DePaul Community Resources Community Based Services Notice of HIPAA Privacy Practices

Effective 08/30/2018

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

If you have any questions about this Notice please contact the Security and Privacy Officer (hereafter referred to as Privacy Officer) for DePaul Community Resources at 540-265-8923.

This Privacy Notice is provided to you on behalf of DePaul Community Resources, Inc. (“DePaul”), as a requirement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). This Notice describes how we may use and disclose your Protected Health Information (hereinafter, “PHI”) to carry out provision of services, payment or health care operations and for other purposes that are permitted or required by law. It also describes your rights to access and control your PHI in some cases. “Protected Health Information” means any recorded or oral information about you, including demographic data, that may identify you, that is created or received by DePaul, and that relates to your past, present or future physical or mental health or condition, the provision of health care to you, or payment for the provision of health care to you.'

OUR PLEDGE REGARDING MEDICAL INFORMATION:

We understand that PHI about you is confidential. We are committed to protecting the privacy of your PHI. We create a record of the services you receive to provide you with quality services and to comply with the law. This Notice applies to all PHI generated or received by our Agency.

WE ARE REQUIRED BY LAW TO:

• Make sure that your PHI is kept confidential;
• Give you this Notice of our legal duties and privacy practices with respect to PHI about you;
• Abide by the terms of the Notice as currently in effect; and
• Notify you in the event that there is a breach of your unsecured PHI.

I. THE ORGANIZATIONS AND PEOPLE COVERED BY THIS NOTICE

This Notice describes DePaul’s practices, which extend to:

• Any social /case work or support staff authorized to enter information into your records maintained by DePaul (including social workers, clinicians, case aides, mentors, support staff and finance department staff);
• All locations of DePaul and all areas of each location (front desk, administration, billing and collection, etc.);
• Any member of a volunteer group we allow to help you while you are a Service User;
• All employees, staff and other personnel that work for DePaul, including foster parents and sponsored residential providers;
• Our Business Associates with whom we have signed or will sign business associate agreement as required by HIPAA.

II. USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION

The following describes different ways that we are permitted by HIPAA to use and disclose your PHI. For each category of uses or disclosures we will give some examples. Not every use or disclosure is listed, and the examples are not exhaustive. This explanation is provided for your general information only. Disclosure of your PHI for the purposes described in this Notice may be made in writing, orally, electronically (e-mail), by facsimile or by any other means.

A. PROVISION OF SERVICES, PAYMENT AND HEALTH CARE OPERATIONS

1. For Provision of Services.

We may use and disclose PHI about you to provide, coordinate or manage your services. This includes the coordination or management of your care with a third party. We may disclose PHI about you to social workers, FAPT teams, doctors, nurses, therapists, or other personnel who are involved in taking care of you. For example, we may disclose your PHI to any social services office, health care provider or other referral source who has referred you to us for services. We may also disclose PHI about you for provision of services activities of other health care providers. For example, if your doctor determines that you need to be seen by a DePaul clinician for services, we may send him a report of our diagnostic findings and our plan of treatment to assist him in providing you with care. Different departments of DePaul also may share PHI about you in order to coordinate the different things you need, such as provision of adult residential services, foster care, mentoring services, community-based services, day support and other services.

2. For Payment.

We may use and disclose PHI about you so that the services you receive at DePaul may be billed to, and payment may be collected from, you, an insurance company or other third party. For example, we may need to give your health plan information about services you received so they will pay us for the services. We may also tell your health plan about a service you are going to receive in order to obtain prior approval or to determine whether your plan will cover the service. We may also disclose PHI to another provider involved in your care for the other provider’s payment activities. This might include disclosures of demographic information to other providers for payment of their services.

3. For Health Care Operations.

We may use and disclose PHI about you for our own operations. These uses and disclosures are necessary to run DePaul and provide quality services to all our Service Users. For example, we may use PHI to review our provision of services and to evaluate the performance of our staff in caring for you. We may combine PHI about many of our Service Users to decide what additional services we should offer, what services are not needed, and whether certain new services are effective. We may also disclose information to DePaul personnel for training programs. We may combine the PHI we have with PHI from other providers to compare how we are doing and see where we can make improvements in the care and services we offer. We may sometimes remove information that identifies you from this set of PHI so others may use it to study health care and health care delivery without learning who the specific Service Users are. We may also provide your PHI to our accountants, attorneys, consultants, and others in order to operate DePaul and to make sure we are complying with the laws that affect us.

