Your privacy is a primary concern at Casa Pacifica Centers for Children & Families, Inc. We are committed to ensuring the highest level of confidentiality and security, not just on our Web site, but in all of our interactions with patients or their families. When you provide your personal information to us (such as name, address, phone number, and e-mail address) we will not share this information with any third person or organization without your consent. We will maintain the confidentiality of your personal information and it will be used only to provide the information or services that you request from us.
Additionally, internal policies and procedures help protect your privacy by limiting staff access to your personal information. When we ask for personal information, it is done with the goal of responding to the needs that you directly communicate to us. Our intention is to send e-mail only to persons or organizations that have chosen to receive such e-mails. You have the right, at any time, to stop receipt communications from us.
Privacy and Confidentiality Policy Applies to:
All Employees and All Programs Date: 4/2003 Revised: 3/2007, 5/2011 Authority: 45 CFR Part 164, COA, Employee Handbook, Network Security Manual Authors: Compliance Officer Approved by: Steve Elson, CEO I. Definition and Overview of Process:
A. This policy is intended to facilitate Casa Pacifica's efforts to implement HIPAA and ensure its workforce and business associates:
1. Understand and carry out expected privacy practices,
2. Have a clear understanding of the permissible uses and disclosures of Personal Health Information (PHI),
3. Understand organizational procedures governing uses and disclosures of PHI,
4. Have a clear understanding of their duty to protect the privacy of client's PHI under specific circumstances. B. This policy is to be maintained in writing, including electronic storage, and will be retained for six years from the date of creation.
II. Protected Health Information, or PHI includes the following identifiers:
B. All geographic subdivisions smaller than a state (county, city, street address, zip code);
C. All elements of dates (except year) directly related to an individual;
D. Telephone numbers;
E. Fax numbers; Privacy and Confidentiality Policy Compliance, May 2011
F. Electronic mail addresses; G. Social Security numbers;
H. Medical record numbers;
I. Health-plan beneficiary numbers;
J. Account numbers;
K. Certificate and license numbers;
L. Vehicle identifiers and serial numbers, including license plate numbers;
M. Medical device identifiers and serial numbers;
N. Internet universal resource locators (URLs);
O. Internet protocol (IP) addresses;
P. Biometric identifiers including fingerprints and voice prints;
Q. Full-face photographic images; and
R. Any other unique identifying number, characteristic, or code
III. BUSINESS ASSOCIATES
A. A Business Associate is a person or organization, other than a member of Casa Pacifica workforce, that performs certain functions or activities on behalf of, or provides certain services to, Casa Pacifica that involve the use or disclosure of individually identifiable health information or PHI. All Business Associates are required to enter into a business associate agreement (Attachment 1) which imposes specified written safeguards on the PHI used or disclosed by the business associate.
IV. PROTECTED HEALTH INFORMATION A. Protected Health Information (PHI) is all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. PHI is information, including demographic data, that relates to:
1. The individual's past, present or future physical or mental health or condition
2. The provision of health care to the individual, or Privacy and Confidentiality Policy Compliance, May 2011
3. The past, present, or future payment for the provision of health care to the individual,
4. And that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. This information includes common identifiers such as name, address, birth date, social security number, etc. B. The Privacy Rule (45 CFR part 164) excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to the Family Education Rights and Privacy Act, 20 U.S.C. section 1232g.
5. There are no restrictions on the use or disclosure of de-identified health information.
V. GENERAL PRINCIPLE FOR USES AND DISCLOSURES
A. Basic Principle: Casa Pacifica may not use or disclose PHI, except either:
1) as the Privacy Rule permits or requires; or
2) as the individual who is the subject of the information (or the individual's authorized representative) authorizes in writing.
B. Required Disclosures: Casa Pacifica must disclose PHI in only two situations:
1) to individuals (or their authorized representatives) specifically when they request access to, or an accounting of disclosures of, their PHI; and
2) to the Department of Health and Human Services Agency when it is undertaking a compliance investigation or review or enforcement action.
