The Hope Ranch Recovery

Privacy Policy

HIPAA


POLICY
Hope Ranch shall enforce all regulations set forth by HIPAA law to protect all persons’ health information regardless of format, type of communication, or content. The organization has in place all standards for 42 CFR, Pt 2 and HIPAA to uphold all confidentiality laws.

Procedure
Health Insurance Portability and Accountability Act (HIPAA) Overview
The final privacy standards adopted by the U.S. Dept. of Health and Human Services (HHS) took effect for most covered health care entities on April 14, 2003. For providers of alcohol and drug treatment services, 42 CFR, chapter 1, part 2 (Confidentiality of Alcohol and Drug Abuse Records) still is in force (see page 3).

HIPAA Standards for Privacy of Individually Identifiable Health Information
In general, the federal Standards for Privacy of Individually Identifiable Health Information, also known as the HIPAA Privacy Rule (45 CFR Part 160-164), require that:

An individual patient has a right to a notice as to the uses and disclosures of protected health information that may be made by the covered health care entity, as well as to the individual's rights, and to the covered entity's legal duties with respect to protected health information.

In general, the content of the notice must contain:
1) A header "THIS NOTICE DESCRIBES HOW INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."
2) A description, including at least one example of the types of uses and disclosures that the covered entity is permitted to make for treatment, payment, and healthcare operations.
3) A description of each of the other purposes for which the covered entity is permitted or required to use or disclose protected health information without the individual's written consent or authorization.
4) A statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such authorization.
5) When applicable, separate statements that the covered entity may contact the individual to provide appointment reminders or information about treatment alternatives or other continuing care health-related benefits and services that may be of interest to the individual.
6) A statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights including:
a) The right to request restrictions on certain uses and disclosures as provided by 45 CFR 164.522(a), including a statement that the covered entity is not required to agree to a requested restriction
b) The right to receive confidential communications of protected health information as provided by 164.522(b), as applicable
c) The right to inspect and obtain a paper or electronic copy of protected health information as provided by 164.524
d) The right to amend protected health information as provided in 164.526
e) The right to receive an accounting of disclosures as provided in 164.528
f) The right to obtain a paper copy of the notice upon request as provided in 164.520
7) A statement that the covered entity is required by law to maintain the privacy of protected health information and to provide individuals with a notice of its legal duties and privacy practices with respect to protected health information.
8) A statement that the covered entity is required to abide by the terms of the notice currently in effect.
9) A statement that the covered entity cannot use or disclose an individual's health information for marketing purposes without consent.
10) A statement that the covered entity will not sell protected health information without the individual’s consent.
11) A statement that the covered entity has the right to restrict certain disclosures of health information to a health plan when they pay out of pocket expenses in full for healthcare items or services.
12) A statement that the covered entity will notify individuals and the Department of Health and Human Services if it is determined through risk analysis that a breach of their health information occurred.
13) A statement that the covered entity reserves the right to change the terms of its notice and to make the new notice provisions effective for all protected health information that it maintains.
14) A statement describing how it will provide individuals with a revised notice.
15) A statement that individuals may complain to the covered entity and to the Secretary of Health and Human Services if they believe their privacy rights have been violated; a brief description as to how one files a complaint with the covered entity; and a statement that the individual will not be retaliated against for filing a complaint.
16) The name or title, and telephone number of a person or office to contact for further information.
17) An effective date, which may not be earlier than the date on which the notice is printed or otherwise published.
18) In the preamble to the August 14, 2002, final rule, the government encourages the use of a "layered notice." A layered notice consists of a short notice that briefly summarizes the individual's rights and other information, followed by a longer notice layered beneath that explains all the required notice elements.
19) A covered healthcare entity that is required to have a notice may not use or disclose protected health information in a manner inconsistent with such notice.
20) A covered healthcare provider with a direct treatment relationship with an individual must:
a) Provide the notice no later than the date of the first service delivery, including service delivered electronically, or in an emergency treatment situation, as soon as reasonably practicable after the emergency.
b) Have the notice available at the service delivery site for individuals to request and take with them.
c) Post the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered healthcare provider to be able to read the notice.

Except in an emergency situation, the covered entity must make a good faith effort to obtain written acknowledgement of receipt of the notice. If it is not obtained, document the good faith effort and the reason why the acknowledgement was not obtained. If the notice is mailed, along with an acknowledgement form, the covered entity is not required to follow up to ensure the individual returns the acknowledgement form. A covered healthcare entity that maintains a Web site that provides information about the covered entity's customer services or benefits must prominently post its notice on its Web site.

The covered entity may provide the notice by email if the individual agrees and agreement has not been withdrawn. If the covered entity knows that the e-mail transmission has failed, a paper copy of the notice must be provided to the individual. According to the August 14, 2002 final rule preamble, the Department of Health and Human Services believes that providers who provide notices electronically should be capable of capturing the individual's acknowledgement of receipt electronically in response to that transmission. The covered entity must promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the individual's rights, the covered entity's legal duties, or other privacy practices stated in the notice. Except when required by law, a material change to any term of the notice may not be implemented prior to the effective date of the notice in which such material change is reflected.

A covered healthcare entity must document compliance with the notice requirements by retaining copies of the notices issued and acknowledgements received.

Confidentiality of Drug and Alcohol Patient Records per 42 CFR, Chapter 1, Part 2
The Confidentiality of Alcohol and Drug Abuse Patient Records rules (42 CFR, Chapter 1, Part 2) establish the following notice provisions for patients of federally assisted drug or alcohol abuse programs:

At the time of admission or as soon thereafter as the patient is capable of rational communication, each substance abuse program shall communicate to the patient that federal law and regulations protect the confidentiality of alcohol and drug abuse patient records. The program must also provide the patient with a written summary of the federal law and regulations. The written summary of the federal law and regulations must include:
a) A general description of the limited circumstances under which a program may acknowledge that an individual is present at a facility or disclose outside the program information identifying a patient as an alcohol or drug abuser.
b) A statement that violation of the federal law and regulations by a program is a crime and that suspected violations may be reported to appropriate authorities in accordance with these regulations.
c) A statement that information related to a patient's commission of a crime on the premises of the program or against personnel of the program is not protected.
d) A statement that reports of suspected child abuse and neglect made under State law to appropriate State or local authorities are not protected.
e) A citation to the federal law and regulations.

