Health Insurance Portability and Accountability Act (HIPAA)

Notice of Privacy Practices - Effective April 14, 2003


THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
If you have any questions about this Privacy Notice, please contact our Privacy Officer, Thomas C. Eachus at 319-234-2893 or 800-583-1526 or in writing at 3251 West 9th Street, Waterloo, IA. 50702.
I. Introduction
This Notice describes how the Black Hawk-Grundy Mental Health Center, Inc. may use and disclose or release your protected health information to carry out treatment, payment or health care operations and for other purposes that are permitted or required by law. It describes your rights regarding health information we maintain about you and a brief description of how you may exercise these rights, as well as the obligations we have to protect your health information. We are required by law to maintain the privacy of your health information, something we have done since we began providing services in 1950 and will continue to do in the future. We are required to provide you with this notice of our legal duties and privacy practices with respect to your health information. We are also required to comply with the terms of our current Notice of Privacy Practices.
“Protected health information” means health information we have collected from you or received from your health care providers, health plans, your employer or a health care clearinghouse. It may include information about your past, present or future physical or mental health or condition, the provision of your health care and payment for your health care services.
II. How We Will Use and Disclose Your Health Information
We will use and disclose or release your health information as described in each category listed below. For each category, we will explain what we mean in general and try to give some examples; however, not every use or disclosure of health information in a category will be listed. This notice covers treatment, payment and what are called health care operations. It also covers other uses and disclosures for which a consent or authorization is not necessary. Where Iowa law is more protective of your medical information, we will follow state law.
III. Uses and Disclosures for Treatment, Payment and Operations
1. For Treatment. We may use medical information about you to provide you with medical treatment or services unless otherwise required by applicable State law. We will generally only do this with a valid authorization or release, unless we believe an emergency exists. For example, we may send or telephone prescriptions for medication(s) to your pharmacy without an authorization. We may need to use and disclose your health information to coordinate and manage your health care. For example, we may need to coordinate care with a case manager involved in your case. We may disclose your health information among our clinicians and other staff who work at the Center to ensure that treatment is effective. We may refer you to other health care providers, such as a laboratory, with whom you do not have a direct patient relationship. These providers are called “indirect treatment providers” who are also required to comply with the privacy requirements of Iowa and federal law to keep your medical information confidential.
2. For Payment. We may use or disclose your health information so that the treatment and services you receive are billed to and payment is collected from your health plan or other third party payer. For example, we may need to disclose your health information to permit your health plan to take certain actions before your health plan approves or pays for your services. We will generally only do this with an authorization or release of information from you.
3. For Health Care Operations. We may use and disclose health information about you for our “health care operations”. These uses and disclosures are necessary to run our organization and make sure that individuals we serve receive quality care. These activities may include: quality improvement, reviewing the performance or qualifications of clinical staff, reminding you of appointments, training students in clinical activities, accreditation, business planning and development, etc.
4. Health-Related Benefits and Services. We may use and disclose health information to tell you about health-related benefits or services that may be of interest to you such as light therapy for depression.
5. Fundraising Activities. We may use or disclose health information about you to contact you about raising money for our programs, services or operations.
IV. Uses and Disclosures That May Be Made Without Your Authorization, But For Which You Will Have An Opportunity To Object
6. Persons Involved in Your Care. Under limited circumstances, we will provide health information about you to someone who is responsible for you, unless we believe an emergency exists, e.g. if we believe you are a danger to yourself or others. If you are not in an emergency situation but are unable to make health care decisions, we will disclose your health information to a person designated to participate in your care in accordance with (1) an advance directive validly executed under state law, (2) your guardian or other fiduciary if one has been appointed by a court, or if applicable, (3) the state agency responsible for consenting to your care. We may also use or disclose your health information to an entity assisting in disaster relief efforts.
V. Uses and Disclosures That May be Made Without Your Authorization or Opportunity to Object.
7. Emergencies. We may use and disclose your health information in an emergency situation. For example, we may provide your health information to an emergency room professional who is providing treatment to you.
