OUR DUTIES TO YOU REGARDING PROTECTED HEALTH INFORMATION
“Protected health information” is individually identifiable health information. This information includes demographics, for example, name, age, address, social security number, and relates to your past, present, or future physical or mental health or condition and related health care services. NDTC is required by law to do the following:
– Make sure that your protected health information is kept private.
– Give you this notice of our legal duties and privacy practices related to the use and disclosure of your protected health information.
– Follow the terms of the notice currently in effect.
– Communicate any changes in the notice to you.
To avert threat to health or safety: In order to avoid a serious threat to health or safety, we may disclose PHI to law enforcement when a threat is made to commit a crime on the program premises or against program personnel.
YOUR RIGHTS REGARDING YOUR HEALTH INFORMATION
You may exercise the following rights by submitting a written request or electronic message to the NDTC Privacy Officer. Please be aware that the NDTC might deny your request; however, you may seek a review of the denial.
Right to Inspect and Copy
You may inspect and obtain a coy of your protected health information that is contained in a “designated record set” for as long as we maintain the protected health information. A designated record set contains medical and billing records and any other records that the NDTC uses for making decisions about you. We must provide you with access to your personal health information in the form or format requested by you, if it is readily producible in such form or format, or, if not, in a readable hard copy form or such other form or format. We may provide you with a summary of the personal health information or may provide an explanation of the personal health information to which access has been provided. If you request a copy of your personal health information or agree to a summary or explanation of such information, we may charge a reasonable cost-based fee for copying, postage, if you request a mailing, and the costs of preparing an explanation or summary as agreed upon in advance.
This right does not include inspection and copying the following records: information compiled in reasonable anticipation of, or use in civil, criminal, or administrative action or proceeding; and protected health information that is subject to law that prohibits access to protected health information.
Right to Request Restrictions
You may ask us not to use or disclose any part of your protected health information for treatment, payment, or health care operations. Your request must be made in writing to the NDTC Privacy Officer. In your request, you must tell us (1) what information you want restricted; (2) whether you want to restrict our use, disclosure, or both; (3) to whom you want the restriction to apply, for example, disclosures to your spouse; and (4) an expiration date.
If NDTC believes that the restriction is not in the best interest of either party, or NDTC cannot reasonably accommodate the request, NDTC is not required to agree. If the restriction is mutually agreed upon, we will not use or disclose your protected health information in violation of that restriction, unless it is needed to provide emergency treatment. You may revoke a previously agreed upon restriction, at any time, in writing.
Right to Request Confidential Communications
You may request that we communicate with you using alternative means or at an alternative location. We will not ask you the reason for your request. We will accommodate reasonable requests, when possible.
Right to Request Amendment
If you believe that the information we have about you is incorrect or incomplete, you may request an amendment to your protected health information as long as we maintain this information. We have the right to deny your request for amendment, if: (1) we determine that the information or record that is the subject of the request was not created by us, unless you provide a reasonable basis to believe that the originator of the information is no longer available to act on the requested amendment; (2) the information is not part of your designated record set maintained by us; (3) the information is prohibited from inspection by law; or (4) the information is accurate and complete. We may require that you submit written requests and provide a reason to support the requested amendment.
If we deny your request, we will provide you with a written denial stating the basis of the denial, your right to submit a written statement disagreeing with the denial and description of how you may file a complaint.
Right to an Accounting of Disclosures
You may request that we provide you with an accounting of the disclosures we have made of your protected health information. This right applies to disclosures made for purposes other than treatment, payment, or health care operations as described in the Notice of Privacy Practices. The disclosure must have been made after April 14, 2003, and no more than 6 years from the date of request. This right includes disclosures made to you, for patient/client directory, to family members or friends involved in your care, or for notification. The right to receive this information is subject to additional exceptions, restrictions, and limitations as described earlier in this notice.
Right to Obtain a Copy of this Notice
You may obtain a paper copy of this notice from the NDTC and/or an electronic copy by email upon request.
FEDERAL PRIVACY LAWS
This NDTC Notice of Privacy Practices is provided to you as a requirement of the Health Insurance Portability and Accountability Act (HIPAA). There are several other privacy laws that also apply including the Freedom of Information Act, the Privacy Act, and the
Alcohol, Drug Abuse, and Mental Health Administration Reorganization Act. See 42 U.S.C., 290 DD-3 and 42 U.S.C. 290 EE-3 for federal laws and 42 CFR Part 2 for federal regulations. These laws have not been superseded and have been taken into consideration in developing out policies and this notice of how we will use and disclose your protected health information.