The program may devise its own notice or use a sample notice. In addition, the program may include in the written summary information concerning State law and any program policy not inconsistent with State and federal law on the subject of confidentiality of alcohol and drug abuse patient records.

State Requirements
Some states have laws or regulations and provide specific requirements for a notice of health information practices.

Privacy Recommendations
1) Identify applicable notice requirements in both federal and state law.
2) Collect sample notices from associations and other organizations.
3) Identify the way information is used and disclosed in your organization.
4) Decide whether your organization will participate in an organized healthcare arrangement.
5) Assign an individual or department to serve as an initial point of contact for individuals requesting additional information or who would like to file a complaint relative to information privacy practices.
6) Decide how material changes in the notice will be communicated.
7) Although not a required element, consider providing space on the notice to allow an individual to request a restriction to the uses and disclosures of his or her health information.
8) Decide whether your organization will provide space for the acknowledgement on the notice or on a separate form.
9) Draft a notice that complies with federal and state law and regulations and accurately describes your organization's health information practices. (Although models are helpful, they cannot be used without adapting them to reflect actual practices in your organization.)
10) Decide whether to place a copy of the current notice in the individual's record with the individual's acknowledgement or simply to maintain a copy of each version of the notice with the dates it was in effect in a separate file.
11) Ask legal counsel to help develop or review the notice.
12) Generate policies and procedures relative to the notice.
13) Educate and train staff. Post the notice and make copies available for distribution where notice acknowledgements are obtained to implement and monitor compliance.

Prior to making material changes in information practices, generate a new notice and provide that new notice to individuals about whom protected health information is maintained.

HIPAA Security Standards
Under the final HIPAA security standards published in February 2003, health insurers, certain health care providers and health care clearinghouses must establish procedures and mechanisms to protect the confidentiality, integrity and availability of electronic protected health information. The rule requires covered entities to implement administrative, physical and technical safeguards to protect electronic protected health information in their care.

The new security standards work in concert with the final privacy standards adopted by HHS. The two sets of standards use many of the same terms and definitions in order to make it easier for covered entities to comply. Covered healthcare entities were required to comply with the security standards by April 21, 2005. Small health plans had an additional year to comply.

References
Public Health Service, Department of Health and Human Services. "Confidentiality of Alcohol and Drug Abuse Patient Records." Code of Federal Regulations, 2000. 42 CFR, Chapter I, Part 2.
"Standards for Privacy of Individually Identifiable Health Information: Final Rule." 45 CFR Parts 160 and 164. Federal Register 67. No. 157 (August 14, 2002).
American Health Information Management Association Practice Brief, "Notice of Information Practices" (Updated November 2002)

Accounting of Disclosures of Protected Health Information

This organization, in abiding by HIPAA Standards for Privacy of Individually Identifiable Health Information (45 CFR Parts 160 and 164), will keep an accounting of disclosures of protected health information made by this organization except for disclosures to carry out treatment, payment and health care operations. This was effective starting April 14, 2003, for all individual patient records. (See accompanying attachment excerpted from HIPAA Privacy Regulation Text, Section 164.528 “Accounting of disclosures of protected health information”)

In most cases, a specified authorization, signed by the patient, approving release of Alcohol and Drug Abuse Records (per 42 CFR, Chapter 1, Part 2) is the recommended avenue to be utilized for disclosure of Protected Health Information (PHI).

A disclosure log will be maintained by a designated individual within the electronic medical record system. “An Accounting Record of Accesses to Patient Protected Health Information (PHI) for Reasons Unrelated to Treatment, Payment or Healthcare Operations (Non TPO Disclosures)” may be used for this purpose. The log will describe:
a) Date of Access
b) Name of person who accessed the Chart
c) Who (specifically) the PHI was released to
d) Patient Name (top of log is sufficient)
e) Reason for the Disclosure
f) What specific PHI was disclosed?
g) If a specified Consent is utilized for release of information for TPO, the original is placed in the chart.

§164.506 Uses and disclosures to carry out treatment, payment, or health care operations.

Standard: Permitted uses and disclosures. Except with respect to uses or disclosures that require an authorization under §164.508(a) (2) and (3), a covered entity may use or disclose protected health information for treatment, payment, or health care operations as set forth in paragraph (c) of this section, provided that such use or disclosure is consistent with other applicable requirements of this subpart.

Standard: Consent for uses and disclosures permitted.
1) A covered entity may obtain consent of the individual to use or disclose protected health information to carry out treatment, payment or health care operations.
a. Consent, under paragraph (b) of this section, shall not be effective to permit a use or disclosure of protected health information when an authorization, under §164.508, is required or when another condition must be met for such use or disclosure to be permissible under this subpart.
2) Implementation specifications
3) Treatment, payment or health care operations.
a. A covered entity may use or disclose protected health information for its own treatment, payment or health care operations.
4) A covered entity may disclose protected health information for treatment of a healthcare provider.
5) A covered entity may disclose protected health information to another covered entity or a health care provider for the payment activities of the entity that receives the information.
6) A covered entity may disclose protected health information to another covered entity for health care operations activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the protected health information being requested, the protected health information pertains to such relationship, and the disclosure is:
a. For a purpose listed in paragraph (1) or (2) of the definition of health care operations; or
b. For the purpose of health care fraud and abuse detection or compliance.
(5) A covered entity that participates in an organized health care arrangement may disclose protected health information about an individual to another covered entity that participates in the organized health care arrangement for any health care operations activities of the organized health care arrangement.

§164.508 Uses and disclosures for which an authorization is required.

Standard: authorizations for uses and disclosures.

