
HIPAA POLICY

HIPAA Compliance policy

 

 

General Policy regarding Confidentiality of Client and Employee Information:

 

It is the policy of IRecover.US to hold all information concerning clients and employees in strict confidence as required by applicable laws and regulations, including 42 CFR Part 2 (governing the confidentiality of client-identifying substance abuse treatment information) and 45 CFR Parts 160 and 164 (governing the security and privacy of protected health information ("PHI") mandated by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA")). Any employee, volunteer, intern or independent contractor who does not maintain the confidentiality of such information or who fails to comply with the policies and procedures set forth below shall be subject to disciplinary action, up to and including termination of employment.

 

THIS POLICY SUPERSEDES ANY OTHER IRECOVER.US POLICIES THAT MAY BE IN EFFECT CONCERNING THE CONFIDENTIALITY OF CLIENT AND EMPLOYEE INFORMATION.

 

Procedure:


 

  1. Definitions:


 

  1. Categories of Information Protected by this Policy.


 

  1. Client Protected Health Information (PHI):

1. Except for HIV-related information, which is governed by a Special Rule, ANY information, whether oral, written, or electronic, that identifies:

  1. A client currently in treatment.

  1. A client who was in treatment in the past; or

  1. A person who sought treatment even if the person was not actually admitted into a program.

  1. The following information identifies a client: name, address, city, county, zip code, birthdate, admission date, discharge date, date of death, age, telephone or cell phone numbers, e-mail address, social security number, medical record number, health plan beneficiary number, account number, license number, vehicle identifier, photographic image, or any other unique identifying number, characteristic, or code.

 

Employee PHI: Any health-related information concerning iRecover.US staff that does not concern the staff’s employment, such as information received by the Human Resources Department concerning a staff person's insurance claim.

  1. Written PHI: Any paper records or documents containing Client PHI or Employee PHI, including but not limited to assessment records, admission records, payment records, clinical, medical, and vocational charts, and any documents prepared for inclusion in these charts.



 

  1. Categories of Employees. This Policy applies to all employees, stipends, interns, volunteers, and temporary staff of iRecover.US. This Policy affords IRecover.US various levels of access to Client PHI based on the following categories:


 

  1. Treatment Staff: The clinical, medical, vocational, educational and admissions staff of IRecover.US whose primary function is to facilitate the provision of substance abuse treatment services to IRecover.US clients, as well as other IRecover.US staff working in a facility that provide other services to run the program and/or facility, such as administrative staff, cooks, drivers, and maintenance workers.


 

  1. Operations Staff: Staff of the following IRecover.US Departments: Operations, Human Resources, Finance, Legal, Facilities Maintenance, Internal Audit, Program Planning and Training.


 

  1. Authorized Operations Staff: Operations Staff with authority to receive Client PHI. The titles of Authorized Operations Staff will be maintained in accordance with IRecover.US' PHI policies.


 

  1. Client Billing Staff: Those IRecover.US staff directly responsible for obtaining payment or reimbursement for the provision of services to IRecover.US clients.


 

  1. Other Staff: Those IRecover.US Staff who do not fit into any of the above categories.



 

  1. Responsible Persons:


 

  1. Quality Assurance: The Director will select an individual or individuals to be the official(s) responsible for the implementation of that entity's privacy policies and procedures, including but not limited to the implementation of all provisions of this Policy and the development and enforcement of all local policies and procedures as provided. Those who select the Quality Assurance officer will ensure that the position is continuously filled and the name of each person holding the position, as well as information on how to contact that person.


 

  1. Disclosure of Client PHI:


 

  1. When Client PHI May Be Disclosed. IRecover.US Staff shall not acknowledge the identity of any client or disclose any Client PHI to ANYONE, UNLESS:

    1. To clients, for legitimate treatment purposes (on a "need to know" basis);


 

  1. To Treatment Staff for legitimate treatment purposes (on a "need to know" basis), as permitted by the procedure set forth below;

  1. To Operations Staff, as permitted by the procedure set forth below;

  1. To Client Billing Staff, as permitted by the procedure set forth below;

  1. The client has given valid written authorization (consent) that specifically permits that disclosure;

  1. The disclosure is made to medical personnel in a medical emergency;

  1. The disclosure is to a funding/licensing and/or monitoring agency for audit or evaluation purposes at the facility; provided the auditor signs a statement of release or assurance of confidentiality;

  1. To report a crime that occurred on program premises or against program personnel;

  1. When reporting information pertaining to an alleged child abuser or neglector, when fulfilling mandated child abuse reporting requirements;

J.  To a business contact who has signed a Qualified Service Organization/Business Associate Agreement as permitted by the procedure set forth below;

  1. The disclosure is authorized by an appropriate court order as defined in the federal regulations (not a subpoena or warrant) or

    1. For research purposes, through the use of a Limited Data Set as defined in HIPAA.


 

  1. Special Rules for HIV-Related Information. Information related to a client's HIV status may only be disclosed to other IRecover.US Staff or anyone outside of IRecover.US pursuant to a special written authorization that meets the requirements of applicable State law.

