Privacy Policy

Safe Future LLC Privacy Practices Policy: Uses & Disclosures

Headquarters: 1400 NE 125th Street, North Miami, FL 33161

• Tel: (305) 915-8900
• Fax: (305) 392-1391
• www.safefutureaco.com
• info@safefutureaco.com

Policy Overview

Subject: Privacy

Policy Number: 1M-3

Joint Commission Standard(s): 1M.02.01.01, EP 3

Date: July 1, 2021

Safe Future LLC is committed to guaranteeing the protection of fundamental human, civil, constitutional, and statutory rights for individuals applying for or receiving mental health or substance abuse services.

Designated Record Set

The HIPAA Privacy Rule allows clients to request access and amendment to their Protected Health Information (“PHI”) maintained in a Designated Record Set. This policy outlines the contents and management of the Designated Record Set.

• Definition: The Designated Record Set includes all Medical Records and billing records about a client, used by Safe Future LLC to make decisions about the client. “Record” refers to any grouping of information containing PHI maintained, collected, used, or disseminated by or for Safe Future LLC.
• Contents:
• Client’s Medical Record
• Client’s Financial Records

Client Medical Record

• Activity documentation
• Admission/readmission documentation
• Assessments and flow sheets
• Care plan
• Informed consent
• Treatment records
• Progress notes and documentation
• Facesheet

Records from other providers used by Safe Future LLC for care and treatment decisions are also included in the Designated Record Set as part of the Medical Record. Clinical or case information is used only for legally and regulatorily permitted purposes, or as further limited by privacy policy.

Client Financial File

• Statement of Financial Responsibility
• Payment-related correspondence
• Account balance statements
• Collection activity documents and correspondence

Personal Health Records

Personal Health Records consist of health information provided by the client. If these records are used to make healthcare decisions, provide care, or document observations, they are considered part of the Designated Record Set.

Exclusions from the Designated Record Set

• Administrative data not containing PHI (e.g., audit trails, appointment schedules, practice guidelines)
• Incident reports, quality assurance data, vital certificate worksheets
• Derived data (e.g., accreditation reports, anonymous client data for research, public health records, and statistical reports)

The Designated Record Set is retained according to state, federal regulations, and Safe Future LLC’s retention procedures.

Minimum Necessary Uses and Disclosures of PHI

Safe Future LLC will make reasonable efforts to use, disclose, or request from other providers only the minimum PHI necessary, unless an exception applies. Role-based access to PHI is determined according to job description and duties. All non-routine requests for disclosure are reviewed individually to ensure compliance.

• Minimum requirements do not apply to disclosures for treatment purposes.
• Role-based access is defined for workforce members based on their duties and required PHI categories.
• Routine disclosures are limited to the minimum necessary for their purpose.
• Non-routine disclosures are individually reviewed for minimum necessary compliance.

Exceptions to minimum necessary requirements include disclosures for treatment, to the individual, pursuant to signed authorization, to the Secretary of HHS, as required by law, or for HIPAA compliance.

Safe Future LLC may use or disclose the entire Medical Record only when justified as reasonably necessary or if an exception applies. Requests for entire Medical Records not covered by an exception are reviewed using standard criteria.

Reasonable Reliance

• Reasonable reliance applies when disclosures are made to public officials, other covered entities, professionals within the workforce, business associates, or for research purposes with proper documentation.

PHI is released once the minimum necessary standard or an exception is confirmed.

When requesting PHI from another covered entity, Safe Future LLC limits requests to the minimum necessary. Routine requests are regularly monitored, and non-routine requests are evaluated for specificity, limited scope, supporting documentation, and HIPAA compliance.

References

• Safe Future LLC protects the privacy of health information.
• Written policy addresses health information privacy.
• Policy is implemented and health information used only as permitted by law and regulation.
• Disclosures are authorized by the individual or as permitted by law.
• For opioid treatment: confidentiality rights are maintained per federal regulations (42 CFR).
• Compliance with privacy policy is monitored.

Access Levels

• Level I: No access to Designated Record Set (e.g., volunteers)
• Level II: Minimum necessary PHI (not Designated Record Set) for assigned tasks
• Level III: Full access to Medical Record subset
• Level IV: Full access to Business Office File subset

Notice of Privacy Practices

Policy

A Notice of Privacy Practices is provided to each client upon admission, with a good faith effort to obtain a signed Acknowledgement. The Notice covers uses and disclosures of PHI, client rights, and legal duties.

Procedure

• Notice and Acknowledgement forms are included in the admission packet and provided at admission.
• In emergency treatment, the Notice is provided as soon as practicable.
• Admission staff obtain client signature on the Acknowledgement and file it in the Medical File.
• If signature is refused or unobtainable, actions and reasons are documented and filed in the Business Office File.
• Copies of the Notice are available to clients and others upon request.
• Notice is posted prominently in the office.
• Revised Notices are made available and posted; material changes are not implemented before the effective date.
• Copies of each Notice are retained for at least five years.
• Workforce members must report suspected violations to the Privacy Official.