8. As Required By Law. We will disclose health information about you when required to do so by federal, state or local law. For example, we are required by law to provide information during child abuse or dependent adult abuse investigations.
9. To Avert A Serious Threat to Health or Safety. We may use and disclose health information about you when necessary to prevent a serious and imminent threat to your health or safety or to the health and safety of the public or another person. For example, if you are a danger to yourself or others.
10. Public Health Activities. We may disclose health information about you as necessary for public health activities. For example, reporting to public health authorities for the purpose of preventing or controlling disease, injury or disability, reporting certain events to the Food and Drug Administration (FDA) or to a person subject to the jurisdiction of the FDA including information about defective products or problems with medications, to notify individuals about FDA-initiated recalls of products they may be using, to notify a person who may have been exposed to a communicable disease or who is at risk of contracting or spreading a disease or condition, to notify the appropriate government agency if we believe you have been a victim of abuse, neglect or domestic violence. We will only notify an agency if we obtain your agreement or if we are required or authorized by law to report such abuse, neglect or domestic violence.
11. Health Oversight Activities. We may disclose health information about you to a health oversight agency for activities authorized by law. Oversight agencies include government agencies that oversee the health care system, government benefits programs such as Medicare or Medicaid, other government programs regulating health care and civil rights laws. These oversight activities may include audits, investigations, inspections and licensure.
12. Disclosures in Legal Proceedings. We may disclose health information about you to a court or administrative agency when a judge or administrative agency orders us to do so.
13. Law Enforcement Activities. We may disclose health information to a law enforcement official for law enforcement purposes when a court order, subpoena, warrant, summons or similar process requires us to do so, the information is needed to identify or locate a suspect, fugitive, material witness or missing person, we report a death that we believe may be the result of criminal conduct, we report criminal conduct occurring on the premises of our facility, we determine that the law enforcement purpose is to respond to a threat of an imminently dangerous activity by you against yourself or another person, a client is a victim of a crime if, under limited circumstances, we are unable to obtain the person’s agreement.
14. Medical Examiners or Funeral Directors. We may disclose medical information to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death in certain circumstances.
15. National Security and Protective Services for the President and Others. We may disclose medical information about you to authorized federal officials for intelligence, counter intelligence, and other national security activities authorized by law. We may also disclose health information about you to authorized federal officials so they may provide protection to the President, other authorized persons or foreign heads of state or so they may conduct special investigations.
16. Inmates. If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may disclose health information about you to these entities if that information is needed to treat you. We will disclose the minimum amount of information necessary to provide that treatment.
17. Worker’s Compensation. We may disclose health information about you to comply with the state Worker’s Compensation Law or other similar programs. These programs provide benefits for work-related injuries or illnesses.
VI. Uses and Disclosures of Your Health Information with Your Permission.
Uses and disclosures not described in Section III of this Notice of Privacy Practices will generally only be made with your written permission, called an authorization or release of information. This has been our practice for many years and will continue to be our practice. You have the right to revoke an authorization at any time, but this revocation needs to be in writing. If you revoke your authorization we will not make any further disclosures of your health information under that authorization, unless we have already taken an action relying upon the uses or disclosures you have previously authorized.
VII. Your Rights Regarding Your Health Information.
A. Right to Inspect and Copy. You have the right to request an opportunity to inspect and copy health information used to make decisions about your care. To inspect and copy medical information you must submit your request in writing to our Privacy Officer. If you request a copy of the information, we may charge a fee for the cost of copying, mailing and/or supplies associated with your request. We may deny your request in certain limited circumstances. If you are denied access to medical information, you may request that the denial be reviewed. Another licensed health care professional, selected by the Black Hawk-Grundy Mental Health Center, Inc., will review your request and the denial. The person conducting the review will not be the person who denied your request. We will comply with the outcome of the review.