    1. Consult the Regional Policy on HIV-Related Information or the Legal Department regarding questions concerning the disclosure of HIV-related information.


 

  1. Accounting Required. Each time Client PHI is disclosed, without the client's written authorization but as permitted above (i.e., disclosures related to: an audit/evaluation, reporting a crime on program premises, fulfilling mandated child abuse reporting requirements, a court order, or a waiver from the IRB), and each time Client PHI is disclosed in violation of this Policy, an accounting of the disclosure must be recorded and maintained in the client's chart that includes:

    1. the date of the disclosure of the Client PHI;

  1. the nature of the Client PHI disclosed;

  1. the person, agency, or other entity to whom the Client PHI was disclosed; and

  1. the purpose for such disclosure.


 

  1. No Other Disclosures Permitted. Unless specifically permitted above, IRecover.US Staff may NOT disclose any Client PHI.


 

III. Rules Concerning the Internal Use and Disclosure of Client PHI (Within IRecover.US):


 

  1. Rules for Treatment Staff:


 

  1. Treatment Staff Access to Client PHI. Except with respect to HIV-related information as set forth above, Treatment Staff may access or share Client PHI with other Treatment Staff for legitimate treatment purposes (on a "need to know" basis).


 

  1. Treatment Staff Disclosures to Line Staff. Any Agency director or other Treatment Staff designated by the Agency director may disclose Client PHI to Authorized Line Staff as long as the Treatment Staff only provides the specific information requested and/or needed to be disclosed. Irrelevant Client PHI or a client's entire chart (unless an entire chart is specifically requested) should not be disclosed.


 

  1. Treatment Staff Disclosures to Client Billing Staff. Any Agency director or other Treatment Staff designated by the Agency director may disclose Client PHI to Client Billing Staff as long as only the minimum necessary information to accomplish the purpose of the disclosure is provided.


 

  1. Treatment Staff Disclosures to Other Staff. Treatment Staff may not disclose Client PHI to Other Staff unless:

    1. As permitted by a valid written authorization (consent); or

  1. For research purposes, pursuant to a waiver or the use of a Limited Data Set as defined in HIPAA.


 

  1. No Other Access Permitted. Except as set forth above, Treatment Staff shall not have access to Client PHI or share Client PHI.


 

  1. Record-Keeping. All Client PHI maintained by Treatment Staff must be safeguarded pursuant to the Record-Keeping Requirements set forth below.


 

  1. Rules for Operations Staff:


 

  1. Authorized Operations Staff Access to Client PHI. Authorized Operations Staff may access or share Client PHI as long as:

    1. The Client PHI is only accessed from or shared with:

      1. The Agency director of the Program holding or maintaining the Client PHI;

  1. Treatment Staff specifically authorized by the Agency director;

  1. Other Authorized Operations Staff; OR

  1. Any Client Billing Staff; AND

ii.  The Client PHI is accessed or shared only in connection with a regular job function of the Authorized Operations Staff; AND

  1. Authorized Operations Staff requesting Client PHI only requests the minimum necessary to accomplish the intended purpose.


 

  1. Other Operations/Line Staff Access to Client PHI. Other Operations/Line Staff may receive specific authorization from an Authorized Operations Staff in the same Department to access or share Client PHI for a limited purpose.


 

  1. Special Rule Concerning Interns. All Operations/Line Staff may have access to the name, status and location of any client assigned to work in the Operations Staff's Department as an intern.


 

  1. Non-Routine Requests. When Operations/Line Staff needs access to Client PHI for a purpose that is not a regular job function of that Operations Staff, Operations Staff shall contact the Director, who shall then authorize the disclosure of the Client PHI only if:

1. S/he determines that the need for the disclosure outweighs the need to keep the information confidential; and

ii. S/he determines that the information requested is the minimum information necessary to accomplish the stated purpose of the request.


