Privacy Policy

Introduction

Complete Healthcare for Women Inc. ensures that it is bound to Implement the Public Health Service Act, now title 42, Federal Confidentiality of Alcohol and Drug Abuse Patient Records (42 CFR Part 2), HIPAA Regulations (45 CFR Parts 160 & 164) and Ohio law and its implementing regulations restrict  us  the abilities to use and disclose protected health information (PHI).

Use and Disclosure of Protected Health Information

DEFINITIONS

Protected Health Information: Protected health information means information that is created or received by the Company and relates to the past, present, or future physical or mental health condition of a Patient/Client; the provision of health care to a participant; or the past, present, or future payment for the provision of health care to a participant; and that identifies the participant or for which there is a reasonable basis to believe the information can be used to identify the participant. Protected health information includes information of persons living or deceased.

Some examples of PHI are:

  • Client’s medical record number
  • Client’s demographic information (e.g. address, telephone number)
  • Information doctors, nurses and other health care providers put in a Client’s medical record
  • Images of the client
  • Conversations a provider has about a client’s care or treatment with nurses and others
  • Information about a client in a provider’s computer system or a health insurer’s computer system
  • Billing information about a client at a clinic
  • Any health information that can lead to the identity of an individual or the contents of the information can be used to make a reasonable assumption as to the identity of the individual

Disclosure of Client-Identifying Information:

A disclosure of patient-identifying information is any communication that directly or indirectly identifies someone as being in, having been in, or having applied for treatment in a substance abuse program. This Includes disclosure of a client’s record, permits an employee to testify about a client’s treatment, allows a receptionist to confirm that a particular person is a client of the program, uses stationery that suggests that the addressee may be one of its PATIENTS, or discloses anecdotal material from which a client’s identity may be inferred.

Client:

A patient is anyone who has applied for or received a diagnostic examination or interview, treatment, or referral for treatment for drug or alcohol abuse from a drug or alcohol program. Applicants for such services are covered by the regulations even if they fail to show for their initial appointment or evaluation or, having been interviewed or diagnosed, elect not to follow up or enter treatment. The regulations protect current, former, and deceased patients.

Qualified Service Organization Agreement

A “service organization” is a person or agency that provides services—such as data processing, dosage preparation, laboratory analyses, vocational counseling, or legal, medical, accounting, or other professional services—to a program that the program does not provide for itself.

PURPOSE:    To identify the Protected Health Information (PHI) may be used and disclosed strictly under 42 CFR, Part 2 of the regulations for the purpose of treatment, payment, and healthcare operations limited only to the requirement necessary to carry out the purpose of disclosure.

Complete Healthcare for Women Inc. understands the unconditional compliance required per 42 CFR part 2 regulations and will not disclose any PHI that is not permitted by the regulations in this part.

POLICY:

I. It is the policy of COMPLETE HEALTH CARE FOR WOMEN INC., its workforce (employees, students, and contract employees), and business associates that confidential and protected health information shall not be used or disclosed unless authorized by the client or is otherwise specifically permitted as defined under the Federal Confidentiality of Alcohol and Drug Abuse Patient Records (42 CFR Part 2), HIPAA Regulations (45 CFR Parts 160 & 164) and Ohio law.

II. All staffs (employees, students, contract employees) at Complete Healthcare for Women Inc. must be trained on Acknowledging the presence of patients: Responding to Requests. This includes :

  • The presence of an identified patient in a health care facility or component of a health care facility which is publicly identified as a place where only substance use disorder diagnosis, treatment, or referral for treatment is provided may be acknowledged only if the patient’s written consent is obtained in accordance with subpart C of this part or if an authorizing court order is entered in accordance with subpart E of this part.
  • Answering to a request for a disclosure of patient’s records which are not permissible under the regulations in 42 CFR Part 2 must be made in a way that will not affirmatively reveal that an identified individual has been, or is being, diagnosed or treated for a substance use disorder. An inquiring party may be provided a copy of the regulations in this part and advised that they restrict the disclosure of substance use disorder patient records, but may not be told affirmatively that the regulations restrict the disclosure of the records of an identified patient.

III. PHI for PATIENTS receiving substance abuse treatment may not be disclosed without the client’s expressed written authorization to release information related to alcohol and drug addiction diagnosis and treatment pursuant to 42 CFR, Part 2.

IV. PHI related to a client’s HIV status, HIV related illness, AIDS, or AIDS related condition may not be disclosed, except as required or permitted by law, without the client’s expressed written authorization to disclose the information.

