Privacy Policy

Policy: Refuge, Inc. shall ensure the privacy of all residents at all sites. 

Procedure:

1. Refuge, Inc. shall inform all residents of the Notice of Privacy Practices and make it available upon request to all individuals as specified in this policy.

2. Refuge, Inc. shall retain copies of the notices Refuge, Inc. issues, including the original and subsequent revisions. Copies may be printed or electronic and shall be retained for at least six years from the date the notice was created or was last in effect, whichever is later.

3. Refuge, Inc. shall not use or disclose protected health information in a manner inconsistent with Refuge, Inc. Notice of Privacy practices or those practices described in the Refuge, Inc.’s Clinical Policies and Procedures.

4. Refuge, Inc. shall promptly revise and distribute the Notice whenever there is a material change in a privacy practice as stated in the Notice. This could include a change to uses or disclosures, the individual’s rights, Refuge, Inc.’s legal duties, or other privacy practices.

5. Revisions to the Notice shall not be implemented prior to the effective date of the revised notice, except as required by law.

6. Refuge, Inc. shall make the Notice available upon request to any person specified in this policy.

7. Refuge, Inc. shall provide the notice to residents:

• No later than the date of first service delivery, including services delivered electronically.

• If the individual is a patient prior to the compliance date of the HIPAA regulations, no later than the date of first service delivery after the compliance date;

• In an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation.

8. Refuge, Inc. shall make a good faith effort to obtain written acknowledgment of receipt of the Notice. If not obtained, Refuge, Inc. shall document his/her good faith efforts to obtain written acknowledgment and the reason why it was not obtained.

9. In an emergency treatment situation, Refuge, Inc. is not required to obtain written acknowledgment of receipt of the Notice.

10. Refuge, Inc. shall post the notice in a clear and prominent location where individuals seeking services can reasonably read the Notice.

11. Whenever the Notice is revised, the revised Notice shall be made available and posted as described in this policy.

Policy:

It is the policy of Refuge, Inc. to comply with all HIPAA requirements.

Procedure:

1. Compliancy Group will maintain records to demonstrate compliance with HIPAA regulations and standards in accordance with mandates from the Secretary of Health and Human Services.

2. Refuge, Inc. shall cooperate with investigations and compliance reviews of the policies, procedures or practices of the provider in regards to HIPAA and protected health information.

3. Refuge, Inc. shall provide access at all sites to all records and other information that pertain to compliance during normal business hours. As necessary, Refuge, Inc. will provide access at any time without notice.

4. Regard to the minimum necessary requirement is not necessary when use or disclosure of protected health information is made under related compliance or review.

5. If any information required of Refuge, Inc. is unobtainable due to the refusal of another entity to furnish that information, Refuge, Inc. must document and report its efforts to obtain this information.

Policy:

Refuge, Inc. shall implement policies and procedures with respect to protected health information (PHI). In order to comply with the standards, implementation specifications, and other requirements of the HIPAA regulations, these Policies and Procedures shall be maintained within Refuge, Inc.'s Clinical Policies and Procedures Manual available to all staff.

Procedures:

1. Refuge, Inc. shall develop and implement policy and procedures necessary to the standards, and requirements of the HIPAA regulations.

2. Refuge, Inc. may revise policies and procedures that do not affect the content of the Notice of Privacy Practices as long as the revision maintain compliance with HIPAA, and as long as the reviewed policy or procedure is documented in written or electronic form prior to the effective date of the change.

3. Refuge, Inc. shall retain all original implemented and revised policies and procedures, in written form, for at least six years from the date that they were created or from the date when they were last in effect, whichever is later.

4. Refuge, Inc. shall promptly revise and distribute the Notice of Privacy Practices whenever the content of the Notice is affected by a change in law.

5. When implementing a change to Refuge, Inc.’s privacy practices as described in the Notice of Privacy Practices, Refuge, Inc. shall:

• Ensure that the revised policies and procedures reflect the change, and are compliant with the HIPAA regulations; AND

• Document the revised policies and procedures in written form; AND

• Make the revised Notice available at all agency sites as required under policy.

6. Refuge, Inc. shall not implement a change to a policy or procedure prior to the effective date that applies to the revised Notice of Privacy Practices.

7. Revised privacy practices may be applied to all protected health information created or received prior to the effective date of the revision.

8. Refuge, Inc. will only enact changes to its Notice of Privacy Practices that will maintain compliance with HIPAA regulations.

Limited Data Sets

Policy: Should Refuge, Inc. enter into an agreement for use of Data Sets, the vendor must comply with all HIPAA requirements.

Procedure:

1. Refuge, Inc. may use or disclose a limited data set of protected health information, provided that Refuge, Inc. enters into a data use agreement with a recipient that complies with the requirement of this policy.

2. The data use agreement between Refuge, Inc. and the recipient of the limited data set shall:

• Establish the permitted uses and disclosures by the recipient, consistent with this policy; AND

• Establish who is permitted to use or receive the limited data set.

3. The data use agreement between Refuge, Inc. and the recipient of the limited data set shall provide that the recipient will:

• Not use or further disclose the information other than as permitted by the data user agreement or as otherwise required by law; AND

• Use appropriate safeguards to prevent use or disclosure of the information not provided for by the data use agreement; AND

• Report to the provider any use or disclosure of the information not provided for by the data use agreement of which it becomes aware; AND

• Ensure that any agents or subcontractors to whom it provides the limited data set agree to the same restrictions and conditions that apply to the recipient with respect to the information; AND

• Not identify the information or contact the individuals.

4. Refuge, Inc. and recipient may use or disclose a limited data set only for the purposes of research, public health, or health care operations.

5. Refuge, Inc. may use protected health information to create a limited data set, or may disclose protected health information to a business associate for the purpose of creating a limited data set.

6. A limited data set is created when the following information about the individual, relatives, employers, or household members is removed:

• Names;

• Postal address information, other than town or city, state, and zip code;

• Telephone numbers;

• Fax numbers;

• Electronic mail addresses;

• Social security number;

• Medical record numbers;

• Health plan beneficiary numbers;

• Account numbers;

• Certificate/license numbers;

• Vehicle identifiers and serial numbers, including license plate numbers;

• Device identifiers and serial numbers;

• Web Universal Resource Locators (URLs)

• Internet Protocol (IP) Address numbers;

• Biometric identifiers, including finger and voice prints;

• Full-face photographic images and any comparable images;

7. If Refuge, Inc. becomes aware of a pattern of activity or practice by the recipient of the limited data set that would constitute a material breach or violation of the data use agreement, the provider shall take reasonable steps to cure the breach or end the violation such steps are unsuccessful, the provider shall:

• Discontinue disclosure of protected health information to the recipient; AND

• Report the problem to the Secretary.

8. If a limited data set recipient violates the data use agreement, the covered entity is considered non-compliant with HIPAA regulations.

Policy

1. Refuge, Inc. Resident Grievance process shall be used to respond to all PHI-related complaints.

Procedure

1. The Resident Grievance process can be used to make complaints concerning Refuge, Inc. policies and procedures or actions with respect to protected health information.

2. Refuge, Inc. will document all complaints received, and their disposition, in written or electronic form according to the Resident Rights and Grievance Policy.

3. Refuge, Inc. shall retain PHI-related documentation for a minimum of six years from the date of its creation.

Ohio Administrative Code: 5122-26-18, 5101:2-9-24, 5122:2-1-01, 5122-30-22, 51-30-22.1, 5101:2-5-35, 5101:2-9-1

Policy

The Refuge Inc Resident Rights and Grievance Policy and Procedures provide a means for residents receiving our services to voice complaints regarding care, treatment, or the exercise of rights and to have those complaints heard and have complaints acted upon in a timely manner. A resident has the right to file a grievance either verbally or in writing or to have any other person or agency on behalf of the resident file a grievance regarding denial or abuse of any resident’s rights.

Procedure

Resident’s Rights

1. The right to be treated with consideration and respect for personal dignity, autonomy, and privacy.

2. The right to service in a humane setting which is the least restrictive feasible as defined in the treatment plan.

3. The right to be informed of one’s own condition, of proposed or current services, treatment or therapies, and of the alternatives.

4. The right to give informed consent to or to refuse any service, treatment, or therapy, including medication absent an emergency upon full explanation of the expected consequences of such consent to or refusal.

5. The right to a current, written, individualized service plan that addresses one’s own mental health, social and economic needs and that specifies the provision of appropriate and adequate services, as available, either directly or by referral.

6. The right to active and informed participation in the establishment, periodic review, and reassessment of the service plan.

7. The right to participate in any appropriate and available agency service that is consistent with an Individual Service/Treatment Plan (ISP/ITP), regardless of the refusal of any other service, unless that service is a necessity for clear treatment reasons and requires the person’s participation.

