BOSS Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW YOUR PROTECTED HEALTH INFORMATION, INCLUDING MEDICAL, MENTAL HEALTH, OR OTHER PROTECTED PERSONAL INFORMATION, MAY BE USED AND DISCLOSED, AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
If you have any questions about this Privacy Notice, please contact a Program Director or our Privacy Officer at (510) 649-1931. The mailing address for our Privacy Officer is 1918 University Avenue, Suite 2A, Berkeley, California, 94704. I. Overview A. Introduction This notice describes Building Opportunities for Self-Sufficiency’s™ privacy practices and those of all employees, staff, and other personnel who work for this agency and who are authorized to enter information into your client chart or have access to your Protected Health Information or Protected Personal Information at BOSS, including any student, intern or volunteer who might help you while you are here. These people all may share medical or mental health information about you with each other for purposes of treatment, payment, or operations as described in this notice. B. Protected Health Information (PHI) Protected Health Information means medical or mental health information we have collected from you or received from your health care providers or health plans. It may include information about your past, present or future physical or mental health care or condition, the provision of your health care, and payment for your health care services. C. Protected Personal Information Protected Personal Information is a subset of Protected Health Information and refers to information that can be used to identify you in the Alameda County Homeless Management Information System, also known as InHOUSE. As a recipient of federal homeless funding through the Alameda County Continuum of Care, BOSS is required to participate in the InHOUSE system for purposes of data collection and reporting on homeless services in Alameda County. Further information on the use of your Protected Personal Information in the InHOUSE system can be found in Section IV of this document. D. BOSS’s Responsibility We understand that your medical and mental health information is personal and we are committed to protecting this information. We create a record of the care and services you receive at this agency so that we can provide you with quality care and comply with certain legal requirements. This notice applies to all of the records of your care that are generated by BOSS, its providers and staff, and those who provide services to you at BOSS. E. What This Notice Tells You This notice will tell you about the ways in which we may use and disclose medical or mental health information about you. It also describes your rights and certain obligations we have regarding the use and disclosure of your Protected Health Information. We are required by law to make sure the medical/mental health information that identifies you is kept private, to give you notice of our legal duties and privacy practices with respect to this information, and to follow the terms of the notice currently in effect. II. How We Will Use and Disclose Your Health Information We will use and disclose your health information as described in each category listed below. For each category, we will explain what we mean in general, but not describe all specific uses or disclosures of health information. In this document, when we use the term health information, we will always be referring to protected health information, including both medical and mental health information, as well as other protected personal information. A. Uses and Disclosures for Treatment, Payment and Operations 1. For Treatment We will use and disclose your health information without your authorization to provide your health care and any related services. For example, we may need to disclose information to a case manager who is responsible for coordinating your care. We may disclose your health information among our clinical staff and other staff who work at BOSS. For example, our staff may discuss your care at a case conference. We may also disclose your health information to qualified behavioral health care professionals at other agencies, clinics, services, laboratories or individual practitioner offices who are involved with your treatment. Examples of other qualified behavioral and physical health care professionals include (but are not limited to): psychiatrists, psychologists, social workers, marriage and family therapists and registered interns, and other behavioral healthcare providers; medical doctors, nurses, medical students, dentists, and technicians. For example, we may discuss how you are doing with your psychiatrist or therapist to coordinate treatment or talk about any concerns about medications. We may also disclose information when a referral is made to a new provider. 2. For Payment We may use or disclose your health information without your authorization so that the treatment and services you receive are billed to, and payment is collected from, your health plan or other third party payer. By way of example, we may disclose your health information to permit your health plan to take certain actions before your health plan approves or pays for your services.
These actions may include: making a determination of eligibility or coverage for health insurance;
reviewing your services to determine if they were medically necessary;
reviewing your services to determine if they were appropriately authorized or certified in advance of your care; or
reviewing your services for purposes of utilization review, to ensure the appropriateness of your care, or to justify the charges for your care.
