legal guardian, spouse or caregiver if that person is actively involved in your care and treatment.
Information Regarding Deceased Individuals: Your death may increase the accessibility to your records. Besides your health care decision maker, your records may be disclosed to your personal representative or administrator of you estate, if there is not one then you spouse unless you were legally separated, then the trustee of a trust created by you where you were the trust beneficiary, then an adult child, then and adult sibling, then a guardian at the time of death. If an authorization is required, it must be obtained from the decedent’s personal representative. The general privacy protections will only be provided for a period of 50 years from the date of death.
Proof of immunization: We may disclose proof of immunization to a school when legally required for attendance, No HIPAA authorization is required, but permission must be received. Permission can be provided orally and documented as received.
Substance Abuse Health Information: The confidentiality/privacy of alcohol and drug abuse client records related to the diagnosis, treatment, referral for treatment or prevention, is protected by federal law and regulations (42 U.S.C. 290dd-3 and 42 U.S.C. 290ee-3) and regulation (42 CFR Part 2). Generally, a substance abuse program may not disclose to anyone outside the program that a client attends the program or disclose any information identifying a client as an alcohol or drug abuser, unless the client authorizes in writing. A general authorization for the release of medical or other information is not sufficient for this purpose; the disclosure is allowed by a court order; the disclosure is made to medical personnel in a medical emergency; the disclosure is made to qualified personnel for research or to oversight agencies, funders and other authorized auditors for audit or program evaluation; the client commits or threatens to commit a crime either at the program or against any person who works for the program and the disclosure is made to report suspected child abuse or neglect.
Communicable Disease Related Information. Communicable disease related information, including HIV-related information, is kept strictly confidential and released only in conformance with the requirements of state law. A general authorization for the release of medical or other communicable disease related information is not sufficient to release HIV-related information. A written authorization must specifically indicate that it is for the release of confidential HIV-related information.
Special Uses: We may use your information to contact you about appointment reminders. We may also contact you to provide information about treatment alternatives or other health-related benefits and services that may be of interest to you.
OTHER USES AND DISCLOSURES
We may use or disclose identifiable health information about you for other reasons, even without your consent. Subject to certain requirements, we are permitted to give out health information without your permission for the following purposes:
Business associates include vendors, agents, or subcontractors and their subcontractors with whom we have contracted to assist us in providing your health care services by creating, receiving, maintaining or transmitting PHI on our behalf.
Research: Under certain limited circumstances, we may use and disclose medical information about you for research purposes. For example, a research project may involve the care and recovery of all members who receive one medication for the same condition. All research projects are subject to a special approval process. We will ask for your specific permission if the researcher will have access to your name, address or other information that reveals who you are.
As required by law: We may disclose medical information about you when required to do so by federal, state, or local law, and or as require for national security or protective services.
For public health reasons: We may disclose medical information about you for public health activities, when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. These activities generally include prevention or control disease, injury or disability; to report births or deaths; to report child abuse or neglect; to report reactions to medications; to notify people of recalls of medications they may be using; to notify a person who may have been exposed to a disease or may be at risk for contracting a disease or condition; to avert a serious threat to the health and safety of a person or the public; or to notify the appropriate government authority if we believe a member has been the victim of abuse, neglect or domestic violence. We will make this disclosure as required by law.
In cases of abuse or neglect: We may disclose your medical information if a government agency or social services agency contacted us concerning a case of domestic violence and asked us for records or information; we would comply with the request.
For health oversight activities: We may disclose medical information about you to a health oversight agency for activities authorized by law. These oversight activities may include audits, investigations, inspections, accreditation and licensure. These activities are necessary for the government or other agencies that monitor the behavioral health care system, government programs, and compliance with civil rights laws.
Legal proceedings: If you are involved in a law suit or legal action, we may disclose medical information about you in a response to the court order.
Law enforcement: We may release medical information about you if asked to do so by a law enforcement official. It may be in response to a court order, warrant, summons, or similar lawful process in accordance state law and CDBH policies and procedures; it may be about crimes committed on the premises of the agencies covered by this notice, it may be about crimes committed against staff of the agencies covered by this notice or it may be to avert a serious threat to the health or safety of a person or the public (Duty to Warn).
