Privacy Policy

Subject; Privacy

Policy Number: 1M-3

Joint Commission Standard(s): 1M.02.01.01, EP 3 Date: July 1, 2021 POLICY:

It is the policy of Safe Future that individuals applying for or receiving mental health or substance abuse services are guaranteed the protection of fundamental human, civil, constitutional, and statutory rights.

PROCEDURE:

The HIPAA Privacy 'Rule requires that clients be permitted to request access and amendment to their Protected Health Information ("PHI") that is maintained in a Designated Record Set, This policy documents the contents of the Designated Record Set.

PROCEDURE

The Designated Record Set is a group of records maintained by or for Safe Future that consists of the Medical Records and billing records about a client and is used, in whole or in part, by or for SAFE FUTURE LLC to make decisions about the client. The term record means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for SAFE FUTURE LLC
SAFE FUTURE LLC maintains the following as the Designated Record Set:
1. The client's Medical Record,
2. The client's Financial Records.
The Client Medical Record includes, at a minimum, the following:
1. Activity documentation
2. Admission/readmission documentation
3. Assessments, flow sheets
4. Care plan
5. Informed consent
6. Treatment records
7. Progress documentation/progress notes
8. Face sheet
If records from other providers are used by SAFE FUTURE LLC to make decisions related to the care and treatment of the client, then these records are considered part of the Designated Record Set as well as the Medical Record. SAFE FUTURE LLC uses an individual's clinical/case information only for purposes permitted by law and regulation or as further limited by its policy on privacy. (See also MM.OI.OI .01, EP l ; RI.OI.OI.OI, EP 7)
The Client's Financial File includes, at a minimum, the following:
1. Statement of Financial Responsibility
2. Correspondence relating to payment
3. Statements of account balance
4. Collection activity documents and correspondence
Personal Health Records consist of the client's personal health information provided to SAFE FUTURE LLC by the client, If such records are used by SAFE FUTURE LLC to make health care related decisions, provide care services, or document observations, actions or instructions, then the records will be considered part of the Designated Record Set.
The following are excluded from the Designated Record Set: Administrative data, such as audit trails, appointment schedules and practice guidelines that do not imbed PHI. Also excluded are incident reports, quality assurance data, vital certificate worksheets, and derived data such as accreditation reports, anonymous client data for research purposes, public health records and statistical reports.
The Designated Record Set is to be retained according to state and federal regulations and following SAFE FUTURE LLC's retention procedures.

Minimum Necessar Uses and Disclosures of PHI

It is the policy of SAFE FUTURE LLC to make a reasonable effort to use or disclose, or to request from another health care provider, the minimum amount of PHI required to achieve the particular use or disclosure unless an exception applies. SAFE FUTURE LLC will identify people or classes of people in its work force who need access to PHI to carry out their duties, the category or categories of PHI to which access is needed, and any conditions appropriate to such access. For any non-routine request for disclosure of PHI that does not meet an exception, SAFE FUTURE LLC will review the request for disclosure on an individual basis.

Minimum necessary requirements do not apply to disclosures to health care providers for treatment purposes.

SAFE FUTURE LLC will identify role based access to PHI per job description, including:
1. People or classes of people in its workforce who need access to PHI to carry out their duties, and
2. The category or categories of PHI to which access is needed, including any conditions that may be relevant to such access.
SAFE FUTURE LLC, for any type of disclosure or request for disclosure that is made on a routine and recurring basis, will limit the disclosed PHI, or the request for disclosure, to that which is reasonably necessary to achieve the purpose of the disclosure or request
SAFE FUTURE LLC, for disclosures or requests for that are not made on a routine and recurring basis (non-routine disclosures), will review the request to verify that PHI disclosed or requested is the minimum necessary. All requests for non-routine disclosures or requests that do not meet an exception will be reviewed using standard criteria.
Exceptions to minimum necessary requirements: SAFE FUTURE LLC will release information without concem for the minimum necessary
standard as follows:
1. Disclosures to or requests by a health care provider for treatment.
2. Uses or disclosures made to the individual who is the subject of the PHI.
3. Uses or disclosures made pursuant to an authorization signed by the individual.
4. Disclosures made to the Secretary of the U.S. Department of Health and Human Services (federal government).
5. Disclosures that are required by law (such as for Department of Health state surveys, federal surveys, public health reportable events, FDA as related to product quality, safety, effectiveness or recalls etc.).
6. Uses and disclosures that are required for compliance with the HIPAA Privacy Rule.
SAFE FUTURE LLC may use or disclose an individual's entire Medical Record only when such use or disclosure is specifically justified as the amount that is reasonably necessary to accomplish the intended purpose or one of the exceptions noted above applies.
Requests for entire Medical Records that are not covered by an exception will be reviewed using standard criteria.
Reasonable Reliance: SAFE FUTURE LLC may rely on a requested disclosure as minimum necessary for the stated purpose(s) when:
1. Making disclosures to public officials, if the official represents that the information is the minimum necessary for the stated purpose(s).
2. The information is requested by another covered entity (health care provider, clearinghouse or health plan)
3. The information is requested by a professional who is a member of SAFE FUTURE LLC's workforce or is a Business Associate of SAFE FUTURE LLC for the purpose of providing professional services to SAFE FUTURE LLC, if the professional represents that the information requested is the minimum necessary for the stated purpose(s).
The information is requested for research pull)oses and the person requesting the information has provided documentation or representations to Safe Future that meet the HIPAA Privacy 'Rule. Contact the Privacy Officer to assist in the determination of whether such requirements have been met.
SAFE FUTURE LLC, upon determination that the use, disclosure or request for PHI is the minimum necessary or one of the above exceptions apply (see Items 4 and 6), will release the PHI to the requestor.
Office Requests for PHI from Another Covered Entity: When requesting PHI from another Covered Entity, SAFE FUTURE LLC must limit its request for PHI to the amount reasonably necessary to accomplish the purpose for which the request is made. For requests that are made on a routine and recurnng basis, SAFE FUTURE LLC shall take reasonable steps to insure that the request is limited to the amount of PHI reasonably necessary to accomplish the purpose for which the request is made. For requests that are not on a routine or recurring basis, SAFE FUTURE LLC shall evaluate the request according to the following criteria:
1. Is the purpose for the request stated with specificity?
2. Is the amount of PHI to be disclosed limited to the intended purpose?
3. Have the requirements for supporting documentation, statements, or representations been satisfied?
4. Have all applicable requirements of the HIPAA Privacy Rule been satisfied with respect to the request?