 

  1. Operations Staff Disclosures to Other Staff. Operations Staff may not disclose Client PHI to Other Staff unless:

    1. As permitted by a valid written authorization (consent); or

  1. For research purposes, pursuant to a waiver or the use of a Limited Data Set as defined in HIPAA.


 

  1. No Other Access Permitted. Unless permitted by this Policy, Operations Staff shall not have access to Client PHI or share Client PHI with anyone.


 

  1. Record-Keeping. All Client PHI maintained by Operations Staff must be safeguarded pursuant to the Record-Keeping Requirements set forth below.


 

  1. Rules for Client Billing Staff:


 

  1. Client Billing Staff Access to Client PHI. Client Billing Staff may access Client PHI as long as only the minimum necessary information needed to obtain payment or reimbursement for the provision of services to IRecover.US clients is accessed or shared.


 

  1. Authorization Required to Seek Reimbursement from Third Party Payors. Client Billing Staff must not disclose any PHI to a third party payor without making sure that there is a valid written authorization (consent) for that client on file that authorizes the release of that information.


 

  1. Client Billing Staff Disclosures to Operations Staff. Client Billing Staff may only disclose Client PHI to Authorized Operations Staff as long as only the minimum necessary information to accomplish the purpose of the disclosure is provided.


 

  1. Client Billing Staff Disclosures to Other Staff. Client Billing Staff may not disclose Client PHI to Other Staff unless:

1.  As permitted by a valid written authorization (consent); or

  1. For research purposes, pursuant to a waiver or the use of a Limited Data Set as defined in HIPAA.


 

  1. No Other Access Permitted. Except as set forth above, Client Billing Staff shall not have access to Client PHI or share Client PHI with anyone.


 

  1. Record-Keeping.  All Client PHI maintained by Client Billing Staff must be safeguarded pursuant to the Record-Keeping Requirements set forth below.


 

  1. Rules for Other Staff:


 

  1. Other Staff Access to PHI. Other Staff shall not be afforded access to or share Client PHI except:

    1. As permitted by a valid written authorization (consent); or

  1. For research purposes, pursuant to a waiver or the use of a Limited Data Set as defined in HIPAA.


 

  1. No Other Access Permitted. Except as set forth above, Other Staff shall not have access to Client PHI or share Client PHI with anyone.


 

  1. Record-Keeping. All Client PHI maintained by Other Staff must be safeguarded pursuant to the Record-Keeping Requirements set forth below.



 

  1. Rules Concerning the External Disclosure of Client PHI (Outside of IRecover.US):


 

  1. Third Party Requests


 

  1. Any requests for Client PHI by third parties (agencies or persons who are not IRecover.US Staff) must be:

    1. In writing;

  1. On official letterhead if from an agency, organization or business; and

  1. Signed by the person making the request or an authorized representative of the agency, organization or business.


 

  1. Before responding to any request for Client PHI by a third party, appropriate Staff must ensure that any disclosure in response to the request would not violate this Policy, including ensuring that any disclosure pursuant to a written authorization meets the requirements below.


 

  1. Disclosures Pursuant to a Written Authorization:


 

  1. Authorization Must Be Reviewed. Before releasing any Client PHI pursuant to a written authorization (consent), staff must:

1.  review the authorization to ensure that the authorization has been filled out and signed by the client.

ii. review the authorization to ensure that the authorization permits the relevant category of information to be released for the specified purpose.

  1. review the authorization to ensure that the authorization has not expired; and

  1. review the client's file to ensure that there has been no written revocation of the authorization.

  1. Requirement for the Release of Client PHI Pursuant to Authorization. Any letter or other document leaving the facility which contains Client PHI must carry the following "written notice of prohibition on redisclosure" required by federal law if the information is being released pursuant to an authorization:

 

This information has been disclosed to you from records protected by Federal Confidentiality Rules (42 CFR Part 2). The Federal rules prohibit you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by 42 CFR Part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose. The Federal rules restrict any use of the information to criminally investigate or prosecute any alcohol or drug abuse patient.


 

  1. Client to Receive Copies of Authorizations. Clients must have access to copies of any authorizations that they have signed.


 

  1. Revocation of Authorization. Clients seeking to revoke an authorization (consent) must revoke such authorization in writing.

    1. Treatment staff should assist the client in completing a written revocation, whether it is written directly on the authorization or on a separate piece of paper.

  1. The revocation should be dated and signed by the client. If the revocation is on a separate piece of paper, the revocation should reference the specific authorization being revoked.