Coroners, Medical Examiners and funeral directors: We may release information to a coroner or medical examiner. This may be necessary to identify a deceased person or determine the cause of death. We may also release medical information about members to funeral directors as necessary to carry out their duties.
Workers’ compensation: We may disclose medical information about you that we may need to report information relevant to any job-related injuries that by state law are considered to be involved in workers’ compensation coverage.
Any and all uses or disclosures of your PHI other than described above require your prior written authorization. CDBH will honor the specific requirements of your authorizations—including any revocation of an authorization that you have previously given us.
If we need to obtain your authorization for any use or disclosure beyond those needed for treatment, payment, or operations, we will contact you to request your written authorization.
MARKETING AND FUND RAISING RULES
Limitations on the disclosure of PHI regarding Remuneration The disclosure or sale of your PHI without authorization is prohibited. Under the HIPAA Omnibus Rule, this would exclude disclosures for public health purposes, for treatment / payment for healthcare, for the sale, transfer, merger, or consolidation of all or part of this facility and for related due diligence, to any of our Business Associates, in connection with the business associate’s performance of activities for this facility, to a patient or beneficiary upon request, and as required by law. In addition, the disclosure of your PHI for research purposes or for any other purpose permitted by HIPAA will not be considered a prohibited disclosure if the only reimbursement received is “a reasonable, cost-based fee” to cover the cost to prepare and transmit your PHI which would be expressly permitted by law. Notably, under the Omnibus Rule, an authorization to disclose PHI must state that the disclosure will result in remuneration to CDBH. Notwithstanding the changes in the Omnibus Rule, the disclosure of limited data sets (a form of PHI with a number of identifiers removed in accordance with specific HIPAA requirements) for remuneration pursuant to existing agreements is permissible until September 22, 2014, so long as the agreement is not modified within one year before that date.
LIMITATION ON THE USE OF PHI FOR PAID MARKETING
We will, in accordance with Federal and State Laws, obtain your written authorization to use or disclose your PHI for marketing purposes, (i.e.: to use your photo in ads) but not for activities that constitute treatment or healthcare operations. To clarify, Marketing is defined by HIPAA’s Omnibus Rule, as “a communication about a product or service that encourages recipients . . . to purchase or use the product or service.” Under the Omnibus Rule, we will obtain a written authorization from you prior to recommending you to an alternative therapist, or non-associated Healthcare Covered Entity.
Under Omnibus Rule we will obtain your written authorization prior to using your PHI or making any treatment or healthcare recommendations, should financial remuneration for making the communication be involved from a third party whose product or service we might promote (i.e.: businesses offering this facility incentives to promote their products or services to you). This will also apply to our Business Associate who may receive such remuneration for making a treatment or healthcare recommendations to you. All such recommendations will be limited without your expressed written permission.
We must clarify to you that financial remuneration does not include “as in-kind payments” and payments for a purpose to implement a disease management program. Any promotional gifts of nominal value are not subject to the authorization requirement, and we will abide by the set terms of the law to accept or reject these.
The only exclusion to this would include: “refill reminders”, so long as the remuneration for making such a communication is “reasonably related to our cost” for making such a communication. In accordance with law, this facility and our Business Associates will only ever seek reimbursement from you for permissible costs that include: labor, supplies, and postage. Please note that “generic equivalents” , “adherence to take medication as directed” and “self-administered drug or delivery system communications” are all considered to be “refill reminders.”
Face-to-face marketing communications, such as sharing with you, a written product brochure or pamphlet, is permissible under current HIPAA Law.
Fundraising CDBH may contact you for fundraising activities. The privacy rules permits us to use certain PHI in fundraising activities without receiving an authorization Information that may be used or disclosed to include not only demographic information, health insurance status, and dates of service, but also information about service and treatment outcomes. You may opt of current or future fundraising activities.
Improvements to Requirements for Authorizations Related to Research under HIPAA Omnibus Rule, we may seek authorizations from you for the use of your PHI for future research. However, we would have to make clear what those uses are in detail.