REFERENCES:

1M.02.01.01 SAFE FUTURE LLC protects the privacy of health information.

SAFE FUTURE LLC has a written policy addressing the privacy of health information. (See also RI.OI.OI.OI, EP 7)

SAFE FUTURE LLC implements its policy on the privacy of health information. (See also RI.OI.OLOI, EP 7)

SAFE FUTURE LLC uses health information only for purposes permitted by law and regulation or as further limited by its policy on privacy. (See also EP l;

SAFE FUTURE LLC discloses health information only as authorized by the individual served or as otherwise consistent with law and regulation, (See also RI. 01.01.01, EP 7)

Note: For opioid treatment programs: Patients in addiction treatment programs and opioid treatment programs have the right to confidentiality in accordance with federal regulations (42 CFR).

SAFE FUTURE LLC monitors compliance with its policy on the privacy ofhealth iuformation. (See also 1?1.01.01.01, EP 7)

LEVEL I: None —No Access to Designated Record Set (i.e. Volunteer)

LEVEL 2: May access minimum necessary PHI (not Designated Record Set) to complete assigned tasks and/or to document actions (i. e. PHI discussed)

LEVEL 3: Full access to the Medical Record subset Q/' the Designated Record Set

LEVEL 4: Full access to the Business Office File subset of the Designated Record Set

Notice of Privacy Practices

POLICY

SAFE FUTURE LLC's policy is to provide a Notice of Privacy Practices ("Notice") to each client upon each admission to SAFE FUTURE LLC, and make a good faith effort to obtain a signed Acknowledgement of Receipt of Notice of Privacy Practices ("Acknowledgement") from the client. The Notice shall include all elements and statements that are required by law. The Notice shall inform the clients of:

Uses and disclosures of Protected Health Information ("PHI") that may be made by SAFE FUTURE LLC;
The client's rights with respect to his PHI; and
SAFE FUTURE LLC's legal duties with respect to such PHI,

PROCEDURE

The Notice and Acknowledgement forms will be included in the standard Admission Packet.
SAFE FUTURE LLC Admission Staff will provide the Notice to the client at the time of admission.

Note: In the case of an emergency treatment situation, SAFE FUTURE LLC will provide the Notice to the client as soon as reasonably practicable after the emergency treatment situation.
The Admission Staff will make a good faith effort to obtain the client's signature on the Acknowledgement at the time the Notice is provided. The Notice and signed Acknowledgement will be kept in the client's Medical File.
If the client refuses or is otherwise unable to sign the Acknowledgement, the Admission Staff will document, on the Acknowledgement form, what actions were taken to obtain the client's signature on the Acknowledgement and the reason(s) why a signed Acknowledgement was not obtained. This document will then be placed in the client's Business Office File.
SAFE FUTURE LLC will provide a copy of the written Notice to clients and to other persons upon request.
SAFE FUTURE LLC will post a copy of the Notice in a clear and prominent location such as the entrance lobby or similar location.
Whenever the Notice is revised, SAFE FUTURE LLC privacy Official will assure that:
The revised Notice is made available upon request on or after the effective date of the revision; and
The revised Notice is posted in a clear and prominent location.
Material changes shall not be implemented prior to the effective date of the revised Notice.
A copy of each 'Notice issued by SAFE FUTURE LLC will be maintained for at least six years from the date it was last in effect.
Any member of the workforce who has knowledge of a violation or potential violation of this Policy must make a report directly to the Privacy Official.

NOTICE OF PRIVACY PRACTICE

THIS NOTICE DESCRIBES HOW THE CLIENT MEDICAL INFORMATION MAY BE USED AND DISCLOSED AND HOW THE CLIENT CAN GET ACCESS TO THIS INFORMATION.

PLEASE REVIEW IT CAREFULLY.

Safe Future is required by law to provide clients with this Notice so that the client will understand how we may use or share client information from the Designated Record Set. The Designated Record Set includes financial and health information referred to in this Notice as "Protected Health Information" ("PHI") or simply "health information." We are required to adhere to the terms outlined in this Notice

UNDERSTANDING THE CLIENT HEALTH RECORD AND INFORMATION

Each time a client is admitted to our Office, a record of their stay is made containing health and financial information. Typically, this record contains information about their condition, the treatment we provide and payment for the treatment. We may use and/or disclose this information to:

plan client care and treatment
communicate with other health professionals involved in client care
document the care clients receive
educate health professionals
provide information for medical research
provide information to public health officials
evaluate and improve the care we provide
obtain payment for the care we provide

Understanding what is in the record and how health information is used helps Safe Future to:

ensure it is accurate
better understand who may access health information
make more informed decisions when authorizing disclosure to others

ABOUT THE CLIENT

The following categories describe the ways that we use and disclose health infomation. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall into one of the categories.

For Treatment We may use or disclose health information about clients to provide clients with medical treatment. We may disclose health information about clienG to clinicians, mentors, or other office personnel who are involved in taking care of clients. For example, a doctor treating a client for a broken leg may need to know if the client may have diabetes because diabetes may slow the healing process. In addition, the doctor may need to tell the dietitian if the client has diabetes so that we can help the client plan meals. Different departments also may share health information about a client in order to coordinate client care and provide medication, lab work and x-rays. We may also disclose health information about a client to people outside SAFE FUTURE LLC who may be involved in the client's medical care after the client leaves the Office. This may include family members in the client's home.

