THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT OUR CONSUMERS MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
A federal regulation, known as the “HIPAA Privacy Rule,” requires that we provide detailed notice in writing of our privacy practices. We know that this Notice is long. The HIPAA Privacy Rule requires us to address many specific things in this Notice.
I. OUR COMMITMENT TO PROTECTING HEALTH INFORMATION ABOUT OUR CONSUMERS
In this Notice, we describe the ways that we may use and disclose health information about our consumers. The HIPAA Privacy Rule requires that we protect the privacy of health information that identifies a consumer, or where there is a reasonable basis to believe the information can be used to identify a consumer. This information is called “protected health information” or “PHI”. This Notice describes your rights as the legally responsible person for our consumer and our obligations regarding the use and disclosure of PHI.
We are required by law to:
- Maintain the privacy of PHI about our consumers;
- Give you this Notice of our legal duties and privacy practices with respect to PHI; and
- Comply with the terms of our Notice of Privacy Practices that is currently in effect.
We reserve the right to make changes to this Notice and to make such changes effective for all PHI we may already have about you. If and when this Notice is changed, we will post a copy in our facilities in a prominent location. We will also provide you with a copy of the revised Notice upon your request made to our HIPAA Compliance Official.
II. HOW WE MAY USE AND DISCLOSE PROTECTED HEALTH INFORMATION ABOUT OUR CONSUMERS
The following categories describe the different ways that the HIPAA Rule and N.C. law state that we may use and disclose PHI for treatment, payment, or health care operations. The examples included with each category do not list every type of use or disclosure that may fall within that category.
Treatment: We may use and disclose PHI about our consumers to provide, coordinate or manage their health care and related services. We may share PHI with other health care providers when necessary to coordinate appropriate and effective care, treatment or habilitation for our consumers and when failure to share this information would be detrimental to the care, treatment or habilitation of our consumer. Within our company, employees, students, consultants or volunteers involved in the care, treatment, or habilitation may exchange PHI as needed for the purpose of carrying out their responsibility in serving our consumers. We are required to submit PHI to the State of North Carolina program named NC-TOPPS (N.C. Treatment Outcomes and Program Performance System). This information measures outcome and performance for Mental Health and Substance Abuse consumers in order for continuous quality improvement to occur. We may disclose PHI with a physician or other health care provider who is providing emergency medical services to our consumer. For example, we may use and disclose PHI when our consumers need a prescription, lab work, an xray, or other health care services. In addition, we may use and disclose PHI when referring our consumer to another health care provider. For example, if our consumers are referred to another physician, we may disclose PHI to your new physician regarding whether they are allergic to any medications.
Payment: We may use and disclose PHI so that we can bill and collect payment for the treatment and services provided to consumers. We may use and disclose PHI if there is reason to believe that our consumer is eligible for financial benefits through a governmental agency. For example, we may ask for payment approval or authorization from N.C. Medicaid, Value Options, N.C. Health Choice or a Local Management Entity (local mental health program) before we provide care or services. We may use and disclose PHI for billing, claims management, and collection activities involving these agencies. We may also disclose PHI to another health care provider required to comply with the HIPAA Privacy Rule for the payment activities of that health care provider.
Health Care Operations: We may use and disclose PHI in performing business activities which are called health care operations. For example, we may use and disclose PHI in the following health care operations:
- If a court of competent jurisdiction issues an order compelling disclosure.
- To an attorney who represents either the facility or an employee of the facility, if such information is relevant to litigation, to the operations of the facility, or to the provision of services by the facility. An employee may discuss confidential PHI information with his attorney or with an attorney representing the facility in which he is employed.
- For purposes of complying with abuse and neglect statutes.
- When in our opinion there is an imminent danger to the health or safety of the consumer or another individual or there is a likelihood of the commission of a felony or violent misdemeanor.
- To persons responsible for conducting general research or clinical, financial, or administrative audits if there is a justifiable documented need for this information. A person receiving the information may not directly or indirectly identify any consumer in any report of the research or audit or otherwise disclose consumer identity in any way.
Communication From Our Office: We may contact you to remind you of appointments and to provide you with information about treatment alternatives or other health related benefits and services that may be of interest to you.
