HIPAA Notice

Policy Number: 1-002

Creation Date: 09/19/2020

Effective Date: 09/19/2020

Last Reviewed: 01/12/2023

Last Revision:

Next Review:

Owner: Michelle Hatfield

Chapter: 1

Current Status: Active

Confidentiality and HIPAA


State laws and regulations on confidentiality of mental health and addictive disease information, as well as other health information, govern Kindbridge, as defined herein. Kindbridge is also a “covered entity” as defined in, and as governed by, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and its regulations.

This policy is therefore applicable to any service or program that is a part of Kindbridge. All employees, agents, trainees, volunteers and contractors of Kindbridge shall abide by federal and state laws and regulations regarding confidentiality, relevant Kindbridge policies and procedures, and all federal laws regarding the disclosure and use of confidential and Protected Health Information (PHI).

Kindbridge providers, as defined herein, who are under contract or have a Letter of Agreement with Kindbridge have an independent duty to follow state confidentiality laws; if they are also covered entities under HIPAA, they have an independent duty to follow HIPAA and its regulations. If they also conduct certain types of business functions on behalf of Kindbridge, they are also Business Associates of Kindbridge and must comply with applicable provisions of the HIPAA Privacy and Security Rules through a Business Associate Agreement with Kindbridge. Business Associates must also have Business Associate Agreements with all applicable subcontractors.


The right of an individual to confidentiality and privacy of his or her healthcare information, including information about mental health or addictive disease, is protected by state laws and regulations and by federal laws and regulations. Individuals also have certain legal rights regarding their own records and information.

It is the policy of Kindbridge to ensure compliance with applicable state and federal laws and regulations regarding confidentiality and privacy. These laws and regulations govern topics including but not limited to:

  • Mental health information,
  • Addictive disease information,
  • Protected Health Information (PHI) as defined by HIPAA,
  • Rights of individuals regarding their protected health information,
  • Notice of Privacy Rights,
  • Disclosures of Protected Health Information,
  • Reporting of violations and breaches, and resulting sanctions,
  • Complaints,
  • Business Associates,
  • Accounting of disclosures,
  • AIDS confidential information,
  • Medicare or Medicaid information, and
  • Open Records Act requests.

When there is a conflict between state and federal law, Kindbridge shall seek legal counsel regarding the conflict. Generally, Kindbridge will follow the law which provides greater rights of the individual, or greater access by the individual to the individual’s PHI, or which provides the greatest protection of confidentiality and privacy. HIPAA does not supersede or negate more stringent federal and state laws, rules and regulations. In the event of an apparent conflict in laws, or between the confidentiality laws regarding any specific program and the terms of this policy, the responsible employee shall seek direction from legal services.

Unless otherwise specifically stated, Kindbridge policy and procedures regarding confidentiality do not compel or require disclosure of confidential or PHI. If there is an exception to the rule of confidentiality and a disclosure is allowed, such disclosure is not required unless a law, rule or regulation, or a Kindbridge policy or procedure states that the disclosure is required.


Unless a different meaning is required by the context, the terms as used in this policy and procedures and in all Kindbridge policies and procedures regarding confidentiality and HIPAA shall have the following meanings:

Accounting of disclosures – A history of when and to whom disclosures of PHI are made for purposes other than treatment, payment, and healthcare operations and certain other exceptions.

Advance directive for healthcare – A document voluntarily executed by an individual in accordance with official State law (for example, in Georgia, O.C.G.A. § 31-32-5). A living will or a durable power of attorney for healthcare may be an advance directive.

AIDS confidential information – Information which permits identification of an individual and discloses that the individual:

  • Has been diagnosed as having Acquired Immunodeficiency Syndrome (AIDS) or AIDS Related Complex (ARC),
  • Has been or is being treated for AIDS,
  • Has been determined to be infected with any type of Human Immunodeficiency Virus (HIV) as defined in Georgia law,
  • Has submitted to an HIV test,
  • Has had a positive OR a negative result from an HIV test,
  • Has sought and received counseling regarding AIDS, or
  • Has been determined to be a person at risk of being infected with AIDS.