For Payment We may use and disclose health information about clients so that the treatment and services clients receive at the office may be billed to the client's insurance company or a third party. For example, in order to be paid, we may need to share information with the client's health plan about services provided to the client. We may also tell the client's health plan about a treatment the client is going to receive to obtain prior approval or to determine whether the client's plan will cover the treatment

For Health Care Operations. We may use and disclose health information about the client for our day-to-day health care This is necessary to ensure that all clients receive quality care. For example, we may use health information for quality assessment and improvement activities and for developing and evaluating clinical protocols. We may also combine health information about many clients to help determine what additional services should offer, what services should be discontinued, and whether certain new treatments are effective. Health information about the client may be used by our corporate office for business development and planning, cost management analyses, insurance claims management, risk management activities, and in developing and testing information systems and programs. We may also use and disclose information for professional review, performance evaluation, and for training programs. Other aspects of health care operations that may require use and disclosure of the client's health information include accreditation, certification, licensing and credentialing activities, review and auditing, including compliance reviews, medical reviews, legal services and compliance programs. The client's health information may bc used and disclosed for the business management and general activities of SAFE FUTURE LL including resolution of internal grievances, customer service and due diligence in connection with a sale or transfer of SAFE FUTURE In limited circumstances, we may disclose the client's health information to another entity subject to HIPAA for its own health care operations. We may remove information that identifies the client so that the health information may be used to study health care and health care delivery without learning the identities ofclients. We may disclose the client's age, birth date and general information about the client in SAFE FUTURE LLC newsletter, on activities calendars, and to entities in the community that wish to acknowledge the client's birthday or commemorate the client's achievements on special occasions. If the client is receiving therapy services, we may post the client's photograph and general information about the client's progress.

OTHER ALLOWABLE USES OF CLIENT HEALTH INFORMATION

Business. There are some services provided in our Office through contracts with business associates. Examples include medical directors, outside attorneys and a copy service we use when making copies of the client health record. When these services are contracted, we may disclose the client's health information so that they can perform the job we've asked them to do and bill the client or the client's third-party payer for services rendered. To protect the client health information, however, we require the business associate to appropriately safeguard the client information.
Providers. Many services provided to the client, as part of the client care at our office, are offered by participants in one of our organized healthcare arrangements. These participants include a variety of providers such as clinicians, mentors, and administrative staff.
Treatment Alternatives. We may use and disclose health information to tell the client about possible treatment options or alternatives that may be of interest to the client.
Benefits and Services and Reminders. We may contact the client to provide appointment reminders or information about treatment alternatives or other healthrelated benefits and services that may be of interest to the client.
Fundraising Activities. We may use health information about the client to contact the client in an effort to raise money as part of a fundraising effort. We may disclose health information to a foundation related to SAFE FUTURE LLC so that the foundation may contact the client in raising money for SAFE FUTURE LLC We will only release contact information, such as the client's name, address and phone number and the dates the client received treatment or services at SAFE FUTURE LLC
Office Directory. We may include information about the client in SAFE FUTURE LLC directory while the client is a client. This information may include the client name, location in SAFE FUTURE LLC, the client general condition (e.g., fair, stable, etc.) and the client religion. The directory information, except for the client religion, may be disclosed to people who ask for the client by name. The client's religion may be given to a member of the clergy, such as a priest or rabbi, even if they don't ask for the client by name. This is so the client family, friends and clergy can visit the client in SAFE FUTURE LLC and generally know how the client is doing.
Individuals Involved in the client Care or Payment for Care. Unless the client objects, we may disclose health information about the client to a friend or family member who is involved in the client's care. We may also give information to someone who helps pay for the client's care. In addition, we may disclose health information about the client to an entity assisting in a disaster relief effort so that the client's family can be notified about the client's condition, status and location.
As Required by Law. We will disclose health information about the client when required to do so by federal, state or local law.
To Avert a Serious Threat to 'Health or Safety. We may use and disclose health information about the client to prevent a serious threat to client health and safety or the health and safety of the public or another person. We would do this only to help prevent the threat
Organ and Tissue Donation. If a client is an organ donor, wc may disclose health information to organizations that handle organ procurement to facilitate donation and transplantation.
Military and Veterans. If the client is a member of the armed forces, we.may disclose health information about the client as required by military authorities. We may also disclose health information about foreign military personnel to the appropriate foreign military authority.
Research. Under certain circumstances, we may use and disclose health information about the client for research purposes. For example, a research project may involve comparing the health and recovery of all clients who received one medication to those who received another, for the same condition. All research projects, however, are subject to a special approval process, This process e valuates a proposed research project and its use of health information, trying to balance the research needs with clients' need for privacy of their health information. Before we use or disclose health information for research, the project will have been approved through this research approval process. We may, however, disclose health information about the client to people preparing to conduct a research project so long as the health information they review does not leave an Office.
Workers' Compensation. We may disclose health information about the client for workers' compensation or similar programs. These programs provide benefits for work-related injuries or illness.
Reporting Federal and state laws may require or permit SAFE FUTURE LLC to disclose certain health information related to the following:
Public Health Risks. We may disclose health information about the client for public health purposes, including:
- Prevention or control of disease, injury or disability
- Reporting births and deaths;
- Reporting child abuse or neglect;
- Reporting reactions to medications or problems with products;
- Notifying people of recalls of products;
- Notifying a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease;
- Notifying the appropriate government authority if we believe a client has been the victim of abuse, neglect or domestic violence. We will only make this disclosure if the client agrees or when required or authorized by law.
Health Oversight Activities. We may disclose health information to a health oversight agency for activities authorized by law'. These oversight activities may include audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws. o Judicial and Administrative Proceedings: If the client is involved in a lawsuit or a dispute, we may disclose health information about the client in response to a court or administrative order. We may also disclose health information about the client in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell the client about the request or to obtain an ordcr protecting the information requested.
Reporting Abuse, Neglect or Domestic Violence: Notifying the appropriate government agency if we believe a client has been the victim of abuse, neglect or domestic violence.
Law Enforcement, We may disclose health information when requested by a law enforcement official:
In response to a court order, subpoena, warrant, summons or similar process;
To identify or locate a suspect, fugitive, material witness, or missing person;
About the client, the victim of a crime if, under certain limited circumstances, we are unable to obtain the client's agreement;
About a death we believe may be the result of criminal conduct;
About criminal conduct at SAFE FUTURE LLC; and
In emergency circumstances to report a crime; the location of the crime or victims; or the identity, description or location of the person who committed the crime.
Coroners, Medical Examiners and Funeral Directors. We may disclose medical information to a coroner or medical examiner. This may be necessary to identify a deceased person or determine the cause of death. We may also disclose medical information to funeral directors as necessary to carry out their duties.
National Security and Intelligence Activities. We may disclose health information about the client to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.
Correctional Institution: Should the client be an inmate of a correctional institution, we may disclose to the institution or its agent's health information necessary for the client health and the health and safety of others.