V. Upon request, patients who have consented to disclose their patient identifying information using a general designation pursuant to § 2.31(a)(4)(iii)(B)(3) must be provided a list of entities to which their information has been disclosed pursuant to the general designation.

(1) Patient Requests:

(i) Must be made in writing; and

(ii) Are limited to disclosures made within the past two years;

(2) Complete healthcare for Women Inc. in compliance with 42 CFR Part 2 must:

(i) Respond in 30 or fewer days of receipt of the written request; and

(ii) Provide, for each disclosure, the name(s) of the entity(-ies) to which the disclosure was made, the date of the disclosure, and a brief description of the patient identifying information disclosed.

VI. MINOR PATIENT:

a) Complete healthcare for Women Inc. requires consent of a parent, guardian, or other individual for a minor to obtain treatment for a substance use disorder, any written consent for disclosure authorized under subpart C of 42 CFR Part 2 must be given by both the minor and their parent, guardian, or other individual authorized under state law to act in the minor’s behalf.

b) The minor’s application for treatment may be communicated to the minor’s parent, guardian, or other individual authorized under state law to act in the minor’s behalf only if:

  • The minor has given written consent to the disclosure in accordance with subpart C of this part; or
  • The minor lacks the capacity to make a rational choice regarding such consent as judged by the part 2 program director under paragraph (c) of this section.

c) the Minor applicant for services lacks capacity for rational choice, Facts relevant to reducing a substantial threat to the life or physical well-being of the minor applicant or any other individual may be disclosed to the parent, guardian, or other individual authorized under state law to act in the minor’s behalf if the part 2 program director judges that:

  • A minor applicant for services lacks capacity because of extreme youthor mental or physical condition to make a rational decision on whether to consent to a disclosure under subpart C of this part to their parent, guardian, or other individual authorized under state law to act in the minor’s behalf; and
  • The minor applicant’s situation poses a substantial threat to the life or physical well-being of the minor applicant or any other individual which may be reduced by communicating relevant facts to the minor’s parent, guardian, or other individual authorized under state law to act in the

VII. INCOMPETENT AND DECEASED PATIENTS.

(a)Incompetent patients other than minors

  • Adjudication of incompetence. In the case of a patient who has been adjudicated as lacking the capacity, for any reason other than insufficient age, to manage their own affairs, any consent which is required under the regulations in this part may be given by the guardian or other individual authorized under state law to act in the patient’s behalf.
  • No adjudication of incompetency. In the case of a patient, other than a minor or one who has been adjudicated incompetent, that for any period suffers from a medical condition that prevents knowing or effective action on their own behalf, the part 2 program director may exercise the right of the patient to consent to a disclosure under subpart C of this part for the sole purpose of obtaining payment for services from a third-party payer.

(b)Deceased patients

  • Vital statistics. These regulations do not restrict the disclosure of patient identifying information relating to the cause of death of a patient under laws requiring the collection of death or other vital statistics or permitting inquiry into the cause of death.

Consent by personal representative. Any other disclosure of information identifying a deceased patient as having a substance use disorder is subject to the regulations in this part. If a written consent to the disclosure is required, that consent may be given by an executor, administrator, or

  • other personal representative appointed under applicable state law. If there is no such applicable state law appointment, the consent may be given by the patient’s spouse or, if none, by any responsible member of the patient’s family.

82 FR 6115, Jan. 18, 2017, as amended at 83 FR 251, Jan. 3, 2018]

VIII. Center will provide education and training for all workforce members on use and disclosure of PHI policies and procedures and any subsequent revisions.

The Chief Executive Officer( CEO) is responsible for the communication and implementation of this policy and any subsequent procedures that are applicable.

Consent requirements.

Complete Healthcare for women Inc. in Compliance with federal law 42 CFR Part 2, HIPPA and Ohio Law requires all patients to provide written consent prior to disclosing any patient Identifying Information.

(a) A written consent to a disclosure under the regulations in this part may be paper or electronic and must include:

  • The full name of the patient
  • The name/ designation of the staff permitted to make disclosure
  • The extent and kind of disclosure including an explicit description of the substance use disorder information that may be disclosed
  • The name of the individual, agency, or organization to which the disclosure is being made.
  • The purpose or need for disclosure
  • The original/faxed signature of the client and date signed, or as appropriate, the parent/legal guardian and the relationship to the client. Receipt of a faxed signature will be considered as an original signature.
  • The signature and date of signature of the staff facilitating the request.
  • The date, event, or condition upon which the authorization will expire.
  • A statement that authorization for use and disclosure may be revoked at any time by the client or parent/legal guardian except to the extent that Complete Healthcare for Women Inc. or other lawful holder of PHI is permitted to make the disclosure has already been made.
  • A statement that the authorization for use and disclosure shall expire 180 days after authorization, unless the client selected a date, event, or condition for a shorter period of time.
  • The date on which the consent is signed.