1) Authorization required: general rule. Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization.
2) Authorization required: psychotherapy notes. Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except:
a. To carry out the following treatment, payment, or health care operations:
i. Use by the originator of the psychotherapy notes for treatment;
ii. Use or disclosure by the covered entity for its own training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling; or
iii. Use or disclosure by the covered entity to defend itself in a legal action or other proceeding brought by the individual; and
b. A use or disclosure that is required by §164.502(a)(2)(ii) or permitted by §164.512(a); §164.512(d) with respect to the oversight of the originator of the psychotherapy notes; §164.512(g)(1); or §164.512(j)(1)(i).
3) Authorization required: Marketing. 
a. Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of protected health information for marketing, except if the communication is in the form of:
i. A face-to-face communication made by a covered entity to an individual; or
ii. A promotional gift of nominal value provided by the covered entity.
b. If the marketing involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved.
4) Implementation specifications: general requirements.
a. Valid authorizations
i. A valid authorization is a document that meets the requirements in paragraphs (A)(3)(ii), (C)(1), and (C)(2) of this section, as applicable.
ii. A valid authorization may contain elements or information in addition to the elements required by this section, provided that such additional elements or information are not inconsistent with the elements required by this section.
5) Defective authorizations. An authorization is not valid, if the document submitted has any of the following defects:
a. The expiration date has passed, or the expiration event is known by the covered entity to have occurred.
b. The authorization has not been filled out completely, with respect to an element described by paragraph C of this section, if applicable.
c. The authorization is known by the covered entity to have been revoked.
d. The authorization violates paragraph (B)(3) or (4) of this section, if applicable.
e. Any material information in the authorization is known by the covered entity to be false.
6) Compound authorizations. An authorization for use or disclosure of protected health information may not be combined with any other document to create a compound authorization, except as follows:
a. An authorization for the use or disclosure of protected health information for a research study may be combined with any other type of written permission for the same research study, including another authorization for the use or disclosure of protected health information for such research or a consent to participate in such research;
b. An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for a use or disclosure of psychotherapy notes;
c. An authorization under this section, other than an authorization for a use or disclosure of psychotherapy notes, may be combined with any other such authorization under this section, except when a covered entity has conditioned the provision of treatment, payment, enrollment in the health plan, or eligibility for benefits under paragraph (B)(4) of this section on the provision of one of the authorizations. 
7) Prohibition on conditioning of authorizations. A covered entity may not condition the provision to an individual of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization, except:
a. A covered health care provider may condition the provision of research-related treatment on provision of an authorization for the use or disclosure of protected health information for such research under this section;
b. A health plan may condition enrollment in the health plan or eligibility for benefits on provision of an authorization requested by the health plan prior to an individual’s enrollment in the health plan, if:
i. The authorization sought is for the health plan’s eligibility or enrollment determinations relating to the individual or for its underwriting or risk rating determinations; and
ii. The authorization is not for a use or disclosure of psychotherapy notes under paragraph (a)(2) of this section; and
c. A covered entity may condition the provision of health care that is solely for the purpose of creating protected health information for disclosure to a third party on provision of an authorization for the disclosure of the protected health information to such third party.
8) Revocation of authorizations. An individual may revoke an authorization provided under this section at any time, provided that the revocation is in writing, except to the extent that:
a. The covered entity has taken action in reliance thereon; or
b. If the authorization was obtained as a condition of obtaining insurance coverage, other law provides the insurer with the right to contest a claim under the policy or the policy itself.
9) Documentation. A covered entity must document and retain any signed authorization under this section as required by §164.530(j).

Health Care Operations means any of the following activities of the covered entity to the extent that the activities are related to covered functions:
1) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and clients with information about treatment alternatives; and related functions that do not include treatment;
2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;
3) Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of §164.514(g) are met, if applicable;
4) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
5) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and
6) Business management and general administrative activities of the entity, including, but not limited to:
a. Management activities relating to implementation of and compliance with the requirements of this subchapter;
b. Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holders, plan sponsor, or customer.
c. Resolution of internal grievances.
d. The sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity; and
e. Consistent with the applicable requirements of §164.514, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.

Health Oversight Agency
Means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

Reference
Standards for Privacy of Individually Identifiable Health Information Regulation Text, as amended August 14, 2002
U.S. Department of Health and Human Services Office for Civil Rights

HIPAA – Posting Notice of Health Information Practices 
It is the policy of this organization to publicly post a “Notice of Health Information Practices” at all Facilities and Programs and to furnish a copy of this notice to the persons served (clients).

As of April 14, 2003, pursuant to 45 CFR, Parts 160 and 164, also known as the Health Insurance Portability and Accountability Act, all Facilities and Programs must:
1) Post in a conspicuous public place, the following attached “Notice of Health Information Practices”
2) Furnish a copy of this notice to all patients served that explains:
a. The Patient Health Information Rights and
b. Our responsibilities under the HIPAA Standards for Privacy of Individually Identifiable Health Information
c. How to report a problem regarding the privacy of health information

See attached sample “Notice of Health Information Practices”

Notice of Health Information Practices

THIS NOTICE DESCRIBES HOW INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

EFFECTIVE DATE: APRIL 14, 2003 (REVISED: SEPTEMBER 23, 2013)

Understanding Your Health Record / Information
Your client / patient medical record contains information about your health history, symptoms, examination and test results, diagnoses, treatment, and a plan for future care or treatment. This information serves as a:
1) basis for planning your care and treatment
2) means of communication among the many health professionals who contribute to your care
3) legal document describing the care you received
4) means by which you or a third-party payer can verify that services billed were actually provided
5) a tool in educating health professionals.
6) a source of data for medical research.
7) a source of information for public health officials charged with improving the health of the nation.
8) a source of data for facility planning and marketing and
9) a tool with which we can assess and continually work to improve the care we render and the outcomes we achieve

Understanding what is in your record and how your health information is used helps you to:
 1) ensure its accuracy
2) better understand who, what, when, where and why others may access your health information
3) make more informed decisions when authorizing disclosure to others

Your Health Information Rights:

Although your health record is the physical property of the healthcare practitioner or facility that compiled it, the information belongs to you. You have the right to:
1) request a restriction on certain uses and disclosures of your information as provided by 45 CFR 164.522 and 42 CFR, Chapter 1, Part 2
2) obtain a paper copy of the notice of information practices upon request
3) inspect and obtain a paper or electronic copy of your health record as provided for in 45 CFR 164.524
4) amend your health record as provided in 45 CFR 164.528
5) obtain an accounting of disclosures of your health information as provided in 45 CFR 164.528
6) request communications of your health information by alternative means or at alternative locations
7) revoke your authorization to use or disclose health information except to the extent that action has already been taken

Our Responsibilities: This organization is required to:
1) maintain the privacy of your health information
2) provide you with a notice as to our legal duties and privacy practices with respect to information we collect and maintain about you
3) abide by the terms of this notice
4) notify you if we are unable to agree to a requested restriction
5) accommodate reasonable requests you may have to communicate personal health information by alternative means or at alternative locations
6) notify you and the Dept. of Health and Human Services if it is determined through a risk analysis that a breach of your health information occurred

We reserve the right to change our practices and to make the new provisions effective for all protected health information we maintain. Should our information practices change, we are required to distribute the modified version to new clients / patients on or after the date of modification. We will not use or disclose your health information without your authorization, except as described in this notice.

For More Information or to Report a Problem
If you have questions and would like additional information, you may contact the Compliance Designee of Hope Ranch. If you believe your privacy rights have been violated, you can file a complaint with the Dept. of Health and Human Services / Office for Civil Rights by email at ocrcomplaint@hhs.gov or by calling the national Office at 202-205-8725 and asking for the OCR Health Information Privacy Complaint Form and / or for the appropriate Regional OCR Office. There will be no retaliation for filing a complaint.

Examples of Disclosures for Treatment, Payment and Health Operations 
We will use your health information for treatment. For example: Information obtained by a counselor, physician, or other member of your treatment care team will be recorded in your record and used to determine the course of treatment that should work best for you.

With your consent, we also provide an individual such as a physician or an entity such as a subsequent healthcare provider with copies of your diagnosis, various reports, assessments, and summaries, including psychotherapy notes where appropriate, that should assist him / her or the entity treating you once you are discharged from this program. Without your consent, we will not use or disclose your health information for marketing purposes, and we will not sell your health information. Other uses and disclosures not described in this Notice of Health Information Practices will only be made with your consent.

With your consent we will use your health information for payment. For example: A bill may be sent to you or a third-party payer.

The information on or accompanying the bill may include information that identifies you, as well as your diagnosis and descriptions of treatment methods and procedures used. You have the right to restrict certain disclosures of health information to a health plan when you pay out of pocket in full for the healthcare item or services.

We will use your health information for regular, internal health operations. For example: members of the treatment staff, the utilization review coordinator, the quality improvement manager, or members of the quality improvement team may use information in your health record to assess the care and outcomes in your case and others like it. This information will then be used in an effort to continually improve the quality and effectiveness of the treatment and service we provide.

Other Uses or Disclosures
Business Associates
There are some services provided in our organization through contacts with business associates. Examples include care by external physicians (in the event urgent or emergency care is needed), pharmacy services (filling prescriptions), and laboratory tests.

When these services are contracted, we may disclose your health information to our business associate so that they can perform the job we've asked them to do and bill for services rendered. So that your health information is protected, however, both we and the Dept. of Health and Human Services require business associates and their subcontractors to appropriately safeguard your information.

Notification
With your prior consent, in the event of an emergency or crisis, we may use or disclose your personal information to notify or assist in notifying a family member, personal representative, or another person that you designate as responsible for your continued care, your location, and general condition.

Communication with Family
With your consent, this program’s treatment personnel, using their best judgment, may disclose to a family member, other relative, close personal friend or other significant person that you identify, your personal health information that is relevant to that person's involvement in your care – or for payment needs related to your care.

Un-emancipated Minor
If, and to the extent, permitted or required by an applicable provision of State or other law, including applicable case law, this organization’s treatment representative may disclose and provide access to protected health information about the un-emancipated minor to the parent or legal guardian, or other person acting in loco parentis.

Research
With your consent, we may disclose information to researchers when their research has been approved by an Institutional Review Board, which has reviewed the research proposal and has established specific protocols to ensure the confidentiality of your health information.

Continuing Care and/or Marketing
With your prior consent, we may contact you to provide appointment reminders or information about continuing care or other related benefits and services that may be of interest to you.

Food and Drug Administration (FDA)
We may disclose to the FDA health information relative to adverse events with respect to food, supplements, product and product defects or other information to enable the FDA to notify patients and physicians about emerging dangers.

Disability Insurance and Workers Compensation
With your consent, we may disclose the minimum health information needed to the extent authorized by and to the extent necessary to comply with laws relating to disability and workers compensation or other similar programs established by law.

Public Health
With your consent and if required by law, we may disclose the minimum necessary health information to public health or legal authorities charged with preventing or controlling disease, injury or disability.

Law Enforcement
We may disclose health information for law enforcement per 42 CFR: Chapter 1, Part 2 (see Notice of “Confidentiality of Alcohol and Drug Abuse Patient Records”). Federal law makes provision for your health information to be released to an appropriate health oversight agency, public health authority or attorney, provided that a workforce member or business associate believes in good faith that we have engaged in unlawful conduct or have otherwise violated professional or clinical standards and are potentially endangering you or patients, workers or the public. In this case, a court order is required per 42 CFR, Chapter 1, Part

This organization reserves the right to change the terms of its notice and to make the new notice provisions effective for all protected health information that it maintains. Revisions of this notice will be posted at this location and on the organization’s web site.

Reference: Health Insurance Portability and Accountability Act (45 CFR Part 160-164), HIPAA Privacy Rule – Standards for Privacy of Individually Identifiable Health Information. Adapted from the American Health Information Management Association Practice Brief, "Notice of Information Practices" (Updated November 2002); and 42 CFR, Chapter 1, Part 2: Confidentiality of Alcohol and Drug Abuse Patient Records.