OTHER USES OF HEALTH INFORMATION

Other uses and disclosures of health information not covered by this Notice or the laws that apply to us will be made only with the client written permission. If the client provides us permission to use or disclose health information about the client, the client may revoke that permission, in writing, at any time. If the client revokes permission, we will no longer use or disclose health information about the client for the reasons covered by the client written authorization. The client understands that we are unable to take back any disclosures we have already made with the client's permission, and that we are required to retain our records of the care that we provided to the client.
THE CLIENT RIGHTS REGARDING HEALTH INFORMATION ABOUT THE CLIENT Although the client health record is the property of SAFE FUTURE LLC, the information belongs to the client. The clients have the following rights regarding the client health information:
Right to Inspect and Copy. With some exceptions, the clients have the right to review and copy the client health information. The employee must submit the client request in writing to SAFE FUTURE LLC We may charge a fec for the costs of copying, mailing or other supplies associated with the client rcquest.
Right to Amend. If the client feels that health information in the client record is incorrect or incomplete, they may ask us to amend the information. The clients have this right for as long as the information is kept by or for SAFE FUTURE LLC. The employee must submit the client request in writing to SAFE FUTURE LLC In addition, the client must provide a reason for the client request. We may deny the client request for an amendment if it is not in writing or does not include a reason to support the request, In addition, we may deny the client request if they ask us to amend information that:
- Was not created by us, unless the person or entity that created the information is no longer available to make the amendment:
- Is not part of the health information kept by or for SAFE FUTURE LLC; or
- Is accurate and complete.
- Right to an Accounting of Disclosures. The clients have the right to request an "accounting of disclosures". This is a list of certain disclosures we made of client health information, other than those made for purposes such as treatment, payment, or health care operations.

The client must submit the client request in writing to SAFE FUTURE LLC The client request must state a time period which may not be longer than six years from the date the request is submitted and may not include dates before April 14, 2003. The client request should indicate in what form the client wants the list (for example, on paper or electronically). The fliSt list the client requests within a period will be free. For additional lists, we may charge the client for the costs of providing the list. We will notify the client of the cost involved and the client may choose to withdraw or modify the client request at that time before any costs are incurred.

Right to Request Restrictions. The clients have the right to request a restriction or limitation on the health information we use or disclose about the client. For example, the client may request that we limit the health information we disclose to someone who is involved in the client care or the payment for the client care. The client could ask that we not use or disclose information about a surgery they had to a family member or friend. We are not required to agree to the client request, If we do agree, we will comply with the client request unless the information is needed to provide the client emergency treatment. The client must submit the client request in writing to SAFE FUTURE LLC In the client request, the client must tell us (I) what information the client wants to limit; (2) whether the client wants to limit our use, disclosure or both; and (3) to whom the client wants the limits to apply, for example, disclosures to the client's spouse.
Right to Request Alternate Communications. The clients have the right to request that we communicate with the client about medical matters in a confidential manner or at a specific location. For example, the client may ask that wc only contact them via mail to a post office box.
The client must submit the client request in writing to SAFE FUTURE LLC We will not ask the client the reason for the request. The client request must specify how or where they wish to be contacted. We will accommodate all reasonable requests.
Right to a Paper Copy of This Notice. The clients have the right to a paper copy of this Notice of Privacy Practices even if the clients have agreed to receive the Notice electronically.
The client may ask us to give the client a copy of this Notice at any time.
The client may obtain a copy of this Notice at our website,

CHANGES TO THIS NOTICE

We reserve the right to change this Notice. We reserve the right to make the revised or changed Notice effective for health information we already have about the client as well as any information we receive in the future. We will post a copy of the current Notice in SAFE FUTURE LLC and on the website. The Notice will specify the effective date on the first page, in the top right-hand corner. In addition, if material changes are made to this Notice, the Notice will contain an effective date for the revisions and copies can be obtained by contacting SAFE FUTURE LLC adminisfrator.

COMPLAINTS

If the client believes their privacy rights have been violated, they may file a complaint with SAFE FUTURE LLC or with the Secretary of the Department of Health and Human Services. To file a complaint with SAFE FUTURE LLC, contact the Compliance Director. All complaints must be submitted in writing. The client will not be penalized for filing a complaint.

Safe uardin and Storin Protected Health Information

POLICY

It is the policy of SAFE FUTURE LLC to utilize computer emails in lieu of a facsimile machine to allow the use of facsimiles transmitted and received for PHI. The information released will be limited to the minimum necessary to meet the requestor's needs.

PROCEDURE

The computers for receipt of facsimiles are the Clinical Director/CEO, Administrative Manager, and Admission staff and are located in an area that is not easily accessible to unauthorized persons.
Received documents will be promptly disseminated to appropriate staff. To promote secure delivery, instructions on the cover page will be followed.
Unless otherwise prohibited by state law, information transmitted via facsimile is acceptable and may be included in the client's Medical Record.
Steps will be taken to ensure that the fax transmission is sent to the appropriate destination. These include:
1. Pre-programming and testing destination numbers whenever possible to eliminate errors in transmission due to misdialing.
2. Asking frequent recipients to notify SAFE FUTURE Of a fax number change.