  1. A note concerning the revocation should be written on the authorization, including the effective date of the revocation. If the revocation was written on a separate piece of paper, the revocation should also be stapled to the authorization.

iv. No authorizations should be thrown out or destroyed after they have been revoked.


 

  1. Qualified Service Organizations/Business Associate Agreements:


 

  1. Certain persons or agencies that provide services to IRecover.US or its clients, including consultants and independent contractors, may be able to receive Client PHI pursuant to a Qualified Service Organization/Business Associate Agreement ("QSO/BAA"). The following exceptions should be noted:

    1. Third party payors for client billing may not enter into a QSO/BAA with IRecover.US for client billing purposes.


 

  1. The Legal Department should be contacted to ascertain whether a QSO/BAA would be appropriate and for assistance with having an appropriate QSO/BAA written.


 

  1. Court Orders and Subpoenas


 

  1. Only special kinds of court orders that meet the requirements of federal law may authorize the release of Client PHI.

  1. Subpoenas and other legal documents purporting to require the release of Client PHI should be forwarded to the Legal Department for review before any Client PHI is released in response. (Staff should also notify the Agency director and CEO regarding the receipt of such documents.)


 

  1. Reporting Crimes on Program Premises or Against Program Personnel


 

  1. When reporting a crime on the program premises or against program personnel as permitted above, only information regarding the circumstances of the crime, including the suspect's name, address, last known whereabouts, and status as a patient in the program, may be disclosed. Clinical information that is unrelated to the crime may not be disclosed.


 

  1. Client-identifying information about the victim remains confidential and should not be disclosed without the client victim's consent.


 

  1. Government Audits


 

  1. Client PHI may not be released to an official conducting an audit on behalf of a government agency, unless:

    1. The client has signed a valid written authorization (consent) that permits the release of the information to the government for audit purposes; OR

  1. The government agency auditor has signed an Audit Agreement. (A copy of the Audit Agreement is attached to this Policy.)



 

  1. Employee PHI and other Employee Information:


 

  1. Unless permitted by a written authorization that is reviewed by the Legal Department, Employee PHI may not be disclosed except to the employee to whom the information relates. However, Staff in the Human Resources Department may share Employee PHI as necessary


 

  1. All Human Resource-related forms, such as reference checks, salaries, medical information, and assessments, are strictly confidential and are not to be shared with staff outside of the Human Resources Department. Such forms shall be used for business-related purposes only by authorized staff.


 

  1. Conviction records will be used only for Human Resources purposes and only to the extent permitted by applicable law.


 

  1. Other IRecover.US Information:

 

All employees have the responsibility to avoid the unnecessary disclosure of information regarding IRecover.US' programming or business, including staff information. All employees must safeguard non-public IRecover.US activities, trade secrets, and proprietary information.


 

  1. Record-Keeping Requirements for the Security and Storage of Client PHI and Employee PHI:


 

  1. Written PHI:


 

  1. Written PHI Not In Use. All Written PHI that is not being used by IRecover.US Staff must be maintained in a secure location at all times, either:

    1. In locked file cabinets; or

  1. Behind locked doors; provided that only those IRecover.US Staff with authorization to access such Written PHI have a key to such file cabinets or doors.

  1. Certain inactive client records shall be archived pursuant to the Client Records Policy.


 

  1. Written PHI In Use. All Written PHI that is in use must be safeguarded so that unauthorized individuals, including unauthorized IRecover.US Staff, may not access such records.

    1. IRecover.US Staff may not leave Written PHI unattended in open areas.

ii.  Except for original client charts, which must remain in the facility or archived appropriately, Written PHI may be removed from a facility by Management, or with the permission of Management, as long as the Staff removing the Written PHI complies with the security and storage requirements of this Policy.

  1. Written PHI may also leave the facility if:

    1. It is sealed in an envelope or container that does not have any Client PHI on the outside;

  1. It is properly addressed to an authorized recipient of the Client PHI; and

  1. It is being transported by delivery service, mail, or trustworthy messenger.


 

  1. Disposal of PHI. Any Written PHI being disposed of must be shredded or destroyed in a manner that makes the PHI unrecoverable. Applicable record retention requirements must be met when disposing of IRecover.US records.


 

  1. Transporting Written PHI. Any Written PHI must be transported in a sealed envelope that does not contain any client identifying information on the outside.

1. Client records being transported to archives must be transported pursuant to the Client Records Policy.


 

  1. Faxes. IRecover.US Staff who fax documents containing Written PHI shall be certain that only those persons who are authorized by this Policy to receive the Written PHI will receive the fax.