8. The right to be advised and the right to refuse observation by others and by techniques such as one-way vision mirrors, tape recorders, video recorders, television, movies, photographs, or other audio and visual technology. This right does not prohibit an agency from using closed-circuit monitoring to observe seclusion rooms or common areas, which does not include bathrooms or sleeping areas.

9. The right to have the opportunity to consult with independent treatment specialists or legal counsel, at one’s own expense.

10. The right to confidentiality of communications and of all personally identifying information with the limitations and requirements for disclosure of various funding and/or certifying sources, state or federal statutes, unless release of information is specifically authorized by the resident in accordance with rule 5122.2-3-11 of the administrative code.

11. The right to have access to one’s own treatment unless access to particular, identified items of information is specifically restricted for the individual resident for clear treatment reason in the resident’s treatment plan. Clear treatment reasons shall be understood to mean only severe emotional damage to the resident such that dangerous or self-injurious behavior at imminent risk. The person restricting the information shall explain to the resident factual information about the individual resident that necessitates the restriction. The restriction must be renewed at least annually to retain validity. Any person authorized by the resident has unrestricted access to all information. Residents shall be informed in writing of agency policy and procedures for viewing or obtaining copies of personal records.

12. The right to be informed a reasonable amount of time in advance of the reason for terminating participation in a service, and to be provided a referral, unless the service is unavailable or not necessary.

13. The right to receive an explanation of the reasons for denial of service.

14. The right not to be discriminated against for receiving services on the basis of race, ethnicity, age, color, religion, gender, national origin, sexual orientation, physical or mental handicap, developmental disability, genetic information, human immunodeficiency virus status, or in any manner prohibited by local, state or federal laws.

15. The right to be verbally informed of all resident rights, and to receive a written copy upon request.

16. The right to exercise one’s own rights without reprisal, except that no right extends so far as to supersede health and safety considerations.

17. The right to file a grievance.

18. The right to have oral or written instructions concerning the procedure for filing a grievance, and to assistance in filing a grievance if requested.

19. The right to reasonable protection from physical, sexual or emotional abuse, neglect, and inhumane treatment.

20. The right to participate in the development, review, and revision of one’s own individualized treatment plan (ISP/ITP) and receive a copy of it.

21. The right to receive services in the least restrictive, feasible environment.

22. The right to receive timely and consistent access to:

a. Housing that is a clean and safe living environment, free of infestation and contaminants. This includes the right to enter their housing at any time during their placement.

b. Food in accordance to rule 5101:2-7-06 or 5101:2-9-20 of the Administrative Code. This includes the right to have other special considerations regarding food as a result of trauma included in their service and/or case plan.

23. The right to privacy and personal belongings.

24. The right to their own money. As appropriate (with programing guidelines), the right to earn their own money, open a bank account, and be provided guidance on how to save and spend money.

25. The right to visitation and communication with parents, siblings, other family members, non-related kin, friends, and significant others from whom they are living apart (within program guidelines).

26. The right to contact their attorney, caseworker, probation officer.

27. The right to have their opinions heard and be included when any decisions are being made affecting their lives.

28. The right to receive timely, adequate, and appropriate medical care, dental services, vision care, and mental health services. This includes the right to have appointments scheduled and be transported to these appointments.

29. The right to enjoy freedom of thought, conscience, and religion or to abstain from the practice of religion.

30. The right to receive appropriate and reasonable guidance, support, and supervision from adults in their lives including parents, resource caregivers, agency staff, mentors, youth advisory boards, and others, as applicable.

31. The right to life skills preparation pursuant to rule 5101:2-42-19 of the administrative code.

Posting of Resident Rights

1. The resident rights policy, and grievance procedure is clearly posted in each location in which services are provided.

2. The resident rights policy and grievance procedure is clearly posted in a conspicuous location that is accessible to persons served, their family, or legal guardian, as well as the public (The Refuge Inc website) and can be seen by all.

3. The resident right policy and grievance procedure is outlined in the Residents Orientation Packet, and on The Refuge Inc’s website.

4. The Refuge Inc ensures that residents in the care of the organization have ongoing access to the handbook.

Provision of Resident Rights

1. The Refuge Inc will explain and maintain documentation in the resident electronic medical record of the explanation of rights to each person served prior to or when beginning assessment or treatment services.

2. Explanations of rights shall be in a manner appropriate for the resident’s representatives’ understanding.

3. Residents or recipients of referral and information service, consultation service, and prevention service as described in Chapter 5122-29 of the Administrative Code may have a copy and explanation of resident rights policy upon request.

Resident Grievance Procedure

Residents who believe their rights have been violated, abused, or denied may file a grievance with The Refuge Inc or may file a grievance with any of the outside agencies listed at the bottom of this procedure. Although a grievance may be filed at any point, The Refuge Inc encourages grievances to be filled as soon as possible after the incident.

A grievance is a written complaint initiated either verbally or in writing by a resident or by any other person or provider on behalf of the resident regarding denial or abuse of any resident’s rights.

General Provisions

1. The Refuge Inc has a Grievance policy and procedure written in clear and simple language that shall be given and explained to the resident at the time of the resident’s admission/ intake. A copy of this policy and procedure is included The Refuge Inc’s Website.

2. The Refuge Inc shall document that the resident/resident and family have received the Resident Rights & Responsibilities Policy and the Resident Grievance Policy. Documentation of this acknowledgment shall be maintained in the resident’s file. Residents are asked to sign a statement signifying that they have received a copy of these policies and understand their rights and how to address if they feel they have been violated and/or have a grievance.

3. Upon hire, all staff, interns, and volunteers are trained regarding the resident rights and the complaint and grievance procedures. There shall be documentation in each employee’s personnel file, including contract staff, volunteers, and student interns that each staff member has received a copy of the resident rights policy and the resident grievance procedures and has agreed to abide by them.

4. All staff are required to follow the Resident Rights Policy and Resident Grievance Procedures.

5. Any staff person hearing of or having knowledge of a complaint or grievance shall refer the resident or person expressing a grievance on behalf of the resident, to where they can find information on their resident rights and The Refuge Inc’s policy and procedures for filing a formal grievance. Staff can also provide the resident with a copy of their rights and the grievance procedure at any time upon request.

6. All staff have a responsibility to notify their direct supervisor if a resident or resident representative expresses a complaint and/or grievance, this notification is expected to be communicated before the end of their shift/business day.

7. Supervisors are expected to follow up with the resident or resident representative and notify The Refuge Inc’s Resident Rights Advocate if the resident or resident’s representative would like to file a formal grievance. The Refuge Inc ensures that a resident or resident representative is not required to transmit a complaint through the staff member who is the subject of the complaint.

8. The Refuge Inc assures prompt accessibility of a resident rights advocate. The Refuge Inc’s designated resident rights advocate will be available to assist a resident in the filing of a grievance, the resident rights advocate shall have their name, title, location, and hours of availability, and telephone number included with the posting of resident rights as required.

9. The Refuge Inc shall take all precautions and measures to ensure against retaliation by staff or by other residential residents against the person making the complaint.

10. The Refuge Inc. are responsible for ensuring implementation and maintenance of resident rights activities within The Refuge Inc’s Programs and services, including the resident complaint and grievance procedures.

Process for filing a formal grievance

The following is the procedure detailing how to file a grievance with The Refuge Inc. If the resident or other person or provider acting on behalf of the resident would like to file a grievance with an outside agency, the Resident Rights Advocate will assist the resident or person filling out the grievance on behalf of the resident. The Resident Rights Advocate’s information and some of the outside organizations a grievance may be filed with are listed at the end of this procedure.

1. To file a grievance with The Refuge Inc, the resident or person acting on behalf of the resident shall prepare a written statement that describes the incident or situation being grieved. The grievance may be made verbally to the Resident Rights Advocate who will then prepare a written text of the grievance. The grievance must include the date, approximate time and description of the incident, including the names of individuals involved in the incident or situation being grieved. The grievance must be signed by the resident or the individual that filed the grievance on behalf of the resident. If the grievance is prepared by the Resident Rights Advocate, the Resident Rights Advocate shall include an attestation that the written grievance is a true and accurate representation of the resident’s grievance. The grievance should be given to the Resident Rights Advocate.