Authorization – Permission by an individual or a person legally authorized to consent on the individual’s behalf, to the release or use of PHI relating to the individual.

Breach – The acquisition, access, use or disclosure of PHI in a manner not permitted by HIPAA or this policy which compromises the security or privacy of the PHI. See additional details at Reporting and Notification of Breaches and Confidentiality 1-003.

Business Associate – A person or entity who is not a member of Kindbridge’s workforce and who:

  1. On behalf of Kindbridge, creates, receives, maintains or transmits PHI for a function regulated under HIPAA, including but not limited to claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; patient safety activities as defined in this policy; billing; benefit management; practice management and repricing.
  2. Provides legal, actuarial, accounting, consulting, data aggregation, management, accreditation, or financial services to or for Kindbridge, which services involve the disclosure of PHI by Kindbridge or from another business associate of Kindbridge, to the business associate.
  3. A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to PHI to Kindbridge and that requires access on a routine basis to such PHI.
  4. A person that offers a personal health record to one or more individuals on behalf of Kindbridge.
  5. A subcontractor that creates, receives, maintains or transmits PHI on behalf of a Business Associate.

Clinical Record – A written record pertaining to an individual, including all medical records, progress notes, charts, admission and discharge data, and all other information recorded by a program or other entities responsible for an individual’s care and treatment or habilitation, and pertaining to the individual’s and treatment or habilitation. Such other information as may be required by rules and regulations of Kindbridge shall also be included. The clinical record may be maintained electronically.

Confidential – The property that data or information is private and is not made available or disclosed to persons who are not authorized to access such data or information.

Court – In the case of an individual who is a juvenile (see Interstate Commission link below for ages by State) the probate court for the county of residence of the individual or the county in which such individual is found, and, in the case of an individual who is under the mandated age, the juvenile court for the county of residence of the individual or the county in which such individual is found. (See link in Reference Materials Section at the end of the policy).

Covered Entity – A healthcare provider, health plan, or healthcare clearinghouse that transmits any health information in electronic form in connection with a HIPAA transaction; Kindbridge is a covered entity.

De-identified Information – Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.

Diagnosis – Any reference to an individual’s gambling, gaming, or to a condition which is identified as having been caused by that abuse (including but not limited to: depression, anxiety, personality disorder, obsessive-compulsive disorder (OCD), or bipolar disorder) which is made for the purpose of treatment or referral for treatment.

Direct Treatment Relationship – A treatment or service relationship between an individual and a healthcare provider that is not an indirect treatment relationship. In an indirect treatment relationship, the healthcare provider delivers healthcare to the individual based on the order of another healthcare provider and the healthcare provider typically provides services or products, or reports the diagnosis or results associated with the healthcare, directly to another healthcare provider, who provides the services or products or reports to the individual.

Disclosure – The release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information. Disclosure includes the affirmative verification of another person’s communication of individually identifiable health information, or the communication of any information from the record of an individual who has been identified. “Release” also means disclosure, for purposes of this policy.

Guardian – A person appointed by written court order to be legally responsible for the person of an adult or of a minor. The individual for whom a guardian is appointed is known as the “ward.” Whenever “individual” is used in confidentiality and HIPAA policies and procedures, a guardian is entitled to exercise the individual’s rights on behalf of the individual (ward). “Guardian” as used in this policy does not include a conservator or a guardian of property alone.

Health and Human Services (HHS) – The federal government department that has overall responsibility for implementing HIPAA.

Healthcare – Care, services, or supplies related to the health of an individual. Healthcare includes, but is not limited to, the following:

  1. Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body, and
  2. Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

Healthcare Agent – A person appointed by an individual to act for and on behalf of an individual, as set forth in an advance directive for healthcare executed by the individual.

