The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) establishes, for the first time, a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).1 The Privacy Rule standards address the use and disclosure of individuals’ health information—called “protected health information” by organizations subject to the Privacy Rule — called “covered entities,” as well as standards for individuals' privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (“OCR”) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.
Privacy & Confidentiality Policy
Confidentiality Regulations: Federal confidentiality regulations require that participants receive a written summary of their rights.
- During program in-processing, participants will review and sign a copy of “Participant Rights”.
- A copy of “Participant Rights” will be posted on the staff bulletin board.
- A copy of “Participant Rights” will be maintained in the staff Policy and Procedures manual.
This privacy notice tells you how treatment/medical information about you can be used and disclosed, and how you can get access to this information. Please read it carefully. If you have any questions, please contact our Administrative Office.
Privacy: The Privacy Act and Freedom of Information Act (See below) sets forth a series of requirements governing federal agency record keeping practices intended to safeguard individuals against invasions of personal privacy. The determination of what information may be released requires RHP staff to have a basic understanding of both the FOIA and the Privacy Act. Staff also should be aware that the Privacy Act establishes criminal penalties and civil liabilities for unauthorized disclosures. All staffs and participants must familiarize themselves with the RHP Notice of Privacy Practices.
In order to release information to a participant's employer and other third parties, RHP staff will obtain a release from the participant. Likewise, participants shall acknowledge other conditions of residence in a center program which include, but are not limited to, urine testing, subsistence collection, medical treatment, and an agreement to abide by posted regulations. RHP staff will not release information to any individual unless the subject of the request has provided written consent and the Executive Director or designee has granted permission.
The following web pages are to be referenced by RHP staff for information about security laws:
- The Freedom of Information Act, 5 U.S.C. § 552, As Amended By Public Law No. 104-231, 110 Stat. 3048. http://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htm
- THE PRIVACY ACT OF 1974, 5 U.S.C. § 552a, As Amended. http://www.usdoj.gov/04foia/privstat.htm
Effectively protecting the confidentiality of individually identifiable data requires uniform and comprehensive practices by all agency staff/employees. See Best Practices Assurance of Confidentiality and Security Agreement in Operations Manual, “Personnel Policies.”
THIS NOTICE DESCRIBES HOW MEDICAL AND DRUG AND ALCOHOL RELATED INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY:
General Information: Information regarding your health care, including payment for health care, is protected by two federal laws: the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), 42 U.S.C. & 1320d et seq., 45 C.F.R. Parts 160 & 164, and the Confidentiality Law, 42 U.S.C & 290dd-2, 42 C.F.R. Part 2. Under these laws, Reality House may not say to a person outside Reality House that you attend the program, nor may Reality House disclose any information except as permitted by federal law.
Reality House must obtain your written consent before it can disclose information about you for payment process. For example, Reality House must obtain your written consent before it can disclose information to your health insurer in order to be paid for services. Generally, you must also sign a written consent before Reality House can share information for treatment purposes or for health care operations. However, federal law permits Reality House to disclose information without your written permission:
- Pursuant to an agreement with a Qualified Service Organization;
- For research, audit or evaluations;
- To report a crime committed on Reality House’s premises or against Reality House personnel;
- To medical personnel in a medical emergency;
- To appropriate authorities to report suspected child abuse or neglect;
- As allowed by a court order.
For example, Reality House can disclose information without your consent to obtain legal or financial services, or to another medical facility to provide health care to you, as long as there is a Qualified Service Organization Agreement in place.
Before Reality House can use or disclose any information about your health in a manner which is not described above, it must obtain your specific written consent allowing it to make the disclosure. Any such written consent may be revoked by you in writing.
Your Rights: Under HIPAA you have the right to request restrictions on certain uses and disclosures of your health information. Reality House is not required to agree to any restrictions you request, but if it does agree then it is bound by that agreement and may not use or disclose any information which you have restricted except as necessary in a medical emergency. You have the right to request that we communicate with you by alternative means or at an alternative location. Reality House will accommodate such requests that are reasonable and will not request an explanation from you. Under HIPAA you also have the right to inspect and copy your own health information maintained by Reality House, except to the extent that the information contains psychotherapy notes or information compiled for use in a civil, criminal or administrative proceeding or in other limited circumstances. Under HIPAA you also have the right, with some exceptions, to amend health care information maintained in Reality House’s records, and to request and receive an accounting of disclosures of your health related information made by Reality House during the six years prior to your request. You also have the right to receive a paper copy of this notice.
Reality House’s Duties: Reality House is required by law to maintain the privacy of your health information and to provide you with notice of its legal duties and privacy practices with respect to your health information. Reality House is required by law to abide by the terms of this notice. Reality House reserves the right to change the terms of this notice and to make new notice provisions effective for all protected health information it maintains.
Complaints and Reporting Violations: You may complain to Reality House and the Secretary of the United States Department of Health and Human Services if you believe that your privacy rights have been violated under HIPAA. You will not be retaliated against for filing such a complaint.