2. Once the grievance is given to the Resident Rights Advocate, the resident or person filling the grievance on behalf of the resident will be provided with a written acknowledgement of receipt of the grievance. The receipt will be provided to the resident or person filling the grievance on behalf of the resident within three (3) business days. The receipt will include the following:

3.2.1 The date grievance was received.

3.2.2 A summary of the grievance.

3.2.3 An overview of the grievance investigation process.

3.2.4 Timetable for completion of the investigation and notification of the resolution.

3.2.5 The Refuge Inc information (Treatment provider contact name, address, and telephone number).

Process for Grievance Investigation

The Resident Rights Advocate will be responsible for investigating the grievance situation or incident. The investigation may include speaking with all parties involved in an attempt to achieve a timely resolution. At the conclusion of the Resident Rights Advocate’s investigation, a resolution or remedy will be presented to the resident or person who filed the grievance on behalf of the resident. If the resident or person who filed the grievance on behalf of the resident feels that the resolution presented is not acceptable, the resident has the right to ask the Resident Rights Advocate to escalate the grievance to the Executive Director or will be assisted in filing a grievance with one or more agencies listed at the end of this procedure. The grievance process will conclude within twenty (20) business days of receiving the grievance. If extenuating circumstances occur that require additional time to resolve the grievance, written documentation of the extension will be provided to the resident or the person filing the grievance on behalf of the resident. At the conclusion of the grievance process, a written statement and explanation of the results will be given to the resident or person that filed the grievance on behalf of the resident.

Monitoring and Implementation of the Grievance Procedure

The Resident Rights Officer maintains a record of all grievances filed, including a grievance log that briefly summarizes each grievance and its outcome. Written grievance forms that detail the subject matter of the complaint, the process used and any actions taken regarding the resolution/remedy of the grievance documentation of any circumstances for extending the time period for resolving grievances beyond the twenty business days. All records concerning grievances will be maintained by the agency for at least two (2) years.

The Resident Rights Advocate will provide any necessary reports to appropriate bodies, such as the local Mental Health and Recovery Board, in the required format and at the required intervals, incident reports will be filed with the Ohio Department of Mental Health and Addiction Services within 24 hours of the discovery of the incident, if applicable. The Resident Rights Advocate reports monthly to the Executive Director regarding any resident grievances and prepares an annual written summary of resident grievances, if any exist, for review and incorporate any finding into the agency’s performance improvement plan.

Residents Rights Advocate

Residents Rights Advocate is available to assist residents with all aspects of resident rights and the grievance procedure.

This information is required by the Ohio Counselor, Social Worker, Marriage and Family Therapist Board which regulates all license counselors.

The Refuge Inc Resident Rights Advocate:

Name: Heidi Hess

Address: P.O. Box 163173 Columbus, Ohio 43216

Phone Number: (614) 546-5160

Schedule: Monday - Friday 9a-5p to Schedule Appointment

Ohio Department of Job and Family Services

Columbus District Office

30 E. Broad St, 32nd floor

Columbus, OH 43215

1-800-686-1556

Counselor and Social Worker, Marriage and Family Therapist Board:

77 South High St, 24th Floor, Room 2468

Columbus OH 43215-5919

(614) 466-0912

Ohio Department of Mental Health and Addiction Services

30 East Broad St, 36th floor

Columbus, OH 43215-3430

(614) 466-2596 

www.mha.ohio.gov

Disability Rights Ohio

200 S Civic Center Drive #300

Columbus, OH 43215

(614) 446-7264 or (800) 282-9181

TTY: (614) 728-2553 www.disabilityrightsohio.org

US Department of Health and Human Services

Office for Civil Rights, Region V

233 North Michigan Ave, Suite 240

Chicago, IL 60601

(312) 886-2359

TTY: (312) 353-5693

Franklin County Board of Alcohol, Drug Addiction and Mental Health Services (ADAMH)

447 E Broad St

Columbus, OH 43215

(614) 224-1057

If the resident or other person or provider acting on behalf of the resident would like to file a grievance with one of the above outside entities and would like The Refuge Inc’s assistance in doing so, the Resident Rights Advocate will be available to assist the resident or person filing the grievance on behalf of the resident. The Resident Rights Advocate’s information and some of the outside entities a grievance may be files with are listed above.

1. Persons who participate in any service provided by Refuge, Inc. have the right to confidentiality and privacy of information regarding all protected health information. Refuge, Inc. may use or disclose protected health information to carry out treatment, payment, or health care operations. This information must be released within the limitations and applicable regulatory requirements for disclosure to various funding and/or certifying sources and state or federal statutes, such as HIPAA.

2. No authorization is required for use or disclosure of protected health information, including psychotherapy notes, to the extent that such use or disclosure is required by law, is in response to an order of the court, in response to a subpoena, in response to a discovery request, or other lawful processes.

3. The clinical staff also may disclose protected health information if there is a professional judgment that the individual is at risk of serious harm to self and/or others and this disclosure is required by law, or the individual agrees to the disclosure. For use beyond the reasons mentioned, a release of information must be specifically authorized by the resident.

4. Persons who participate in any service provided by Refuge, Inc. have a right to choose and give their consent by signing a release of information, which individuals or agencies are permitted to have their protected health information. Residents have the right to revoke these releases at any time. If residents are court-ordered into treatment, in order to participate in services, a release of information is necessary to the ordering court, as well as to a significant other as outlined with their treatment program. If residents are asked to sign a release of information, these forms will comply with applicable federal and state laws and will identify, at a minimum, the following:

o The name of the person about whom information is to be released.

o The content to be released.

o To whom the information is to be released.

o The purpose for which the information is to be released.

o The date on which the release is signed.

o The date, event, or condition upon which the authorization expires.

o Information as to how and when the authorization can be revoked.

o The signature of the person who is legally authorized to sign the release.

Policy – Residents

1. Refuge, Inc. shall ensure accepted amendments are properly linked within the resident record

Procedure

1. Refuge, Inc. shall inform the individual that the amendment has been accepted.

2. At a minimum, the Refuge shall identify the records in the designated record set that are affected by the amendment and shall append the amendment or otherwise provide a link to the amendment.

3. The Refuge shall request from the individual:

• The identifies of others who should receive the amendment; AND

• The individual’s agreement to have the provider share the amendment with relevant persons as described in this policy.

4. The Refuge shall make reasonable efforts to inform and provide the amendment within a reasonable time to:

• Persons identified by the individual as having received the protected health information and needing the amendment; AND

• Persons, including business associates, whom Refuge, Inc. knows have the protected health information that has been amended and that may have relied on, or could conceivably rely on, such information to the detriment of the individual.

Policy - Non-Residents

1. Refuge, Inc. shall amend its records should it be appropriately notified by another entity.

Procedure

1. If the Refuge is informed by another covered entity of an amendment to the individual's protected health information it shall amen the protected health information in its record set within 72 hours of notification.

Policy: Refuge, Inc. shall deny a resident access to his/her records in accordance with the policy.

Procedure:

1. Refuge, Inc. may deny individual access without providing the individual an opportunity for review of the denial if such denial meets the provisions of this policy.

A. The individual does not have a right to access or obtain a copy of psychotherapy notes.

B. The individual does not have a right to access or obtain a copy of information compiled in reasonable anticipation of, or use in, a civil, criminal, or administrative action or proceeding.

C. Refuge, Inc., if acting under the direction of a correctional institution, may deny access by the inmate, in whole or in part, if the provider believes such access would jeopardize:

• The health, safety, security, custody, or rehabilitation of the individual or other inmates; OR

• The safety of any officer, employee, or another person at the correctional institution or responsible for transporting the inmate.

D. Refuge, Inc. may deny access if the protected health information is contained in records that are subject to the Privacy Act and such denial meets the requirements of that law.

E. Refuge, Inc. may deny access if the protected health information was obtained from someone other than a health care provider under a promise of confidentiality if allowing access would be reasonably likely to reveal the source of the information.

2. The following denials will be subject to review:

A. Refuge, Inc. may deny an individual access to their protected health information under the conditions outlined in this policy, provided that the individual is given the right to have the denial reviewed according to the

B. Refuge, Inc. may deny access if it is reasonably likely to endanger the life or physical safety of the individual or another person.

C. Refuge, Inc. may deny access if the protected health information makes reference to another person (unless that person is a health care provider) if such access is reasonably likely to cause substantial harm to the other person.

D. Refuge, Inc. may deny access requested by the individual’s personal representative if it is reasonably likely to cause substantial harm to the individual or another person.

3. If access is denied for reasons specified under this Policy, the individual has the right to have the denial reviewed by a licensed health care professional. The reviewing professional shall not have participated in the decision to deny.

A. Refuge, Inc. may deny an individual their protected health information under the conditions outlined in this policy, provided that the individual is given the right to have the denial reviewed according to the provisions of the Policy.

B. Refuge, Inc. may deny access if it is reasonably likely to endanger the life or physical safety of the individual or another person.

C. Refuge, inc. may deny access if the protected health information makes reference to another person (unless that person is a health care provider), if such access is reasonably likely to cause substantial harm to the other person.

D. Refuge, Inc. may deny access requested by the individual’s personal representative if it is reasonably likely to cause substantial harm to the individual or another person.