C. PERMITTED USES AND DISCLOSURES
1. Casa Pacifica is permitted, but not required, to use and disclose protected health information, without an individual's authorization, for the following purposes or situations:
a) To the individual.
b) Treatment, payment, health care operations. Casa Pacifica may use and disclose PHI for its own treatment, payment, and health care operations activities. Casa Pacifica may also disclose PHI for the treatment activities of any health care provider, the payment activities of another covered entity and of any health care provider, or the health care operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities have or had a relationship with the individual and the PHI pertains to the relationship.
c) Treatment: is the provision, coordination, or management of health care and related services by one or more health care providers, including consultation between providers regarding a patient and referral of a patient by one provider to another. Privacy and Confidentiality Policy Compliance
d) Payment: encompasses activities of Casa Pacifica to obtain payment or be reimbursed for the provision of health care to an individual.
e) Health care operations are any of the following activities:
(1) Quality assessment and improvement activities including case management and care coordination;
(2) Competency assurance activities including performance evaluation, credentialing, and accreditation;
(3) Conducting or arranging for medical reviews, audits, or legal services including fraud and abuse detection and compliance programs;
(4) Specified insurance functions, such as underwriting, risk rating, and reinsuring risk;
(5) Business planning, development, management, and administration;
(6) And business management and general administrative activities of Casa Pacifica including but not limited to: de-identifying PHI, creating a limited data set, and certain fundraising for the benefit of Casa Pacifica.
2. Most use and disclosures of psychotherapy notes for treatment, payment and health care operations require separate authorization.
D. Uses and disclosures with opportunity to agree or object
1. Informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object. Where the individual is incapacitated, in an emergency situation, or not available, Casa Pacifica may make such uses and disclosures, if in the exercise of their professional judgment, the use of disclosure is determined to be in the best interests of the individual. E. Incidental use and disclosure
1. Privacy Rule does not require that every risk of an incidental use or disclosure of PHI be eliminated, though Casa Pacifica adopts reasonable safeguards as required by the Privacy Rule.
F. Public interest and benefit activities
1. The Privacy Rule permits (but does not require) use and disclosure of PHI, without an individual's authorization or permission, for 12 national priority purposes:
G. Casa Pacifica may use and disclose PHI without individual authorization as required by law Privacy and Confidentiality Policy Compliance, May 2011 H. Casa Pacifica may disclose PHI for Public Health Activities
1. To public health authorities who collect information to prevent or control disease, injury, or disability or, to other government authorities authorized to receive reports of child abuse and neglector, to entities subject to FDA regulation for adverse event reporting, tracking of products, product recalls, and post marketing surveillance or, Regarding individuals who may have contracted or been exposed to a communicable disease when such notification is authorized by law or, for employers, regarding employees, when requested by employers, for information concerning a work-related illness or injury because such information is needed by the employer to comply with the Occupational Safety and Health Administration (OSHA).
I. Casa Pacifica will disclose PHI to appropriate government authorities regarding victims of child abuse and neglect, victims of elder abuse and neglect, and the intended victim of a direct and plausible threat to harm. J. Casa Pacifica may disclose PHI to health oversight agencies for purposes such as audits and investigations necessary for oversight of the health care system and government benefit programs.
K. Casa Pacifica may disclose PHI in a judicial or administrative proceeding if the request for the information is through an order from a court.
L. Casa Pacifica may disclose PHI to law enforcement officials under the following six circumstances:
1. As required by law
2. To identify or locate a suspect, fugitive, material witness, or missing person
3. In response to a law enforcement official's request for information about a victim or suspected victim of a crime
4. To alert law enforcement of a person's death, if it is suspected that criminal activity caused the death
5. When Casa Pacifica believes that PHI is evidence of a crime that occurred on its premises By a covered health care provider in a medical emergency not occurring on its premises,
6. When necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime. M. Casa Pacifica may disclose PHI to funeral directors as needed to identify a deceased person, determine the cause of death, etc.
N. The Privacy Rule permits use and disclosure of PHI for research purposes, without an individual's authorization, provided the following: Privacy and Confidentiality Policy Compliance, May 2011
1. Documentation that an alteration or waiver of individual's authorization for the use or disclosure of PHI about them fore research purposes has been approved by an Institutional Review Board or Privacy Board,
2. Representations from the researcher that the use or disclosure of the PHI is solely to prepare a research protocol or for similar purpose preparatory to research, that the researcher will not remove any PHI from Casa Pacifica, and that PHI for which access is sought is necessary for the research 3. Representations from the researcher that the use or disclosure sought is solely for research on the PHI of decedents, that PHI is necessary for the research,
4. And at the request of Casa Pacifica, documentation of the death of the individuals about whom information is sought.
O. Casa Pacifica may disclose PHI we believe is necessary to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone we believe can prevent or lessen the threat (including the target of the threat).