Health Insurance Portability and Accountability Act of 1996 (HIPAA) – Public Law 104-191 – A Federal law that governs the use, access, and disclosure of PHI (see definition) regarding individuals. HIPAA gives HHS the authority to mandate the use of standards for the electronic exchange of healthcare data; to specify what medical and administrative code sets should be used within those standards; to require the use of national identification systems for healthcare consumers, healthcare providers, payers, and employers; to specify the types of measures required to protect the security and privacy of personally identifiable healthcare information; and to specify requirements for reporting breaches of HIPAA to HHS and others. As defined in Kindbridge confidentiality and HIPAA policies and procedures, HIPAA refers to the federal act and also to related federal regulations known as the Privacy Rule, the Security Rule, and regulations implementing the “Health Information Technology for Economic and Clinical Health Act” (“HITECH Act”), located at 45 CFR Parts 160, 162, and 164.

Health Plan – An individual or group plan that provides, or pays the cost of care. Health plan includes the following, singly or in combination:

  1. A group health plan,
  2. A health insurance issuer,
  3. A Health Maintenance Organization (HMO),
  4. Part A or Part B of the Medicare program,
  5. The Medicaid program,
  6. The Voluntary Prescription Drug Benefit Program under Medicare Part D,
  7. An issuer of a Medicare supplemental policy,
  8. An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers,
  9. The healthcare program for uniformed military services,
  10. The Veterans healthcare program under 38 U.S.C. chapter 17,
  11. The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS),
  12. The Indian Health Service program,
  13. The Federal Employees Health Benefits Program,
  14. The Medicare Advantage program,
  15. The Medicare+Choice program,
  16. A high-risk pool that is a mechanism established under State law to provide health insurance coverage or comparable coverage to eligible individuals, and
  17. Any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care.

Health plan excludes:

  1. Policies and plans for coverage of accident, disability income, liability and supplementary coverage, workers’ compensation, automobile medical payments, credit-only insurance, coverage for on-site medical clinics, any similar policies where medical care benefits are secondary to other insurance benefits, and
  2. A government-funded program (other than one listed in this definition):
    • Whose principal purpose is other than providing, or paying the cost of, healthcare, or
    • Whose principal activity is:
      • The direct provision of healthcare to persons, or
      • The making of grants to fund the direct provision of healthcare to persons.

Individual – Any person who is seeking, applying for, currently receiving, or formerly received treatment or services from Kindbridge or any of its programs or services, for mental illness, gambling, or addictive disease or co-occurring combinations thereof. For purposes of this Policy, “individual” means the person who is the subject of PHI.

Individually identifiable health information – Any information, including demographic information collected from an individual, that is (1) created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present or future payment for the provision of healthcare to an individual, and identifies the individual, or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual. Individually identifiable health information contains some or all of the following identifying elements:

    • Name,
    • All address information,
    • Zip codes,
    • E-mail addresses,
    • Dates (except year) directly related to an individual, including dates of birth, admission, discharge, death,
    • Age, if over 89 years,
    • Telephone numbers,
    • Fax numbers,
    • Social Security Number,
    • Medical record numbers,
    • Health plan beneficiary numbers,
    • Account numbers,
    • Certificate numbers,
    • License numbers,
    • Device identifiers,
    • URLs,
    • IP addresses,
    • Facial photographs,
    • Vehicle identifiers and serial numbers, including license plate numbers,
    • Any other unique identifying number, characteristic, or code, and
    • Biometric identifiers.

Limited Data Set – PHI that excludes the following direct identifiers of the individual or of relatives, employers or household members of the individual:

  1. Names,
  2. Postal address information, other than town or city, state, and zip code,
  3. Telephone numbers,
  4. Fax numbers,
  5. Electronic mail addresses,
  6. Social security numbers,
  7. Medical record numbers,
  8. Health plan beneficiary numbers,
  9. Account numbers,
  10. Certificate or license numbers,
  11. Vehicle identifiers and serial numbers, including license plate numbers, 
  12. Device identifiers and serial numbers,
  13. Web Universal Resource Locators (URLs),
  14. Internet Protocol (IP) address numbers,
  15. Biometric identifiers, including finger and voice prints, and
  16. Full face photographic images and any comparable images.

Minimum Necessary – The process of making reasonable effort to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.

Notice of Privacy Practice – A notice of the uses and disclosures of PHI that may be made by Kindbridge, and of the individual’s rights and Kindbridge’s duties regarding the individual’s PHI.