4. If access is denied for reasons specified under the policy, the individual has the right to have the denial reviewed by a licensed health care professional. The reviewing professional shall not have participated in the decision to deny.

A. Refuge, Inc. shall designate its Privacy Officer (licensed health care professional) to act as a reviewing official.

B. Refuge, Inc. shall promptly refer a request for review to the designated reviewing official.

C. The Privacy Officer shall determine, within a reasonable period of time, whether or not to deny the requested access based on the provisions of policy.

D. Refuge, Inc. shall deny, or promptly access, in accordance with the determination of the reviewing official.

5. If access is denied for reasons specified under Policy, the individual has the right to have the denial reviewed by a licensed health care professional. The reviewing professional shall not have participated in the decision to deny.

A. Refuge, Inc. shall designate its Privacy Officer (licensed health care professional) to act as a reviewing official.

Policy: It is the policy of Refuge, Inc. to disclose Protected Health Information without authorization only in accordance with policy.

Employers

1. Refuge, Inc. will disclose protected health information to an employer about an individual who is an employee, for the purposes of workplace medical surveillance or evaluating or documenting possible work-related illnesses or injuries.

A. Related disclosure may be made without authorization only if the provisions of this policy are met.

B. Refuge, Inc. must be providing a service to the individual at the request of the employer.

C. Refuge, Inc. may disclose the protected health information if that information consists of findings concerning a work-related illness or injury or a workplace- related medical surveillance.

D. Refuge, Inc. may disclose the protected health information if the employer needs such findings to comply with legal requirements to record work-related illnesses or injuries, or to carry out responsibilities for workplace medical surveillance.

E. Refuge, Inc. shall give written notice to the individual that protected health information relating to medical surveillance of the workplace and work-related illnesses or injuries will be disclosed to the employer. The notice required for employees under this provision must be separate from the Notice of Privacy Practices.

Victims of Abuse, Neglect, or Domestic Violence

1. No authorization is required for use or disclosure of protected health information (including psychotherapy notes) to the extent that such use or disclosure is required by law and is limited to the relevant requirements of such law, provided that the provisions of this policy are met.

2. Refuge, Inc. may disclose protected health information about an individual when Refuge, Inc. reasonably believes the individual to be a victim of abuse, neglect, or domestic violence under the following circumstances:

• When such disclosure is required by law and the disclosure is limited to the relevant requirements of such law (i.e., the “minimum necessary”); OR

• The individual agrees to the disclosure.

3. Refuge, Inc. may disclose protected health information about an individual when Refuge, Inc. reasonably believes the individual to be a victim of abuse, neglect or domestic violence as expressly authorized by statute or regulation, provided that:

• Refuge, Inc., using professional judgment, believes this disclosure is necessary to prevent serious harm to the individual or other potential victims; OR

• If the individual cannot agree to disclosure due to incapacity, a law enforcement official or other public official authorized to receive the report represents that the protected health information is not intended to be used against the individual and that an immediate enforcement activity that depends on the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure.

4. When Refuge, Inc. makes a disclosure under this policy it shall promptly inform the individual that such a report has been or will be made, unless:

• Refuge, Inc. using professional judgment, believes that informing the individual would place the individual at risk of serious harm; OR

• Refuge, Inc. would be informing a personal representative and Refuge, Inc., using professional judgment, believes the personal representative is responsible for the abuse, neglect, or another injury, and that informing the personal representative would not be in the best interest of the individual.

5. For the purposes described in this policy, the Agency may inform the individual orally, and the individual’s agreement may be given orally.

Health Oversight

1. Refuge, Inc. may disclose protected health information to health oversight agencies for oversight activities authorized by law if the individual is not the subject of the investigation or oversight activity.

2. If the individual is the subject of the investigation/oversight activity, Refuge, Inc. may disclose an individual’s protected health information for health oversight activities only if the investigation or oversight arises out of:

• The receipt of health care; OR

• A claim for public benefits related to health; OR

• Qualification for or receipt of public benefits or services when the individual’s health is integral to the claim for those benefits or services.

Judicial/Administrative Proceedings

1. No authorization is required for use or disclosure of protected health information (including psychotherapy notes) to the extent that such use or disclosure is required by law and is limited to the relevant requirements of such law (i.e., the “minimum necessary”), provided that the provisions of this policy are met.

2. Refuge, Inc. may disclose protected health information, in response to an order of the court or administrative tribunal, but such disclosure may include only protected health information expressly authorized by such order.

3. Refuge, Inc. may disclose protected health information in response to a subpoena, discovery request, or another lawful process (not ordered by a court or administrative tribunal) only if Refuge, Inc. deems appropriate.

4. Receives satisfactory assurance from the party seeking the information that reasonable efforts have been made to ensure that the resident has been given notice of the request; OR Receives satisfactory assurance from the party seeking the information that reasonable efforts have been made to secure a “qualified protective order.”

Law Enforcement

1. Refuge, Inc. may disclose PHI (including psychotherapy notes) to a law enforcement official if such use or disclosure is required by law and is limited to the relevant requirements of such law (i.e., the “minimum necessary”).

2. Refuge, Inc. may disclose protected health information as required by laws. Injuries that are the result of child abuse, neglect, or domestic violence may be reported to appropriate public health authorities or social service agencies.

3. Refuge, Inc. may disclose protected health information to comply with a court order, a court-ordered subpoena, a grand jury subpoena, or a search warrant. Such disclosure shall be limited to the relevant requirements of the order, subpoena, or warrant.

4. Refuge, Inc. may disclose protected health information in compliance with an administrative subpoena, administrative summons, civil or authorized investigative demand, or similar process authorized by the law provided that:

• The protected health information is relevant and material to a legitimate law enforcement inquiry; AND

• The request is specific and limited in scope to the extent reasonably practicable for its purpose; AND

• De-identified information could not reasonably be used.

5. Refuge, Inc. may disclose protected health information, in response to a law fugitive, material witness, or missing person, provided that the disclosed information enforcement official’s request, for the purpose of identifying or locating a suspect, is limited to:

• Name and address;

• Date and place of birth;

• Social security number;

• Date and time of treatment;

• Date and time of death, if applicable;

• A description of distinguishing characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair, scars, and tattoos.

6. Refuge, Inc. may disclose protected health information in response to a law enforcement official’s request when the individual is, or is suspected to be, a victim of a crime if the individual agrees to the disclosure or Refuge, Inc. is unable to obtain the individual’s agreement due to incapacity or other emergency circumstances, and the law enforcement official represents that:

• The information is needed to determine if a crime was committed by someone other than the victim; AND

• The information will not be used against the victim; AND

• Immediate law enforcement activity would be seriously impeded by waiting until the individual is able to agree to the disclosure; AND

• Refuge, Inc. using professional judgment, determines that the disclosure is in the best interest of the individual.

Research

1. Refuge, Inc. may use or disclose protected health information for research, without authorization, provided that Refuge, Inc. obtains from the researcher assurance that:

• The protected health information is sought solely to prepare a research protocol or for similar purposes preparatory to research; AND

• No protected health information will be removed from the premises/systems of Refuge, Inc.. in the course of review; AND

• The protected health information is necessary for research purposes.

Correctional Institutes

1. Refuge, Inc. may disclose to a correctional institution or law enforcement official the protected health information of an individual who is an inmate or otherwise in lawful custody, if informed that the disclosure is necessary for:

• The provision of health care to the individual;

• The health and safety of the individual or other inmates;

• The health and safety of the officers, employees, or others at the correctional institution;

• The health and safety of officers or other persons responsible for transporting inmates;

• Law enforcement on the premises of the correctional institution.

• The administration and maintenance of the safety, security, and good order of the correctional institution.

To Avert a Threat to Health or Safety

1. Refuge, Inc. may disclose protected health information without authorization to law enforcement or other persons who can reasonably prevent or lessen the threat of harm.

2. Refuge, Inc. will abide by the minimum necessary requirement when disclosing protected health information when averting a threat to health or safety.

Relating to Decedents

1. Refuge, Inc. may disclose protected health information related to a death to coroners, medical examiners, or funeral directors, and to organ procurement organizations relating to organ, eye, or tissue donations or transplants.

Policy: The storage and destruction of resident records shall be accomplished in a manner to ensure the confidentiality of all records. These records must be maintained a minimum of six (6) years six years from the date of its creation or the date when it last was in effect, whichever is later.

Procedure:

1. When deemed necessary, i.e., retention guidelines, time limitations, etc. Refuge, Inc. will engage a paper shredding company, if Refuge, Inc. is not capable of shredding the documents on its own, to destroy patient records and confidential information on an as-needed basis.