Summary of 42 CFR Part 2
42 CFR Part 2 (“Part 2”) is a federal regulation that requires substance abuse disorder treatment providers to observe privacy and confidentiality restrictions with respect to patient records. The HIPAA Privacy Rule also limits use and disclosures of information
found in patient records.
Regulations That Apply to Substance Abuse Disorder Treatment Programs
Substance abuse disorder treatment programs are subject to the privacy regulations imposed under 42 CFR Part 2, AND the HIPAA Privacy Rule. Covered entities must comply with each. When one regulation imposes a stricter standard than the other, the covered entity must follow the stricter standard. Generally, 42 CFR Part 2 imposes more strict standards than does HIPAA.
42 CFR Part 2’s general rule places privacy and confidentiality restrictions upon substance use disorder treatment records.
Under the Part 2 general rule, providers may not disclose information in a substance abuse disorder (SUD) patient’s record, unless the provider can either obtain consent, or identify an exception to the general rule that specifically authorizes the disclosure.
As noted above, SUD medical record information may be disclosed if the patient consents to the disclosure.
Substance abuse disorder treatment programs most often make disclosures after a patient has signed a consent form that meets the requirements of 42 CFR Part 2. In light of HIPAA, a Part 2 consent form must include the following elements:
• Name or general designation of the program or person permitted to make the disclosure;
• Name or title of the individual or name of the organization to which disclosure is to be made;
• Name of the patient;
• Purpose of the disclosure;
• How much and what kind of information is to be disclosed;
• Signature of the patient (and, in some states, a parent or guardian);
• The date on which signed consent is given;
• A statement that the consent is subject to revocation at any time except to the extent that the program has already acted on it; and
• The date, the event, or condition upon which consent will expire if consent has not been previously revoked.
In addition, when substance abuse disorder programs operating under Part 2 disclose information pursuant to a consent form, they must include a written statement that the information cannot be redisclosed.
If consent cannot be obtained, a provider must rely upon a Part 2 exception permitting disclosure. Under Part 2, exceptions permitting disclosures include:
• When there is a patient medical emergency.
• When state law requires the reporting of incidents of suspected child abuse and neglect to the appropriate state or local authorities.
• When there are communications from part 2 program personnel to law enforcement agencies or officials which are directly related to a patient’s commission of a crime on the premises of the part 2 program or against part 2 program personnel, or to a threat to commit such a crime.
• When an individual determined by the part 2 program to be qualified to conduct an audit or evaluation of the part 2 program, or other lawful holder, is conducting an audit or evaluation that encompasses record review.
• Research requests.
• When communications between a part 2 program and a qualified service organization of information are needed by the qualified service organization to provide services to the program.
• When a valid court order authorizing disclosure and use of patient records is issued.
Differences Between When Disclosures Can be Made Under Part 2, and When Disclosures Can be Made Under HIPAA
There are two main differences between Part 2 substance abuse disorder disclosure limitations and the HIPAA Privacy Rule disclosure limitations. The HIPAA Privacy Rule permits disclosures without patient consent for treatment, payment, or healthcare operations. However, for patients with substance abuse disorders, such disclosures may lead to stigma and discrimination by healthcare providers, the potential loss of insurance, and even loss of employment.
As noted above, Part 2 substance use disorder treatment regulations require either that a patient consent, or that the disclosure be permitted under a specific exception. The two regulations also differ in the amount of privacy protections afforded or patient records in criminal and civil legal proceedings. Under HIPAA, a HIPAA-covered health care provider or health plan may share protected health information if it has a court order, or, if it receives a valid subpoena from a party to the litigation requesting medical records. Part 2’s requirements are much stricter. Part 2 requires that a specific court order authorize disclosure of SUD records. Persons having a legally recognized interest in the disclosure – and only those persons – may apply for the court order.
If you believe these privacy rights have been violated, you may file a written complaint with the NDTC Privacy Officer, 6694 Taylor Rd, Clinton, OH 44216, or with Secretary of the U.S. Department of Health and Human Services at 200 Independence Avenue, SW, Washington D.C. 20201. A complaint must be received by us or filed with the Secretary of DHHS within 180 days of when you knew or should have known that the act or omission complained of occurred. No retaliation will occur against you for filing a complaint.
You may contact the NDTC Privacy Officer for further information about the complaint process, or for further explanation of this document.
This notice is effective in its entirety as of April 14, 2003.