Also, if we request of you a compound authorization with regards to research, this facility would clarify that when a compound authorization is used, and research-related treatment is conditioned upon your authorization, the compound authorization will differentiate between the conditioned and unconditioned components.
YOUR INDIVIDUAL RIGHTS REGARDING YOUR PHI
Right to Request Restrictions: You have the right to request a restriction or limitation on the medical information we use or disclose about you. We are not required to agree to your request, but if we do agree we will comply with your request unless the information is needed to provide you emergency treatment. To request restrictions, you must make your request in writing to the CDBH privacy Officer. In your request, you must tell us what information you want to restrict, and to whom you want the restriction to apply.
Restricted Disclosures: You may request that PHI concerning a health care service for which you have paid in full not be disclosed to a health plan for payment, or health care operations regardless who pays for the service.
We also take special precaution to ensure that your employer does not get any individual PHI. We provide employers only with the information allowed under the federal law. This information includes summary data about their group and information concerning premiums and enrollment data. The only way that we would disclose your PHI to your employer is if you signed a written authorization directing us to do so.
Right to Request Confidential Communications: You have the right to request that we communicate with you about medical matters in a certain way or at a certain location if you believe that you will otherwise be endangered. For example, you can ask that we only contact you at a certain telephone number or address. To request confidential communications, you must make your request in writing to the CDBH Privacy Officer. We will accommodate all reasonable requests. You request must specify how or where you wish to be contacted.
Right to Access: You have the right to inspect and copy medical information that may be used to make decisions about your care. Usually, this includes progress notes, evaluations/assessments, treatment plans, and billing information, but is not limited to only that information. To inspect and obtain a copy of your medical information, you may request in writing or electronically, contact the CDBH Privacy Officer. You have a right to access electronic records or to direct that they be sent to another person to include electronic health records. If you request an electronic copy of the information, you may receive in the format requested or in a mutually agreed-upon format. You may be charged for the cost of electronic media used to provide a copy of electronic PHI. You may be charged a fee for the costs of copying, mailing, or other supplies associated with your request. Your request to inspect and copy your information may be denied in certain very limited circumstances. If you are denied access to any part of your medical information, you may request that the denial be reviewed. Information regarding how to initiate that review process will be provided in writing at the time of any denial of your access to the information.
Right to Amend: If you feel that medical information we have about you is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as your medical information is kept by CDBH. To request an amendment, your request must be made in writing and submitted to the CDBH Privacy Officer. You must provide a reason that supports your request. We may deny your request if you ask us to amend information that was not created by us, unless the person or entity that created the information is no longer available to make the amendment; is not part of the medical information kept by or for CDBH; is not part of the information which you would be permitted to inspect or copy; or is accurate and complete. Right to an Accounting of Disclosures: You have the right to request an accounting of disclosures. This is a list of the disclosures we made of medical information about you to others. The accounting does not include information disclosed based on your written permission or as a part of treatment, payment, or health care operations. To request this accounting, you must submit your request in writing or electronic to the CDBH Privacy Officer. Your request must state a period of time for the accounting that may not be longer than six years and may not include dates before April 14, 2003.
Right to Paper Copy of this Notice: You have the right to a paper copy of this Privacy Notice. You may ask us to give you a copy of this Privacy Notice at any time by requesting a copy from a front desk staff member.
Changes to this Notice: CDBH reserves the right to change this notice. CDBH reserves the right to make the revised notice effective for medical information that CDBH already have about you as well as any information we will receive in the future. CDBH will post a copy of the current notice at the facility and on its website. The notice will contain the effective date at the bottom of each page. CDBH will make you aware of any revisions by posting a revised notice in above-mentioned areas.
If you are concerned that we have violated your privacy rights, or you disagree with a decision we made about your records, you may contact the person listed below. You may also send a written compliant to the Secretary U.S. Department of Health and Human Services, Office of Civil Rights. The person listed below will provide you with the appropriate address upon request. You will not be penalized in any way for filing a complaint.
Chief Compliance Officer
Strategic Behavioral Health
sbh.privacy [at] strategicbh [dot] com
Speak Up number: 1-888-590-1164