B. Right to Amend. If you believe that medical information we have about you is incorrect or incomplete, you may ask us to amend the information. For as long as we keep records about you, you have the right to request to amend any health information used to make decisions about your care. To request an amendment, you must submit a written request to our Privacy Officer and tell us why you believe the information is incorrect or incomplete. We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. We may also deny your request if you ask us to amend health information that was (1) not created by us (2) is not part of the health information we maintain to make decisions about your care (3) is not part of the health information that you would be permitted to inspect or copy, e.g. third party information or (4) is accurate and complete.
C. Right to an Accounting of Disclosures. You have the right to request that we provide you with an “accounting of disclosures” we have made of your health information. An accounting is a list of disclosures we have made of medical information about you that are not disclosures for treatment, payment and health care operations. To request an accounting of disclosures, you must submit your request in writing to the Privacy Officer. Your request must state a time period, which may not be longer than six years and may not include dates before April 14, 2003. The first list you request within a 12-month period will be provided free of charge. For additional lists, we may charge you for the costs of providing the list. We will notify you of the costs involved and you may choose to withdraw or modify your request at that time before any costs are incurred.
D. Right to Request Restrictions. You have the right to request a restriction or limitation on the mental health information or other medical information we use or disclose about you for treatment, payment or health care operations. To request a restriction, you must request the restriction in writing and tell us (1) what information you want to limit; (2) whether you want to limit our use, disclosure or both; and (3) to whom you want the limits to apply, for example, disclosures to your spouse. This request must be addressed to the Privacy Officer. We are not required to agree to a restriction that you may request. If we do agree, we will honor your request unless the restricted health information is needed to provide you with emergency treatment.
E. Right to Request Confidential Communications. You have the right to request that we communicate with you about your health care only in a certain location or through a certain method. For example, you may request that we contact you only at work or by mail. To request such a confidential communication, you must make your request in writing to the Privacy Officer. We will accommodate all reasonable requests. You do not need to give us a reason for the request, but your request must specify how or where you wish to be contacted.
F. Right to a Paper Copy of this Notice. You have the right to obtain a paper copy of this Notice of Privacy Practices at any time. To obtain a paper copy, contact our Privacy Officer or call 319-234-2893.
VIII. Complaints
If you believe your privacy rights have been violated, you may file a complaint with the Center or with the Secretary of the U.S. Department of Health and Human Services. To file a complaint with us, contact Thomas C. Eachus, Privacy Officer, at 3251 West 9th Street, Waterloo, IA. 50702. All complaints must be submitted in writing. You will not be penalized for filing a complaint.
IX. Changes to this Notice.
We reserve the right to change the terms of our Notice of Privacy Practices without additional notice to you. We also reserve the right to make the revised or changed Notice of Privacy Practices effective for all health information we already have about you as well as any health information we receive in the future. We will post a copy of the current Notice of Privacy Practices at our main office. You may also obtain a copy of the current Notice of Privacy Practices by calling us at 319-234-2893 and requesting that a copy be sent to you in the mail or by asking for one any time you are at our office.
Policy 12: Right to an accounting of disclosures of PHI
Purpose:
The Black Hawk-Grundy Mental Health Center, Inc. in an effort to be compliant with the Privacy Rules of HIPAA’s Administrative Simplification provisions, sets out in this policy, the process for providing individuals with an opportunity to receive an accounting of the disclosures made of their PHI.
Policy:
The Center will consider all requests from individuals receiving services or who have received services, to receive an accounting of certain disclosures of their PHI that have occurred in the six year period prior to their request or from the effective date of the Privacy Rule, whichever is shorter. We require that all requests for accounting be in writing using the Request for Accounting form.
It will be our responsibility to respond to requests for an accounting within 60 days from the date of the written request.
We will account for all uses and disclosures of an individual’s PHI except for those in the following categories:
1. disclosures made to the individual
2. disclosures made to carry out treatment, payment or health care operations
3. disclosures made for national security or intelligence purposes
4. disclosures made to correctional institutions or law enforcement officials when the individual is an inmate
5. disclosures made prior to April 14, 2003
It will be our policy to provide the first accounting you request within a 12-month period free of charge. For additional requests for accounting, we may charge you for the costs of providing the list. We will notify you of the costs involved and you may choose to withdraw or modify your request at that time before any costs are incurred.