OTHER USES AND DISCLOSURES WE CAN MAKE WITHOUT YOUR WRITTEN AUTHORIZATION
- Individuals Involved in Consumer’s Care: Upon request of the next of kin or other family member who has a legitimate role in the therapeutic services offered, or other person designated by the consumer or his legally responsible person, the responsible professional shall provide the next of kin or other family member or the designee with notification of the consumer’s diagnosis, the prognosis, the medications prescribed, the dosage of the medications prescribed, the side effects of the medications prescribed, if any, and the progress of the consumer, provided that the consumer or his legally responsible person has consented in writing, or the consumer has consented orally in the presence of a witness selected by the consumer prior to the release of this information. Both the consumer or the legally responsible person’s consent and the release of this information shall be valid for a specified length of time only and is subject to revocation by the consenting individual.
OTHER USES AND DISCLOSURES WE CAN MAKE WITHOUT YOUR WRITTEN AUTHORIZATION OR OPPORTUNITY TO AGREE OR OBJECT
We may use and disclose PHI in the following circumstances without your authorization or opportunity to agree or object, provided that we comply with certain conditions that may apply.
Required By Law: We may use and disclose PHI as required by federal, state, or local law. This will include any state communicable disease laws. Any disclosure complies with the law and is limited to the requirements of the law.Re-disclosure is prohibited without authorization.
Disclosures required by HIPAA Privacy Rule: We are required to disclose PHI to the Secretary of the United States Department of Health and Human Services when requested by the Secretary to review our compliance with the HIPAA Privacy Rule. We are also required in certain cases to disclose PHI to you upon your request to access PHI or for an accounting of certain disclosures of PHI (those requests are described in Section III of this Notice).
These situations of use and disclosure without authorization are not all inclusive butare examples of the most appropriate ones pertaining to our services at the presenttime.
OTHER USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION REQUIRE YOUR AUTHORIZATION
Worker’s Compensation: We may disclose PHI as authorized by workers’ compensation laws or other similar programs that provide benefits for work-related injuries or illness.
Substance Abuse Services: Federal law restricts the use and disclosure of patient information that is received by an alcohol or drug abuse treatment program. Generally, substance abuse information that we obtain for the purpose of providing substance abuse treatment, diagnosis, or referral for treatment must not be disclosed without written authorization. For example, we would need written authorization before we could disclose substance abuse information to the insurance provider for the purpose of obtaining reimbursement for the cost of services provided.
The federal law protecting substance abuse treatment information applies only to information that would identify a substance abuse patient, directly or indirectly, as an alcohol or drug abuser or a recipient of alcohol or drug services. In addition to restricting disclosure, the federal law places restrictions on the use of information to initiate or substantiate any criminal charges against a patient or to conduct a criminalinvestigation of a patient.
As stated above, federal law generally requires that we obtain written consent before we may disclose information that would identify a patient as a substance abuser or a patient of substance abuse services. But, there are some important exceptions to this requirement. We can disclose information within our program to members of our workforce as needed to coordinate care and to agencies or individuals that help us carry out our responsibilities in serving a patient. We may disclose information to medical personnel in a medical emergency. If we suspect that a child is abused or neglected, state law requires us to report the abuse or neglect to the department of social services, and we may disclose substance abuse treatment information when making the report. We will disclose information about a patient if a court orders us to do so. If a patient commits a crime, or threatens to commit a crime, on the premises ofour program or against our program personnel, we may disclose information about that patient to talk to law enforcement officers about the crime or threat.
Infant-Toddler Program: The Family Educational Rights and Privacy Act (FERPA), 34CFR Part 99, applies to all agencies and providers providing early intervention services for children with or at risk for disabilities from birth to age three and their families under Part C of the Individuals with Disabilities Education Act (IDEA), Public Law 99-457. In North Carolina, part C of the IDEA is called the Infant-Toddler Program.
FERPA ensures the privacy of individuals by setting forth requirements related to the sharing of confidential and personally identifiable information among providers of services. Information generated and used by agencies and providers in all media (written, electronic, and oral) must comply with the requirements of the FERPA.
Agencies, private provider organizations, and other individuals providing earlyintervention services under agreements with these agencies are also covered by FERPA. FERPA protections are extended to children and families enrolled in or seeking enrollment in the Infant-Toddler Program. These protections cover information shared during referral and eligibility determination, evaluation and assessment, service planning and service delivery.