We may also disclose PHI to another covered entity for certain health care operations of that entity, if the entity either has or had a relationship with you, such as a treatment relationship, and if the PHI pertains to such relationship. Such disclosure is limited to certain activities of the other entity, including quality assessment and related activities, protocol development, care coordination, contacting health care providers and patients with information about treatment alternatives, and reviewing the competency and qualifications of our professionals. We may use or disclose your PHI in order for third party "business associates" to perform various activities involving treatment, payment or operations on behalf of DePaul. However, whenever an arrangement between DePaul and a business associate involves the use or disclosure of your PHI, we will have a written contract, as and when required by law, that contains terms to protect the privacy of your PHI.

B. USES AND DISCLOSURES BEYOND PROVISION OF SERVICES, PAYMENT, AND HEALTH CARE OPERATIONS PERMITTED WITHOUT AUTHORIZATION OR OPPORTUNITY TO OBJECT

Federal privacy rules allow us to use or disclosure your PHI without your permission or authorization for a number of reasons including the following:

1. Treatment Alternatives.

We may use and disclose PHI about you to tell you about or recommend possible treatment options or alternatives that may be of interest to you.

2. Health-Related Benefits and Services.

We may use and disclose PHI about you to tell you about health-related benefits or services that may be of interest to you. For example, we may send you a packet of information and registration forms prior to your first appointment with one of our providers.

3. Appointment and Service User Recall Reminders.

We may use and disclose PHI about you to contact you as a reminder you have an appointment at DePaul or that you are due to receive periodic care. This contact may be by phone, in writing, automated appointment system, e-mail, or otherwise and may involve leaving an email, message over an answering machine or which could (potentially) be received or intercepted by others.

4. As Required by Law.

We may disclose PHI about you when required to do so by, and if we limit the disclosure as required by, federal, state, or local law.

5. To Avert a Serious Threat to Health or Safety.

We may use and disclose limited PHI about you when we believe it is necessary to prevent a serious threat to your health or safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.

6. Public Health Activities.

We may disclose PHI about you to a public health authority for public health activities. These activities generally include the following:

• To prevent, control, or report disease, injury or disability;
• To report vital events such as births and deaths;
• To report child abuse or neglect;
• To report reactions to medications or problems with products, track FDA regulated products, enable product recalls, repairs or replacements and to conduct post marketing surveillance;
• To notify people of recalls of products they may be using;
• To notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition.

7. Emergency Situations.

We may disclose PHI about you to an organization assisting in a disaster relief effort or in an emergency situation so that your family or others can be notified about your general condition, location, or death.

8. Victims of Abuse, Neglect and Domestic Violence.

We may use and disclose PHI about you to notify the appropriate government authorities if we believe you have been a victim of abuse, neglect or domestic violence, but we will only make this disclosure; (i) if you agree; (ii) when required by law; or (iii) when authorized by law and certain other conditions are met.

9. Health Oversight Activities.

We may disclose PHI to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections and licensure. These activities are necessary for the government to monitor the health care system, government programs and compliance with civil rights laws and other activities necessary for oversight of the health care system, government benefit payments and entities subject to government regulation. This does not include disclosure for investigations or other activities in which you are a subject of the investigation and which do not arise out of the receipt of health care, a claim for public health benefits or the qualification for receipt of public health benefits or services.

10. Lawsuits and Administrative Proceedings.

We may disclose PHI about you in response to a court or administrative order. We may also disclose PHI pursuant to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made by the party requesting the information to tell you about the request or to obtain an order protecting the information requested. We may also use such information to defend ourselves or any personnel of DePaul in any actual or threatened action.

11. Law Enforcement Purposes.

We may disclose PHI if asked to do so by a law enforcement official:

• In response to a court order, subpoena, warrant, summons, grand jury subpoenas or similar process;
• To identify or locate a suspect, fugitive, material witness, or a missing person;
• About the victim of a crime if the individual agrees and, under certain limited circumstances, where we are unable obtain the person’s agreement;
• About a death we believe may be the result of criminal conduct;
• About criminal conduct at DePaul;
• In emergency circumstances to report a crime, the location of the crime or victims, or the identity, description or location of the person who committed the crime; or
• About certain types of wound or physical injuries as required by law.

12. Incidental Disclosures.

We may disclose PHI about you incidental to otherwise permitted or required disclosures. For example, we may ask you to sign a signin sheet when you arrive for an appointment at DePaul as an incident to the provision of services process.