Request for Accounting of PHI Disclosed by the Center
I am requesting an accounting of all PHI disclosed by the Black Hawk-Grundy Mental Health Center, Inc. pursuant to the requirements of the Privacy Rule. I understand that this accounting will not include disclosures that were:
1. made to me
2. made to carry out the treatment, payment or health care operations of the Center
3. made for national security and intelligence purposes
4. made prior to April 14, 2003
5. made to a correctional institution or to law enforcement
The period of time I am requesting the accounting for is from:
___________________________________________ to ___________________________________________.
I understand that this period of time cannot include any time period before April 14, 2003, the date the Privacy Rule became effective.
I also understand that the first accounting I request in any 12-month period will be given to me at no charge.
_________________________________________________ ______________________________________
Client Signature Date
_________________________________________________ ______________________________________
Witness Date
I understand that because I have requested more than one accounting in a 12 month period that I will be charged the cost to the Center for completing this accounting. I understand and agree that this cost will be $___________ and that payment must be made at the time I receive the accounting or prior to the accounting being mailed to me.
__________________________________________________ _____________________________________
Client Signature Date
__________________________________________________ _______________________________
Witness Date
PHI Disclosures
Date of Request
Date of Disclosure
Name and address of person and organization receiving the disclosure
Description of what information was disclosed
Brief statement of the purpose of the disclosure
Signature of staff person making the disclosure
Policy 16: Administrative Requirements – Complaint Process
Purpose:
The Black Hawk-Grundy Mental Health Center, Inc. in an effort to be compliant with the Privacy Rules of HIPAA’s Administrative Simplification provisions, sets out in this policy, the process it will establish to receive complaints from individuals.
Policy:
The Center will appoint a person to receive and be responsible for complaints about:
• privacy policies and procedures required by the Privacy Rule
• compliance with such policies and procedures and
• compliance with the Privacy Rule
All privacy complaints, as defined above, received by the Center will be directed to the Privacy Officer for proper processing and handling.
Our policy with regard to any privacy complaints received will be that the Privacy Officer will:
1. retain the original copy of every complaint
2. enter the complaint in a file
3. request that the complainant submit the complaint in writing
4. send a letter to the complainant within 5 days of receipt of complaint acknowledging receipt of complaint, thanking them for strengthening our privacy practices, providing a copy of the procedures for processing the complaint, establishing a time frame for responding and an address for the correspondence and a statement that the complainant always has the right to complain to the Secretary of HHS as well as the information needed to make that complaint
5. review the complaint
6. investigate the complaint
7. report the results of the investigation to the appropriate individuals
8. periodically submit a summary report of the activity to the Board of Directors
The Center will inform individuals either orally or in writing at the time of the complaint of their right to complain directly to the Secretary of Health and Human Services and will give them the contact information.
Policy 6: The Designated Record Set and PHI
Purpose:
The Black Hawk-Grundy Mental Health Center, Inc. in an effort to be compliant with the Privacy Rules of HIPAA’s Administrative Simplification provisions, sets out in this policy, the elements of the designated record set and the creation and maintenance of data sources that contain PHI. This Policy mandates that the Center maintain accurate and complete medical and billing records for each of our clients so that they can exercise their rights to access, review and amend their PHI maintained in a designated record set as required under HIPAA.