2. All resident records and HIPAA related information shall be maintained for not less than six (6) years.

Policy: It is the policy of Refuge, Inc. to implement reasonable and appropriate security measures to ensure the confidentiality, integrity, and availability of all electronic protected health information that the agency creates, receives, maintains, or transmits.

Procedure:

1. Refuge, Inc. shall implement reasonable and appropriate security measures to protect against any reasonably anticipated threats or hazards to the security of electronic protected health information.

2. Refuge, Inc. will maintain electronic health records in accordance with Public Health Service Act Title XXX and comply with 3701.75 of Revised Code.

3. Refuge, Inc. shall take reasonable and appropriate steps to ensure compliance by the workforce with the security standards of the HIPAA Security Rule.

4. Refuge, Inc. shall review and modify security measures as needed to ensure continued reasonable and appropriate protection of electronic protected health information.

5. Refuge, Inc. may use any security measures that allow the organization to reasonably implement the security rules.

6. Refuge, Inc. staff shall conduct a periodic evaluation to determine which security policies and procedures meet HIPAA Security Rule requirements.

7. Refuge, Inc. shall document security measures that are used to protect electronic PHI.

8. Audit Trails will be in place, allowing a chronological record of activities occurring in the system.

Securing The Agency’s Network

9. Access to Refuge, Inc.’s network will be controlled through the use of user IDs and passwords, which will be unique for each person.

10. All programs containing confidential data must be password protected, including third-party purchased software and applications developed internally by Refuge, Inc.

11. The display and printing of passwords should be masked, suppressed, or otherwise obscured so that unauthorized parties will not be able to observe or subsequently recover them. After three unsuccessful attempts to log in to Refuge, Inc.’s network, the person’s network login will temporarily be disabled until it is reset by a system administrator.

12. Password confidentiality is the responsibility of each user. Users will not share their passwords. In the event IT needs to perform computer assistance, only equipment, not specific program passwords may be given to IT. Immediately upon completing such maintenance, the user will be allowed to reset any passwords given to IT staff.

13. Electronic signatures consisting of letters, numbers, characters, or symbols may be adopted by an individual as their electronic signature, or a computer-generated signature may be created, or an electronic image of the individual’s handwritten signature may be created using a pen computer.

14. Any manual records users maintain of passwords must be maintained in a secure and confidential manner. Passwords will not be stored in readable form without access control or in other locations where unauthorized persons might discover them. All such passwords are to be strictly controlled using either physical security or computer security controls.

15. Staff shall at all times be in physical control of any access device on which they have accessed programs with their login. If a staff member needs to leave physical control of their device, they must first either log out or set an access security measure such as activating a device access code. This is commonly referred to as “locking down” a workstation, tablet, phone, etc.

16. The IT department will periodically review user access privileges and remove identification codes and passwords from their systems when users no longer require access.

17. Termination of an employee will result in the deletion of that person’s access to Refuge, Inc.’s network. The timing of such deletion will be appropriate to ensure minimal risk to Refuge, Inc.’s confidential data.

Securing Access to Clinical Software Applications

18. Access to the Refuge, Inc.’s clinical software applications will be limited to staff that have a business purpose to access such information.

19. Users will be given access only to functions or resident information based on what is required in order to perform their job duties to the extent that security applications of such programs shall permit.

20. Non-Refuge, inc. staff will only be allowed electronic access to Refuge, Inc.’s clinical data after completing required HIPAA agreements and upon receiving approval by the Executive Director

21. Access to clinical software applications will be timed-out after a sufficient period of inactivity. The application will lock down so only the user who logged in can get back in when ready to do so.

Securing Data Resources

22. Any electronic media being discarded or replaced (including hard drives in computers) shall be written over or irrecoverably destroyed to ensure proper erasure of confidential or proprietary data.

23. Users must not load unauthorized programs or data onto Refuge, Inc.’s systems.

24. Users shall secure media (such as hard copy, CDs, DVDs, flash drives, etc.) which contain confidential information in a locked desk, cabinet, or room.

25. Any protected health information in hardcopy format should be disposed of properly. This may include shredding finely enough to ensure that the information is unrecoverable.

26. Copying of confidential documents shall be minimized. Printed versions of the Refuge, Inc’s data should not be copied indiscriminately or left unattended.

27. Documents containing any protected health information may be transported by Refuge, Inc. staff in containers deemed appropriate. Reasonable care should be used, and media should be secured when left unattended.

28. A paper copy of the resident record will be available upon request as necessary for legal documentation.

Policy: It is the policy of Refuge, Inc. to safeguard all files that are transferred between Refuge, Inc.’s various sites in a manner that will protect confidential information.

Procedure:

1. Only authorized employees are permitted to transfer files between sites.

2. Specific employee authorization is designated in the employee access policy.

3. Any employee who is transferring files will provide reasonable protection and safeguards to the files that are being transferred. Any container holding PHI shall be securely locked.

Policy

1. It is the policy of Refuge Inc. to account for all disclosures.

Procedure

1. The individual has the right to receive an accounting of disclosures of protected health information made by Refuge, Inc. in the six years prior to the date on which the accounting is requested.

2. Refuge, Inc. is not required to give an accounting of disclosures made:

• To carry out treatment, and health care operations; OR

• To the individual or personal representative; OR

• For national security or intelligence purposes; OR

• To law enforcement officials or correctional facilities; OR

• For an incident to a permitted or required use or disclosure; OR Prior to April 14, 2003.

3. Refuge, Inc. shall temporarily suspend the individual’s right to an accounting of disclosures to a health oversight agency or to a law enforcement official under these conditions:

• Refuge, Inc. or official submits a written statement that such an accounting would be reasonably likely to impede the Refuge’s activity; AND

• The statement specifies the time for which the suspension is required; AND

• The provider suspends the accounting only for that period of time.

4. If the statement required is oral rather than written, Refuge, Inc. shall:

• Document the statement and the identity of the agency or official making the statement; AND

• Temporarily suspend the individual’s right to an accounting of disclosure subject to the statement; AND

• Limit the temporarily suspension to no more than 30 days from the date of the oral statement unless a written statement is submitted during that time.

5. Refuge, Inc shall document the title of the person responsible for receiving and processing requests for an accounting of disclosures of protected health information.

6. Refuge, Inc. shall document and retain the information in the designated record set any information that would be required as part of an accounting.

7. When a written accounting is provided to the individual, Refuge Inc document this and retain a copy in the resident record.

8. The documentation required under this policy shall be retained, in written or electronic form, for at least six years from the date it was created.

9. Refuge, Inc. will respond to a resident’s written request for a list of disclosures within 60 days of receiving the request.

10. Refuge, Inc. will provide the list of disclosures free of charge for once list each year.

11. Refuge, Inc. is entitled to charge a reasonable fee for more frequent requests

Policy: It is the policy of Refuge, Inc. to use or disclose PHI in compliance with HIPAA requirements.

Procedures:

1. Refuge, Inc. will continue to use or disclose protected health information received pursuant to an authorization for release of information or other express legal permission if such permission was obtained prior to the compliance date.

2. Refuge, Inc. may use or disclose protected health information created or received prior to the compliance date for purposes other than research, if the prior authorization specifically permits such use or disclosure.

3. Refuge, Inc. has the right to use or disclose protected health information created or received prior to or after the compliance date for research purposes. This is provided that Refuge, inc. has obtained the individual’s authorization or informed consent for use and disclosure for the research study.

Purpose: To provide service delivery that ensures the confidentiality of all residents through the organization and control of all clinical records.

Policy:

1. Refuge, Inc. shall take every necessary step to ensure confidentiality of resident records and resident service activity except when disclosure is required by law, or when the resident and/or guardian requests in writing the information to be released. It is not determined a breach of confidentiality to use or disclose resident-protected health information for treatment, payment, or health care operations.

2. For policies concerning the unauthorized release of protected health information refer to Sections II and III in the Policies and Procedures Manual.

3. Resident records removed from storage should be returned within 24 hours of the time they were removed.

4. An incomplete record is not to be returned without authorization from the ED.

5. If a report is made to the ED regarding any discrepancies, the ED or designee will be responsible to ensure follow-up.

Procedures:

1. All clinical records and computerized resident information are confidential. Records are to be kept in the filing cabinet and the files shall be locked during all business hours. Records and computerized resident information shall be retrievable by Refuge, Inc. staff and/or authorized person(s) only. All computers are secured by passwords which are activated whenever the computers are left unattended.

Other unauthorized people (s) shall not be permitted to access the filing cabinet. Clinical records shall not be left in or on desks after use. Residents have the right to see their files and should be properly notified of this

• New Records: Each clinical record shall be indexed by the last name of the resident and shall be kept in alphabetical order in the file cabinet.

• Retrieval: Refuge, Inc. staff shall be responsible to sign out the clinical record by documenting the name of the resident, signature of staff removing the record and the date removed on the sign-out cards provided at the front of the filing cabinet.