Notice of Privacy Practice

This Notice explains how client medical information may be used and disclosed, and how clients can access their information. Safe Future LLC is legally required to provide this Notice and adhere to its terms.

Understanding the Client Health Record and Information

A record is created for each client admission, including health and financial details. This record is used for care planning, communication, documentation, education, research, public health reporting, care evaluation, and payment. Understanding the record helps ensure accuracy, define access, and inform disclosure decisions.

Permitted Uses and Disclosures of Health Information

• Treatment: Disclosure to personnel involved in client care; coordination among departments and external providers.
• Payment: Disclosure to insurers and third parties for billing and coverage approval.
• Health Care Operations: Disclosure for quality improvement, protocol development, business planning, compliance, and training.
• Other Allowable Uses:
• Business associates performing contracted services
• Providers participating in organized healthcare arrangements
• Treatment alternatives and health-related benefits
• Appointment reminders
• Fundraising activities (limited contact info)
• Office directory listings
• Disclosures to individuals involved in care or payment (unless client objects)

As Required by Law: Disclosures to comply with federal, state, or local law.

To Avert Serious Threats: Disclosures to prevent threats to health or safety.

Organ and Tissue Donation: Disclosures for procurement and transplantation.

Military and Veterans: Disclosure as required by military authorities.

Research: Disclosure for approved research projects, subject to special approval processes.

Workers’ Compensation: Disclosure for work-related injury/illness benefits.

Reporting: Disclosures for public health risks, health oversight, judicial and administrative proceedings, abuse/neglect, law enforcement, coroners, national security, and correctional institutions.

Other uses and disclosures not covered by this Notice require written permission, which can be revoked in writing at any time. Revocation does not affect disclosures already made and records must be retained.

Client Rights Regarding Health Information

• Right to Inspect and Copy: Clients may review and copy their health information, subject to certain exceptions. Requests must be in writing and may incur copying and mailing fees.
• Right to Amend: Clients may request corrections to their health information if it is incomplete or incorrect. Requests must be in writing with a reason, and may be denied under certain circumstances.
• Right to an Accounting of Disclosures: Clients may request a list of certain disclosures made, excluding those for treatment, payment, or operations.
• Right to Request Restrictions: Clients may request limitations on use or disclosure of health information. Safe Future LLC is not required to agree but will comply if agreed, except in emergencies.
• Right to Request Alternate Communications: Clients may request confidential communications or specify contact locations. All reasonable requests are accommodated.
• Right to a Paper Copy of Notice: Clients may request a paper copy of the Notice at any time, even if previously agreed to receive it electronically.

Changes to the Notice

Safe Future LLC reserves the right to change the Notice and make changes effective for all collected or future health information. The current Notice is posted in the office and on the website, with effective dates clearly indicated. Material changes are not implemented before the effective date.

Complaints

If a client believes their privacy rights have been violated, they may file a complaint with Safe Future LLC or with the Secretary of the Department of Health and Human Services. Complaints must be submitted in writing and clients will not be penalized for filing a complaint.

Safeguarding and Storing Protected Health Information

Policy

Safe Future LLC uses computer email in lieu of facsimile machines for PHI transmission, limiting released information to the minimum necessary.

Procedure

• Computers for receiving facsimiles are placed in secure, non-public areas accessible only to authorized staff.
• Documents received are promptly distributed to appropriate staff and instructions on the cover page are followed for secure delivery.
• Facsimile-transmitted information may be included in the client’s Medical Record, unless prohibited by state law.
• Destination numbers are pre-programmed and tested to avoid errors.
• Frequent recipients are asked to notify Safe Future of any fax number changes.

Disclosure of Protected Health Information Policy

Disclosures of PHI are made in compliance with laws, regulations, and standards. Disclosure to family, friends, or designated persons is allowed only with proper authorization, except when allowed or required by law or for treatment, payment, or health care operations.

• Disclosure is centralized through the Privacy Official who may need to track certain disclosures for accounting purposes.
• Original Medical Records are not removed from premises except by court order.

Meetings and Conversations Involving PHI

• Meetings discussing PHI are held in private, secure areas with access limited to authorized staff.
• Meetings include shift change reports, daily standups, interdisciplinary care planning, bill reviews, and family care conferences.
• PHI shared in meetings is limited to the minimum necessary.
• Telephone and in-person conversations involving PHI are conducted privately and measures are taken to avoid unauthorized disclosure.

Safeguards for Written PHI

• Documents containing PHI are stored securely, inaccessible to unauthorized individuals.
• Active records are not left unattended; only authorized staff may review them.
• Records are protected against loss, damage, and destruction via an electronic medical record (EMR) system.
• Inactive records are securely stored and systematically filed; scanned into EMR and destroyed via approved methods after scanning.
• Staff with keys to storage areas are documented and limited to the minimum necessary.
• Use of “shadow” charts or files is not permitted.

