Purpose
The purpose of this policy is to describe procedures for protecting the privacy of information about individuals who request, are referred for, or participate in services provided by this organization, in accordance with Ohio laws and administrative rules, and the federal rules authorized by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The Nord Center recognizes that the application of these laws and rules to specific circumstances may be uncertain and difficult, because of ambiguities in the applicability of the laws, conflicting and incomplete information about many treatment situations, and demands on staff members for quick and decisive action. There are ambiguities in the applicability of privacy rules because, under 45 CFR Part 160, sections 160.202 and 160.203, HIPAA preempts state laws and rules in some circumstances, and state law preempts HIPAA in others. The decision to apply a provision of a state or a federal law in a particular circumstance is left to the health care provider. There is no authoritative guide to applicability, and no state or federal governmental office or representative with the authority to make such decisions has been identified. Moreover, a large proportion of the services provided by The Nord Center are to individuals experiencing considerable distress, in situations of crisis. To alleviate the distress, and resolve the crisis, clinical decisions must be made quickly, and services must be provided promptly, even though information about the person and situation may be incomplete, unreliable, and contradictory. Decisions about the disclosure of information in these circumstances cannot wait for a complete body of information about the person and situation, and an exhaustive review of applicable laws.
This is one of several The Nord Center policies and procedures for the implementation of the privacy provisions of HIPAA. These policies attempt to define practical procedures that are in compliance with a complex set of laws and rules, as they are understood at this time.
Definitions:
Health information shall have the definition found in 45 CFR 160.103. Health information means any information (including demographic information), whether oral or recorded in any form, that is created or received by this organization, and that relates to the past, present, or future physical or mental health or condition of an individual, to the provision of health care to an individual, or to the past, present, or future payment for providing health care to an individual.
Protected health information (PHI) shall have the definition found in 45 CFR 164.501. PHI is health information that identifies an individual, or provides a reasonable basis for the identification of an individual. Protected health information includes the individual’s name, street or e-mail address, telephone number, date of birth, or any other information that could reasonably be used to identify the individual, or infer the individual’s identity.
Disclosure means the release, transfer, provision of access to, or in any other manner divulging of information to an individual or organization.
Consent means the informed and written agreement of an individual (or an individual’s parent, legal guardian, or legally authorized personal representative) to participate in services, and for the use and disclosure of protected health information for treatment, payment, and healthcare operations. The individual’s written agreement is documented on a properly completed Consent for Treatment, and for Use and Disclosure of Protected Health Information form, signed and dated by the individual (or parent, guardian, or personal representative), and witnessed and dated by a staff person of this organization. Treatment, payment, and healthcare operations shall have the meanings found in 45 CFR 164.501.
Authorization for disclosure of information means the informed and written agreement of an individual (or an individual’s parent, legal guardian, or legally authorized personal representative) for The Nord Center to disclose protected health information to individuals or entities outside of this organization. The individual’s written agreement is documented on a properly completed Client’s Authorization for Disclosure of Information form (or the Client’s Request and Authorization to Disclose Information to The Nord Center form, or any subsequent revision or modified version of the form), signed and dated by the individual (or the individual’s parent or legal guardian), and witnessed and dated by a staff person of this organization.
Client, for purposes of this policy, shall mean any individual who has at any time requested, been referred for, or participated in services from this organization, and who is the subject of protected health information.
Policy:
It is the policy of The Nord Center to protect the privacy and security of health information by adherence with Federal laws and Ohio laws and rules governing the use and disclosure of information about all persons who have requested or received services from this organizations, or who have been referred to this organization for services.
When using or disclosing protected health information, or when requesting protected health information from another source, it is the policy of The Nord Center to make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, except in circumstances described in 45 CFR §164.502 (b)(2).
A. Uses and Disclosures Within the Agency
It is the policy of The Nord Center to use and disclose protected health information within the agency only for treatment, payment, and healthcare operations. An individual’s PHI is shared only with staff members, supervisors, staff members of the Alcohol, Drug Addiction and Mental Health Services Board of Cuyahoga County, the Ohio Department of Mental Health and Addiction Services, or staff members of accreditation organizations who:
- provide, coordinate, supervise, or manage healthcare or related services to the client,
- determine eligibility for services, bill for services, collect, or manage payment for services,
- conduct utilization review activities, including authorization for and review of services,
- conduct quality assessment and improvement activities, including the evaluation of outcomes and development of policies and clinical guidelines,
- review the competence or qualifications of staff members providing services,
- conduct or arrange for medical review, legal services, or auditing functions,
- conduct cost-management or planning analyses that require the use of client information,
- conduct activities related to this organization’s certification or accreditation, or
- investigate and resolve matters of client rights, or investigate and analyze incidents related to a client’s care and services.