• Refuge, Inc. staff are not to remove records/forms from clinical records. All new additions to the record shall be bound in the record.

2. The ISP shall be developed within the first four sessions or within 30 days of admission, whichever is sooner.

3. Treatment reviews shall occur bi-annually/every six months.

4. Documentation of progress shall occur within seven (7) days following each group/individualized/family therapy session.

5. An incomplete record is not to be returned without authorization from the Executive Director.

6. If a report is made to the ED regarding any discrepancies, the ED or designee will be responsible to ensure follow-up.

7. All clinical records shall be maintained by Refuge, Inc. for the duration of ten (10) years for all adults. Clinical records for minors shall be maintained for ten (10) years after the age of majority.

8. Refuge, Inc. shall maintain all HIPAA-required policy/procedures, verifications, agreements, documentation for a minimum of six years from implementation.

9. Refuge, Inc. shall maintain the policies and procedures required by the HIPAA regulations in written or electronic form, including any actions or designations required by said regulations.

10. If written communication is ever required by the HIPAA regulations, Refuge, Inc. shall provide either an original or copy of the specified written communication in paper copy as requested.

11. All errors in the clinical records shall be as follows

• A line shall be drawn through the section to be corrected.

• Initials of the individual making the correction shall be written above or beside the lined-out area.

• The date the correction is made shall be entered beside the initials.

• Under no circumstances shall whiteout or other permanent erasing solution be used.

In accordance with the Sarbanes-Oxley Act, which makes it a crime to alter, cover-up, falsify, or destroy any document with the intent of impeding or obstructing an official proceeding, this policy provides for the systematic review, retention, and destruction of documents received or created by Refuge, Inc. in connection with the transaction of organization business. This policy covers all records and documents, regardless of physical form, contains guidelines for how long certain documents should be kept, and how records should be destroyed (unless under a legal hold). The policy is designed to ensure compliance with federal and state laws and regulations, to eliminate accidental or innocent destruction of records, and to facilitate Refuge, Inc.’s operations by promoting efficiency and freeing up valuable storage space.

Document Retention

Refuge, Inc. follows the document retention procedures outlined below. The information listed in the retention schedule below is intended as a guideline and may not contain all the records Refuge, Inc. may be required to keep in the future. Documents that are not listed but are substantially similar to those listed in the schedule will be retained for the equivalent and appropriate length of time. Questions regarding the retention of documents not listed in this chart should be directed to the Executive Director.

Permanent Records

• Chart of accounts

• General ledger & end of year trial balance

• Financial statements – end of year

• Form 990

• Depreciation schedules

• Articles of Incorporation

• By-Laws

• Board minutes

• Audit reports, including A-133

Seven (7) Years

• Bank statements, reconciliations, canceled checks

• Accounts payable & receivable

• Grant agreements

• Monthly financial statements

• Vouchers/vendor

• Payroll records/payroll taxes

• Budgets

• Employment records (after termination)

• Employee Time sheets

• Resident Records

Five (5) Years

• Continuing Education documentation

Three (3) Years

• Petty cash vouchers

• Insurance policies – expired

• Employment Ads

• Resumes/Applications

• General Correspondence

• Fundraising Correspondence

One (1) Year or Less

• Unsolicited Resumes (not kept on file)

• Non-record email

Electronic Documents and Records

Electronic documents will be retained as if they were paper documents. Therefore, any electronic files, including records of donations made online and program databases that fall into one of the document types on the above schedule, will be maintained for the appropriate amount of time. If a user has sufficient reason to keep an email message, the message should be printed in hard copy and kept in the appropriate file or moved to an “archive” computer file folder. Backup and recovery methods will be tested on a regular basis. Emails from or related to residents will be printed in hard copy and kept in the resident file. The email should not be stored on the system in any capacity, including in the “Deleted Items” folder.

Emergency Planning

Refuge, Inc.’s records will be stored in a safe, secure, and accessible manner. Documents and financial files that are essential to keeping Refuge, Inc. operating in an emergency will be duplicated or backed up at least every week. Refuge, Inc. server is backed up daily and a copy is uploaded to the cloud and to an external hard drive which is kept in a locked fireproof safe.

Document Destruction

Documents that have been identified for destruction will be shredded. Refuge, Inc.’s Fiscal Manager is responsible for the ongoing process of identifying financial records that have met the required retention period and overseeing their destruction. Refuge, Inc.’s Controller is responsible for ongoing process of identifying personnel records that have met the required retention period and overseeing their destruction. Refuge, Inc.’s program supervisors are responsible for the ongoing process of identifying resident records that have met the required retention period and overseeing their destruction. Document destruction will be suspended immediately, upon any indication of an official investigation or when a lawsuit is filed or appears imminent. Destruction will be reinstated upon the conclusion of the investigation or upon release of a litigation hold.

Policy: It is the policy of Refuge, Inc. to re-identify resident record information using an assigned resident number system.

Procedure:

1. Refuge, Inc. will assign a resident identification number (as a code) unless another means of record identification is determined to be used, to allow de-identified information to be re-identified by Refuge, Inc.

2. The code shall not be derived from, or related to, information about the individual and shall not be otherwise capable of being translated so as to identify the individual.

3. Refuge, Inc. shall not use or disclose the code for any other purpose or disclose the mechanism for re-identification.

Refuge, Inc. will be responsible for maintaining all adult clinical records will be held for the duration of seven (7) years past closure of the last attendance, or as applicable according to state or federal guidelines. After the required period post closure, the CFO will be responsible for destroying the entire clinical file of a former resident. At no time will any records or other materials be altered, removed, or destroyed by staff before the time frame identified above. At no time will any records or other materials identified in a search warrant, subpoena, or other court order be removed or destroyed. Records in the process of being destroyed must be saved if a legal process is initiated against Refuge, Inc.

Policy: Refuge, Inc. shall verify the identity of all persons requesting protected health information.

Procedure:

1. Prior to any disclosure permitted, Refuge, Inc. shall verify the identity of the person requesting the protected health information and the authority of any such person to access that information if that person’s identity is not known to Refuge, Inc.

2. Prior to any disclosure permitted, Refuge, Inc. shall obtain any documentation, statements, or representations (oral or written) from the person requesting the protected health information.

3. When Refuge, Inc. receives an order/release that appears to meet all requirements, Refuge, Inc. may rely on that order as meeting the specified requirements.

4. When Refuge, Inc. receives a request for uses or disclosure of protected health information for research purposes, Refuge, Inc. may be satisfied that verification requirements are met only if Refuge, Inc. receives one or more written statements that the requirement for individual authorization has been waived, provided that the statement identifies the Institutional Review Board (IRB) or privacy board that granted the alteration or waiver, gives the date on which it was approved, and is signed by the chair or a designated member of the IRB or privacy board.

5. Refuge, Inc. may also rely on any of the following to verify identity when the disclosure of protected health information is to a public official or to a person acting on behalf of the public official:

• Presentation of an agency identification badge or other credentials; OR

• A written request using the appropriate government letterhead; OR

• Any document that establishes that the person is acting on behalf of a government official, such as a contract for services, memorandum of understanding, or purchase order.

6. Refuge, Inc. may rely, if reasonable under the circumstances, on any of the following to verify authority when disclosing protected health information to a public official or a person acting on behalf of the public official:

A written statement of the legal authority under which the information is requested; OR

If a written statement would be impractical, an oral statement of the legal authority under which the information is requested; OR

A legal warrant, subpoena, order, or other legal process issued by a grand jury, court, or administrative tribunal.

7. Verification requirements are met if Refuge, Inc. relies on the exercise of professional judgment when making use or disclosure in accordance with policy.

8. Verification requirements are met if Refuge, Inc. acts on a good faith belief when making a disclosure in accordance with policy.

Policy: Refuge, Inc. shall protect and safeguard health information within the organization at all sites.

Procedure:

1. Refuge, Inc. requires the implementation of satisfactory safeguards to protect the privacy of protected health information.

2. When making a use or disclosure that otherwise is permitted or required under these policies Refuge, Inc. shall make reasonable efforts to limit incidental uses or disclosures of protected health information.

3. Refuge, Inc. shall safeguard protected health information against any use or disclosure that violates the standards and regulations of HIPAA.

4. In accordance with 42 C.F.R. alcohol and other drug resident records are subject to the following confidentiality conditions: this agency complies with these requirements.

• Program staff shall not convey to a person outside of the program that the resident receives services from the program or disclose any information identifying a resident as an alcohol or drug services resident unless the resident consents in writing for the release of information, the disclosure is allowed by court order, or the disclosure is made to qualified personnel for a medical emergency, research, audit, or program evaluation purposes

• Federal laws and regulations do not protect any threat to commit a crime, any information about a crime committed by a resident either at Refuge, Inc. or against any person who works for Refuge, Inc.