For example, your health plan may ask us to share your Protected Health Information in order to approve additional length of stay in our program. We may also disclose your Protected Health Information to another health care provider so that provider can bill you for services they provided to you, for example an ambulance service that transported you to the hospital. 3. For Health Care Operations We may use and disclose health information about you without your authorization for our health care operations. These uses and disclosures are necessary to run our organization and make sure that our consumers receive quality care. These activities may include, by way of example: quality assessment and improvement; reviewing the performance or qualifications of our clinicians; licensing and accreditation; training students in clinical activities; and general administrative activities. We may combine health information of many of our clients to decide what additional services we should offer, what services are no longer needed, and whether certain treatments are effective. We may also provide your health information to other health care providers or to your health plan to assist them in performing certain of your own health care operations. We will do so only if you have or have had a relationship with the other provider or health plan. We may also use and disclose your health information to contact you to remind you of your appointment. Finally, we may use and disclose your health information to inform you about possible treatment options or alternatives that may be of interest to you. 4. Health-Related Benefits and Services We may use and disclose health information to tell you about health-related benefits or services that may be of interest to you. For example, we may send you a notice of a health fair you may want to attend. If you do not want us to provide you with information about health-related benefits or services, you must notify the Privacy Officer in writing at the address at the top of this notice. Please state clearly that you do not want to receive materials about health related benefits or services. B. Disclosures Only After You Have Been Given Opportunity to Object There are situations where we will not share your health information unless we have discussed it with you (if possible) and you have not objected to this sharing. These situations are: 1. Persons Involved in Your Care In limited circumstances, we may disclose to a family member, a close personal friend, or another person that you have named as being involved in your health care (or the payment for your healthcare) your health information that is related to the person’s involvement. For example, if you ask a family member or friend to pick up a medication for you at the pharmacy we may tell that person what the medication is and when it will be ready. Also, we may notify a family member about your location and medical condition providing you do not object. If you are physically present and have the capacity to make health care decisions, your health information may only be disclosed with your agreement to persons you designate to be involved in your care. But, if you are in an emergency situation, we may disclose your health information to a spouse, a family member, or a friend so that such person may assist in your care. In this case we will determine whether the disclosure is in your best interest and, if so, only disclose information that is directly relevant to participation in your care. And, if you are not in an emergency situation but are unable to make health care decisions, we will disclose your health information to:
a person designated to participate in your care in accordance with an advance directive validly executed under state law;
your guardian if one has been appointed by a court, or, if applicable, the state agency responsible for consenting to your care. We may also disclose your health information to an entity assisting in disaster relief efforts and to coordinate disclosure for this purpose to family and other individuals involved in your care.
2. Sharing of your Protected Personal Information in the InHOUSE system While BOSS is required to collect your Protected Personal Information for its data collection and reporting purposes, you have the right to limit what BOSS can share with other agencies that also participate in the InHOUSE system. Further information on your rights and the use of your Protected Personal Information in the InHOUSE system can be found in Attachment A of this document. C. Use and Disclosures That May Be Made without Your Authorization or Opportunity to Object 1. Emergencies We may use and disclose your health information in an emergency treatment situation. By way of example, we may provide your health information to a paramedic who is transporting you in an ambulance. If a clinician is required by law to treat you and your treating clinician has attempted to obtain your authorization but is unable to do so, the treating clinician may nevertheless use or disclose your health information to treat you. 2. Research We may disclose your health information to researchers when your research has been approved by an Institutional Review Board or a similar privacy board that has reviewed the research proposal and established protocols to protect the privacy of your health information. 3. As Required By Law We will disclose health information about you when required to do so by federal, state or local law. 4. To Avert a Serious Threat to Health or Safety We may use and disclose health information about you when necessary to prevent a serious and imminent threat to your health or safety or to the health or safety of the public or another person. Under these circumstances, we will only disclose health information to someone who is able to help prevent or lessen the threat. 5. Public Health Activities We may disclose health information about you as necessary for public health activities including, by way of example, disclosures to:
notify the appropriate government agency if we believe you have been a victim of abuse, neglect or domestic violence. We will only notify an agency if we obtain your agreement or if we are required or authorized by law to report such abuse, neglect or domestic violence.
report to public health authorities for the purpose of preventing or controlling disease, injury or disability;
report vital events such as birth or death;
conduct public health surveillance or investigations;
report child, elder, or dependent abuse or neglect;
report certain events to the Food and Drug Administration (FDA) or to a person subject to the jurisdiction of the FDA including information about defective products or problems with medications;
notify consumers about FDA-initiated product recalls;
notify a person who may have been exposed to a communicable disease or who is at risk of contracting or spreading a disease or condition.
6. Health Oversight Activities We may disclose health information about you to a health oversight agency for activities authorized by law. Oversight agencies include government agencies that oversee the health care system, government benefit programs such as Medicare or Medicaid, other government programs regulating health care, and civil rights laws. 7. Disclosures in Legal Proceedings We may disclose health information about you to a court or administrative agency when a judge or administrative agency orders us to do so. We also may disclose health information about you in legal proceedings without your permission or without a judge or administrative agency’s order when we receive a subpoena for your health information. We will not provide this information in response to a subpoena without your authorization unless we are ordered to do so by the court. 8. Law Enforcement Activities We may disclose health information to a law enforcement official for law enforcement purposes when:
a court order, subpoena, warrant, summons or similar process requires us to do so; or
the information is needed to identify or locate a suspect, fugitive, material witness or missing person; or
we report a death that we believe may be the result of criminal conduct; or
we report criminal conduct occurring on the premises of our facility; or
we determine that the law enforcement purpose is to respond to a threat of an imminently dangerous activity by you against yourself or another person; or
the disclosure is otherwise required by law.