A disclosure may not be made on the basis of consent which:

(1) Has expired;

(2) On its face substantially fails to conform to any of the requirements set forth in paragraph (a) of this section;

(3) Is known to have been revoked; or

(4) Is known, or through reasonable diligence could be known, by the individual or entity holding the records to be materially false.

Use and Disclosure of Protected Healthcare Information Requiring Client Authorization

PURPOSE:    To ensure that an Authorization is obtained from the client before using or disclosing PHI for purposes other than treatment, payment, and healthcare operations

PROCEDURE:

I. The Center will obtain an Authorization from a client before using of disclosing PHI for purpose other than treatment, payment or health operations.

Upon receipt of a valid Authorization, the following process shall be followed:

A. The Primary Provider, in consultation with the Supervisor or Program Director, will review and approve the request for use and disclosure of PHI to ensure compliance with the minimum necessary requirements.

B. The Office Manager or designee will receive the approved request and proceed as follows:

(a) If a patient consents to a disclosure of their records, complete healthcare for women Inc.  may disclose those records in accordance to 42 CFR part 2, except that disclosures to central registries and in connection with criminal justice referrals must meet the requirements of §§ 2.34 and 2.35, respectively.

(b) If a patient consents to a disclosure of their records under § 2.31 for payment and/or health care operations activities, a lawful holder who receives such records under the terms of the written consent may further disclose those records as may be necessary for its contractors, subcontractors, or legal representatives to carry out payment and/or health care operations on behalf of such lawful holder. Disclosures to contractors, subcontractors, and legal representatives to carry out other purposes such as substance use disorder patient diagnosis, treatment, or referral for treatment are PROHIBITED under this section. These disclosures must be limited to only  information which is necessary to carry out the stated purpose of the disclosure.

(c) Lawful holders (example contractor, subcontractor, or voluntary legal representative) must furnish a written authorization or a subpoena to disclose any patient identifying Information. These disclosures must be limited to only information which is necessary to carry out the stated purpose of the disclosure under federal law 42 CFR part

2.

C. The valid authorization must be filed in the ICR with a copy of the Response to PHI form attached, and will indicate the method of disclosure (mail, fax, in person) on the Response to PHI form. If PHI is faxed, the fax confirmation receipt will also be attached to the Response to PHI form.

Disclosures to prevent multiple enrollments.

Complete Healthcare for women Inc. may disclose patient records to a central registry or to any withdrawal management or maintenance treatment program not more than 200 miles away for the purpose of preventing the multiple enrollment of a patient only if:

1 . The disclosure is made when:

a. The patient is accepted for treatment;

b. The type or dosage of the drug is changed; or

c. The treatment is interrupted, resumed or terminated.

(2)  The disclosure is limited to:

(i)Patient identifying information;

(ii) Type and dosage of the drug; and

(iii) Relevant dates.

(3) The disclosure is made with the patient’s written consent meeting the requirements of § 2.31, except that:

(i) The consent must list the name and address of each central registry and each known withdrawal management or maintenance treatment program to which a disclosure will be made; and

(ii) The consent may authorize a disclosure to any withdrawal management or maintenance treatment program established within 200 miles of the program, but does not need to individually name all programs.

A central registry and any withdrawal management or maintenance treatment program to which information is disclosed to prevent multiple enrollments may not re-disclose or use patient identifying information for any purpose other than the prevention of multiple enrollments unless authorized by a court order under subpart E of this part.

Disclosures to elements of the criminal justice system which have referred patients.

a)  Complete Healthcare for Women Inc. may disclose information about a patient to those individuals within the criminal justice system who have made participation in the OTP Program at CHCW a condition of the disposition of any criminal proceedings against the patient or of the patient’s parole or other release from custody if:

(1) The disclosure is made only to those individuals within the criminal justice system who have a need for the information in connection with their duty to monitor the patient’s progress (e.g., a prosecuting attorney who is withholding charges against the patient, a court granting pretrial or post-trial release, probation or parole officers responsible for supervision of the patient); and

(2) The patient has signed a written consent meeting the requirements

(b)Duration of consent.

(1) The anticipated length of the treatment;

(2) The type of criminal proceeding involved, the need for the information in connection with the final disposition of that proceeding, and when the final disposition will occur; and

(3) Such other factors as the Complete Healthcare for women Inc., the patient, and the individual(s) within the criminal justice system who will receive the disclosure consider pertinent.