HIPAA – Confidentiality and Security for Protected Health Information (PHI)
The Hope Ranch Program / Facility will document that it has established HIPAA compliant policies and procedures per 45 CFR, Parts 160 & 164; as well as maintain the confidentiality of Alcohol and Drug Abuse Patient Records per 42 CFR, Chapter 1 Part 2.

The Program / Facility will designate responsibility for the confidentiality and security for PHI by assigning an individual or organizational group to accomplish the following functions:
1) provide internal leadership for the facility’s overall privacy and security of PHI
2) implement controlling policies and procedures for who has information access to PHI
3) have mechanisms in place for information authorization practices, controls and internal audits of access to PHI
4) establish and monitor Business Associate Agreements for all active business associates
5) document procedures for processing, storing, retrieving and destroying all records that contain PHI
6) maintain secure and private workplace and workstation locations to prevent unauthorized leakage or access to PHI
7) provide physical access controls for security of PHI
8) enforce personnel disciplinary procedures for privacy and security breaches and for protection of the integrity of PHI when personnel terminate employment
9) provide ongoing education and training on privacy and security of PHI

Breach of Notification Rule
Section 13402 of the HITECH Act requires a covered entity to provide notification to affected individuals and to the Secretary of Health and Human Services (HHS) following the discovery of a breach of unsecured protected health information. In some cases, the Act requires covered entities to also provide notification of a breach to the media. In the case of breach of unsecured protected health information at a Business Associate of a covered entity, the Act requires the Business Associate to notify the covered entity.
1) For covered entities and business associates, HHS is the enforcement agent for the HIPAA Breach Notification Rule
2) The Final Rule amends the definition of "breach" at 164.402.
3) The impermissible use or disclosure of protected health information (i.e. a violation of the HIPAA Privacy Rule) is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.
4) Breach notification is not required under the Final Rule if a covered entity or business associate demonstrates through the RA, that there is a low probability that the Protected Health Information has been compromised, rather than having to demonstrate that there is no significant risk of harm to the individual, as was provided for in the Interim Final Rule.
5) The RA should consider the following factors:
(1) the nature and extent of the Protected Health Information involved, including the types of identifiers and the likelihood of re-identification;
(2) the unauthorized person who used the Protected Health Information or to whom the Protected Health Information was disclosed;
(3) whether the Protected Health Information was actually acquired or viewed; and
(4) the extent to which the risk to the Protected Health Information has been mitigated.

6) Nothing prevents covered entities and business associates from providing notification for each breach without performing the RA. The RA analysis is only required if the Covered Entity or Business Associate, based on the facts, wants to demonstrate that no notification is required.
7) The final rule eliminates the exception that limited data sets that did not include dates of birth and zip codes were exempted from breach notification. Now the four-factor analysis must be performed with respect to the protected health information in question.
8) The Notice of Health Information Practices need not include a description of how the RA will be conducted.
9) Covered entities and business associates have the burden of proof, pursuant to 164.414, to demonstrate that all notifications were provided or that an impermissible use or disclosure did not constitute a breach and to maintain documentation (e.g. RA demonstrating that there was a low probability that the Protected Health Information had been compromised or that the impermissible use or disclosure fell within one of the other exceptions in the definition of breach).
10) Uses or disclosures that violate the "Minimum Necessary" principle may qualify as breaches. Such incidents must be evaluated like any other security incident.
11) The covered entity ultimately maintains the obligation to notify affected individuals of the breach under 164.404, although a covered entity is free to delegate the responsibility to the business associate that suffered the breach, or to another of its business associates.
12) The Final Rule retains 164.408(c) with one modification. The modification clarifies that Covered Entities are required to notify the Secretary of all breaches of unsecured Protected Health Information affecting fewer than 500 individuals not later than 60 days after the end of the calendar year in which the breaches were "discovered," not in which the breaches "occurred."

The HIPAA Risk Assessment and Audit will be reviewed, and revised (if needed), annually.

HIPAA – Employee Awareness and Training Regarding Protected Health Information (PHI)
It is the policy of Hope Ranch that all Programs and Facilities will operationalize and provide for employee compliance awareness and training under the HIPAA Privacy and Security Standards (45 CFR, Parts 160 & 164) for Protected Health Information (PHI) and the Federal Confidentiality Requirements for Alcohol and Drug Abuse Patient Records (42 CFR, Chapter 1, Part 2).

The Privacy Standards for HIPAA (45 CFR, Parts 160 & 164) took effect April 14, 2003. The Federal Confidentiality Requirements for Alcohol and Drug Abuse Patient Records (42 CFR, Chapter 1, Part 2) have been an ongoing practice.

Procedure
Hope Ranch may provide compliance awareness and training that fits the program orientation and the state regulatory environment in which it operates. However, the following points on confidentiality, privacy and security of Protected Health Information should be closely adhered to:

All new employees will receive the facility-appropriate education and training regarding 45 CFR, Parts 160 & 164; and 42 CFR, Chapter 1, Part 2. Hope Ranch supplied documents (attached) may be used for this purpose.
1) The entire text for HIPAA Privacy Rules 45 CFR, Parts 160 & 164 is available at: http://www.hhs.gov/ocr/combinedregtext.pdf
2) The entire text for Federal Confidentiality Laws for Alcohol and Drug Records (42 CFR, Chapter 1, Part 2) is at: http://www.access.gpo.gov/nara/cfr/waisidx_00/42cfr2_00.html

Upon hire and/or receiving education and training in confidentiality and privacy of PHI, each employee will sign a “Confidentiality Statement” as a condition of employment with the Program or Facility.

All employees of the Program or Facility will receive ongoing educational and training updates when appropriate, but at least on a yearly basis.

Criteria for Making Non-Routine Disclosures
For non-routine disclosures, a covered entity must develop criteria to limit the protected information disclosed to what is reasonably needed to accomplish the purpose of the disclosure. It is impossible to assign scientific methodology to evaluating disclosures. Non-routine requests must be reviewed against these criteria on an individual, case-by-case basis. The criteria need to be balanced against each other. For example, if there is knowledge that the individual could be significantly harmed by a disclosure, but the provider may not get reimbursed for the care, consider alternatives such as discussing alternative payment arrangements with the patient.