Disclosure of Protected Health Information Policy

SAFE FUTURE LLC will follow procedures listed to ensure that disclosure of Protected Health Information ("PHI") is made consistent with applicable laws, regulations and health information standards, and to ensure that any disclosures of a client's PHI to a client's family members, other relatives, close friends or other persons designated by the client are appropriate.

Disclosure of PHI will only be allowed with a properly completed and signed authorization except:

When required or allowed by law
As defined in the Notice ofPrivacy Practices:
- For continuing care (treatment)
- To obtain payment for services (payment)
- For the day-to-day operations of SAFE FUTURE LLC and the care given to the clients (health care operations)

Disclosure of PHI will be centralized through SAFE FUTURE LLC Privacy Official. In some instances, SAFE FUTURE LLC Privacy Official will need to track information that is disclosed. All disclosures designated as track-able on the "Request and Disclosure Table" must be approved by the Privacy Official to enable SAFE FUTURE LLC to provide an accounting of disclosures when requested, Disclosure of PHI will be carried out in accordance with all applicable legal requirements and in accordance with Office policy. Each Office will be responsible for researching and abiding by applicable state laws and regulations.

Original Medical Records will not be removed from the premises, except when ordered by subpoena or by other court order.

These procedures shall be followed, if reasonable by SAFE FUTURE LLC, for any meeting or conversation where PHI is discussed.

Meetings during which PHI is discussed:

Specific types of meetings where PHI may be discussed include, but are not limited to:

Shift Change Report
Daily Standup or leadership meetings
Interdisciplinary Plan of Care meeting
Bill review meetings
Family Care Conference
Meetings will be conducted in an area that is not easily accessible to unauthorized persons.
Meetings will be conducted in a room with a door that closes, if possible.
Voices will be kept to a moderate level to avoid unauthorized persons from overhearing.
Only staff members who have a "need to know" the information will be present at the meeting.
The PHI that is shared or discussed at the meeting will be limited to the minimum amount necessary to accomplish the purpose of sharing the PHI.

Telephone conversations:

Telephones used for discussing PHI are located in as private an area.
Staff members will take reasonable measures to assure that unauthorized persons do not overhear telephone conversations involving PHI. Reasonable measures may include:
1. Lowering the voice
2. Requesting that unauthorized persons step away from the telephone area
3. Moving to a telephone in a more private area before continuing the conversation
PHI shared over the phone will be limited to the minimum amount necessary to accomplish the purpose of the use or disclosure.

n-Person conversations:

With client]family in public areas
With authorized staff in public areas

Reasonable measures will be taken to assure that unauthorized persons do not overhear conversations involving PHI. Such measures may include:

Lowering the voice
Moving to a private area within SAFE FUTURE LLC

Safeguards for Written PHI

All documents containing PHI will be stored appropriately to reduce the potential for incidental use or disclosure. Documents will not be easily accessible to any unauthorized staff or visitors, Although SAFE FUTURE LLC will utilize Electronic Medical Records systems, any other documentation with the client's PHI provided will be addressed as follows:

Active Records in Treatment Offices:

PHI shall not be left unattended anywhere where clients, visitors and unauthorized individuals could easily view the records.
Treatment Administration Records, report sheets and other documents containing PHI shall not be left open and/or unattended.
Only authorized staff shall review the Medical Records. All authorized staff reviewing Medical Records shall do so in accordance with the minimum necessary standards.
Medical Records shall be protected from loss, damage and destruction through an integrative EMR system.

Active Business Office Files:

Active Business Office Files shall be stored in a secure area that allows authorized staff access as needed.

Thinned Records Inactive Medical Records:

l . Thinned and inactive Medical Records will be filed in a systematic manner in a location that ensures the privacy and security of the information. The Health Information Manager or a designee shall monitor storage and security of such Medical Records. When records are left unattended, records will be in a locked room, file cabinet or drawer. All records will be scanned into the client's Electronic Medical Chart in a timely manner and destroyed via an approved medical records shredding system once scanned.

The Administrator will identify and document those staff members with keys to any stored Medical Records. The minimum number of staff necessary to assure that records are secure yet accessible

Inactive Business Office Files:

Inactive Business Office Files shall be stored in a systematic manner in a location that ensures privacy and security of the information.

PHI Not a Part of the Desi nated Record Set:

Use of "shadow" charts or files will not be permitted.
Any documentation of PHI shall be stored in a location that ensures, to the extent possible, that such PHI is accessible only to authorized individuals.

Office Equipment Safeguards

Computer access:

Only staff members who need to use computers to accomplish work-related tasks shall have access to computer workstations or terminals.

All users of computer equipment will have unique login and passwords.
Passwords will be changed every 90 days.
Posting, sharing and any other disclosure of passwords and/or access codes is not permitted.
Access to computer-based PHI shall be limited to staff members who need the information for treatment, payment or health care operations.
Office staff members shall log off their workstation when leaving the work area.
Computer monitors shall be positioned so that unauthorized persons cannot easily view information on the screen.
Employee access privileges will be removed promptly following their departure from employmen t.
Employees will immediately report any violations of this Policy to their supervisor, Administrator or Office Privacy Official.

Printers, copiers and fax machines:

Printers will be located in areas not easily accessible to unauthorized persons.
If equipment cannot be relocated to a secure location, a sign will be posted near the equipment indicating that unauthorized persons are prohibited from viewing documents from the equipment. Sample language: "Only authorized staff may view documents generated by this (indicate printer, copier, fax, etc). Access to such documents by unauthorized persons is prohibited by federal law.
Documents containing PHI will be promptly removed from the printer, copier or fax machine and placed in an appropriate and secure location.
Documents containing PHI that must be disposed of due to error in printing will be destroyed by shredding or by placing the document in a secure recycling or shredding bin until destroyed.