P. An authorization is not required to use or disclose PHI for certain essential government functions such as: execution of a military mission, conducting intelligence and national security activities, determining eligibility for or conducting enrollment in certain government benefit programs. Q. Casa Pacifica may disclose PHI as authorized by, and to comply with, workers compensation laws
R. Limited Data Set: a limited data set is PHI from which certain specified direct identifiers of individuals and their relatives, household members, and employers have been removed. A limited data set may be used and disclosed for research, health care operations, and public health purposes, provided the recipient enters into a data use agreement promising specified safeguards for the PHI within the limited data set.
VI. AUTHORIZED USES AND DISCLOSURES
A. Casa Pacifica must obtain the individual's written authorization for any use or disclosure of PHI that is not for treatment, payment or health care operations
B. Casa Pacifica will obtain an individual's authorization to use or disclose psychotherapy notes with the following exceptions:
1. The covered entity who originated the notes may use them for treatment
2. Casa Pacifica may use or disclose, without an individual's authorization, the psychotherapy notes for its own training and to defend itself in legal proceedings brought by the individual, for HHS to investigate or determine Casa Pacifica's compliance with Privacy Privacy and Confidentiality Policy Compliance, May 2011 Rules, to avert a serious and imminent threat to public health or safety, to a health oversight agency for lawful oversight of the originator of the psychotherapy notes, for the lawful activities of a coroner or medical examiner or as required by law.
VII. LIMITING USES AND DISCLOSURES TO THE MINIMUM NECESSARY
A. A central aspect of the Privacy Rule is the principle of "minimum necessary" use and disclosure. Casa Pacifica makes reasonable efforts to use, disclose, and request only the minimum amount of PHI needed to accomplish the intended purpose of the use, disclosure, or request. Casa Pacifica may not use, disclose, or request the entire medical record for a particular purpose, unless it can specifically justify the whole record as the amount reasonably needed for the purpose. B. Access and uses: Casa Pacifica assumes all of its employees working in direct care with our clients has access to PHI and requires all personnel sign a confidentiality statement and an acknowledgment of Casa Pacifica's Privacy Policies.
C. Disclosures and Requests for Disclosures: Casa Pacifica procedure for routine, recurring disclosures, or requests for disclosures limits the PHI to that which is the minimum amount reasonably necessary to achieve the purpose of the disclosure VIII.
NOTICE AND OTHER INDIVIDUAL RIGHTS
A. Casa Pacifica provides a notice of our privacy practices to all service recipients upon the first service encounter. We also post this notice at each delivery site in a clear and prominent place where people seeking service may reasonable be expected to be able to read the notice and to anyone upon request. Casa Pacifica makes a good faith effort to obtain written acknowledgement from service recipients of receipt of the privacy practices notice. If Casa Pacifica fails to obtain written acknowledgement, the reason is documented.
B. Casa Pacifica acknowledges that individuals have the right to review and obtain a copy of their PHI in our records. The Privacy Rules exempts from the right of access: psychotherapy notes, information compiled for legal proceedings, laboratory results to which the Clinical Laboratory Improvement Act (CLIA) prohibits access. Casa may deny an individual access when it is believed access could cause harm to the individual or another, in this case the individual has the right to have such denial reviewed by a licensed health care professional for a second opinion. Casa Pacifica may charge reasonable, cost-based fees for the cost of copying and postage. C. Casa Pacifica acknowledges that individuals have the right to amend their PHI when it is inaccurate or incomplete. The service recipient may use the Request to Amend PHI form and Casa Pacifica will make reasonable efforts to provide the amendment to persons that the individual has Privacy and Confidentiality Policy Compliance, May 2011 identified as needing it. If the request is denied, Casa Pacifica allows the service recipient to submit a statement of disagreement for inclusion in the record. Casa Pacifica will amend PHI in its records upon receipt of notice to amend from another covered entity.
D. Casa Pacifica acknowledges individuals have a right to an accounting of the disclosures of the PHI. The maximum disclosure accounting period is the six years immediately preceding the accounting request. The Privacy Rule does not require accounting for disclosures for treatment, payment or health care operations, to the individual or authorized representative; pursuant to an authorization, for national security or otherwise incident to permitted or required uses or disclosures stated above.
E. Casa Pacifica acknowledges individuals have the right to request that we restrict use or disclosure of PHI for any of the permitted uses or disclosures stated above. Casa is under no obligation to agree to requests for restrictions, but if agreed to will comply with the restrictions, except for purposes of treating the individual in a medical emergency.