Screening Requests from Other Covered Entities
Under the privacy regulations, covered health entities are required to limit their requests to the minimum amount of information needed to accomplish the intended purpose. Thus, one covered entity is not required to monitor the requests received from another covered entity to ensure compliance. However, the disclosing entity should require supporting documentation for any request made by another covered entity that would involve disclosure of a complete clinical record, or for any disclosure that does not appear reasonable under the circumstances.

Covered entities may also rely on a requested disclosure as the minimum necessary for the stated purpose when making disclosures to public officials. The covered entity should verify the identity of such a person.

Limiting the decision making to individuals well trained in health information management promotes professional judgment and consistency. While qualified personnel should be able to apply institutionally agreed upon criteria to most disclosure requests, in some cases it may be best to discuss specifics with the patient's attending physician and/or case manager and to seek further representations of need to know from the person requesting the patient’s PHI.

Disclosure of an Entire Clinical Record
In compliance with the HIPAA regulations, a covered entity may not use, disclose, or request an entire clinical record, except where the entire clinical record is specifically justified as the amount reasonably necessary to accomplish the purpose.

Re-disclosure of Health Information
One of the sample criteria is the likelihood of re-disclosure. A healthcare provider's records may contain information about a patient from another healthcare provider's records. Such information may be sent with a patient who is transferred or referred to a facility for definitive treatment or continuing care.

Issues often arise regarding re-disclosure of information from other healthcare providers. Unless otherwise required by state law or regulation, the following is recommended:

Under 42 CFR, chapter 1, part 2, a provider may not re-disclose health information from another provider, unless a medical emergency exists, and the PHI is needed for the patient's continuing treatment. Otherwise, a separate specified release should be signed by the patient and be sent to the previous provider.
1) If a patient requests access to health information that was obtained from another medical provider, it may be disclosed to the patient upon written request and following the HIPAA requirements for granting access to PHI. However, highly confidential alcohol and drug abuse records and/or psychotherapy notes obtained from another provider should be excluded, with direction given to the patient to contact that provider directly to view, copy or amend those records originating from outside the facility.
2) Unless otherwise required by law, generally no other re-disclosures should be made. In response to a court order or other 42 CFR approved request for confidential alcohol and drug abuse records, the healthcare provider should not disclose information from another provider, with the exception of outside test results that were ordered by the facility (such as from a contracting reference laboratory) that have been made part of the patient's record.

Notes
1) When responding to questions on access controls, HHS refers visitors to its Web site to the National Institute of Standards and Technology (NIST) publication NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, Chapter 17, "Logical Access Control."
2) According to HHS, "This is not a strict standard and covered entities need not limit information uses or disclosures to those that are absolutely needed to serve the purpose. Rather, this is a reasonableness standard that calls for an approach consistent with the best practices and guidelines already used by many providers today to limit the unnecessary sharing of medical information." More information is available on the HHS Office for Civil Rights Web site at http://www.hhs.gov/ocr/hipaa/

Adapted from: Journal of AHIMA 73, no. 9 (2002): 96A-F. Amatayakul, Margaret; Brandt, Mary D.; and Dennis, Jill Callahan. “Implementing the Minimum Necessary Standard (AHIMA Practice Brief)."

HIPAA – Client Right to Access, Inspect and Obtain Copies of Their Records
It is the policy of this organization that its clients have a right to access, inspect and obtain a copy of their protected health information as contained in their designated records, which could include electronically stored information in electronic format, for as long as such records are maintained by the facility or program.
This right is conditioned by and pursuant to: HIPAA Standards for Privacy of Individually Identifiable Health Information, 45 CFR, Part 164.524: Access of Individuals to Protected Health Information.

If any client / person served requests to access, see and / or obtain a copy of his / her protected health information, the following general guidelines and procedures are to be followed:
1) The client will be instructed to sign a written release of records to him or herself, which will be placed in the patient’s record to serve as documentation of the request.
2) The client will be informed that, per 45 CFR, Part 2, Section 164.52, access to the record will be granted within 30 days of the receipt of the written request, unless the record is stored off site. If stored off site, the record will be obtained for inspection also within 30 days of the receipt of the
3) Fee for copying: the client will be informed that a reasonable, cost-based fee may be incurred by the client to cover the cost of copying labor and supplies, and for postage or delivery charges if the patient requests this service.
4) Denial of access: client will be informed that access to and review or copying records will be denied without opportunity for review / appeal if:
a. the Program or facility or its personnel are aware of, or reasonably anticipate, that the protected health information in the client record may be compiled for a civil, criminal, or administrative action or proceeding.
b. The protected health information in the record was obtained from someone other than a health care provider under a promise of confidentiality, and access would then be reasonably likely to reveal the source of the information.
c. the record contained information that is construed as being psychotherapy
5) Reviewable / appealable grounds for denial: client will be informed that access to and review or copying records can be denied, but with opportunity for review / appeal if:
a. the Program or facility-based health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the requesting individual, or of another individual.
b. the confidential information in the record makes reference to another person (unless such person is a health care provider) and the facility’s staff has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person; or
c. the request to access the record is made by the patient’s personal representative (such as a parent or guardian) and the Program / facility’s staff determine, in their professional judgment, that such personal representative is reasonably likely to cause substantial harm to the patient or another person as a result of seeing the protected information in the record.
6) Review / appeal of a denial to access: if denial is based on the reasons listed in #5 (a)-(c), above, the patient or personal representative has the right to have the denial reviewed by a licensed healthcare professional who is designated by the facility to act as a reviewing official and who did not participate in the original decision to deny. This designated reviewing official must determine, within a reasonable period of time, whether or not to deny follow-up access based on the standards listed in #5, as previously cited. The reviewing official must promptly provide written notice to the patient of the official determination as to whether continued denial is reasonable or access to the record is to be subsequently granted.
7) The patient has the right to amend protected health information in his / her record if such request is made in writing to the facility / keeper of the record. The procedure for accepting or denying such amendments is delineated in 45 CFR, section 164.526. (See attachment.1)
8) The Program / facility must identify and document the names / titles of the persons or offices that are responsible for receiving and processing requests for access to patient records.