B. Disclosures to Those Outside the Agency
Except in certain emergency and special situations described in (C) below, or when disclosure is required by law, it is the policy of The Nord Center to obtain the written authorization of the individual (or the individual’s parent, legal guardian, or legally-authorized personal representative) before the disclosure of protected health information to individuals or entities outside of this organization. Written permission is documented on a properly completed Client’s Authorization for Disclosure of Information form (including all elements in accordance with 42 C.F.R. part 2), signed and dated by the individual, and witnessed and dated by a staff person of this organization. Agency staff shall not convey to a person outside of the agency that a client attends or receives services from the agency or any of its programs or disclose any information identifying a client as an alcohol or other drug or mental health services client unless the client consents in writing for the release of information, the disclosure is allowed by a court order, or the disclosure is made to a qualified personnel for a medical emergency, research, audit or program evaluation purposes.
C. Clients from the LGBTQIA community shall have a choice to release documents that disclose their preferred identity or sexuality. Please use the Nord Center’s current release’s “other” area for reason to disclose and specify the reason of the release. Exceptions of release of records apply if the records is subpoena or legal guardian inquire records. Clinician and client must discuss the careful documentation of sexual orientation and disclosure and discus possible instances in which records are mandatory to be released.
D. Disclosures For Which Authorization is Not Required
It is the policy of The Nord Center to use and disclose protected health information, without the written authorization of the individual,
(1) To protect an individual believed to be incapacitated or in an emergency circumstance.
It is the policy of The Nord Center to disclose protected health information without the individual’s written permission when available information suggests an individual’s incapacity or an emergency circumstance, and the disclosure is believed to be in the best interest of the health or safety of the individual or community, as determined by a staff member in the reasonable exercise of professional judgment.
(2) To protect a child.
Protected health information about a child who is alleged or suspected to be or have been the subject of neglect, abuse, or exploitation is disclosed without written authorization to the Department of Child and Family Services, and to law enforcement personnel. Procedures for disclosure, and definitions of abuse, neglect, and exploitation are found in the policy “Reporting Alleged Abuse or Neglect of Clients.”
(3) To protect an impaired adult.
Protected health information about a physically or mentally impaired adult who resides in an independent or assisted living arrangement, and who is alleged or suspected to be or have been the subject of neglect, self-neglect, abuse, or exploitation is disclosed without written authorization to the Adult Protective Services (APS) of the Department of Senior and Adult Services, and to law enforcement personnel. Procedures for disclosure, and definitions of abuse, neglect, and exploitation are found in the policy “Reporting Alleged Abuse or Neglect of Clients.”
(4) To take action on an explicit threat.
Protected health information is disclosed without an individual’s written authorization when a client or knowledgeable person communicates to a direct-service provider of this organization an explicit threat of inflicting imminent and serious physical harm to, or causing the death of, a clearly identifiable potential victim. Procedures for responding to this type of situation are described in the policy “Client Risk Precautions.” In circumstances of such a threat, a staff member must take timely action to predict, warn of, or take precautions to prevent the violent behavior of the individual.
(5) In response to a law enforcement official’s request.
Protected health information may be disclosed without written authorization, in response to a law enforcement official’s request for such information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, provided that the information disclosed is limited to the individual’s
(a) name and address;
(b) date and place of birth;
(c) Social Security number;
(d) blood type and Rh factor;
(e) type of injury;
(f) date and time of treatment;
(g) date and time of death (if applicable); and
(h) distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence of absence of facial hair, scars, and tattoos.
For those receiving alcohol and other drug addiction services, the rules of 42 CFR will be followed. The federal rules restricts any use of information to criminally investigate or prosecute any alcohol or drug abuse client.
(6) In response to a court order, court-ordered warrant, subpoena, summons issued by a judicial officer, grand jury subpoena, administrative subpoena or summons, civil or authorized investigative demand, or similar process authorized under law, as described in 45 CFR Part 164.512 (f).
- For public health activities and purposes described in 45 CFR Part 164.512 (b), such as preventing or controlling disease, and conducting public health investigations or surveillance.
E. Use of Social Media, Cell Phones & PHI : Staff are not to include client PHI in any form of social media (Facebook, Twitter, blogging). When using cell phones for business purposes to text or email client information to a supervisor/concerned other, only client initials and client ID numbers will be used to identify the client.
F. Tracking of Information Released: All authorizations for disclosure of
information are entered in the Information Request Tracking share point list on the Nord Center’s intranet. A module is also created in the client’s health record in the Release of Information tab, to document valid authorizations for disclosure of information. The module in EMR creates a record of the requestor’s name or name of agency, when the module was created, and the specific records that were released for printing.