• Federal laws and regulations do not protect any information about suspected child abuse or neglect from being reported under State law to appropriate State or Federal authorities.

Policy: It is the policy of Refuge, Inc. to protect the confidentiality and integrity of confidential medical information as required by HIPAA regulations, professional ethics, and accreditation requirements.

Procedures:

1. Refuge, Inc., its officers, agents, and employees will send health information by facsimile or electronic mail only when the original record or mail delivered copies will not meet the needs of immediate resident care.

2. Employees may transmit health records by facsimile or electronic mail only when urgently needed for patient care or required by a third-party payer for ongoing certification of payment for a patient.

3. Employees must limit information transmitted to that necessary to meet the requester’s needs.

4. Except as authorized by law, a properly completed and signed authorization must be obtained before releasing patient information.

5. Personnel may not send a fax or electronic mail message containing especially sensitive medical information, including, but not limited to, AIDS/HIV information, mental health, and developmental disability information, alcohol and drug abuse information, and other sexually transmissible disease information without the express authorization of the Executive Director.

6. The cover page accompanying the facsimile transmission must include the confidentiality notice.

7. Fax machines must be in secure areas, and the ED may limit access to them.

8. Personnel must report any misdirected faxes or electronic mail messages to the ED.

Policy: Refuge, Inc. may use or disclose protected health information to carry out Refuge, Inc.’s own treatment, payment, or related operations.

Procedure:

1. Refuge, Inc. may use or disclose protected health information for the treatment activities of another health care provider.

2. Refuge, Inc. may use or disclose protected health information to another covered entity or health care provider for the payment activities of the entity that receives the information.

3. Refuge, Inc. may use or disclose protected health information to another covered entity or health care provider for the health care operations activities of the entity that receives the information, provided that both Refuge, Inc. disclosing the information and the entity receiving the information has or had a relationship with the individual who is the subject of the protected health information, the protected health information pertains to such relationship, and the disclosure is for the purpose of:

• Quality assessment or improvement activities; OR

• Population-based activities related to improving health or reducing health care costs;

• Protocol development: OR

• Case management and care coordination; OR

• Contacting of health care providers and residents with information about treatment alternatives; OR Reviewing the competence or qualifications of health care professionals; OR

• Evaluating provider performance; OR

• Conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills; OR

• Training of non-healthcare professionals; OR

• Accreditation, certification, licensing, or credentialing activities; OR

• Health care fraud and abuse detection or compliance

4. Refuge, Inc. shall make a good faith effort to obtain the individual’s written acknowledgment of receipt of the Notice of Privacy Practices. In routine care, this shall be done at the time the Notice of Privacy Practices is given to the individual, at the time Refuge, Inc. first sees the resident.

5. Refuge, Inc. is not required to make a good faith effort to obtain the individual’s written acknowledgment of receipt of the Notice of Privacy Practices in emergency treatment situations but is encouraged to do so as soon as practicable after the emergency situation is resolved.

6. Refuge, Inc. may choose to obtain written authorization from the individual.

7. Psychotherapy notes may not be disclosed under the provisions of this policy. A separate authorization would be required for their use or disclosure.

Purpose

1. Refuge, Inc. shall not use or disclose protected health information without completion of Release of Information form and other valid authorization except as otherwise permitted or required under law.

Policy

1. Upon receipt of a valid authorization, (Release of Information) Refuge, Inc. will ensure that any use of disclosure of protected health information is consistent with such authorization.

2. An authorization (Release of Information) is not valid, if any one of the following are true:

• The expiration date has passed;

• Refuge, Inc. knows the expiration event has occurred;

• Refuge, Inc. knows the authorization has been revoked; Any required element is not included;

• Any information required in the authorization is not filled out completely;

• Refuge, Inc. knows that any information in the authorization is false.

3. These authorizations are for any use or disclosure of protected health information for purposes other than treatment, payment, or related health care operations.

4. Proper utilization of a Release of Information will grant permission for Refuge, Inc., another agency, organization or individual to release the appropriate personal resident information for a time period not to exceed ninety days.

5. Upon release of information, Refuge, Inc.’s staff should respond with:

• Documentation in the resident's account of disclosures and a copy of a cover letter explaining the information forwarded;

• Release of only specific information requested in compliance with HIPAA minimum necessary requirements if applicable;

• The date and name of the person or agency to whom information was released;

• Signature of the staff member releasing the protected health information;

• In most cases, a summary of relevant information will be the most optimal approach. Copies of entire records are not considered an acceptable means of supplying information.

6. An original copy of the request for release of information shall be maintained in the individual resident record. The information forwarded shall also be included in the ICR.

7. Staff shall not disclose information if there is reasonable doubt as to the validity of the consent form. For example, if it has been over ninety days since the resident’s signature, if the signature is not an original, if the signature is not witnessed or parts of the document appear unofficially altered.

8. When requesting information from other sources, the agency should specify exactly what information is to be disclosed before the resident adds his/her signature to the Request for Information form.

9. The staff member requesting information shall complete a cover letter to accompany the request form which further explains what information is needed and why, a copy of which will also be forwarded to the resident's file.

10. In the case of a life-threatening situation, or where the individual’s condition or situation precludes the possibility of obtaining written consent, The Refuge, Inc. may release pertinent medical/clinical information to the medical personnel responsible for the individual’s care without the customer’s authorization and without administrative authorization from the Executive Director or the designee, if obtaining such authorization would cause an excessive delay in delivering treatment to the individual.

• In the event information has been released without initial authorization, the staff member responsible shall notify the Executive Director as well as enter documentation of all details pertinent to the situation in the ICR within 24 hours. This documentation shall include but be limited to:

o Date and time the information was released;

o Person’s name and title to whom the information was released;

o Justification for the release of the information;

o Reason written consent could not be duly obtained;

o Nature and details of the information given.

• After the release of such information, the resident shall be informed as soon as possible by the CFO that such information was released and was documented in the individual resident record.

Policy: Refuge, Inc. does not require residents to waive their rights in order to comply with HIPAA.

Procedure:

1. In compliance with HIPAA regulations, Refuge, Inc. shall not require residents to waive their rights concerning treatment, payment, or health care operations.

2. Any incidents of the above shall be reported immediately to the ED for corrective action and employee disciplinary measures.

Policy: The Refuge shall recognize the resident’s right to Protected Health Information

Procedure:

1. The resident has the right to access and obtain a copy of his/her own protected health information in a record for as long as the protected health information is maintained in the record, except as disallowed under policies. If the protected health is contained in more than one record set, the Refuge need only provide the protected health information once in response to the request for access.

2. The Refuge will require that the resident's request to access their records be made in writing.

3. The Refuge shall provide access, or deny access, in whole or in part according to the conditions specified under this policy.

4. The Refuge shall document the name of the person accessing the protected health information (e.g., the resident or personal representative), the date it is accessed, what information is accessed, and whether the person is provided a copy of the information.

5. The Refuge shall document in the records that are subject to access by individuals.

6. The Refuge shall document the titles of the persons responsible for receiving and processing the request for access by individuals.

7. The documentation required under this policy shall be retained, in written or electronic form, for at least six years from the date it was created.

8. The Refuge shall act on a request to protected health information that is maintained or accessible on-site within 30 days of receiving the request, whether by providing access or by informing the individual in writing.

9. If the request for access is for protected health information that is not maintained or accessible to the provider on-site, the Refuge shall act on the request within 60 days after receiving the request.

10. The Refuge may extend the allowed time for responding to the request by no more than 30 days if:

o The Refuge is unable to take action within the allowed time frame; AND

o The Refuge, within the allowed time frame, will provide a written statement of the reasons for the delay and the date by which the provider will act on the request.

Policy: Resident access and amendment to his/her protected health

APPROVAL OF AMENDMENTS:

1. Refuge, Inc. shall permit the resident to amend his/her protected health information or a record about the resident for as long as the information is maintained in the designated record set, except as provided for in this policy.

2. Refuge, Inc. will require individuals to make requests for amendments in writing and to provide a reason to support a requested amendment, provided that he/she informs the individual in advance of such requirements.

3. If Refuge, Inc. grants the request to amend the record, the amended information is added to the record; the original information is not replaced or deleted.

4. Refuge, Inc. shall document the title of the person responsible for receiving and processing requests for amendment.

5. The documentation required under this policy shall be retained, in written or in electronic form, for at least six years from the date it was created.

DENIAL OF AMENDMENTS:

1. Refuge, Inc. may deny the individual’s request for amendment if it determines that the protected health information or record is accurate and complete.

2. Refuge, Inc. may deny the individual’s request for amendment if it determines that the protected health information or record was not created by the Refuge unless the individual provides a reasonable basis to believe that the originator of the protected health information is no longer available to act on the requested amendment.