HIPAA – Patient Right to Amend PHI
From: U.S. Department of Health and Human Services Office for Civil Rights Standards for Privacy of Individually Identifiable Health Information (Unofficial Version) (45 CFR Parts 160 and 164) Regulation Text (December 28, 2000) as amended: Part 160 (May 31, 2002) Parts 160, 164 (August 14, 2002) §164.526 Amendment of protected health information.
Standard: right to amend.
1) Right to amend. An individual has the right to have a covered entity amend protected health information or a record about the individual in a designated record set for as long as the protected health information is maintained in the designated record set.
2) Denial of amendment. A covered entity may deny an individual’s request for amendment, if it determines that the protected health information or record that is the subject of the request:
a. Was not created by the covered entity, unless the individual provides a reasonable basis to believe that the originator of protected health information is no longer available to act on the requested amendment.
b. Is it part of the designated record set;?
c. Would not be available for inspection under §164.524; or
d. Is accurate and complete.
3) Implementation specifications: requests for amendment and timely action.
4) Individual’s request for amendment. The covered entity must permit an individual to request that the covered entity amend the protected health information maintained in the designated record set. The covered entity may require individuals to make requests for amendment in writing and to provide a reason to support a requested amendment, provided that it informs individuals in advance of such requirements.
5) Timely action by the covered entity.
a. The covered entity must act on the individual’s request for an amendment no later than 60 days after receipt of such a request, as follows.
i. If the covered entity grants the requested amendment, in whole or in part, it must take the actions required by paragraphs (C)(1) and (2) of this section.
ii. If the covered entity denies the requested amendment, in whole or in part, it must provide the individual with a written denial, in accordance with paragraph (D)(1) of this section.
iii. If the covered entity is unable to act on the amendment within the time required by paragraph (B)(2)(i) of this section, the covered entity may extend the time for such action by no more than 30 days, provided that:
1. The covered entity, within the time limit set by paragraph (B)(2)(i) of this section, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request; and
2. The covered entity may have only one such extension of time for action on a request for an amendment.
6) Implementation specifications: accepting the amendment. If the covered entity accepts the requested amendment, in whole or in part, the covered entity must comply with the following requirements.
7) Making the amendment. The covered entity must make the appropriate amendment to the protected health information or record that is the subject of the request for amendment by, at a minimum, identifying the records in the designated record set that are affected by the amendment and appending or otherwise providing a link to the location of the amendment.
8) Informing the individual. In accordance with paragraph (B) of this section, the covered entity must timely inform the individual that the amendment is accepted and obtain the individual’s identification of an agreement to have the covered entity notify the relevant persons with which the amendment needs to be shared in accordance with paragraph (C)(3) of this section.
9) Informing others. The covered entity must make reasonable efforts to inform and provide the amendment within a reasonable time to:
a. Persons identified by the individual as having received protected health information about the individual and needing the amendment; and
b. Persons, including business associates, that the covered entity knows have the protected health information that is the subject of the amendment and that may have relied, or could foreseeably rely, on such information to the detriment of the individual.

Implementation specifications: denying the amendment. If the covered entity denies the requested amendment, in whole or in part, the covered entity must comply with the following requirements.

1) Denial. The covered entity must provide the individual with a timely, written denial, in accordance with paragraph (B)(2) of this section. The denial must use plain language and contain:
a. The basis for the denial, in accordance with paragraph (A)(2) of this section.
b. The individual’s right to submit a written statement disagreeing with the denial and how the individual may file such a statement.
c. A statement that, if the individual does not submit a statement of disagreement, the individual may request that the covered entity provide the individual’s request for amendment and the denial with any future disclosures of the protected health information that is the subject of the amendment; and
d. A description of how the individual may complain to the covered entity pursuant to the complaint procedures established in §164.530(d) or to the Secretary pursuant to the procedures established in §160.306. The description must include the name, or title, and telephone number of the contact person or office designated in §164.530(a)(1)(ii).

2) Statement of disagreement. The covered entity must permit the individual to submit to the covered entity a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such disagreement. The covered entity may reasonably limit the length of a statement of disagreement.
3) Rebuttal statement. The covered entity may prepare a written rebuttal to the individual’s statement of disagreement. Whenever such a rebuttal is prepared, the covered entity must provide a copy to the individual who submitted the statement of disagreement.
4) Record keeping. The covered entity must, as appropriate, identify the record of protected health information in the designated record set that is the subject of the disputed amendment and append or otherwise link the individual’s request for an amendment, the covered entity’s denial of the request, the individual’s statement of disagreement, if any, and the covered entity’s rebuttal, if any, to the designated record set.
5) Future disclosures.
a. If a statement of disagreement has been submitted by the individual, the covered entity must include the material appended in accordance with paragraph (d)(4) of this section, or, at the election of the covered entity, an accurate summary of any such information, with any subsequent disclosure of the protected health information to which the disagreement relates.
b. If the individual has not submitted a written statement of disagreement, the covered entity must include the individual’s request for amendment and its denial, or an accurate summary of such information, with any subsequent disclosure of the protected health information only if the individual has requested such action in accordance with paragraph (D)(1)(iii) of this section.
c. When a subsequent disclosure described in paragraph (d)(5)(i) or (ii) of this section is made using a standard transaction under part 162 of this subchapter that does not permit the additional material to be included with the disclosure, the covered entity may separately transmit the material required by paragraph (d)(5)(i) or (ii) of this section, as applicable, to the recipient of the standard transaction.
6) Implementation specification: actions on notices of amendment. A covered entity that is informed by another covered entity of an amendment to an individual’s protected health information, in accordance with paragraph (C)(3) of this section, must amend the protected health information in designated record sets as provided by paragraph (C)(1) of this section.
7) Implementation specification:
a. Documentation.
i. A covered entity must document the titles of the persons or offices responsible for receiving and processing requests for amendments by individuals and retain the documentation as required by §164.530(j).