Destruction

Written:

Documentation that is not part of the Medical Record and will not become part of the Medical Record (e.g., report sheets, shadow charts or files, notes, lists of vital signs, weights, etc.) shall be destroyed promptly when it is no longer needed by shredding or placing the information in a secure recycling or shredding bin until the time that it is destroyed. Electronic:

Prior to the disposal of any computer equipment, including donation, sale or destruction, SAFE FUTURE LLC will determine if PHI has been stored in this equipment and will delete all PHI prior to the disposal of the equipment.

Authorization for Release of Protected Health Information

POLICY

In accordance with the HIPAA Privacy Rule, when PHI is to be used or disclosed for purposes other than treatment, payment, or health care operations, SAFE FUTURE LLC will use and disclose it only pursuant to a valid, written authorization, unless such use or disclosure is otherwise permitted or required by law. Use or disclosure pursuant to an authorization will be consistent with the terms of such authorization.

PROCEDURE

Exceptions to Authorization Requirements

PHI may be disclosed without an authorization if the disclosure is:

Requested by the client or his personal representative (authorization is never required);
For the purpose of treatment;
For the purpose of SAFE FUTURE LLC's payment activities, or the payment activities of the entity receiving the PHI;
For the purpose of SAFE FUTURE LLC's health care operations;
In limited circumstances, for the health care operations of another Covered Entity, if the other Covered Entity has or had a relationship with the client;
To the Secretary of the U.S. Department of Health and Human Services for the purpose of determining compliance with the HIPAA Privacy Rule; or required by other state or federal law.

Use or Disclosure Pursuant to an Authorization

When SAFE FUTURE LLC receives a request for disclosure of PHI, SAFE FUTURE LLC Privacy Official shall determine whether an authorization is required prior to disclosing the PHI.

PHI may never be used or disclosed in the absence of a valid written authorization if the use or disclosure is:

Of psychotherapy notes as defined by the HIPAA Privacy Rule;
For the purpose of marketing; or
For the purpose of fundraising.
If the use or disclosure requires a written authorization, SAFE FUTURE LLC shall not use or disclose the PHI unless the request for disclosure is accompanied by a valid authorization.
If the request for disclosure is not accompanied by a written authorization, SAFE FUTURE LLC Privacy Official shall notify the requestor that it is unable to provide the PHI requested. The Privacy Official will supply the requestor with an Authorization to Use or Disclose PHI ("Authorization") form.
If the request for disclosure is accompanied by a written authorization, the Privacy Official will review the authorization to assure that it is valid.
If the authorization is lacking a required element or does not otherwise satisfy the HIPAA requirements, the Privacy Official will notify the requestor, in writing, of the deficiencies in the authorization. No PHI will be disclosed unless and until a valid authorization is received.
If the authorization is valid, the Privacy Official will disclose the requested PHI to the requester. Only the PHI specified in the authorization will be disclosed.
Each authorization shall be filed in the client's Medical Record.

Preparing an Authorization for Use or Disclosure

When Safe Future is using or disclosing PHI and an authorization is required for the use or disclosure, SAFE FUTURE LLC will not use or disclose the PHI without a valid writtcn authorization from the client or the client's personal representative.
The Authorization form must be fully completed, signed and dated by the client or the client's personal representative before the PHI is used or disclosed.
SAFE FUTURE LLC may not condition the provision of treatment on the receipt of an authorization except in the following limited circumstances:
1. The provision of research-related treatment; or
2. The provision of health care that is solely for the purpose of creating PHI for disclosure to a third party (i.e., performing an independent medical examination at the request of an insurer or other third party).
An authorization may not be combined with any other document unless one of the following exceptions applies.
1. Authorizations to use or disclose PHI for a research study may be combined with any other type of written permission for the same research study, including a consent to participate in such research;
2. Authorizations to use or disclose psychotherapy notes may only be combined with another authorization related to psychotherapy notes; or
3. Authorizations to use or disclose PHI other than psychotherapy notes may be combined, but only if SAFE FUTURE LLC has not conditioned the provision of treatment or payment upon obtaining the authorization.

Revocation of Authorization

The client may revoke his authorization at any time.
The authorization may ONLY be revoked in writing. If the client or the client's personal representative informs Safe Future that he/she wants to revoke the authorization, SAFE FUTURE LLC will assist him/her to revoke in writing.
Upon receipt of a written revocation, the Privacy Official will write the effective date of the revocation on the Authorization form.
Upon receipt of a written revocation, SAFE FUTURE LLC may no longer use or disclose a client's PHI pursuant to the authorization.
Each revocation will be filed in the client's Medical Record.

CHECKLIST FOR VALID AUTHORIZATION

When the employee receives a request for release of Medical Records containing PHI from any entity other than the client or the client's personal representative, and the disclosure is not for purposes of treatment, payment or health care operations or another disclosure required or permitted by the HIPAA Privacy Rule, The employee may not release those records unless the requestor has provided a valid authorization. Use this checklist to assure that the authorization is valid. If any one element is missing, the Privacy Rule prohibits thc employee from disclosing the information. The employee should contact the requestor and explain why the employee cannot disclose the information.

The authorization must be written in plain language.
All of the following elements must be included in the authorization:
A specific and meaningful description of the information to be disclosed.
The name or other specific identification of the person (or organization or class of persons) authorized to make the requested disclosure.
The name or other specific identification of the person (or organization or class of persons) to whom the information will be disclosed.
The purpose of the requested disclosure. (If the client initiates the authorization, the statement "at the request of the client" is a sufficient description of the purpose).
An expiration date or an expiration event that relates to the client or the purpose of the disclosure.
Signature of the client or personal representative and date.
If signed by personal representative, a description of the representative's authority to act for the client.
Required Statements:
A statement that information disclosed pursuant to the authorization may be subject to re-disclosure and may no longer be protected by the Privacy Rule.
A statement of the client's right to revoke the authorization in writing and either,
A reference to the revocation right and procedures described in the Notice of Privacy

Practices;

A statement about the exceptions to the right to revoke and a description of how the client may revoke.
One of the following statements, or a substantially similar statement:

If the Covered Entity is not permitted to condition treatment or payment on the provision of an authorization: I understand that SAFE FUTURE LLC will not condition the provision of treatment or payment on the provision of this authorization.