Policy:
The Center will maintain the following items in its designated record set for medical records:
1. clinical diagnostic information
2. treatment plans
3. consents for treatment
4. reports from indirect treatment providers
5. medication logs
6. progress notes and documentation of care provided
7. telephone notations
8. discharge or closing summaries
9. social history information
The Center will maintain the following items in its designated record set for billing records:
1. signature on file
2. consent or authorization to bill third parties
3. financial assessments to establish eligibility
4. copies of insurance cards or other data on insurance coverage
5. fee agreements
6. requests for prior authorization of services
7. authorizations for services or other written acknowledgment of client eligibility for services
8. billing records including dates of service, services provided, provider of services, billing and payment records and other information used to bill or to record and report encounters or services
PHI is kept in many forms throughout the Center; however, the medical record on each client will be created, stored and secured so as to protect the privacy of the information contained therein.

Policy 8: Minimum Necessary
Purpose:
The Black Hawk-Grundy Mental Health Center, Inc. in an effort to be compliant with the Privacy Rules of HIPAA’s Administrative Simplification provisions, sets out in this policy, the process for applying the minimum necessary standards to uses, disclosures and requests for PHI.
Policy:
The Center will apply the minimum necessary standards to all uses, disclosures and requests for PHI except for:
1. disclosures to the client
2. disclosures required to comply with the Privacy Rule
3. uses and disclosures that are required for compliance with HIPAA standardized transactions
Our policy for uses of PHI will be that all employees and contractors of the Center will have access to medical records of clients that contain PHI.
Our policy for routine and recurring disclosures of PHI will be to disclose, with a valid release of information, the following information from the designated record set:
• medication log
• diagnosis sheet
• last two progress notes
Non-routine, non-recurring disclosures of PHI will be reviewed, prior to the release of PHI, by an authorized clinical person. This person will make the determination that the minimum necessary PHI is being used or disclosed in accordance with our criteria for non-routine, non-recurring disclosures.
When we receive requests for PHI from external sources, we will generally rely upon the written representation of the requestor that it is requesting the minimum PHI necessary for its purpose; however, it remains our clinical judgement to decide what PHI should be disclosed.
Policy 9: De-Identification
Purpose:
The Black Hawk-Grundy Mental Health Center, Inc. in an effort to be compliant with the Privacy Rules of HIPAA’s Administrative Simplification provisions, sets forth in this policy, the process for creating and using de-identified health information.
Policy:
The Center will create de-identified health information for use or disclosure in any circumstance where that information can be used, effectively and efficiently, in place of PHI.
We will consider PHI to be de-identified health information if it meets one of the two following criteria:
1. A qualified person with appropriate knowledge and experience with generally accepted statistical and scientific principles and methods has determined that the risk is very small that the information could be used alone or in combination with other reasonably available information by an anticipated recipient to identify an individual and documents the methods and results of the analysis that justify such determination.
2. All of the following identifiers have been removed and we don’t have actual knowledge that the remaining information could be used alone or with other information to identify an individual who is the subject of the information.
a. names
b. geographic subdivisions smaller than a state, except for the 3 digits of a zip code for geographic areas with more than 20,000 people
c. all elements of dates including birth, admission and discharge dates
d. telephone or fax numbers or email addresses
e. social security numbers
f. medical record numbers
g. health plan beneficiary numbers
h. account numbers
i. certificate or license numbers
j. vehicle identifiers and serial numbers
k. full face photographic images and the like
l. any other unique identifying number, code or characteristic
Policy 4: Uses and Disclosures – No Permission Required
Purpose:
The Black Hawk-Grundy Mental Health Center, Inc. in an effort to be compliant with the Privacy Rules of HIPAA’s Administrative Simplification provisions, sets out in this policy, the conditions for responding to requests for disclosure of PHI in compliance with law and limited to the relevant requirements of the law that do not require the initial authorization or prior consent of the client.
Policy:
The Center has appointed a Privacy Officer who is responsible for processing all requests for disclosures of PHI from external authorities in compliance with law and limited to the relevant requirements of that law. As HIPAA defines a more extensive list of permissive situations than Iowa law permits, the Center’s policies will follow Chapter 228 of the Iowa Code regarding disclosures of confidential mental health information.