F. Casa Pacifica permits service recipients to request alternative means or location for receiving communications of PHI by means other than those we typically employ. IX.
ADMINISTRATIVE REQUIREMENTS A. Casa Pacifica's Compliance Officer is the primary designate for developing and implementing privacy policies and procedures, and is also the contact person responsible for receiving complaints and providing individuals with information on our Privacy Practices.
C. Casa Pacifica will attempt to mitigate, to any extent practical, any harmful effect it learns was caused by use or disclosure of PHI by its workforce or business associates in violation of our privacy policies or the privacy rule.
D. Casa Pacifica maintains a separate Security Policy intended to prevent intentional or unintentional use or disclosure of PHI.
E. Casa Pacifica has identified the Compliance Officer and the person to whom complaints about privacy policies and procedures can be submitted. These complaints may also be sent directly to the Secretary of HHS. F. Casa Pacifica will not retaliate against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by the HHS or another appropriate authority, or for opposing an act or practice that the person believes in good faith violates the Privacy Rule. Privacy and Confidentiality Policy Compliance, May 2011
G. Casa Pacifica maintains, until six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities and designations that the Privacy Rule requires to be documented.
H. All email generated from Casa Pacifica shall have the following privacy statement attached: This message is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential or exempt from disclosure under applicable federal or state law. No confidentiality or privilege is waived or lost by any mis-transmission. If the reader of this message is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, please immediately delete it together with any attachments and all copies of it from your system, destroy any hard copies and notify Casa Pacifica by telephone at (805) 445-7800. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient.
I. All email will not have the client's name at all in the subject bar. In the body of the email the client's first name and last initial only will be used.
1. Users are aware that email is not a confidential means of communication. Casa Pacifica can not guarantee that electronic communications will be private.
a) Users are aware that email can be forwarded, intercepted, printed, and stored by others.
b) Users are aware that once an email has been sent it may be altered.
c) Deleting an email from an individual workstation will not eliminate it from the various systems across which it has been transmitted.
X. ACCESS TO CASE RECORDS
A. Access to confidential case records is limited to:
1. The client or his/her parent, guardian or authorized representative;
2. Personnel authorized to access specific information on a "need-to-know" basis
3. Former service recipients; and
A. If Casa Pacifica determines that it would be harmful for a service recipient to review his/her case record, and applicable law provides no guidance on case record access, then senior management reviews, approves in writing, and enters into the case record the reasons for refusal. A qualified professional may review records on behalf of a service recipient, provided the professional signs a statement that information determined to be harmful will be withheld.
B. Reviews of case records by service recipients are:
1. Conducted in the presence of professional personnel on Casa Pacifica premises; and
2. Carried out in a manner that protects the confidentiality of family members and others whose information may be contained in the record XII.
CONFIDENTIAL CASE RECORD PHYSICAL SAFEGUARDS
A. During normal work hours, printed confidential information may not be left unattended. If left an area, including one's desk, will be unattended, even for only a few minutes, confidential information must be locked up.
B. Program staff must escort visitors, and confidential information including PHI must be kept out of sight while they are in the area.
C. During non-working hours, all client paper charts and other confidential information, including PHI, must be kept in a locked file cabinet in a secured building.
D. A designated employee will ensure all file cabinets are locked at the end of the business day.
E. All staff who are authorized to have access to client charts will follow the following record procedure:
1. Prior to removing a chart from the file cabinet, a sign out card will be completed and placed in the charts space.
2. Charts will be checked out with the assumption they will be used immediately and returned in a timely manner to reduce the chance of the chart being left unattended on a desk.
3. Employees will follow their department's chart check-out procedures.
4. All charts are to be returned to the main file cabinet by the end of the business day.
5. Should a chart need to be used after the end of the business day, staff will ensure the chart is locked in a file or desk drawer for temporary overnight storage.
6. Under no circumstances shall a chart be left on one's desk overnight Privacy and Confidentiality Policy Compliance, May 2011
7. Records shall not be removed from the office unless the following are occurs:
a) The client is discharged.
b) The record is subpoenaed or court ordered (see Subpoena policy).
c) Copies of the record/information are needed for disclosure of information.
d) 11.4.4. There are risk/legal issues and the record must be secured.
f) Casa Pacifica's Network Security Policy outlines user access safeguards in the electronic health record.