(c) Revocation of consent. The written consent must state that it is revocable upon the passage of a specified amount of time or the occurrence of a specified, ascertainable event. The time or occurrence upon which consent becomes revocable may be no later than the final disposition of the conditional release or other action in connection with which consent was given.

(d) An individual within the criminal justice system who receives patient information under this section may re-disclose and use it only to carry out that individual’s official duties with regard to the patient’s conditional release or other action in connection with which the consent was given.

PHI for clients receiving substance abuse treatment may not be disclosed without the client’s expressed written authorization to release information related to alcohol and drug addiction diagnosis and treatment pursuant to 42 CFR, Part 2.

PHI related to a client’s HIV status, HIV related illness, AIDS, or AIDS related condition may not be disclosed, except as required or permitted by law 42 CFR part 2, without the client’s expressed written authorization to disclose the information and includes information such as the identity of any client tested for HIV, the results of HIV testing, and the identity of any individual diagnoses with AIDS or AIDS related conditions.  All disclosures of a client’s HIV status, HIV related illness, AIDS, or AIDS related condition must contain the following statement:  “This information has been disclosed from confidential records protected from disclosure by state law.  You shall make no further disclosure of this information without the specific, written, and informed release of the individual to whom it pertains, or as otherwise permitted by state law.  A general authorization for the release of medical or other information is not sufficient for the purpose of the release of HIV test results or diagnosis.”

EXCEPTIONS ON HOW WE DISCLOSE YOUR PHI WITHOUT AUTHORIZATION

PURPOSE:     To define those circumstances in which client authorization is NOT required to disclose Protected Health Information (PHI) under the HIPAA Privacy Standards and Ohio Law.

PROCEDURE:

I.  Complete Healthcare for Women Inc. use or disclose certain PHI without written consent, authorization, or agreement other than for purposes of treatment, payment and healthcare operations, when required and/or permitted by law to the extent that the use and disclosure complies with and is limited to the relevant requirements of the law. The Center is committed to only using or disclosing the limited necessary PHI required in these situations. Staffs at Complete Healthcare for Women Inc. are strongly encouraged to consult with their immediate supervisor prior to disclosing PHI when required or permitted by law without written authorization of the individual to whom the PHI relates. Questions related to disclosing PHI without written consent, authorization, or agreement MUST be immediately directed to the employee’s immediate supervisor, Program Director, Privacy Officer, or Chief Executive Officer( CEO) prior to the disclosure of any PHI.

II.  Any disclosure of PHI in any of the following circumstances must be clearly documented in the client’s ICR either in an individual service note (ISN), Crisis Assessment form, or ECW EMR.

III.  The following uses and disclosures of PHI that do NOT require authorization include:

Medical emergencies.

(a)General rule. Under the procedures required by paragraph (c) of this section, patient identifying information may be disclosed to medical personnel to the extent necessary to meet a bona fide medical emergency in which the patient’s prior informed consent cannot be obtained.

(b)Special rule.Patient identifying information may be disclosed to medical personnel of the Food and Drug Administration (FDA) who assert a reason to believe that the health of any individual may be threatened by an error in the manufacture, labeling, or sale of a product under FDA jurisdiction, and that the information will be used for the exclusive purpose of notifying patients or their physicians of potential dangers.

Procedures.

Immediately following disclosure, the part 2 program shall document, in writing, the disclosure in the patient’s records, including:

  1. The name of the medical personnel to whom disclosure was made and their affiliation with any health care facility;
  2. The name of the individual making the disclosure;
  3. The date and time of the disclosure; and
  4. The nature of the emergency (or error, if the report was to FDA).

Research:

Complete Healthcare for Women Inc. may disclose the patient identifying Information for the purpose of conducting scientific research if the medical director or managing director, or chief executive officer or their designee makes a determination that the recipient of the patient identifying information:

(1) If a HIPAA-covered entity or business associate, has obtained and documented authorization from the patient, or a waiver or alteration of authorization, consistent with the HIPAA Privacy Rule at 45 CFR 164.508 or 164.512(i), as applicable; or

(2) If subject to the HHS regulations regarding the protection of human subjects (45 CFR part 46), either provides documentation that the researcher is in compliance with the requirements of the HHS regulations, including the requirements related to informed consent or a waiver of consent (45 CFR 46.111 and 46.116) or that the research qualifies for exemption under the HHS regulations (45 CFR 46.101(b) and any successor regulations; or

(3) If both a HIPAA covered entity or business associate and subject to the HHS regulations regarding the protection of human subjects, has met the requirements of paragraphs (a)(1) and (2) of this section; and

(b) Any individual or entity conducting scientific research using patient identifying information obtained under paragraph (a) of this section must fully be  bound by the regulations in 42 CFR Part 2 regulations; and  Must not re-disclose patient identifying information except back to the individual or entity from whom that patient identifying information was obtained or as permitted under paragraph (c) of this section.