Policy 5: Uses and Disclosures: Business Associates
Purpose:
The Black Hawk-Grundy Mental Health Center, Inc. in an effort to be compliant with the Privacy Rules of HIPAA’s Administrative Simplification provisions, sets out in this policy, the nature of third party relationships that will be considered to be Business Associates and the requirements for contracting with them.
Policy:
Any vendor or independent contractor who proposes to do business with the Center will be subject to a procedure that will determine if they are a Business Associate. We will consider any vendor or independent contractor to be a Business Associate if they have the following characteristics:
1. they perform a function or activity on our behalf that involves the use or disclosure of PHI or provide any legal, actuarial, accounting, consulting, data aggregation or management, administrative, accreditation or financial services to or for us
2. they are not involved in the treatment of a client
3. they are not providing consumer conducted financial transactions
Any vendor or independent contractor who qualifies as a Business Associate will be required to sign a Business Associate Agreement.
Protection of our client’s health information is important to us, therefore we require our employees and independent contractors to be sensitive to the behavior of our Business Associates and to report any conduct that appears inappropriate.
Policy 10: Individual’s Right to Access
Purpose:
The Black Hawk-Grundy Mental Health Center, Inc. in an effort to be compliant with the Privacy Rules of HIPAA’s Administrative Simplification provisions, sets forth in this policy, the processes for requesting, granting, denial of and review of denial of client requests for access to PHI.
Policy:
The Center will consider all requests from our clients or previous clients, for access to their PHI that is maintained in their designated record set and that is dated after April 14, 2003. We will consider client requests to either inspect or obtain a copy of their PHI for as long as we maintain their PHI in the designated record set.
We will require that clients make their request in writing using the form that has been designed for that purpose – the Access Request Form. At a minimum, the form will contain:
1. identification of the specific PHI that the client wishes to access
2. the reason for their request
3. whether they wish to inspect or obtain copies of the PHI
4. notification of the cost we will charge for copying, staff time and postage
5. notification of their right to obtain a summary or explanation of their information, along with the cost of that service
We will deny a client access to PHI – and that denial will not be subject to review – if:
1. the PHI requested is contained in
a. records or documents compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding or
b. records or documents from clinical laboratories subject to clinical laboratory laws or
c. clinical information obtained by the Center from other treatment providers, e.g. third party information not generated by the Center.
2. the PHI is subject to the Federal Privacy Act
3. the information was obtained under the promise of confidentiality from another person (not a healthcare provider) and the access requested would be reasonably likely to reveal the source of that information
4. the information was created or obtained in the course of research when the individual agreed to the denial of access for the duration of the research when consenting to participate in the research and the client has been informed that access will be reinstated upon completion of the research or
5. an inmate requests a copy of PHI and it is determined that such a copy would jeopardize the health, safety, security, custody or rehabilitation of the individual or other inmates or the safety of an officer or other person responsible for transporting the inmate. We will provide an inmate with the right to inspect his PHI unless other grounds for denial exist.
We will deny access to any PHI that a licensed healthcare professional determines:
1. exercising professional judgement, is reasonably likely to endanger the life or physical safety of the client or another person
2. exercising professional judgement, makes reference to another person (not a health care provider) and access is reasonably likely to cause substantial harm to that other person or
3. has been requested by a personal representative and access by that person is reasonably likely to cause substantial harm to the client or another person
When denying a client access for any of these three reasons, these denials will be subject to review by the Privacy Officer.
It is our policy to deny clients access to their PHI only infrequently and in unusual circumstances and, when access is denied, it must be for one of the specific reasons listed above. Furthermore, we will provide access to the extent possible, to any other requested PHI that is not part of the PHI to which access has been denied. We will make an effort to redact the denied PHI from the designated record set and allow inspection or copying of any remaining information.
When a client has been denied access for one of the reasons that is subject to review, it will be our policy to respond in writing giving the basis for the denial in plain language within the time frame set forth below. We will also inform them of their right to request a review of the denial of access and provide a description of how the client may file a complaint with us or with the Secretary of HHS.