13. To the Secretary of the Department of Health and Human Services.

We are required to disclose PHI about you when requested by the Secretary of the Department of Health and Human Services in order to investigate or determine our compliance with HIPAA.

14. Military and Veterans.

If you are a member of the armed forces, we may disclose PHI about you as required by military command authorities in certain situations. We may also disclose PHI about foreign military personnel to the appropriate foreign military authority.

15. Worker’s Compensation.

We may disclose PHI about you for workers’ compensation or similar programs as required by law. These programs provide benefits for work-related injuries or illness without regard to fault.

16. Victims of a Crime:

We may disclose your PHI if asked by a law enforcement official, if (i.) you are suspected to be a victim of a crime, (ii.) you agree to the disclosure or (iii.) we are unable to obtain your agreement because of incapacity or other emergency circumstances. However, the law enforcement official must represent that the information is needed to determine whether a violation of law by a person other than you has occurred, and the information is not intended to be used against you, that immediate law enforcement activity depends on the disclosure and would be materially and adversely affected by waiting until you are able to agree, and we determine that the disclosure is in your best interest in the exercise of professional judgment.

17. Coroners, Medical Examiners and Funeral Directors.

We may disclose PHI to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death or for the coroner or medical examiner to perform other duties authorized by law. We may also disclose PHI about patients of DePaul to funeral directors as necessary to carry out their duties.

18. National Security and Intelligence Activities.

We may disclose PHI about you to authorized federal officials, so they may conduct intelligence, counterintelligence and other activities authorized by the National Security Act.

19. Protective Services for the President and Others.

We may disclosure PHI about you to authorized federal officials, so they may provide protection to the President, other authorized persons or foreign heads of state or conduct special investigations.

20. Inmates.

If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may disclose PHI about you to the correctional institution or law enforcement official. This disclosure may be necessary (i.) for the institution to provide you with health care; (ii.) to protect your health and safety or the health and safety of others; or (iii.) for the safety and security of the correctional institution.

21. Research.

Under certain circumstances, we may use and disclose PHI about you for research purposes regarding medications, efficiency of treatment protocols and the like. All research projects are subject to an approval process, which evaluates a proposed research project and its use of PHI. Before we use or disclose PHI for research, the project will have been approved through this research approval process by an Institutional Review Board (“IRB”) or a Privacy Board. We will obtain an Authorization from you before using or disclosing your individually PHI unless the authorization requirement has been altered or waived by the IRB or Privacy Board. If reasonably possible, we may make the information non-identifiable to a specific patient. If the information has been sufficiently de-identified, an Authorization for the use or disclosure is not required. If we obtain certain representations from the researcher, we may use and disclose PHI about you for the researcher to prepare protocols preparatory to research.

C. USES, AND DISCLOSURES PERMITTED WITHOUT AUTHORIZATION BUT WITH YOUR OPPORTUNITY TO OBJECT.

1. Disclosures to Family, Friends or Others Involved in Your Case.

We may disclose your PHI to your family members, to a close personal friend or other person that you identify if it is directly relevant to the person’s involvement in your care or payment related to your care. We may also disclose PHI concerning your location, condition or death in connection with trying to locate or notify family members or others involved in your care. Generally, we will obtain your verbal agreement before using or disclosing PHI in this way. However, under certain circumstances, such as in an emergency situation, we may make these uses and disclosures without your express agreement if we feel, in the exercise of professional judgment, that it is in your best interest.

2. Objection to Disclosures.

You may object to these disclosures by indicating the names and relationship of those individuals that you do not want to receive your PHI on the “Acknowledgement of Receipt of Notice of Privacy Practices” form, available from any of our offices. If you are present and do not object to these disclosures, or if you are present and we can infer from the circumstances that you do not object, or if you are not present or able to object and we determine, in the exercise of our professional judgment, that it is in your best interests for us to make disclosure of PHI that is directly relevant to the person’s involvement with your care, we may disclose your PHI for such purpose.

D. USES AND DISCLOSURES WHICH YOU MAY AUTHORIZE

1. Psychotherapy Notes.

We must obtain a valid authorization from you for any use or disclosure of psychotherapy notes, unless such use or disclosure is: (i.) necessary to carry out treatment, payment or health care operations; or (ii.) otherwise required by law.

2. Marketing.

We must obtain a valid authorization from you for any use or disclosure of your PHI for marketing purposes unless the marketing communication is in the form of a face-to-face communication; is a promotional gift of nominal value; or is a refill reminder or other communication regarding a drug or biological currently being prescribed.