CHCW May include part 2 data in research reports only in aggregate form in which patient identifying information has been rendered non-identifiable such that the information cannot be re-identified and serve as an unauthorized means to identify a patient, directly or indirectly, as having or having had a substance use disorder.

CHCW Must maintain and destroy patient identifying information in accordance with the security policies and procedures established under § 2.16.

CHCW Must retain records in compliance with applicable federal, state, and local record retention laws.

(c)Data linkages – CHCW Strictly prohibits Data Linkages to researchers in compliance to Federal Law 42 CFR PART 2.

A researcher may not re- disclose patient identifying information for data linkages purposes.

Audit and evaluation.

Complete Healthcare for Women Inc. In compliance with FEDERAL Law 42 CFR PART 2 may disclose the patient identifying Information during Audit and Evaluation under following conditions:

(a)Records not copied or removed. If patient records are not downloaded, copied or removed from the premises of a part 2 program or other lawful holder, or forwarded electronically to another electronic system or device, patient identifying information, as defined in § 2.11, may be disclosed in the course of a review of records on the premises of Complete Healthcare for Women Inc.  to any individual or entity who agrees in writing to comply with the limitations on re-disclosure and use in paragraph (d) of this section and who:

(1) Performs the audit or evaluation on behalf of:

(i) Any federal, state, or local governmental agency that provides financial assistance to Complete Healthcare for Women Inc. to regulate the activities of the company.

(ii) Any individual or entity which provides financial assistance to Complete Healthcare for Women Inc., which is a third-party payer covering patients in OTP program, or which is a quality improvement organization performing a utilization or quality control review, or such individual’s or entity’s or quality improvement organization’s contractors, subcontractors, or legal representatives.

(2) Is determined by the Complete Healthcare for Women Inc. to be qualified to conduct an audit or evaluation of the OTP program.

(b)Copying, removing, downloading, or forwarding patient records: Records containing patient identifying information, as defined in § 2.11, may be copied or removed from the premises of a Complete Healthcare for Women or downloaded or forwarded to another electronic system or device from the Company’s electronic records by any individual or entity who:

(1) Agrees in writing to:

(i) Maintain and destroy the patient identifying information in a manner consistent with the policies and procedures established under § 2.16;

(ii) Retain records in compliance with applicable federal, state, and local record retention laws; and

(iii) Comply with the limitations on disclosure and use in paragraph (d) of this section; and

(2) Performs the audit or evaluation on behalf of:

(i) Any federal, state, or local governmental agency that provides financial assistance to the Complete Healthcare for Women Inc, or is authorized by law to regulate the activities of the company.

(ii) Any individual or entity which provides financial assistance to the Complete Healthcare for Women Inc., which is a third-party payer covering patients in the OTP program, or which is a quality improvement organization performing a utilization or quality control review, or such individual’s or entity’s or quality improvement organization’s contractors, subcontractors, or legal representatives.

(c)Medicare, Medicaid, Children’s Health Insurance Program (CHIP), or related audit or evaluation.

(1)Patient identifying information, as defined in § 2.11, may be disclosed under paragraph (c) of this section to any individual or entity for the purpose of conducting a Medicare, Medicaid, or CHIP audit or evaluation, including an audit or evaluation necessary to meet the requirements for a Centers for Medicare & Medicaid Services (CMS)-regulated accountable care organization (CMS-regulated ACO) or similar CMS-regulated organization (including a CMS-regulated Qualified Entity (QE)), if the individual or entity agrees in writing to comply with the following:

(i) Maintain and destroy the patient identifying information in a manner consistent with the policies and procedures established under § 2.16;

(ii) Retain records in compliance with applicable federal, state, and local record retention laws; and

(iii) Comply with the limitations on disclosure and use in paragraph (d) of this section.

(2) A Medicare, Medicaid, or CHIP audit or evaluation under this section includes a civil or administrative investigation of Complete Healthcare for Women Inc. by any federal, state, or local government agency with oversight responsibilities for Medicare, Medicaid, or CHIP and includes administrative enforcement, against the OTP program by the government agency, of any remedy authorized by law to be imposed as a result of the findings of the investigation.