3. Refuge, Inc. may deny the individual’s request for amendment if it determines that the protected health information or record is not part of the designated record set.

4. Refuge, Inc. may deny the individual’s request for amendment if it determines that the protected health information or record would not be available for inspection under the provision of the policy.

Policy: It is the policy of Refuge, Inc. to restrict its use upon the request of the resident. 

Procedure:

1. Residents may request that Refuge, Inc. restrict uses or disclosures of protected health information to carry out treatment, payment, or health care operations.

2. Individuals may request restrictions on disclosures to individuals who otherwise may be permitted access to certain protected health information.

3. Refuge, Inc. is not required to agree to a requested restriction.

4. If Refuge, Inc. agrees to a restriction, it is binding that Refuge, Inc. may not use or disclose protected health information in violation of the agreement unless otherwise allowed or required under this policy.

5. If the individual is in need of emergency treatment and restricted health information is needed for such treatment, Refuge, Inc. may use or disclose the restricted protected health information.

6. If restricted protected health information is disclosed to another health care provider as allowed for emergency treatment, Refuge, Inc. shall request that the other provider not make further use or disclosure of the information.

7. Refuge, Inc. shall not be bound to restrictions on uses or disclosures of protected health information when the disclosure is:

o To the individual, when requested under and required by Policies, OR

o Allowed under special conditions described in Policy, OR

o Allowed or required under Policy

8. Refuge, Inc. may terminate its agreement to a restriction if:

o The individual agrees to or requests the termination in writing, OR

o The individual orally agrees to the termination and the oral agreement is documented.

9. Refuge, Inc. may terminate its agreement to a restriction without the individual’s agreement if Refuge, Inc. informs the individual that it is terminating the restriction, but such termination is only effective with respect to protected health information created or received after the individual has been so informed.

10. Refuge, Inc. shall document any restriction to which it agrees and shall retain that documentation for at least six years from the date it was created.

Policy: It is the policy of Refuge, Inc. that all resident authorizations for use/disclosure must be singular and not combined with other authorizations or documents.

Procedure:

1. The authorization shall not be combined with any other document to create a compound authorization except as outlined in this policy.

2. An authorization for use or disclosure of protected health information for research may be combined with a consent to participate in the research or with any other authorization for the same research study.

3. An authorization for use or disclosure of psychotherapy notes may only be combined with another authorization for use or disclosure of psychotherapy notes.

4. An authorization may not be combined with other authorizations if treatment is conditional on the provision of that authorization.

5. Authorizations from multiple authorizations or consents that are contained in one record, shall be organized so that they are visually separate from one another and shall be separately signed and dated.

Policy: It is the policy of Refuge, Inc. to not individually identify PHI for creating information.

Procedure:

1. Refuge, Inc. may use protected health information to create information that is not individually identifiable health information.

2. Refuge, Inc. may disclose protected health information to a business associate for the purpose of creating information that is not individually identifiable health information.

3. Health information is not individually identifiable health information if it does not identify an individual, and there is no reasonable basis to believe it could be used to identify an individual.

4. Once the information has been properly re-identified, Refuge, Inc. may use or disclose it freely; it is no longer subject to the HIPAA regulations, provided that the conditions of it are met.

5. If de-identified information is re-identified, it is again considered protected health information and is subject to HIPAA regulations.

6. Protected health information may be converted to general health information that is not individually identifiable or protected if the following provisions of this policy are met.

7. The following information about the individual, relatives, employers, or household:

o Names.

o All geographic subdivisions smaller than the state, including street address, city, county, zip code, and their equivalent geocode.

o All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death.

o All ages over 89 and all elements of date (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.

o Telephone numbers;

o Fax numbers;

o Electronic mail addresses;

o Social security number;

o Medical record numbers;

o Health plan beneficiary numbers;

o Account numbers;

o Certificate/license numbers;

o Vehicle identifiers and serial numbers, including license plate numbers;

o Device identifiers and serial numbers;

o Web Universal Resource Locators (URLs);

o Internet Protocol (IP) Address Numbers;

o Biometric identifiers, including finger and voice prints;

o Full-face photographic images and any comparable images;

o Any other unique identifying number, characteristic, or code, except for a re- identification code.

8. Refuge, Inc. does not have actual knowledge that the remaining information could be used alone or in a combination of other information to identify the individual.

Policy: Refuge, Inc. shall provide a timely written record of all denials for record amendments.

Procedure:

1. Refuge, Inc shall provide to the individual a timely, written denial. The denial will be in plain language and contain:

o The basis for the denial; AND

o A statement that the individual may submit a written statement disagreeing with the denial; AND

o A statement that, if the individual does not submit a statement of disagreement, the individual may request that Refuge, Inc. include the request for amendment and the denial with any future disclosure of the protected health information that is subject of the requested amendment; AND

o A description of how the individual may complain to Refuge, Inc., including the name (or title) and telephone number of the contact person designated to receive complaints.

2. Refuge, Inc. shall accept the individual’s written statement of disagreement, if submitted, including the basis for the disagreement. Refuge, Inc. may reasonably limit the length of a statement of disagreement.

3. Refuge, Inc. will prepare a written rebuttal to the individual’s statement of disagreement. If this is done, Refuge, Inc. shall provide a copy to the individual who submitted the statement of disagreement.

4. Refuge, Inc. shall, as appropriate, identify the record or protected health information in the designated record set that is the subject of the disputed amendment and shall append or otherwise link:

o The individual’s request for the amendment; AND

o Refuge, Inc. denial of the request; AND

o The individual statement of disagreement, if any; AND

o Refuge, Inc. rebuttal, if any.

5. If a statement of disagreement has been submitted, Refuge, Inc. shall include those materials or a summary of such information, with any subsequent disclosure of the protected health information to which the disagreement relates.

6. If the individual has not submitted a written statement of disagreement, Refuge, Inc. may include the individual’s request for amendment and its denial, or an accurate summary of such information, with any subsequent disclosure of the disputed protected health information only if the individual has requested such action.

7. If Refuge, Inc. makes a subsequent disclosure of the disputed protected health information using a standard transaction that does not permit the additional material to be included, Refuge, Inc. may separately transmit the required material to the recipient of the standard transaction.

8. Refuge, Inc. shall act on a request for amendment no later than 60 days after the receipt of the request.

9. Refuge, Inc. may extend the allowed time for responding to the request no more than 30 days if:

o Refuge, Inc. is unable to take action within the allowed time frame: AND

o Refuge, Inc. within the allowed time frame, provides a written statement of the reasons for the delay and the date by which the provider will act on the request.

Procedure:

1. Refuge, Inc. may not combine an authorization for use or disclosure of clinical documentation not with another authorization for use or disclosure notes.

2. Clinical documentation may be used by the originator without authorization in the course of treatment.

3. Refuge, Inc. may use or disclose clinical documentation without authorization in its own training programs, in which students, trainees, or practitioners learn under the supervision to practice or improve their skills in group, joint, family, or individual counseling.

4. Refuge, Inc. may use or disclose clinical documentation without authorization to defend itself in a legal action or other proceeding brought by the individual who is the subject of the psychotherapy notes.

5. Refuge, Inc. may use or disclose clinical documentation to the Secretary of Health and Human Service without authorization as required to comply with an investigation of Refuge, Inc. compliance with the HIPPA regulations.

6. Refuge, Inc. may disclose clinical documentation without authorization to a public health authority or other appropriate government by law to receive reports of child abuse or neglect.

7. Refuge, Inc. may disclose clinical documentation without authorization when required by law, so long as the disclosure is limited to the relevant of such law.

8. Refuge, Inc may, consistent with applicable laws and standards or ethical conduct, use or disclosure Clinical documentation if, in good faith, Refuge, Inc. believes the use of disclosure:

o Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; AND

o Is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.

9. Refuge, Inc. may use or disclose clinical documentation to a health oversight agency for health oversight activities authorized by law when such oversight applies to the originator of the psychotherapy notes.

10. Refuge, Inc. may use or disclose clinical documentation to a coroner medical examiner for the purpose of identifying a deceased person, determining the cause of death, or other duties as authorized by law.

11. Refuge, Inc. may continue to use or disclose clinical documentation pursuant to consent, authorization, or other expressed legal permission if such permission was obtained prior to the HIPPA compliance date.

12. If, after the HIPAA compliance date, Refuge, Inc. agrees to restriction on the use or disclose of psychotherapy notes as required by the individual, Refuge, Inc. shall comply with that restriction regardless of any pre-existing consent, authorization, or other expressed legal permission.

13. Refuge, Inc. is permitted to use or disclose protected health information without regard to the minimum necessary requirement under the provisions of this policy.