HIPAA – Telefacsimile (Fax) Policy
This site will comply with all HIPAA and the Federal Confidentiality rules relevant to the use of faxing, by demonstrating adherence to our organization’s intent and duty to preserve the confidentiality and integrity of protected health information as required by law, professional ethics, accreditation and licensing requirements.

HIPAA – Incident Response and Reporting
POLICY
Hope Ranch implements HIPAA privacy and security rules in all aspects of the organization to ensure processes are in compliance with such rules.

Procedure
Procedures and processes are developed and implemented by Hope Ranch to respond to, report and mitigate all HIPAA Security related incidents and violations.
1) Reporting and response procedures include methods to notify the appropriate parties and respond to viruses, worms, and other malicious code.
2) Reporting and response procedures include methods to notify the appropriate parties and respond to security threats and vulnerabilities.
3) Reporting and response procedures include methods to notify the appropriate parties and respond to HIPAA Security incidents and violations.
4) Reporting and response procedures include methods to notify the appropriate parties and respond to disasters and system failures.
5) Procedures include formally documented and easily accessible contact information for the Hope Ranch Entities as outlined.
6) Procedures to ensure all IT staff and other appropriate workforce members are aware of all internal incident response and reporting procedures.
7) Procedures to have a formal incident Response and Reporting procedure available to all IT staff and other appropriate workforce members.

Reporting and response procedures include methods to notify the appropriate parties and respond to viruses, worms, and other malicious code.

Exception reports are generated by an auditing control system if defined thresholds are reached. This enables real-time monitoring of system resources and attempted system integrity breaches. All incidents of a suspicious nature will be escalated to the Quality and Compliance designee as appropriate.

In the case of a potential threat identified at the network server level, IT support teams will work with management to determine the best option for resolving the problem.

IT is responsible for notifying the Quality and Compliance designee when they detect a worm or virus problem on a Hope Ranch workstation. If IT determines this worm or virus is a threat to spread, they disable the network port and clean the workstation. If they determine it is not a threat to spread, they do not disable the network port but do have the workstation cleaned.

Reporting and response procedures include methods to notify the appropriate parties and respond to security threats and vulnerabilities.

Exception reports are generated by an auditing control system if defined thresholds are reached. This enables real-time monitoring of attempted system integrity breaches. Reports are generated showing trends and historical statistics for the system administrators as needed.

All incidents of a suspicious nature will be escalated to the Quality and Compliance designee as appropriate.

Reporting and response procedures include methods to notify the appropriate parties and respond to HIPAA Security incidents and violations.
All incidents of a suspicious nature will be escalated to the Quality and Compliance Department as appropriate.

Reporting and response procedures include methods to notify the appropriate parties and respond to disasters and system failures.
Exception reports are generated by the control system if defined thresholds are reached. This enables real-time monitoring of system resources and usage. Reports are generated showing trends and historical statistics for the system administrators as needed.

All incidents related to a system outage or the unavailability for any reason of access to EPHI will be escalated to the Quality and Compliance Department as appropriate.

Procedures include formally documented and easily accessible contact information for Hope Ranch as outlined.

Reporting and response procedures include contact information for the following entities:
1) Quality and Compliance designee
2) IT Technician

Hope Ranch Procedures to ensure all IT staff and other appropriate workforce members are aware of all internal incident response and reporting procedures.
IT staff and other appropriate workforce members have been made aware of all internal incident response and reporting procedures.

Hope Ranch Procedures to have a formal Incident Response and Reporting procedure available to all IT staff and other appropriate workforce members.
HIPAA incidents or violations may be reported via phone to the HIPAA Security or Privacy officers or the workforce member may use an email-based form.

All incidents of a suspicious nature will be escalated to the Quality and Compliance designee as appropriate.

Background: Often our personnel, and the organizations with which we do business, will have a need to transmit or receive documents (that include protected health information) by telefacsimile rather than by a slower, more secure method, such as mail or courier.

Personnel could mis-send faxes to unauthorized recipients, faxes could be intercepted or lost in transmission, or the facility may not receive a fax intended for it because of these or other reasons. Thus, the potential for breach of protected health information (PHI) exists every time someone uses such information. Therefore, all personnel must strictly observe the following procedures relating to facsimile communications of PHI:

Standards and Procedures

● Personnel must limit information transmitted to the minimum amount necessary to meet the requester’s needs.
● The facility, its officers, agents and employees will send health information by facsimile only when the original record or mail delivered copies will not adequately meet the needs for timely patient care and efficient business operations.
● Personnel may transmit health records by facsimile only when directly needed for client care or as required by a third-party payer for ongoing certification of payment for patient treatment.
● Except as authorized by law, a properly completed and signed authorization must be obtained before releasing patient information.
● Personnel may not send by fax especially sensitive medical information, including, but not limited to, AIDS / HIV information, mental health and developmental disability information, alcohol and drug abuse information, and other sexually transmissible disease information without the specific, express authorization of the client.
● The cover page accompanying the facsimile transmission must include a confidentiality notice (See sample).
● Fax machines must be in secure areas, and the department director is responsible for limiting access to them.
● Each department is responsible for ensuring that incoming faxes are properly handled, not left sitting on or near the machine, but rather are distributed to the proper recipient expeditiously while protecting confidentiality during distribution, as by sealing the fax in an envelope.
● Personnel must report any misdirected faxes to the facility.
● The Department Head will periodically and/or randomly check all fax speed-dial numbers pre-programmed in the department fax machine to ensure their validity and accuracy, and to verify authorization to receive confidential information.
● Users must immediately report violations of this policy to their department head and/or designee.

Enforcement
All supervisors are responsible for enforcing this policy. Employees who violate this policy are subject to discipline up to and including termination from employment. Civil and criminal charges/penalties may also ensue.

HIPAA Penalties
● $100 per person per violation up to $25,000
● Criminal - $50,000 fine and up to 1-year imprisonment for wrongful disclosure
● Intent to sell, transfer or use PHI for gain is a $250,000 fine and up to 10 years imprisonment.