(3) An audit or evaluation necessary to meet the requirements for a CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) must be conducted in accordance with the following:

(i) A CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) must:

(A) Have in place administrative and/or clinical systems; and

(B) Have in place a leadership and management structure, including a governing body and chief executive officer with responsibility for oversight of the organization’s management and for ensuring compliance with and adherence to the terms and conditions of the Participation Agreement or similar documentation with CMS; and

(ii) A CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) must have a signed Participation Agreement or similar documentation with CMS, which provides that the CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE):

(A) Is subject to periodic evaluations by CMS or its agents, or is required by CMS to evaluate participants in the CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) relative to CMS-defined or approved quality and/or cost measures;

(B) Must designate an executive who has the authority to legally bind the organization to ensure compliance with 42 U.S.C. 290dd-2 and this part and the terms and conditions of the Participation Agreement in order to receive patient identifying information from CMS or its agents;

(C) Agrees to comply with all applicable provisions of 42 U.S.C. 290dd-2 and this part;

(D) Must ensure that any audit or evaluation involving patient identifying information occurs in a confidential and controlled setting approved by the designated executive;

(E) Must ensure that any communications or reports or other documents resulting from an audit or evaluation under this section do not allow for the direct or indirect identification (e.g., through the use of codes) of a patient as having or having had a substance use disorder; and

(F) Must establish policies and procedures to protect the confidentiality of the patient identifying information consistent with this part, the terms and conditions of the Participation Agreement, and the requirements set forth in paragraph (c)(1) of this section.

(4)Program, as defined in § 2.11, includes an employee of, or provider of medical services under the program when the employee or provider is the subject of a civil investigation or administrative remedy, as those terms are used in paragraph (c)(2) of this section.

(5) If a disclosure to an individual or entity is authorized under this section for a Medicare, Medicaid, or CHIP audit or evaluation, including a civil investigation or administrative remedy, as those terms are used in paragraph (c)(2) of this section, the individual or entity may further disclose the patient identifying information that is received for such purposes to its contractor(s), subcontractor(s), or legal representative(s), to carry out the audit or evaluation, and a quality improvement organization which obtains such information under paragraph (a) or (b) of this section may disclose the information to that individual or entity (or, to such individual’s or entity’s contractors, subcontractors, or legal representatives, but only for the purposes of this section).

(6) The provisions of this paragraph do not authorize the COMPLETE HEALTHCARE FOR WOMEN Inc, the federal, state, or local government agency, or any other individual or entity to disclose or use patient identifying information obtained during the audit or evaluation for any purposes other than those necessary to complete the audit or evaluation as specified in paragraph (c) of this section.

(d) Limitations on disclosure and use.

Except as provided in paragraph (c) of this section, patient identifying information disclosed under this section may be disclosed only back to the Complete Healthcare for Women Inc. from which it was obtained and may be used only to carry out an audit or evaluation purpose or to investigate or prosecute criminal or other activities, as authorized by a court order entered under § 2.66.

[82 FR 6115, Jan. 18, 2017, as amended at 83 FR 252, Jan. 3, 2018]

COURT ORDER:

Complete Healthcare for Women Inc. in compliance with 42 CFR Part 2 will not disclose any patient Identifying Information until and unless a subpoena or a similar legal mandate has been issued in order to compel disclosure.

The request for PHI must be specific and limited in scope to the PHI expressly authorized by the order, AND the requesting entity has provided the Center with written documentation( subpoena) that it has made a good faith effort to notify the client that the request for PHI has been made AND

a) No objections were filed or all objections filed have been resolved and disclosure is consistent with such resolution.

b) All court orders shall be forwarded to the Center’s Program Director Chief Compliance Officer and/or Executive Director for review prior to the disclosure of any information.

2)         CHCW Staff members must account for these disclosures of PHI if Authorization to Use and Disclose PHI was not obtained from the client.

Confidential communications.

Complete Hea;thcare for Women Inc. may disclose confidential communications made by a patient to a OTP Program in the course of diagnosis, treatment, or referral for treatment only if:

(1) The disclosure is necessary to protect against an existing threat to life or of serious bodily injury, including circumstances which constitute suspected child abuse and neglect and verbal threats against third parties;

(2) The disclosure is necessary in connection with investigation or prosecution of an extremely serious crime allegedly committed by the patient, such as one which directly threatens loss of life or serious bodily injury, including homicide, rape, kidnapping, armed robbery, assault with a deadly weapon, or child abuse and neglect; or

(3) The disclosure is in connection with litigation or an administrative proceeding in which the patient offers testimony or other evidence pertaining to the content of the confidential communications.

