Privacy Policy (HIPAA)

Privacy Policy

How and Why We Collect Protected Health Information (PHI)

1) We collect PHI only when appropriate to provide services or for another specific purpose of our organization, or when required by law. We may collect information for these purposes:

a) to provide individual case management
b) to produce aggregate-level reports regarding use of services.
c) to track individual program-level outcomes.
d) to identify unfilled service needs and plan for the provision of new services.
e) to conduct research for planning and/or education purposes
f) to accomplish any and all other purposes deemed appropriate by CSB & Juvenile Courts.

2) We use only lawful and fair means to collect PHI.
3) We normally collect PHI with the knowledge or consent of our clients. If you seek our assistance and provide us with PHI, we assume that you consent to the collection of information described in this policy.
4) We may also receive PHI about you from: county CSB & Juvenile Court.
5) We post a sign at our intake desk or other location explaining the reasons we ask for PHI. The sign says:

"We collect personal information directly from you for reasons that are discussed in our privacy policy. We may be required to collect some personal information by law or by organizations that give us money to operate this program. Other personal information that we collect is important to run our programs, to improve services for individuals, and to better understand the needs of individuals. We only collect information that we consider to be appropriate. If you would like to see our privacy policy, our staff will provide you with a copy."

 

How We Use and Disclose PHI

1) We use or disclose PHI for activities described in this part of the policy. We may or may not make any of these uses or disclosures of your PHI. We assume that you consent to the use or disclosure of your PHI for the purposes described below and for other uses and disclosures that we determine to be compatible with these uses or disclosures:

a) to provide or coordinate services to individuals;
b) for functions related to payment or reimbursement for services;
c) to carry out administrative functions such as legal, audit, personnel, oversight and management functions;
d) to create de-identified (anonymous) information or aggregate information that can be used for research and statistical purposes without identifying clients;
e) when required by law to the extent that use or disclosure complies with and is limited to the requirements of the law;
f) to avert a serious threat to health or safety if:

     i) we believe that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public; and
     ii) the use or disclosure is made to a person reasonably able to prevent or lessen the threat, including the target of the threat.

g) to report about an individual we reasonably believe to be a victim of abuse, neglect or domestic violence to a governmental authority (including a social service or protective services agency) authorized by law to receive reports of abuse, neglect or domestic violence in any of the following three circumstances:

     i) where the disclosure is required by law and the disclosure complies with and is limited to the requirements of the law;
     ii) if the individual agrees to the disclosure; or
     iii) to the extent that the disclosure is expressly authorized by statute or regulation and either of the following are applicable:

          (1) we believe the disclosure is necessary to prevent serious harm to the individual or other potential victims; or
          (2) if the individual is unable to agree because of incapacity, a law enforcement or other public official authorized to receive the report represents that the PHI for which disclosure is sought is not intended to be used against the individual and that an immediate enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure. --When we make a permitted disclosure under subparagraph (g) about a victim of abuse, neglect, we will promptly inform the individual who is the victim that a disclosure has been or will be made, except if:

               (a) we, in the exercise of professional judgment, believe informing the individual would place the individual at risk of serious harm; or
               (b) we would be informing a personal representative (such as a family member or friend), and we reasonably believe the personal representative is responsible for the abuse, neglect or other injury, and that informing the personal representative would not be in the best interests of the individual as we determine in the exercise of our professional judgment.

h) to a law enforcement official for a law enforcement purpose (if consistent with applicable law and standards of ethical conduct) under any of these circumstances:

     i) in response to a lawful court order, court-ordered warrant, subpoena or summons issued by a judicial officer, or a grand jury subpoena;
     ii) if the law enforcement official makes a written request for PHI that:

          (1) is signed by a supervisory official of the law enforcement agency seeking the PHI;
          (2) states that the information is relevant and material to a legitimate law enforcement investigation;
          (3) identifies the PHI sought;
          (4) is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and
          (5) states that de-identified information could not be used to accomplish the purpose of the disclosure.

iii) if we believe in good faith that the PHI constitutes evidence of criminal conduct that occurred on our premises;
iv) in response to an oral request for the purpose of identifying or locating a suspect, fugitive, material witness or missing person and the PHI disclosed consists only of name, address, date of birth, place of birth, social security number and distinguishing physical characteristics; or if:

          (1) the official is an authorized federal official seeking PHI for the provision of protective services or other persons authorized by 18 U.S.C. 3056, or to foreign heads of state or other persons authorized by 22 U.S.C. 2709(a)(3), or for the conduct of investigations authorized by 18 U.S.C. 871 and 879 (threats against the President and others);
          (2) and the information requested is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought to comply with government reporting obligations for HMIS and for oversight of compliance with HMIS requirements. Before we make any use or disclosure of your PHI that is not described here, we seek your consent first.

How to Inspect and Correct PHI

1) You may inspect and have a copy of your PHI that we maintain. We will offer to explain any information that you may not understand.

2) We will consider a request from you for correction of inaccurate or incomplete PHI that we maintain about you. If we agree that the information is inaccurate or incomplete, we may delete it or we may choose to mark it as inaccurate or incomplete and to supplement it with additional information.
3) We may deny your request for inspection or copying of PHI if:

     a) the information was compiled in reasonable anticipation of litigation or comparable proceedings;
     b) the information is about another individual (other than a healthcare provider);
     c) the information was obtained under a promise of confidentiality (other than a promise from a health care provider) and if the disclosure would reveal the source of the information;
     d) or disclosure of the information would be reasonably likely to endanger the life or physical safety of any individual.

4) If we deny a request for access or correction, we will explain the reason for the denial. We will also include, as part of the PHI that we maintain, documentation of the request and the reason for the denial.
5) We may reject repeated or harassing requests for access to or correction of PHI.

 

Data Quality

1) We collect only PHI that is relevant to the purposes for which we plan to use it. To the extent necessary for those purposes, we seek to maintain only PHI that is accurate, complete and timely.
2) We are developing and implementing a plan to dispose of PHI not in current use seven years after the information was created or last changed. As an alternative to disposal, we may choose to remove identifiers from the PHI.
3) We may keep information for a longer period if required to do so by an applicable statute, regulation, contract or other requirement.

 

Complaints and Accountability

1) We accept and consider questions or complaints about our privacy and security policies and practices.
2) All members of our staff (including employees, volunteers, affiliates, contractors and associates) are required to comply with this privacy policy. Each staff member must receive and acknowledge receipt of a copy of this privacy policy.