If the Covered Entity is permitted to condition the provision of research-related treatment on the provision of an authorization: I understand that SAFE FUTURE LLC will not provide research-related treatment to me unless I provide this authorization.

If the Covered Entity is permitted to condition the provision of health care that is solely for the purpose of creating PHI for disclosure to a third party on the provision of an authorization: I understand that SAFE FUTURE LLC will not provide health care that is solely for the purpose of creating PHI for disclosure to a third party to me unless I provide this authorization.

Defective Authorizations

If an authorization has any one of the following defects, it is invalid and any use or disclosure made pursuant to the authorization will be in violation of the Privacy Rule:

The authorization has expired.
One of the required elements or statements is missing.
SAFE FUTURE LLC has knowledge that the authorization has been revoked.
The authorization violates the regulations govcming conditioning treatment or payment upon signing the authorization, or combining authorizations.
SAFE FUTURE LLC has knowledge that information in the authorization is false.

Use and Disclosure of Protected Health Information for Research

POLICY

SAFE FUTURE LLC must obtain a client's authorization before releasing his/her PHI for research purposes.

SAFE FUTURE LLC will ensure that an appropriately instituted and formally designated (per Federal Drug Administration/FDA regulations) Institutional Review Board is utilized for the protection of human subjects in any research activity involving access to PHI under SAFE FUTURE LLC's control. The client has the right to refuse to participate in research. SAFE FUTURE LLC shall abide by the experimental subject's (client's) privacy rights.

POLICY

SAFE FUTURE LLC must obtain a client's authorization before releasing his/her PHI for research purposes.

PROCEDURE

Federal regulations and state laws regulate the use of human subjects (clients) in any investigation designed to develop or contribute to specific knowledge. Such laws require that specific information be disclosed so that a subject (client) may give informed authorization and that authorization must be documented.
1. At the beginning of any research project, SAFE FUTURE LLC and the entity involved in the research must determine and agree on who will be responsible for obtaining an authorization to use or disclose PHI.
2. If an outside authorization is utilized, SAFE FUTURE LLC Privacy Designee will review the client's authorization to assure that it is valid in accordance with the HIPAA Privacy Rules and those special provisions related to research,
Special Authorization Provisions Related to Research
1. Expiration Date: The Authorization form will state the expiration date or that the expiration event is "end of research study," "none," or similar language,
2. Combining Authorization: The Authorization form may be combined with any other type of written permission for the same research study, including another authorization for the use or disclosure of PHI for such research or a consent to participate in such research.
3. Condition Treatment on Authorization: The provision of research-related treatment may be conditioned on the provision of an authorization for the use or disclosure of PHI for such research.
Federal law requires the establishment of an Institutional Review Board ("IRB") to review and approve proposed research and the process by which the investigator intends to secure the informed authorization of participants.
1. Institutions engaged in research involving human subjects (e.g., medical schools, universities, large hospitals) will usually have their own IRB to overscc research conducted within the institution or by staff of the institution.
2. It is the responsibility of SAFE FUTURE LLC or institution conducting the research to establish or contract with an IRB; it is SAFE FUTURE LLC's responsibility to ensure that an IRB is utilized.
If the research study is approved by the IRB and de-identified health information can be used or disclosed, then no further privacy implications exist.
If the research study is approved by the IRB and de-identified health information cannot be used or disclosed, then an Authorization form is required and must be obtained from each client included in the research study.
Appropriate Office staff will manage requests to participate in research studies and coordinate the review process by the IRB.
1. Contact/communications with the IRB and related findings must be documented and communicated to SAFE FUTURE LLC Privacy Designee.
2. If SAFE FUTURE LLC participates in research projects, SAFE FUTURE LLC Privacy Designee must have a method of tracking the correspondence, decisions and other communications regarding the research project.
SAFE FUTURE LLC will inform every client of any research or economic interest (for example, any direct or indirect remuneration that may come to SAFE FUTURE LLC as a result of the research) that may result from his or her treatment.
SAFE FUTURE LLC or the entity conducting the research will obtain the client's Authorization form when required. (See Item l)
SAFE FUTURE LLC Privacy Designee will file the original copy of the request and the associated response in the participant's Medical Record.

Former Client's Rights to Protected Health Information

POLICY

Every client has the light to access his or her Protected Health Information ("PHI"). The right of access is not absolute and there may be situations where access is not allowed; however, SAFE FUTURE LLC will respond to all requests to access a client's health information. Some states may have more stringent regulations and it is the responsibility of each Office to research state laws- The Privacy Rule specifies the time for responding to requests for access. These time lines must be adhered to unless state laws require SAFE FUTURE LLC to respond in a shorter time frame.