When Subpoenas and/or court orders are received, they are forwarded to the Manager of CAS and logged in a spreadsheet. Department Directors notify the Manager of CAS of the decision about what to release. This activates the release of records if there is a medical record. For clients in the Sexual Assault Services (SAS) without a Nord Center medical record, SAS tells the CAS Manager what was released and this is logged in the spreadsheet.
Procedures:
- An individual who requests or is referred for face-to-face services from this organization is provided with the Notice of Privacy Practices for Protected Health Information, and is given the opportunity to review this document before providing written consent for services and the use and disclosure of protected health information. If the individual has impaired vision or reading skills, staff members shall offer to read the Notice to the individual. When the individual who is to receive services is under the age of 18, the Notice shall be given to the individual’s parent or legal guardian. When an individual who requests or is referred for services is an adult who has a legal guardian, the Notice shall be given to the legal guardian.
- After the individual has had an opportunity to review the Notice of Privacy Practices for Protected Health Information, the Consent for Treatment, and for Use and Disclosure of Protected Health Information document is reviewed with the individual. A policy by that name describes procedures for documenting consent.
- When a service provider or other staff member determines the need to request or disclose protected health information about an individual, the individual (or the individual’s parent or legal guardian) shall be fully informed about the specific information to be obtained or disclosed, the name of the organizations and persons from whom the information is to be requested or to whom it is to be disclosed, and the intended use of this information.
- Should the individual (or the individual’s parent or legal guardian) agree to the request for or disclosure of information, the Client’s Authorization for the Disclosure of Information form (or its revision or modification) is reviewed and completed with the individual, and a photocopy is given to the individual. On the form are written the full name of the individual, the individual’s date of birth and Social Security Number, and identification number. The names of the persons and/or organizations from whom information is to be obtained, and/or to whom it is to be disclosed, are legibly recorded on the appropriate section of the form. The full name of an organization is recorded, along with the specific information/content to be obtained and/or disclosed, and the purpose of the request for or disclosure of information. Also documented on this form is the date, event, or condition upon which the authorization expires. The service provider must advise the client of his/her ability to revoke the authorization at any time. The specific information to be disclosed, the purpose of the disclosure and the period of time/time limitation that the written disclosure covers is included on the form.
- The signature of the individual (or the individual’s parent or legal guardian) is obtained, indicating the individual’s authorization for the disclosure of the information indicated in the previous section, and the date recorded. The signature of the agency representative obtaining the authorization is also recorded on the form, along with the date the authorization was obtained.
- The original copies of the Consent for Treatment, and for Use and Disclosure of Protected Health Information, and the Client’s Authorization for Disclosure of Information are filed in the appropriate section of the client’s Integrated Clinical Record (ICR). A photocopy is acceptable, if the person or organization from whom information is requested, or to whom information is disclosed, requires receipt of an original, signed form.
- In the course of a telephone conversation or in response to any other form of inquiry, staff members and agency representatives ensure that a completed Client’s Authorization for Disclosure of Information form is in the client’s ICR, and that it has not expired, prior to the disclosure of the identity of a client, or any information about the client, unless the law permits or requires disclosure without written authorization, as described in section C of this Policy statement.
- Staff members or agency representatives who are uncertain about the application or interpretation of Ohio laws, Federal laws, or this organization’s policies regarding the disclosure of protected health information, consult with a Program Manager or Supervisor prior to the disclosure of information. Program Managers or Supervisors are available 24 hours per day for this purpose.
- Requests for information about a client from a Court or attorney are forwarded immediately to the Director of Quality Improvement or Quality Improvement Manager.
- (10)Staff attends annual training to review the agency’s Social Media/Cell Phone & PHI protocols. During the monthly “birthday bash” training, staff reviews the confidentiality concerns related to the use of Facebook, Twitter, and blogging and the correct way of identifying clients when texting and emailing.
In addition:
In case of a need to disclose, LGBTQIA clients must be given the option to disclose, and a specific release of information regarding client’s sexual preference or sexuality shall follow. Careful precautions shall be taken if client is at risk of danger by disclosing his/her sexual preference.
Minors from the LGBTQI community shall have protection against disclosing information of sexual preference and sexuality from individuals who might be authorized to receive information from client’s chart, as identified by the child/adolescent as a potential risk for violence. (i.e. not documenting specific sexual orientation or preferences disclosure on progress note or any other instrument, without letting client know that records can be seen by legal guardian or if chart requires subpoena by a judge).
Staff will protect LGBTQI A client’s confidentiality, sexual preference and/or gender identification. (i.e. if staff member knows a client and find out of his/hers sexual preference)
** Note that these procedures are not intended to apply to situations involving a referral to the Center by an outside agent during which the agent is providing information to the Center necessary to determine whether a referral is appropriate and/or to facilitate a referral.