Confidentiality, HIPAA and 42 CFR Part 2

Revision Date: 07/01/2019; 02/08/2021; 01/20/2022; 07/06/2022; 01/29/2024

Policy: Racing for Recovery values the privacy of each person served. Clinical Services rendered at Racing for Recovery are confidential.

Purpose: To outline the ways in which information about clinical services is kept confidential.

Procedure:

  • We will limit access to clinical records, treatment information, diagnosis, and other clinical and substance use disorder information to only that which is legally permitted to be released, or specifically authorized. Specifically, Racing for Recovery staff members are only permitted to access individual client information, treatment information, diagnosis, or other protected information in accordance with applicable federal and state laws and regulations. No record should be accessed unless that person must access it to do their job.
  • As a program providing Substance Abuse services, Racing for Recovery is subject to 42 CFR Part 2. Therefore, the following information is protected; 42 CFR Part 2 applies to all records relating to the identity, diagnosis, prognosis, or treatment of any patient in a substance abuse program that is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.
    • Racing for Recovery will comply with 42 CFR Part 2 by:
      • Not releasing information except as allowed by 42 CFR Part 2 without specific instructions from the person served indicating what will be released, why it is being released and specifically who will receive the information.
      • Including 42 CFR Part 2 training at orientation and annually
      • Including reference to 42 CFR Part 2 on all records release documents
      • Information will only be shared under 42 CFR Part 2 as follows:
        • Information can be shared if written consent is obtained with these 10 elements:
          • The names or general designations of the programs making the disclosure.
          • The name of the individual or organization that will receive the disclosure.
          • The name of the patient who is the subject of the disclosure.
          • The specific purpose or need for the disclosure.
          • A description of how much and what kind of information will be disclosed.
          • The patient’s right to revoke the consent in writing and the exceptions to the right to revoke or, if the exceptions are included in the program’s notice, a reference to the notice.
          • The program’s ability to condition treatment, payment, enrollment, or eligibility of benefits on the patient agreeing to sign the consent, by stating.
            • The program may not condition these services on the patient signing the consent, or
            • The consequences for the patient refusing to sign the consent.
          • The date, event, or condition upon which the consent expires if not previously revoked.
          • The signature of the patient and/or another authorized person
          • The date on which the consent is assigned.

Mandatory Disclosures – 42 CFR Part 2 allows for disclosure where the state mandates child abuse and neglect reporting (42 C.F.R. 2.12(c)(6); 45 C.F.R 164.512(b)(1)(ii)); when cause of death 42 C.F.R 2.15(b)) is being reported; or with the existence of a valid court order.

Permitted Disclosures – Programs are permitted to disclose patient-identifying information in cases of medical emergency (42 C.F.R 164.506©; 42 C.F.R 2.51); in reporting crimes that occur on program premises or against staff (45 C.F.R 164.502(j)(2), 164.512(f)(2); 42 C.F.R 2.12 ©(5)); to entities having administrative control (45 C.F.R 164.502(a)(1), 164.506(a), (c); 42 C.F.R 2.12 (c)(3)); to qualified service organizations (45 C.F.R 160.103, 164.504€, (c); 42 C.F.R 2.12 (c)(4); and to outside auditors, evaluators, central registries, and researchers (45 C.F.R. 164.501, 164.506, 164.512; (c); 42 C.F.R 2.53 (c)-(d); 42 C.F.R 2.52; 45 C.F.R 164.512 (i)(1)(ii)).

  • Racing for Recovery will comply with HIPAA by:
    • Storing information in a secure area
    • Complying with the 42 CFR Part 2 requirements above
    • Assuring electronic data is secure through device security, network security and use of 2015 Certified Electronic Health Records
    • Staff members must adhere to the following guidelines to maintain confidentiality in accordance with HIPAA:
      • Never disclose passwords or share login credentials.
      • Never leave portable devices signed on or documents unattended.
        • All PHI must be kept face down on the desk.
      • Do not text patient information.
      • Do not dispose of PHI in the trash – must be shredded.
      • Only access patient records to do your job.
      • Do not remove PHI from the site unless necessary. When necessary (court, probation) keep all PHI on your person and return it to the office as soon as possible. Removing PHI due to a job change is prohibited.
      • Do not share any PHI on social media, including photos.
    • Report potential HIPAA violations to the Leadership Team of Executive Director, Clinical Director, and Human Resources & Compliance Manager
  • Exclusions – any member of the Racing for Recovery workforce who become aware of a conflict of interest regarding a specific person’s record must inform either the Leadership Team of Executive Director, Clinical Director, and Human Resources & Compliance Manager immediately, and will have access excluded from the Electronic Health Record by way of an email request to the EHR Manager.