Health Connections

HIPAA Policy

1. Privacy Notice:

At the first contact with a patient or personal representative, they shall receive our Privacy Notice.

2. Authorization to release patient information:

The Agency shall only release patient information if:

The patient signs a release of information form

Court Order

Medical Emergency

The patient commits or threatens to commit a crime against themselves or other people.

To release confidential information with a written consent, the release of information form must be completely filled out and signed by the patient. The patient has the right to limit the amount of information we may give out and revoke the consent at any time.

3. Revocation of a release of information:

A patient may request to revoke their consent at any time. Health Connections is not responsible for information given to other entities prior to granting the request for a revocation.

4. Access, designated record set, subject to access, authorization of request, and fee:

The staff shall have access to patient records. If the patient is granted access to their chart, they shall not view copies of their treatment notes unless a specific release of information is completed. A standard fee will be given to the patient for access to, and copying of, a chart, as well as staff time and resources needed to grant the request. All patients shall know in advance the fee and agree to pay the fee prior to receiving the patient information.

5. Accounting of Personal Healthcare Information

All patients have the right to request an accounting of personal healthcare information. This means that our Agency would have to account for all information given or received by other organizations. The Agency has sixty (60) days to complete the task. A standard fee will be agreed upon between our Agency and the patient prior to receiving the patient information.

6. Requests for confidential communications:

Confidential communications means the right to receive communication from our Agency at a patient-approved location, for example, an office, PO box, etc. All patients have the right to request their communication be sent to an alternative location. The patient will need to present our Agency with a written request for this service.

7. Identification of persons seeking disclosure of protected health information.

The Agency shall request photo identification of all persons requesting protected health information to verify their authenticity and authority to request the information.

If a request is mailed, or faxed to our Agency, signatures will be verified to ensure the proper person is requesting the information.

8. Safeguarding protected health information:

The Agency shall safeguard protected health information against intentional and unintentional misuse by requesting written authorization, photo identification, as well as correspondence to the patient to verify the request.

9. Complaint/Grievance Procedure:

All patients have a right to file a complaint or grievance in the event a patient believes our Agency is not complying with HIPAA regulations. The patient also has the right to file a complaint with the Secretary of the US Department of Health and Human Services. The patient must file a complaint in writing, either on paper or electronically, name the entity that is the subject of the complaint, and describe the acts believed to be a violation. The complaint must be filed within 180 days of when the complainant knew or should have known that the act occurred.

10. Restriction of Protected Health Information:

Patients have the right to request restrictions on the uses and disclosure of information. This includes a restriction on, but not limited to, content of information, persons to receive information, and length of time permitted to provide this information. The Medical Records clerk or the patient’s counselor will review all requests to accept or deny them.

11. Amendment to information:

Patients have the right to amend their protected health information if they believe an error has occurred. The Agency must respond to the request within sixty (60) days.

The Agency does not have to grant this request if our Agency did not create the information.

12. Requests for information by family and friends of the patient:

Family and friends of patients or health plan enrollees may request access to protected health information upon written request and our Agency accepting the requests.

The Agency must attempt to communicate with the patient to obtain written verification to release such information.

13. De-identifying patient information:

In the event that our Agency needs to release information to the public, our Agency will de-identify patient information to safeguard protected health information of the patient.

14. Facility Directory:

The Agency is permitted to maintain a facility directory containing all current patient names, levels of care, and counselor. Patients have the right to request not to be listed on the directory.

15. Sanctions for workforce violations:

The Agency has the right to sanction employees, interns, volunteers, and contract staff on violations of HIPAA privacy standards.

16. Mitigation and reporting of privacy problems:

The Agency shall mitigate, to the extent practicable, any harmful effect that is known to our Agency of a use or disclosure of protected health information in violation of its policies and procedures, or the requirements of this subpart by our Agency and its business associates.

17. Responding to business associate violations:

If our Agency discovers a business associate has difficulty maintaining HIPAA regulations, our Agency shall notify the entity. If the entity does not correct the difficulty, our Agency shall break the agreement with the entity and notify the Secretary of the Department of Health and Human Services. If our Agency is notified of a violation within our Agency, the Privacy Officer shall examine the violation and make appropriate corrections.

18. Training of HIPAA regulations:

All medical and professional staff, volunteers, interns and contract staff shall be trained on HIPAA regulations and tutored by department leaders on compliance of HIPAA regulations. The Privacy Officer shall oversee the privacy standards and compliance with HIPAA standards.

19. Fundraising and Marketing:

During the course of fundraising and marketing activities, our Agency must de-identify all patient demographic information.

Ready to prioritize yourself?

Taking the first step is often the hardest. We are here to make it as simple and comfortable as possible. Book a consultation for more information or to schedule an appointment.

We accept most major insurance providers including Health Connections

© 2026 Health Connections. All rights reserved.

Health Connections Counseling Services is fully accredited by the Ohio Department of Mental Health and Addiction Services (OMHAS) under State Certification parameters. Services are fully HIPAA-compliant.