In any case where the client requests a review, we will promptly refer the denial to another licensed healthcare professional, who has not been directly involved in the denial, for their review. We will also promptly inform the client, in writing, if the reviewer upholds the denial. In those cases where the reviewer permits access, the client will be informed.
When we have agreed to grant access to PHI, we will notify the client and arrange for access within 30 days from the date of the request. We may request a 30 day extension of time in those rare cases where we are unable to respond in the initial time period. We will notify the client of the reasons for the delay and the date of completion by means of a written statement. When we have agreed to inspection of the designated record set, we will arrange a mutually agreeable time for the inspection.
When we have agreed to provide copies of the requested PHI, we will confer with the client and determine their preference for the media in which to receive it. We will charge a fee for preparation of the material and copying of the material and postage if the copies are to be mailed and the client will be notified of that charge in the Access Request Form.
It will be our policy to charge for the cost of making the copies – both in the labor and machine and paper cost – but we will not include in our charges the cost of the retrieval and handling of information nor will we charge for the costs of processing the request.
We will provide summaries of PHI in those cases where the individual has requested them. We will charge for the costs associated with producing the summary and the client will be notified of that charge in the Access Request Form.
Policy 11: Individual’s Right to Amendment of PHI
Purpose:
The Black Hawk-Grundy Mental Health Center, Inc., in an effort to be compliant with the Privacy Rules of HIPAA’s Administrative Simplification provisions, sets forth in this policy the process for providing clients with an opportunity to amend their PHI that is maintained in a designated record set.
Policy:
The Center will consider all requests from clients or former clients, to amend their PHI that is maintained in a designated record set for as long as we maintain it. We will require that all requests for amendment be in writing and be prepared using the Request for Amendment form. In any case where our form cannot be obtained, we will provide the client or former clients with the information they need to submit in lieu of the form. We will require that the individual inform us, in writing, as to the reason for the amendment. We will notify our clients of our policies for requesting amendments in our Privacy Notice.
We will respond to requests for amendment within 60 days from the date of the request. Should, in rare circumstances, we be unable to respond within 60 days, we will notify the individual prior to the expiration of the 60 day period in writing, and provide them with the reason that we need additional time and give them the date by which we expect to complete action on their request.
In those instances where we grant the request for amendment, we will do the following:
1. inform the client in writing
2. obtain their agreement about the list of people or organizations that they, and we, believe should be informed of the amendment
3. notify the list identified in Number 2 above of the amendment
In those instances where we deny the request for amendment, we will do the following:
1. provide the client with a written denial that is in plain language and that:
a. contains the basis for the denial and
b. the notification that the individual has the right to provide a written statement disagreeing with the denial and how they might file such a statement
2. describe to the client the procedure for filing a complaint either with:
a. DHHS or
b. the person in our organization who is responsible for receiving complaints – including their name or title and their telephone number
3. inform the individual that they may file a statement of disagreement with our denial that does not exceed 250 words
4. inform the individual that they may request, should they not file a statement of disagreement, that their request for amendment and the related denial be attached to all future disclosures of the subject PHI.
We will prepare rebuttals in those instances where a licensed healthcare professional determines that a rebuttal is necessary to add clarity to the other material created around this request for amendment.
Designated Record Set
It is our policy to take the following actions with respect to the designated record set in amendment situations:
1. when the amendment request has been granted:
a. identify the subject PHI in the designated record set; and
b. append the amendment to the PHI or
c. provide a link to the location in the file of the amendment
2. when the amendment request has been denied and the client requests it:
a. identify the subject PHI in the designated record set; and
b. append the request for amendment and the denial to the PHI or
c. provide a link to the location in the file of the request and the denial.
3. when the amendment request has been denied and the client has filed a statement of disagreement and we have or have not prepared a rebuttal:
a. identify the subject PHI in the designated record set; and
b. append the request for amendment, the denial, the statement of disagreement and if prepared, our rebuttal to the PHI or
c. provide a link to the location in the file of all items listed in b