We may also disclose health information about a client who is a victim of a crime, without a court order or without being required to do so by law. However, we will do so only if the disclosure has been requested by a law enforcement official and the victim agrees to the disclosure or, in the case of the victim’s capacity, the following occurs:
the law enforcement official represents to us that:
the victim is not the subject of the investigation, and
an immediate law enforcement activity to meet a serious danger to the victim or others depends upon the disclosure; and
we determine that the disclosure is in the victim’s best interest.
9. Medical Examiners or Funeral Directors We may provide health information about our consumers to a medical examiner. Medical examiners are appointed by law to assist in identifying deceased persons and to determine the cause of death in certain circumstances. We may also disclose health information about our consumers to funeral directors as necessary to carry out your duties. 10. Military and Veterans We may disclose your health information for the purpose of determining your eligibility for benefits provided by the Department of Veterans Affairs. 11. National Security and Protective Services for the President and Others We may disclose medical information about you to authorized federal officials for intelligence, counter-intelligence, and other national security activities authorized by law. We may also disclose health information about you to authorized federal officials so they may provide protection to the President, other authorized persons or foreign heads of state or so they may conduct special investigations. 12. Inmates If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may disclose health information about you to the correctional institution or law enforcement official. 13. Workers’ Compensation We may disclose health information about you to comply with the state’s Workers’ Compensation Law. 14. Uses and Disclosures of Your Health Information with Your Permission Uses and disclosures not described in this Notice of Privacy Practices will generally only be made with your written permission, called an authorization. You have the right to revoke an authorization at any time. If you revoke your authorization we will not make any further uses or disclosures of your health information under that authorization, unless we have already taken an action relying upon the uses or disclosures you have previously authorized. III. Your Rights Regarding Your Health Information. A. Right to Inspect and Copy You have the right to request an opportunity to inspect or copy health information used to make decisions about your care, whether they are decisions about your treatment or payment of your care. Usually, this would include clinical and billing records, but not psychotherapy notes. You must submit your request in writing to our Privacy Officer at BOSS, 1918 University Avenue, Suite 2A, Berkeley, California, 94704. If you request a copy of the information, we may charge a fee for the cost of copying, mailing and supplies associated with your request. We may deny your request to inspect or copy your health information in certain limited circumstances. In some cases, you will have the right to have the denial reviewed by a licensed health care professional not directly involved in the original decision to deny access. We will inform you in writing if the denial of your request may be reviewed. Once the review is completed, we will honor the decision made by the licensed health care professional reviewer. B. Right to Amend For as long as we keep records about you, you have the right to request us to amend any health information used to make decisions about your care whether they are decisions about your treatment or payment of your care. Usually, this would include clinical and billing records, but not psychotherapy notes. To request an amendment, you must submit a written document to our Privacy Officer at BOSS, 1918 University Avenue, Suite 2A, Berkeley, California, 94704 and tell us why you believe the information is correct or inaccurate. We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. We may also deny your request if you ask us to amend health information that:
was not created by us, unless the person or entity that created the health information is no longer available to make the amendment;
is not part of the health information we maintain to make decisions about your care;
is not part of the health information that you would be permitted to inspect or copy; or
is accurate and complete.