Violation of the Confidentiality Law by a program is a crime. Suspected violations of the Confidentiality Law may be reported to the United States Attorney in the district where the violation occurs.
For further information contact:
Reality House Programs, Inc.
P.O. Box 1507
Columbia, MO 65205-1507
If you are receiving services available through the Missouri Department of Mental Health, you may contact and file a complaint with the department’s Participant Rights Monitor at 1-800-364-4687 or by writing:
Missouri Department of Mental Health
Participant Rights Monitor
P.O. Box 687
Jefferson City, MO 65102
All persons also have the right to file a complaint with the Office for Civil Rights, U.S. Department of Health and Human Services:
Office for Civil Rights
U.S. Dept. of Health and Human Services
200 Independence Avenue, S.W.
Room 509F, HHH Building
Washington, D.C. 20201
There will be no retaliation for filing a complaint with Reality House Programs, Inc., the Department of Mental Health, or the Office for Civil Rights.
Each new employee or volunteer of Reality House Programs, Inc. will read, understand, and sign the following agreement:
Confidentiality: Each new employee must read and sign the Best Practices Assurance of Confidentiality & Security Agreement: See the “Employee Intake” section of the Operations Manual.
- All employees sign confidentiality agreements (Best Practices Assurance of Confidentiality & Security Agreement);
- The security practices of the organization have been audited with no material findings, or, if material findings were noted, they have been corrected;
- Staff will never breach confidentiality by releasing confidential corporate or participant information (intended or unintended) to anyone who is not a RHP staff member, referral agent, or other agent with a specific need to know;
- Written Personnel Policies are in place to deal with breaches of confidentiality;
- Specific sanctions for confidentiality violation may be imposed that include employee disciplinary action and any of the following: remedial training in confidentiality, loss of certification of competency in confidentiality, prohibition from future work with confidential data at the institution, discharge;
- Access to data files is restricted to specific staff and access by unauthorized staff is not permitted (i.e.: medical, treatment, and financial);
- An individual (Joel Putnam) is designated to assure compliance with established standards.
Employee Education. Reality House Programs, Inc. can assure that it:
- Has developed and implemented education programs regarding confidentiality that includes information about the lack of security inherent in faxing, e-mailing, and other electronic data transfer;
- Reminds employees about not using names or other personal identifiers in conversations in public areas such as open labs, elevators, or hallways; and reminders to employees of their special duty to maintain confidentiality when RHP services are provided for individuals they know personally;
- Designated staff has received confidentiality training (treatment staff and HIPPA Officer);
- All staff conducts a routine evaluation of skill and performance with regard to protection of confidentiality and identifies re-training needs based on performance.
Electronic Security: Reality House Programs, Inc. has the following technical practices in place:
- Authentication of users by means of passwords or digital ID. All offices containing computers are locked when not occupied. All computers are locked with passwords installed. No identifying data is ever to be used over telephones or unsecured fax;
- Access to server controlled by means of role-based authentication/access, locked server room, and an internal firewall;
- A disaster prevention and recovery plan including adequate fire and entry alarms where data are stored; a fireproof file space for paper, routine backups of electronic data at intervals appropriate for the rote of data accrual; and offsite storage of backups;
- External firewalls in places to prevent remote access by unauthorized users;
- Virus checking is routine as are updates to the data files and engines to provide maximum protection of data files;
- System assessment including diagnostics runs and external audits conducted regularly to insure the integrity of the system;
- Data that are sent and received in conjunction with Reality House Programs, Inc. activities are electronically encrypted;
- Additional safeguards are also followed, including: maintenance of minimal data on home computer, use of electronic screen savers, and password control at home.
Paper Record Security: Reality House Programs, Inc. maintains the confidentiality of paper records by:
- Restricting access to data-storage areas, the use of locked file rooms or cabinets in limited-access areas, forms tracking log for any external disclosures, and a sign-out system for internal use of data;
- Development and implementation of policies by institutions for the secure transport of information from one physical location to another;
- Assuring confidentiality of written evidence that a patient is on a specific research study; for example, logs or lists of screened individuals or participants should not be left out on desks or in other open-access areas;
- Situating FAX machines in secure or limited-access areas; use of pre-coded phone number to eliminate dialing errors; cover sheets so data are not physically exposed; testing FAX machines to insure correct number and function; and de-programming FAX memory storage after use to prevent recovery of confidential information;
- Reality House employs 3rd party incineration procedures for disposal of sensitive (containing participant or corporate sensitive data) documents after use;
- Hardcopy information of sensitive information sent outside of Reality House is protected;
- Reality House Programs, Inc. does not release any data files to any one without written consent of an RHP Director and the participant;
- A written consent is required every time a data request is received, even if the requester has obtained previous approval or if new data ore added to a data file that was previously approved for release.
Misuse of confidential data and a breach of confidentiality is a serious offense. Employees who violate the aforementioned policies and procedures will be disciplined by their Reality House supervisor and may be terminated from employment with Reality House Programs, Inc.