 

  1. Faxes shall not be sent to fax numbers where the documents might remain open to inspection by unauthorized IRecover.US Staff or third parties who are not authorized to receive PHI.


 

  1. Privacy Rights of Clients:


 

  1. IRecover.US must provide all clients with a Notice that describes how their client PHI may be used and informs them of the following individual rights:


 

  1. The right to request restrictions on certain uses and disclosures of their Client PHI;

  1. The right to request that IRecover.US Treatment Staff communicates with the client by alternative means or at an alternative location;

  1. The right to inspect and copy a client's own health information, provided such a request is made in writing;

  1. The right to request an amendment to the client's records;

  1. The right to request and receive an accounting of the disclosures made by IRecover.US in the past 6 years;

  1. The right to complain to the company and the Secretary of the United States Department of Health and Human Services if the client believes that his/her privacy rights have been violated and the right not to be retaliated against for filing such a complaint; and

  1. The right to contact the company for further information.


 

  1. Any IRecover.US Staff who receives a request or complaint from a client related to the rights of clients set forth above shall immediately forward the request or complaint to the Director who shall respond within thirty (30) days in consultation with the Legal Department, if necessary.


 

  1. Documentation of all requests or complaints and IRecover.US' response to such requests or complaints must be maintained in the appropriate client's file and copies shall be forwarded to the appropriate compliance officer.


 

  1. Documentation that each client received the notice must be maintained in each client's chart.


 

  1. The Client Notice must be posted in a clear and prominent location in each facility where clients are receiving services.


 

  1. Retaliation against a client for his/her exercise of any of the aforementioned rights is strictly prohibited.



 

  1. Training of Staff:


 

  1. Each new IRecover.US Staff, including interns, volunteers, and temporary staff, must complete appropriate training on the IRecover.US Confidentiality Policy within two weeks of his/her start date.


 

  1. The supervisor of each new staff is required to ensure that such training is completed, either through the orientation conducted by the Human Resources Department or by making other arrangements for appropriate training.


 

  1. All documentation of employee training, including a signed acknowledgement that this Policy has been received and will be read, shall be maintained by the Human Resources Department.


 

  1. All consultants must sign a consultant agreement.



 

  1. Complaints:


 

  1. Any complaints concerning violations of this Policy shall be directed to the Quality Assurance Committee.


 

  1. The Quality Assurance Committee shall document all complaints received and the disposition, if any.


 

  1. Retaliation against a person who files a complaint regarding violations of this Policy is strictly prohibited.


 

  1. Violations of Policy:


 

  1. When Client PHI or Employee PHI is disclosed or used in violation of this Policy, steps must be taken to mitigate, to the extent practicable, any harmful effect caused by such disclosure or use.


 

  1. Any violations of this Policy must be documented and maintained in the Agency director's Office.


 

  1. Appropriate disciplinary action must be taken against any Staff who fails to comply with this Policy. Documentation of such disciplinary action must be maintained in the Staff's personnel file, with a copy forwarded to the Agency director.


 

  1. An accounting must be maintained of any unauthorized disclosures as required.



 

  1. Implementation.


 

  1. Maintenance of Records. A written record of the designation of any Quality Assurance Officer shall be maintained in the office of the Agency director for at least a year after the designation is made and stored offsite at facility storage for the remainder of six years.


 

  1. Responsibilities of Privacy Official. Each Quality Assurance Officer shall be responsible for implementing this Policy as applicable, by:


 

  1. Ensuring that the accounting requirements of this Policy are being fulfilled.


 

  1. Ensuring that the proper written authorization (consent) forms and client notices are being utilized.


 

  1. Ensuring that records are stored in compliance with the record-keeping requirements of this Policy, including the development of additional policies and procedures which more directly respond to the physical surroundings of the program.


 

  1. Ensuring that violations of this Policy are responded to in accordance with this Policy.


 

  1. Ensuring that all other staff understands their implementation obligations under this Policy, including the training requirements; and


 

  1. Answering staff questions about compliance with this Policy, in consultation with the Agency director, when necessary.


 

  1. Responsibilities of Agency director. The Agency director is responsible for:


 

  1. Updating this Policy, as needed, and ensuring that it is fully accessible to all IRecover.US Staff.


 

  1. Ensuring that all staff receive and understand this Policy and any changes to this Policy; and


 

  1. Monitoring implementation and regional compliance.