Person legally authorized to sign – A person authorized by law to give authorization for release of an individual’s PHI. These persons include: for minors, the parent, the court-appointed guardian or the court-appointed custodian; for adults, the court-appointed guardian of the person, if any. An individual may give his or her agent an advance directive that authorizes the agent to sign for release of the individual’s PHI, except for alcohol or drug information.

– HIPAA regulations protect an individual’s right to the privacy or confidentiality of his or her healthcare information to keep it from falling into the hands of people who are not legally authorized to obtain it. The HIPAA privacy regulations require healthcare providers to obtain a signed authorization to disclose PHI, unless otherwise authorized by applicable law or regulation.

Privacy Rule – Standards for Privacy of Individually Identifiable Health Information, which implement the privacy requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 at 45 C.F.R. parts 160 and 164.

Privileged – Protected by law from unauthorized disclosure. Privilege gives the legal right to an individual to prevent disclosure of communications between the individual and his or her: psychiatrist, licensed psychologist, or between an individual and his or her licensed clinical social worker, clinical nurse specialist in psychiatric or mental health, Licensed Professional Counselor or Licensed Marriage and Family Counselor during psychotherapy.

Protected Health Information (PHI) – All individually identifiable health information (e.g., name, diagnosis, medical record number, billing information, etc.) that is transmitted or maintained by a covered entity in any form or medium, including orally. See “individually identifiable health information,” above. PHI excludes education records covered by the Family Educational Rights and Privacy Act (FERPA) and employment records held by Kindbridge in its role as employer. PHI also excludes information regarding an individual who has been deceased for more than fifty (50) years; however, such information remains confidential and private under state law and under federal laws protecting confidentiality of alcohol and drug abuse patient records, and may not be disclosed without authorization or a legal exception to confidentiality.

Psychotherapy Notes – Notes recorded in any medium by a provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s clinical record. Psychotherapy notes exclude medication and prescription monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date.

Reasonable Cause – An act or omission in which Kindbridge or its Business Associate knew, or by exercising reasonable diligence would have known, that the act or omission violated the HIPAA Privacy Rule or Security Rule, but in which Kindbridge or the Business Associate did not act with willful neglect.

Records – Any information, whether recorded or not, received or acquired in connection with an individual’s treatment or services. “Records” includes administrative and other documentation (such as incident reports) that relates to and identifies an individual, regardless of whether it is part of the individual’s clinical record.

Workforce – Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for Kindbridge or its business associate, is under the direct control of Kindbridge or the Business Associate (as applicable), whether or not they are paid by Kindbridge or the Business Associate (as applicable).