3. Sale of PHI.

We must obtain a valid authorization from you for any use or disclosure of your PHI which results in a sale of your PHI for which DePaul receives financial remuneration.

Other uses and disclosures of PHI not described in this Notice or the laws that apply to us will be made only with your written authorization. If you provide us with a written authorization to use or disclose PHI about you, you may revoke that authorization, in writing, at any time to the extent that we haven't already taken any action relying on that authorization. If you revoke your authorization, we will no longer disclose PHI about you pursuant to that revoked authorization. You understand that we are unable to take back any disclosures we have already made with your authorization, and that we are required to retain our records of the services that we provided you.

III. SERVICE USER RIGHTS

THIS SECTION DESCRIBES YOUR RIGHTS AND THE OBLIGATIONS OF DePaul REGARDING THE USE AND DISCLOSURE OF YOUR PHI.

You have the following rights regarding PHI we maintain about you:

A. Right to Inspect and Copy.

You have the right to inspect and copy your PHI that is contained in a “designated record set.” A “designated record set” contains provision of services and billing records and any other records that DePaul uses for making decisions about your services and care. This does not include information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action; and PHI that is subject to a law that prohibits access to PHI or information which your doctor identifies as potentially harmful to you or others if it is released. To inspect and copy PHI in your designated record set, you must submit your request in writing to DePaul’s Privacy Officer, as identified on the last page of this Notice. If you request a copy of the information, we may charge a cost-based fee for the costs of copying, mailing or other supplies associated with your request. We will respond to you within 15 days after receiving your written request. We may deny your request to inspect or copy, in certain limited circumstances. If you are denied access to your PHI because a physician has determined it may be dangerous to you or another person, you may request that the denial be reviewed. Another licensed health care professional chosen by DePaul will review your request and the denial. In the alternative, you may choose another provider to review the material at your expense. We will comply with the outcome of that review. The designated professional will sign a statement that information determined to be harmful will be withheld, and the professional will share with you any and all information that is not determined to be a risk. The person conducting the review will not have participated in the first decision to deny your request.

B. Right to Amend.

If you feel that the PHI in your designated record set is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept by DePaul.

To request an amendment, your request must be made in writing and submitted to DePaul’s Privacy Officer. In addition, you must provide:

• The reasons for the request;
• A description of the problem – how the information is incorrect or incomplete;
• A description of the: 1) administrative information to be corrected; and/or 2) medical information to be amended including the source if known, date and provider of service;
• The specific wording to make the entry correct/complete;
• Identification of person(s) who need to be advised of the amendment, including contact information and authorization to advise them if necessary.

The request must be dated and signed by you. We will act on your request within 60 days of receiving your request. If we are unable to act on the request within the 60-day period, we may extend the time for action by no more than 30 days by providing you, within the initial 60 days, with a written statement of the reasons for the delay and the date by which we will complete our action on your request.

We may deny your request for an amendment if it is not made in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend information that:

• Was not created by us, unless the person or entity that created the information is no longer available to make the amendment;
• Is not part of the designated record set kept by or for DePaul;
• Is not part of the information which you would be permitted to inspect or copy; or
• Is accurate and complete.

Our written denial will state the reasons for the denial and explain your right to file a written statement of disagreement with the denial. If you don’t file one, you have the right to ask that your request and our denial be attached to all future disclosures of your PHI. If we approve your request, we will make the change to your PHI, tell you we have done it, and tell others whom you identify and authorize us to tell that need to know about the change to your PHI.

C. Right to an Accounting of Disclosures.

You have the right to request an accounting of certain disclosures of your PHI. This right applies to disclosures for purposes other than provision of services, payment or health care operations as described in this Notice. We are also not required to account for disclosures made to you, disclosures that you agreed to by signing an authorization, disclosures for a facility directory, to friends or family members involved in your care, incidental disclosures, or certain other disclosures we are permitted to make without your authorization.

To request this accounting of disclosures, you must submit your request in writing to DePaul’s Privacy Officer, as identified on the last page of this Notice. Your request must state a time period, which may not be longer than six years and may not include dates before April 14, 2003. Your request should indicate in what form you want the list (for example, on paper or electronically). The first list you request within a 12-month period will be free. For additional lists, we may charge you for the costs involved and you may choose to withdraw or modify your request at that time, before any costs are incurred. We will respond within 60 days of receiving your request. If we are unable to respond within the 60-day period, we may extend the period for up to an additional 30 days if we send you a written statement of the reasons for the delay within the initial 60-day period. In certain situations, we are required by HIPAA to temporarily suspend your right to receive an accounting of disclosures.