If we deny your request to amend, we will send you a written notice of the denial stating the basis for the denial and offering you the opportunity to provide a written statement disagreeing with the denial. If you do not wish to prepare a written statement of disagreement, you may ask that the requested amendment and our denial be attached to all future disclosures of the health information that is the subject of your request. If you choose to submit a written statement of disagreement, we have the right to prepare a written rebuttal to your statement of disagreement. In this case, we will attach the written request and the rebuttal (as well as the original request and denial) to all future disclosures of the health information that is the subject of your request. C. Right to an Accounting of Disclosures You have the right to request that we provide you with an accounting of disclosures we have made of your health information. An accounting is a list of disclosures. But this list will not include certain disclosures of your health information, by way of example, those we have made for purposes of treatment, payment, and health care operations. To request an accounting of disclosures, you must submit your request in writing to the Privacy Officer at BOSS, 1918 University Avenue, Suite 2A, Berkeley, California, 94704. For your convenience, you may submit your request on a form called a Request For Accounting, which you may obtain from our Privacy Officer. The request should state the time period for which you wish to receive an accounting. This time period should not be longer than six years and not include dates before April 14, 2003. The first accounting you request within a twelve month period will be free. For additional requests during the same 12-month period, we will charge you for the costs of providing the accounting. We will notify you of the amount we will charge and you may choose to withdraw or modify your request before we incur any costs. D. Right to Request Restrictions You have the right to request a restriction on the health information we use or disclose about you for treatment, payment or health care operations. To request a restriction, you must request the restriction in writing addressed to the Privacy Officer at Privacy Officer at BOSS, 1918 University Avenue, Suite 2A, Berkeley, California, 94704 . The Privacy Officer will ask you to sign a request for restriction form, which you should complete and return to the Privacy Officer. We are not required to agree to a restriction that you may request. If we do agree, we will honor your request unless the restricted health information is needed to provide you with emergency treatment. E. Right to Request Confidential Communications You have the right to request that we communicate with you about your health care only in a certain location or through a certain method. For example, you may request that we contact you by leaving messages only at a specific number or sending you mail only to a specific address. To request such a confidential communication, you must make your request in writing to the Privacy Officer at BOSS, 1918 University Avenue, Suite 2A, Berkeley, California, 94704. We will accommodate all reasonable requests. You do not need to give us a reason for the request; but your request must specify how or where you wish to be contacted. F. Right to a Paper Copy of This Notice You have the right to obtain a paper copy of this Notice of Privacy Practices at any time. Even if you have agreed to receive this Notice of Privacy Practices electronically, you may still obtain a paper copy. To obtain a paper copy, contact our Privacy Officer at Privacy Officer at BOSS, 21918 University Avenue, Suite 2A, Berkeley, California, 94704. IV. Privacy and Confidentiality in the Alameda County Homeless Mangement Information System (InHOUSE) A. Purpose of This Section As a recipient of federal homeless funding through the Alameda County Continuum of Care, BOSS is required to participate in the InHOUSE system for purposes of data collection and reporting on homeless services in Alameda County. Protected Personal Information is a subset of Protected Health Information and refers to information that can be used to identify you in the Alameda County Homeless Management Information System, also known as InHOUSE. The purpose of this section is to describe the uses of your Protected Personal Information in the InHOUSE system, the procedures used to protect that information, and your rights regarding the use of your information in the InHOUSE system. B. Statement of Policy BOSS will comply with all applicable laws governing Homeless Management Information System client privacy and confidentiality. Applicable standards include, but are not limited to the following:
Federal Register Vol. 69. No. 146 (I IMIS FR 4848-N-02) – Federal statute governing HMIS information Friday, July 30, 2004.
HIPAA – the Health Insurance Portability Act.
42 CFR Part 2. – Federal statute governing drug and alcohol treatment.
Alameda County-wide Continuum of Care InHOUSE Policy and Procedures manual.
Alameda County-wide Continuum of Care InHOUSE partner agency sharing agreement(s).
C. Use of Information Protected Personal Information is information which can be used to identify you as a specific client and can be used only for the following purposes:
To provide or coordinate services for you.
For functions related to payment or reimbursement for services provided to you.
To carry out administrative functions such as legal, audit, personnel planning, oversight and management functions.
For creating de-personalized identification for unduplicated counting.
Where disclosure is required by law.
To prevent or lessen a serious and imminent threat to the health or safety of an individual or the public.
To report abuse, neglect, or domestic violence as required or allowed by law.
Contractual research where privacy conditions are met (including a written agreement).
To report criminal activity on agency premises.
For law enforcement purposes in response to a properly authorized request for information from a properly authorized source.
D. Collection and Notification Information will be collected only by fair and lawful means with your knowledge or consent.
Protected Personal Information will be collected only for the purposes listed above.
You and all other clients will be made aware that personal information is being collected and recorded and will be asked to express written consent to have your information entered in the InHOUSE system.
A written sign will be posted in locations where Protected Personal Information is collected. This written notice will read:
“We collect personal information directly from you for reasons that are discussed in our Privacy. Notice. We may be required to collect some personal information by law or by organizations that give us money to operate this program. Other personal information that we collect is important to run our programs, to improve services for homeless persons, and to better understand the needs of homeless persons. We only collect information that we consider to be appropriate. The collection and use of all personal information is guided by strict standards of confidentiality. Our Privacy Notice is posted. A copy of our Privacy Notice will be made available to you and all other clients upon request.”
Staff will explain the sign if a client is unable to read or understand it.
E. Data Quality Protected Personal Information data will be accurate, complete, timely, and relevant.
All Protected Personal Information collected will be relevant to the purposes for which it is to be used.