  1. Kindbridge shall implement policies and procedures that are designed to comply with confidentiality laws and HIPAA. Policies and procedures shall be reasonably designed and take into account the size and type of activities that relate to PHI undertaken by Kindbridge.
  2. Kindbridge shall document confidentiality and HIPAA privacy policies and procedures, either in writing or in electronic form. Any change to a policy or procedure shall be documented. In addition to policies and procedures, any correspondence or other documents required to be created or maintained by Kindbridge under such policies and procedures shall be maintained in writing or electronically for six (6) years, or longer if required under other applicable laws, regulations or policies.
  3. Kindbridge shall have administrative, technical and physical safeguards to protect the privacy of PHI. Kindbridge must reasonably safeguard PHI to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.
  4. Kindbridge shall provide adequate notice to individuals of the uses and disclosures of PHI it may make. Kindbridge shall document its compliance with the notice requirements by retaining copies of the notices it issues. Kindbridge shall not require individuals to waive their rights as a condition of treatment, payment or eligibility for benefits.
  5. Kindbridge will establish and implement minimum necessary requirements for uses and disclosures of PHI. Kindbridge shall make reasonable efforts to limit PHI used, disclosed or requested from another covered entity to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.
  6. Kindbridge shall obtain a written Authorization for Release of Information from an individual before using or disclosing PHI relating to the individual for any purpose not otherwise permitted or allowed by confidentiality laws or HIPAA.
  7. Kindbridge shall maintain policies and procedures governing the form of authorization for release of information, and the procedures for making authorized disclosures. 
  8. Any disclosure authorized by law or any unauthorized disclosure of confidential or privileged information about an individual or communications shall not in any way abridge or destroy the confidential or privileged character of the information disclosed, except for the purpose for which such authorized disclosure is made. Any person making a disclosure authorized by state law shall not be liable under state law to the individual or any other person. 
  9. Kindbridge shall establish standards relating to uses and disclosures, and de-identification and re-identification of PHI it creates, collects and maintains. 
  10. Kindbridge shall maintain a clinical record for each individual. When disclosure is allowed, the original clinical record may be examined only under supervision by designated staff which maintains custody of the record. The original clinical record shall not be removed unless authorized by an attorney representing Kindbridge. The clinical record shall not be a public record. 
  11. It is the policy of Kindbridge that all information about individuals, whether oral or written and regardless of the form or location in which it is maintained, is confidential and may be disclosed only in accordance with applicable state and federal laws and regulations. Kindbridge shall not confirm or deny whether an individual is receiving or has received services, unless such disclosure is authorized in writing by a valid authorization signed by the individual or otherwise authorized by applicable law. 
  12. Kindbridge shall have a method to allow individuals to exercise their right to request that Kindbridge amend PHI or a record about the individual in a designated record set used in whole or in part to make decisions about the individual, for as long as Kindbridge maintains the PHI in the designated record set.
  13. Kindbridge shall keep an accounting of when and to whom disclosures of PHI are made for purposes other than treatment, payment and healthcare operations, and shall be able to give an accounting of those disclosures to an individual, if requested.
  14. Kindbridge shall obtain from its Business Associates reasonable assurances that they will appropriately safeguard PHI disclosed by Kindbridge and that agents, employees and subcontractors of the Business Associates agree to the same conditions applicable to the Business Associates with respect to such information. Kindbridge shall include HIPAA compliance requirements in contracts, other written agreements and expressions of understanding, with business associates to whom Kindbridge discloses PHI.
  15. Kindbridge shall mitigate, to the extent practicable, any harmful effect known to Kindbridge of a use or disclosure of PHI in violation of its policies and procedures or the requirements of HIPAA, by Kindbridge or a business associate.
  16. Neither Kindbridge nor its employees, workforce members, or agents, shall intimidate, threaten, coerce, harass, discriminate against, or take other retaliatory action against any individual or other person for:
    1. The individual’s exercising any right established, or for participation in any process provided for, by Kindbridge policies and procedures regarding confidentiality and HIPAA,
    2. Filing a complaint regarding Kindbridge policies or procedures or compliance with such policies or procedures,
    3. Testifying, assisting, or participating in an investigation, compliance review, proceeding, or administrative hearing regarding violations of HIPAA, and
    4. Opposing any act or practice made unlawful by HIPAA regulations, provided the individual or person has a good faith belief that the practice opposed is unlawful, and the manner of opposition is reasonable and does not involve a disclosure of protected health information that violates HIPAA regulations, state law confidentiality, or federal regulations on confidentiality of alcohol and drug abuse or other clinical records.
  17. Kindbridge shall train all current and newly hired members of its workforce on its privacy policies and procedures as necessary and appropriate for them to carry out their functions within Kindbridge, according to a training plan for HIPAA awareness. Newly hired persons shall be trained within a reasonable time after being hired. If the functions of workplace members are materially affected by a change in Kindbridge policies, training will be provided within a reasonable time after such change in policy.
  18. Kindbridge shall examine and revise its confidentiality and HIPAA policies and procedures on an ongoing basis and as necessary to satisfy requirements of confidentiality laws and HIPAA. Policy changes based on changes in applicable laws and regulations shall be made promptly.
  19. Kindbridge shall establish policies and procedures for an individual to access and inspect his or her PHI in a designated record set for as long as Kindbridge maintains the PHI in the designated record set.

Reference Materials

Interstate Commission for Juveniles: https://www.juvenilecompact.org/age-matrix

Related Policies

Reporting and Notification of Breaches and Confidentiality 1-003.


No Attachments

Approval Signatures

Name: Carol Zafiratos

Name: Robert Jordshaugen


Date: 09/19/2020

Date: 01/11/2021