Who will follow this notice?
Reality House Programs provides treatment to our patients, residents, and clients working with counselors and other professionals and organizations. The list below tells you who will follow the outlined practice for keeping your data private.
Any treatment professional that treat you at any of our locations.
All areas and units of our organization,
All employees, staff, volunteers or students of our organization.
Any business associate or partner of Reality House Programs with whom we share treatment information.
Our pledge to you.
We understand that treatment data about you is private. We promise to protect this data. We make a record of the care and service you receive so we can provide good care and to comply with legal rules. This notice applies to all of your treatment records that we maintain, whether they were made by our staff or by your own doctor. Your doctor may have other rules or a notice about use and release of your treatment record kept in their office.
By law we must:
- Keep your treatment data private.
- Give you this notice of our legal duties and our practice of keeping your treatment data private.
- Follow terms of the notice in effect at the current time.
Changes to this Notice.
We may change our policies at any time. Changes will apply to treatment data we have on file, as well as new data we record after the notice is changed. Before we make a major change in our policies, we will change our notice and post the new notice in waiting areas, exam rooms, and on our Web site at http://www.realityhouse.org. You can get a copy of the current notice any time. The date it went into effect is listed just below the title. You will be offered a copy of the current notice each time you come to our facilities for treatment. You will also be asked to sign your name to show that you received this notice.
How we are allowed to use and disclose your treatment data?
We may use and disclose your treatment data for:
Treatment; such as sending your treatment data to a criminal justice system representative, doctor or other treatment facility when you are referred to them.
To obtain payment for treatment (such as sending billing information to your insurance company or Medicare or Medicaid); and
To support our treatment care efforts. Subject to certain rules, we may use or disclose your treatment data without your prior permission for other reasons:
- Public health issues
- Report abuse or neglect
- In an emergency
When required to by law, we also may disclose treatment data. In certain cases we must respond to requests from law enforcement officials or valid court orders.
We may disclose treatment data about you to a friend, family member, or referral person (i.e.; judge) who is involved in your treatment. Your treatment data may also be disclosed to disaster relief authorities so they can contact your family to tell them where you are and how you are doing.
Other uses of treatment data.
In any other situation not covered by this notice, we will ask for your written permission before we use or disclose your treatment data. If you choose to permit us to use or disclose this data, you can later revoke that permission by telling us about your decision in writing on our "Informed Consent Form."
What are your rights about your treatment data?
In most cases, you may make a written request to look at, or get a copy of your data we use to make choices for your care. If you request copies, we may charge a fee for the cost of copying, mailing or other related supplies. If we deny your request to review or obtain a copy, you may submit a written request to the Reality House Programs Executive Director for a review of that decision.
If you think that data in your record is wrong or if important items are missing, you have the right to request that we correct the records. You may submit a written request providing your reason for requesting the change. We could deny your request to amend a record if it was not created by us; if it is not part of the data maintained by us; or if we decide that the record is correct. You may submit a written appeal to the Reality House Programs Executive Director if we decide not to amend a record.
You have the right to receive a list showing where we have disclosed treatment data about you, other than for treatment, payment, treatment operations, or where you gave written permission. The request must state the time period you want us to include. You have the right to request that your treatment data be given to you in a private manner.
You may request, in writing, that we not use or disclose your treatment data for treatment, payment or healthier operations; or to persons involved in your care except when specifically authorized by you; when required by law; or in an emergency. We will review your request but we are not required by law to accept it. We will inform you of our decision on your request. All written requests or appeals should be submitted to our Administrative Office listed at the bottom of this notice.
If you are concerned that your privacy rights may have been violated; or you disagree with a decision we made about access to your records; you may contact our Administrative Office, P.O. Box 1507, Columbia, MO 65205-1507 at (573) 449-8117.
You may also contact State Department of Health, Bureau of Health Facility Regulation: 1-573-751-6302 and/or the State Attorney General's Office Consumer Hot Line: 1-800-392-8222 for more help.
You may send a written complaint to the U.S. Department of Health and Human Services Office of Civil Rights. Our Administrative Office can give you the address.
We will not punish you or take action against you if you file a complaint.
RHP Privacy Compliance Policy
Specific regulations have been established by the federal government to protect the privacy of individually identifiable health information. To comply with these regulations, Reality House Programs, Inc (RHP) has adopted a set of policies and procedures to address our clients’ privacy needs.
These policies and procedures are in accordance with the HIPAA Privacy Rule, promulgated under the Health Insurance Portability and Accountability Act (HIPAA), and the Federal Confidentiality of Alcohol and Drug Abuse Patient Records statute and its implementing regulations, 42 C.F.R. Part 2. The HIPAA Privacy Rule applies to a wide variety of health plans and providers, called “covered entities.” Reality House Programs, Inc is a covered entity and, as such, is subject to HIPAA’s Privacy Rule.