Prohibition on re-disclosure:

Complete Healthcare for Women Inc. in compliance with 42 CFR Part 2 Regulations ascertains each disclosure made with the patient’s written consent must be accompanied by one of the following written statements:

(1) This information has been disclosed to you from records protected by federal confidentiality rules (42 CFR part 2). The federal rules prohibit you from making any further disclosure of information in this record that identifies a patient as having or having had a substance use disorder either directly, by reference to publicly available information, or through verification of such identification by another personunless further disclosure is expressly permitted by the written consent of the individual whose information is being disclosed or as otherwise permitted by 42 CFR part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose (see § 2.31). The federal rules restrict any use of the information to investigate or prosecute with regard to a crime any patient with a substance use disorder, except as provided at §§ 2.12(c)(5) and 2.65; or

(2) 42 CFR part 2 prohibits unauthorized disclosure of these records

CLIENT ACCESS TO PHI

PURPOSE:

To establish authority and responsibility for creating procedures that address PATIENTS rights regarding access to PHI

POLICY:

COMPLETE HEALTH CARE FOR WOMEN INC. will ensure that PATIENTS, their parent(s) and/or legal guardian have access to their protected health information as defined in state and federal laws, unless access is restricted by state and/or federal law.

COMPLETE HEALTH CARE FOR WOMEN INC. will consider all requests from our PATIENTS or previous PATIENTS for access to their PHI that is maintained in the ECW EMR.  We will consider client requests to either inspect or obtain a copy of their PHI for as long as we maintain their PHI in the ECW EMR.

Complete Healthcare for Women do not require written consent or authorization from the patient to access their self-records in compliance with 42 CFR PART 2.

Certain information, however, is exempt from this right of access:

  • Psychotherapy notes;
  • Information compiled in reasonable anticipation of or for use in a civil, criminal, or administrative action or proceeding; and
  • Information that may be subject to or exempt from certain Clinical Laboratory Improvement Amendment (CLIA) provisions.

The Chief Executive Officer( CEO) is responsible for the communication and implementation of this policy and any subsequent procedures that are applicable.

Training Employees on Privacy Practices

PURPOSE:     To ensure all workforce members are familiar with the Center’s Privacy Practices and comply with the Privacy Rules established under 42 CFR PART 2 Regulations.

POLICY:

I. COMPLETE HEALTH CARE FOR WOMEN INC. will provide training to all the employees on the policies and procedures with respect to PHI. Training must be to the extent necessary to allow the members of the workforce to carry out their specific job functions.

II. All employees MUST attend training related to the Center’s Privacy Practices within 2 weeks of their hiring date.

III. CHCW may amend its Privacy Practices and will provide training to all workforce members affected by a change in the policies and procedures. Training will be provided within thirty (30) days after the change(s) become effective.

IV. The Privacy Officer designated by the CEO or his designee is responsible for training employees on the Center’s privacy policies and procedures. All training related to the CHCW’s privacy policies and procedures will be documented and filed in each employee’s personnel file and the Privacy Officer will maintain a training roster for a period of at least six (6) years.

The Chief Executive Officer (CEO) is responsible for the communication and implementation of this policy and any subsequent procedures that are applicable.

Complaint/Grievance Process for Alleged Violations of Privacy Practices

PURPOSE:     To provide a mechanism for any individual or person served employees, and business associates to report complaints regarding the Complete Healthcare for Women Inc.’s privacy practices without fear of retaliation.

POLICY:

To allow violations of protected Health Information in compliance to 42 CFR Part 2 regulations.

The report of any violation of these regulations may be directed to the

  1. United States Attorney for the judicial district in which the violation occurs.
  2. Regional Offices of the Food and Drug Administration.

Procedure:

I. The Center’s Client Rights Officer (CRO) is responsible for receiving complaints/ grievances, responding to the complaint/grievance by investigating and resolving the complaint/grievance, and documenting the outcome of the complaint/grievance process. The CRO will also provide the grievant with information about his/her right to file a complaint with the U.S. Secretary of Health and Human Services.

II. If the result of an investigation indicates that an employee violated the privacy policies and/or procedures amended by CHCW, the CRO will report such findings to the Chief Executive Officer( CEO) and the Employee’s immediate supervisor.  The employee will be subjected to disciplinary action.

III. Documentation of 42 CFR Part 2 related complaints/grievances, their resolution, and any actions resulting therein will be maintained for a period of six (6) years.

IV. There will be no retaliation against any individual or person served, employee, or CRO for having filed or assisted in the filing of a complaint/grievance, or for investigating or acting upon a complaint/grievance. Any employee who becomes aware of any such retaliatory actions shall immediately contact the Chief Executive Officer( CEO).