D. Right to Request Restrictions.

You have the right to request a restriction or limitation on the PHI we use or disclose about you for provision of services, payment, or health care operations. You also have the right to request a limit on the PHI we disclose about you to someone who is involved in your care, like a family member or friend or for notification purposes. For example, you could ask that we not use or disclose PHI about a particular treatment or service that you had.

We are not required to agree to your request, except for disclosures to a health plan which would have been made in the course of carrying out DePaul's payment or healthcare operations and pertain solely to a healthcare item or service for which DePaul has been paid out-of-pocket in full. If we do agree, we will comply with your request unless the information is needed to provide you emergency provision of services or unless the information is required to be disclosed by law.

To request such restrictions, you must make your request in writing to DePaul’s Privacy Officer, as identified on the last page of this Notice. In your request, you must tell us (i.) what information you want to limit; (ii.) whether you want to limit our use, disclosure or both; and (iii.) to whom you want the limits to apply, for example, disclosures to your parents or siblings.

We may terminate our agreement to a restriction, except for a restriction relating to disclosures to a health plan which would have been made in the course of carrying out DePaul's payment or healthcare operations, and pertain solely to a healthcare item or service for which DePaul has been paid out ofpocket in full, if:

• You agree to or request the termination in writing;
• You orally agree to the termination and the oral agreement is documented; or
• We inform you that we are terminating the agreement, except that such termination is only effective with respect to protected health information created or received after we have so informed you.

E. Right to Request Alternate Communications.

You have the right to request that we communicate with you about services in a certain way or at a certain location. For example, you can ask that we only contact you at home or by mail or that we not leave voice mail or email.

To request confidential communications, you must make your request in writing to DePaul’s Privacy Officer, as identified on the last page of this Notice. We will not ask you the reason for your request. We will accommodate all reasonable requests so long as we can easily provide it in the format you requested. Your request must specify how or where you wish to be contacted.

F. Right to a Paper Copy of this Notice.

You have the right to a paper copy of this Notice. You may ask us to give you a copy of this Notice at any time. Even if you have agreed to receive this Notice electronically, you are still entitled to a paper copy of this Notice. You may also view a copy of this Notice on our web site at www.depaulcr.org.

G. The Right to Get This Notice by E-mail.

You have the right to get a copy of this Notice by e-mail. Even if you have agreed to receive this Notice via e-mail, you also have the right to request a paper copy of this Notice. To obtain a paper copy of this Notice contact DePaul’s Privacy Officer as identified on the last page of this Notice.

IV. CHANGES TO THIS NOTICE

We reserve the right to change this Notice at any time. We reserve the right to make the revised or changed Notice effective for PHI that we already have about you as well as any such information we receive in the future. We will post a copy of the current Notice in DePaul’s office locations. The Notice will contain on the first page, in the top right-hand corner, and at the end of the Notice, the effective date. In addition, each time you register at, or are admitted to, DePaul for services, you may request a copy of the current Notice in effect. You may also view a copy of the current Notice on our web site at www.depaulcr.org.

V. COMPLAINTS

If you believe your privacy rights have been violated, you may file a complaint with DePaul or with the Secretary of the Department of Health and Human Services. To file a complaint with DePaul, contact our Privacy Officer at 5650 Hollins Road, Roanoke, VA 24019, phone number 540-265-8923, extension 9507. All complaints must be submitted in writing and all complaints will be investigated.

You will not be retaliated against or penalized by us for filing a complaint.

VI. PRIVACY OFFICER

DePaul’s contact person for all issues regarding your rights under HIPAA is the Privacy Officer of DePaul. Information regarding matters covered by this Notice can be requested by contacting the Privacy Officer. She may be reached at:

Pat Grizzel Security and Privacy Officer DePaul Community Resources, Inc. 5650 Hollins Road Roanoke, VA 24019 540-265-8923 extension 9507

VII. EFFECTIVE DATE

Effective April 7, 2016. Amended on August 29, 2016. Revision effective 8/30/2018.

I acknowledge that I have read and received the DePaul Community Resources Notice of Privacy Practices documentation that was provided to me, in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). I understand that this information describes how DePaul may use and disclose Protected Health Information (PHI) to carry out provision of services, payment, or health care operations, and for other purposes that are permitted or required by law. It also describes my rights to access and control your PHI in some cases. I understand that if I have additional concerns or questions, I may contact the Security and Privacy for DePaul Community Resources at 540-265-8923.