Office Equipment Safeguards

• Computer access is restricted to staff with work-related needs; all users have unique logins and passwords, changed every 90 days.
• Passwords are not shared or posted; access is limited to treatment, payment, or health care operations.
• Staff must log off workstations when leaving and position monitors to avoid unauthorized viewing.
• Employee access is removed promptly upon departure.
• Violations are reported to supervisors, the Administrator, or Privacy Official.
• Printers, copiers, and fax machines are in secure locations; signs posted if relocation is not possible.
• Documents containing PHI are promptly removed and securely stored; erroneous documents are shredded or placed in secure bins.

Destruction of PHI

• Non-Medical Record documentation is destroyed promptly when no longer needed.
• Electronic PHI is deleted from equipment before disposal, donation, or sale.

Authorization for Release of Protected Health Information

Policy

PHI used or disclosed for purposes other than treatment, payment, or health care operations requires a valid, written authorization unless otherwise permitted or required by law.

Procedure

• Exceptions to authorization: disclosures for treatment, payment, health care operations, client requests, or required by law do not require authorization.
• Psychotherapy notes, marketing, or fundraising require written authorization.
• Requests without authorization are denied and the requester is informed; a valid authorization form is provided.
• Authorizations are reviewed for validity, filed in the client’s Medical Record, and only specified PHI is disclosed.

Preparing and Managing Authorizations

• Authorization forms must be complete, signed, and dated by the client or representative.
• Treatment may be conditioned on authorization only for research-related treatment or creation of PHI for third-party disclosure.
• Authorizations may be combined only under specific exceptions.
• Clients may revoke authorization in writing at any time; revocations are documented and filed.

Checklist for Valid Authorization

• Authorization must be in plain language and include a meaningful description of the information, names of disclosing and receiving parties, purpose, expiration date or event, signature, representative authority, required statements about disclosures and revocation, and statements about conditioning treatment or payment.
• If any element is missing, the request is denied and the requester is informed of deficiencies.

Defective Authorizations

• Invalid if expired, missing elements, revoked, violates regulation, or contains false information.

Use and Disclosure of PHI for Research

Policy

• Client authorization is required for research use of PHI.
• Research activities involving PHI require Institutional Review Board (IRB) approval and protection of privacy rights.

Procedure

• Research participation is voluntary and privacy rights are honored.
• Research and IRB responsibilities are coordinated between Safe Future LLC and research entities.
• Authorization forms for research state expiration date or event and may be combined with other permissions for the same study.
• IRB reviews and approves research and informed authorization procedures.
• Tracking and documentation of research correspondence and findings are maintained by the Privacy Designee.
• Clients are informed of any research or economic interests resulting from treatment.
• Authorization forms are filed in participants’ Medical Records.

Former Client’s Rights to PHI

Policy

Clients have the right to access their PHI, subject to certain limitations. Safe Future LLC responds to all requests, complying with state and federal timeframes.

Procedure

• Clients are notified of access rights in the Notice of Privacy Practices provided at admission.
• Access requests are managed by the Privacy Official or Medical Record Coordinator/Health Information Manager.
• Clients are given an Access form for requests; requests are processed only after form completion.
• Requests are responded to within 30 days if PHI is on-site, 60 days if off-site, with one 30-day extension allowed upon written notice.
• PHI is provided in the requested format or in an agreed format.
• Summaries may be provided if agreed to by the client.
• Reasonable cost-based fees apply for copies.

Denial of Access to PHI

• Timely, written denial is provided, with reasons and complaint options.
• Denial applies if PHI is not in the Designated Record Set, is compiled for legal proceedings, research continues, or confidentiality would be breached.
• Review rights are provided in certain cases, such as when access may endanger someone’s safety or cause substantial harm.

Review Process for Denied Requests

• Requests for review are referred to the Privacy Officer, who involves a health professional not part of the original denial.
• Clients are notified of the review outcome and necessary steps are taken.
• Photocopying and mailing fees apply for granted requests.

Copies are distributed with originals to the Medical Record and a copy to the client.

Current Client’s Access to PHI

Policy

Every client has the right to access their PHI. Safe Future LLC will respond to all access requests, adhering to state and federal timelines.

Procedure

• Clients or legal representatives are referred to the designated Health Information Manager/Medical Records Coordinator.
• Legal authority to view the record is confirmed according to state law.
• Meetings to review records are set up within 24 hours or at a mutually agreed time, with staff present to answer questions, prevent alteration, and ensure documents are not removed or destroyed.
• Clients or representatives review records without staff intervention.
• Requests for copies are processed within two working days, with disclosed copying charges.

Accounting of Disclosures of PHI

Policy

Clients may request an accounting of trackable PHI disclosures made by Safe Future LLC, as outlined in the Notice of Privacy Practices. Records of disclosures are retained for five years.

Procedure

• Upon inquiry, clients are provided with a Request for Accounting of Disclosures of PHI form, which must be completed and signed before evaluation.