The North Carolina Infant-Toddler Program has established confidentiality and privacy guidelines and requirements that participating agencies and providers must follow. These are outlined in the North Carolina Infant-Toddler Program Manual and include compliance with FERPA, safeguards to ensure confidentiality of individually identifiable information at all stages, notification to families of their rights, written parental authorization for the release of information, the establishment of interagency confidentiality agreements, individual provider confidentiality statements, and confidentiality related to child find and referral to the Infant-Toddler Program.
Each Infant-Toddler Program agency must have a written policy regarding how the agency meets the requirements of FERPA. The agency is also responsible for ensuring that private providers follow the standards in the Infant-Toddler Program Manual to meet FERPA compliance.
The FERPA compliance policy contains the following:
- A parent may inspect and review records of the child and family;
- Personally identifiable information will not be released from a record without prior written authorization of the parent except where it is allowed by law (e.g., child find activities).
- A record of disclosure will be maintained and that the parent may inspect and review the record.
- The Infant-Toddler program maintains certain information as directory information, including the child’s name, date of birth, the parent’s name, address, telephone number, and dates of enrollment, but that this information is not released without written authorization from the parent except where it is allowed by law (e.g., child find activities).
- The agency permits a parent to request correction of the records, to obtain a hearing, and to add a statement to the record.
OTHERS USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION REQUIRE YOUR AUTHORIZATION
All other uses and disclosures of PHI will only be made with your written authorization. If you have authorized us to use or disclose PHI, you may revoke your authorization at any time, except to the extent we have taken action based on the authorization.
III.YOUR RIGHTS REGARDING PROTECTED HEALTH INFORMATION ABOUT OUR CONSUMERS
Under federal law, you have the following rights regarding PHI:
Right to Request Restrictions: You have the right to request additional restrictions on the PHI that we may use for treatment, payment and health care operations. You may also request additional restrictions on our disclosure of PHI to certain individuals involved in your care that otherwise are permitted by the Privacy Rule. We are not required to agree to your request. If we do agree to your request, we are required to comply with our agreement except in certain cases, including where the information is needed to treat consumers in the case of an emergency. To request restrictions, you must make your request in writing to our HIPAA Compliance Official. Please contact the HIPAA Compliance Official for the form to complete.
Right to Receive Confidential Communications: You have the right to request that you receive communications regarding PHI in a certain manner or at a certain location. Please contact the HIPAA Compliance Official for the form to complete. We are required to accommodate reasonable requests.Right to Inspect and Copy: You have the right to request the opportunity to inspect and receive a copy of PHI in certain records that we maintain. This includes medical and billing records but does not include psychotherapy notes or information gathered or prepared for a civil, criminal, or administrative proceeding. To inspect and copy PHI, please contact our HIPAA Compliance Official. If you request a copy of PHI, we may charge you a reasonable fee for the copying, postage, labor and supplies used inmeeting your request.
Right to Amend: You have the right to request that we amend PHI about consumers as long as such information is kept by or for our office. To make this type of request you must submit your request in writing to our HIPAA Compliance Official. Your amendment will be added to the consumer’s record.
Right to Receive an Accounting of Disclosures: You have the right to request an “accounting” of certain disclosures that we have made of PHI. This is a list of disclosures made by us other than disclosures made: for certain treatment, payment, and health care operations; and, pursuant to an authorization by you. If you wish to make such a request, please contact our HIPAA Compliance Official identified on the last page of this Notice. The first list that you request in a 12-month period will be free, but we may charge you for our reasonable costs of providing additional lists in the same 12-month period. We will tell you about these costs, and you may choose to cancel your request at any time before costs are incurred.
Right to a Paper Copy of this Notice: You have a right to receive a paper copy of this Notice at any time. You are entitled to a paper copy of this Notice even if you have previously agreed to receive this Notice electronically. This copy is for your records.
If you believe your privacy rights have been violated, you may file a complaint with us or the Secretary of the United States Department of Health and Human Services. To file a complaint with our office, please contact our HIPAA Compliance Official at the address and number listed below. We will not retaliate or take action against you for filing a complaint.
If you have any questions about this Notice, please contact our HIPAA ComplianceOfficial at the address and telephone number listed below.
VI. HIPAA COMPLIANCE OFFICIAL CONTACT INFORMATION
You may contact our HIPAA Compliance Official at the following address and phone number:
Wilson Raynor, Executive Vice-President
2609 Royall Avenue, Goldsboro, NC 27534
This notice was published and first became effective April 14, 2003.