The Chief Executive Officer ( CEO) is responsible for the communication and implementation of this policy and any subsequent procedures that are applicable.

Safeguarding PHI Against Unauthorized Use and Disclosure

PURPOSE:     To establish guidelines and procedures for the security and integrity of all PHI while ensuring compliance with all applicable laws and certification and licensure standards.

POLICY:

I. COMPLETE HEALTH CARE FOR WOMEN INC. will have appropriate administrative, technical, and physical safeguards necessary to reasonably protect any intentional or unintentional use and disclosure in violation of the Privacy Practices. The Chief Executive Officer( CEO) is responsible to establish procedures to ensure the security and integrity of all PHI maintained by the Center and its workforce according to the Privacy Standards (45 CFR parts 160 and 164) that shall include, but not be limited to, the following:

A. Administrative safeguards

B. Electronic Data Security and Management

C. Physical Safeguards

II. CHCW recognizes that additional security measures and safeguards will be developed and implemented based on the final Security Rules, currently under review, as defined 42 CFR Part 2 Complete Healthcare for women Inc.  intends to comply with the Security Standards by the compliance date established in the final Security rule.

III. Complete Healthcare for Women Inc. provides training to all employees regarding procedures for maintaining confidentiality and safeguarding PHI.  Questions or concerns regarding ensuring the security and integrity of all PHI shall be directed to the Privacy Officer or Chief Executive Officer( CEO).

The Chief Executive Officer( CEO) is responsible for the communication and implementation of this policy and any subsequent procedures that are applicable.

Violations, Mitigation and Sanctions for Privacy Practices

PURPOSE:  To establish guidelines with the employees at Complete Healthcare for Women for the purpose of safeguarding the use and disclosure of Protected Health Information (PHI).

POLICY STATEMENT:

I.  It is the policy of COMPLETE HEALTH CARE FOR WOMEN INC. Inc. to develop policies and procedures with its workforce to ensure compliance with all applicable laws, regulations, and standards including 42 CFR Part 2 Regulations, HIPAA regulations governing the privacy and security of Protected Health Information.

II.  APPLICABILITY: This policy applies to all employees of COMPLETE HEALTH CARE FOR WOMEN INC.

III.  CHCW must have, apply, and document application of appropriate sanctions against its workforce members who fail to comply with the CHCW’s privacy policies and procedures or the requirements of the privacy regulations.

IV.  CHCW must mitigate, to extent practicable, any harmful effects that are known to the center of unauthorized uses/disclosures of PHI in violation of its policies and procedures or the requirements of the privacy regulations by either the Center or a Business Associate.

V.  Staff or management of CHCW may not intimidate, threaten, coerce, discriminate against or take other retaliatory action against:

A. Any individual for exercise of any right or participation in any process established by the privacy regulations; or

B. Any individual or other person for: filing a complaint with the Secretary of HHS; testifying, assisting, or participating in investigation, compliance review, or proceeding/hearing under the regulations, or; engaging in reasonable opposition to any act or practice that the person in good faith believes to be unlawful under the regulations, as long as such opposition does not involve the disclosure of PHI in violation of privacy regulations

The Chief Executive Officer( CEO) is responsible for the communication and implementation of this policy and any subsequent procedures that are applicable.

Required Documentation for Privacy Practices

PURPOSE:     To assure the Center’s documentation of its privacy practices is maintained in accordance with the Privacy Rule (45 CFR part 160)

POLICY:

I.  COMPLETE HEALTH CARE FOR WOMEN INC. will maintain all required privacy policies and procedures in written or electronic form and all written or electronic copies of all communications, actions, activities, or designations that are required to be documented under the Privacy Rule for at least a period of six (6) years from the date of creation OR the last effective date, whichever is later.

A.  Documentation to be maintained includes, but is not limited to, to following:

B.  A manual of privacy policies and procedures

C.  A client Notice of Privacy Practices

D.  Release of Information authorization forms

E.  Consent for Treatment forms

F.  Designation of a Privacy Officer (PO), and a PO Position Description

G.  Documentation of all workforce training and orientation activities

H.  Complaints and responses/resolutions to/of complaints

I.  All security measures and practices

J.  Any revisions to privacy policies and procedures

K.  An accounting of disclosures of PHI

L.  Disciplinary action taken for privacy practice violations

M.  Requests for and responses to disclosure, use and amendment of PHI

II.  PHI maintained in the client’s ECW EMR shall be maintained according to the Center’s Record Retention and Disposal Policy

The Chief Executive Officer( CEO) is responsible for the communication and implementation of this policy and any subsequent procedures that are applicable.