PROCEDURE

A client will be notified of the right to access PHI in SAFE FUTURE LLC's Notice of Privacy Practices. The Notice of Privacy Practices is given to the client upon admission to SAFE FUTURE LLC
A client has the right to inspect and obtain a copy of PHI in his or her Designated Record Set, except for information compiled in reasonable anticipation of, or for use in a civil, criminal, or administrative action or proceeding.
Requests for access to PHI and release of information will be managed by SAFE FUTURE LLC privacy Official or the Medical Record Coordinator/Health Information Manager.
The client or representative will be provided with a copy of an Access to Protected Health Information ("Access") form upon receiving an inquiry from a client to obtain copies of his or her PHI. The request will not be evaluated until the form is completed.
If a former client or client's personal representative requests to view or review PHI SAFE FUTURE LLC must respond to the request within 30 days.
A reasonable cost-based fee may be charged for the copies provided. The cost per page may not exceed the state statute for copying In the absence of a state statute, the fee will include the cost of the supplies and labor used in preparing the copy and postage, if applicable.
Processing the Request and Providing Access to the PHI:
1. SAFE FUTURE LLC must respond to a request from former clients within 30 days of the receipt of the request if the PHI is available on-site, If the PHI is stored off-site, SAFE FUTURE LLC must take action within 60 days of the receipt of the request.
2. SAFE FUTURE LLC may have a one4ime extension of 30 days to the time frames noted in Item Ia., provided that:
  1. A written statement of the reasons for the delay are provided, and
  2. The date by which SAFE FUTURE LLC will complete its action on the request is stated.
3. SAFE FUTURE LLC Privacy Official shall provide the client with permitted access to the PHI in the form or format requested. If the PHI is not accessible in the format requested, a readable hard copy or a fonnat to which SAFE FUTURE LLC and the client agree is acceptable will be provided.
4. SAFE FUTURE LLC may provide a summary of the PHI requested if the client agrees, in advance, to this summary and to any fees imposed.
Guidelines for Denying the Request for Access to PHI:
1. SAFE FUTURE LLC must provide a timely, written denial to the individual, which includes the basis for the denial, and, if applicable, a statement of the individual's review rights. In addition, it must provide a description of how the individual may complain to SAFE FUTURE LLC or to the Secretary of the Office of Civil Rights.
2. SAFE FUTURE LLC may deny the request if the PHI is not contained in its Designated Record Set.
3. SAFE FUTURE LLC may deny the request for access to a client's PHI without a right to review if:
  1. The request is for information compiled in anticipation of a legal proceeding; or
  2. The request is for PHI created or obtained during the course of research which includes treatment for as long as the research continues, provided that the client has agreed to the denial of access and SAFE FUTURE LLC as informed the client that this right will be reinstated upon completion of the research; or iii. The request is for PHI obtained from someone other than a provider under the promise of confidentiality and disclosure would likely reveal the source,
4. SAFE FUTURE LLC may deny the request for access to a client's PHI provided that the client has been given a right to review the denial if
  1. A licensed health care professional has determined, in the exercise of professional judgment, that the access of requested PHI is reasonably likely to endanger the life or physical safety of the individual or another person; or ii. The PHI refers to another person (unless such other person is a health care provider (for example, a doctor) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial ham to such other person; or iii. The individual's personal representative makes a request for access and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.
Providing a Review Process for Denied Requests for Access to PHI:

Clients have the right to request a review of the denial. If a request is received, the following steps must be taken:
1. SAFE FUTURE LLC privacy Official will promptly refer the request to review the denial to the Privacy Officer.
2. The Privacy Officer shall refer the case to a licensed health professional who was not directly involved in the denial.
3. SAFE FUTURE LLC shall promptly provide written notice of the results of the review and based on the review, take any necessary steps outlined in this Policy.

If the client request to copy the requested infbrmation has been granted, the client will be charged a reasonable feefor photocopying and mailing.

Distribution of copies: Original to client's Medical Record, copy to client

Current Client's Access to Protected Health Information

POLICY

Every client has the right to access his or her protected health inf01mation (PHI). SAFE FUTURE LLC will respond to all requests to access a client's health information. Some states may have more stringent regulations and it is the responsibility of each office to research state laws. For current clients, OBRA time lines must be adhered to unless state laws require SAFE FUTURE LLC to in a shorter time frame.

PROCEDURE

Request to View Medical Records.

Refer the client or legal* representative to SAFE FUTURE LLC designated Health Information Manager/Medical Records Coordinator.
Confirm the requestor has the legal authority to view the record by determining who is considered a legal representative based on state law (e.g., guardian, conservator, durable power of attorney).
Set up a meeting within 24 hours as required by law. If the requestor cannot accommodate a meeting within the 24-hour time frame, the review should be set up at a mutually agreed upon time.
Assure a staff member is in attendance at all times during the meeting, to:
1. Answer questions,
2. Assure the record is not altered in any way, and
3. Assure documents are not removed/destroyed.
Allow the client or legal representative to review and read the record without intervention from the staff member present.

* "Legal representative" is the same as "personal representative" as defined under HIPAA rules.
Request for a Copy of Medical Records:

Refer the client or legal representative to SAFE FUTURE LLC designated Health Information Manager/Medical Records Coordinator.
Confirm the requestor has the legal authority to view the record by determining who is considered a legal representative based on state law (e.g., guardian, conservator, durable power of attorney).
Disclose SAFE FUTURE LLC's charge for copying to the client or legal representative at the time of the request.
Provide the client or legal representative with the copies within two working days.

Accountin of Disclosures of Protected Health Information

POLICY

Each client may request and receive an accounting of track-able disclosures of PHI made by SAFE FUTURE LLC The potential areas where accounting of disclosures applies are listed in the Notice of Privacy Practices. SAFE FUTURE LLC will provide such an accounting, in accordance with the HIPAA Privacy Rule, when requested by a client or a client's personal representative. The requested information will not include PHI released or disclosed on or prior to April 13, 2003. Records of disclosures are retained for a six-year period.

PROCEDURE

I. Upon receiving an inquiry from a client, SAFE FUTURE LLC privacy Official provides the client or personal representative with a copy of a Request for an Accounting of Disclosures of PHI ("Request") fom. (See sample Request form following this Policy.)

Requests are not evaluated until the Request form is completed and signed by the client or personal representative.

Safety First

Safe Future LLC
Privacy Practices Policy And Uses & Disclosures'
1400 NE 125th Street, North Miami, FL 33161

Safeguard policies

Safe Future LLC

Carol Joy Owens RNc, MS

Safety First

Safe Future LLCPrivacy Practices Policy And Uses & Disclosures'1400 NE 125th Street, North Miami, FL 33161

Safeguard policies

Safe Future LLC

Carol Joy Owens RNc, MS

Safe Future LLC
Privacy Practices Policy And Uses & Disclosures'
1400 NE 125th Street, North Miami, FL 33161