Part I · Chapter 15

Client Privacy, Confidentiality & Release of Information

Collection, use, safeguarding, and disclosure of personal client information.

POLICY: During the delivery of its services and programs, the Company collects personal information from its clients. Personal information means any information that could be used on its own, or with other information, to establish the identity of a client, the client's service provider, or the client's substitute decision-maker. Personal information also includes any other information about a client, including information that is contained in a client record.

The Company collects, uses, and shares clients' personal information for the following purposes:

  • Providing quality programs and services to clients.
  • Providing information to other people or organizations with client consent (e.g., making a referral for service).
  • Contacting clients, donors, and members to evaluate the Company's service and work.
  • Conducting research to understand the kinds of issues our clients are facing.
  • Contacting individuals about our fundraising and membership activities.
  • Reviewing client files to ensure high quality of service and documentation.

The Company may also collect, use, and share personal information with consent or as permitted or required by law. The Company is committed to protecting the privacy of its clients and ensuring that:

  • The personal information it receives from clients is kept safe, secure, confidential, accurate, and up to date.
  • Clients understand why their personal information is collected by the Company.
  • The Company obtains client consent (Appendix 7) before collecting, using, sharing, or releasing client information, except as set out in this policy or permitted or required by law.
  • Only the personal information necessary for the purposes listed above is collected from clients, unless otherwise consented to by the client or permitted or required by law.
  • Access to client information is limited to Company employees and students involved in delivering services to clients.
  • Any external agents to whom the Company releases information have a need to know and only use and disclose client information for the purposes for which it was originally provided.
  • Clients can withdraw their consent at any time to the collection, use, and disclosure of their personal information.
  • Clients have access to their records, except where the Company is entitled to refuse an access request, and can copy or correct their record and ask questions about the Company's privacy policies and procedures.
  • Complaints about the Company's privacy policies and procedures are handled efficiently and effectively.
  • All legal and regulatory requirements regarding client information are met and maintained.

Procedures

As the Company's services often involve collaboration and consultation among employees, Company employees will discuss the following with new clients:

  • The nature and extent of consultation and collaboration in the Company program or service which the new client is accessing.
  • The personal information that the Company may collect.
  • The purposes for which the Company collects, uses, and shares personal information, as listed above.

Clients' rights and responsibilities, including rights related to keeping clients' personal information private, will be reviewed with all new clients at their first appointment following intake.

Clients will be asked to use a form indicating that the organization's privacy policies have been discussed and that the client consents to the collection, use, and sharing of personal information for the purposes listed in the policy.

The signed forms will be maintained by the program (e.g., in the client's paper record, filed centrally within the program). A note will be made in the client's electronic record that the form has been signed.

In cases where it is not possible or practicable to obtain the client's written acknowledgment (e.g., telephone-only service), verbal acknowledgment that the organization's privacy practices have been explained to, and accepted by, the client will be recorded in an activity note in the client's record.

Consent will be that of the individual and must be knowledgeable, relate to the personal information, and not be obtained through deception or coercion. A consent to the collection, use, or sharing of personal health information about an individual is knowledgeable if it is reasonable in the circumstances to believe that the individual knows (a) the purposes of the collection, use, and/or disclosure and (b) that the individual may give or withhold consent.

If employees are concerned that a client does not have the capacity to consent to the collection, use, and disclosure of his or her personal information, employees should:

  • Consider whether the client understands the decision they are being asked to make.
  • Question whether the person understands the reasonably foreseeable consequences of the decision or lack of decision.
  • Consult with their supervisor.

Clients have the right to stipulate who will have access to their personal information. This means that they can withhold, limit, or withdraw their consent to the collection, use, or disclosure of personal information. The request may cover all or a specific part of a client's record. When this happens, staff will implement the following "lock-box" procedure.

Electronic Records: The Company employee receiving the client's request to withhold, limit, or withdraw their consent will:

  • Record the verbal instructions by the client in an activity note in the client's electronic record.
  • Scan any written instructions by the client into the client's electronic record.

Paper Records:

  • If the client also has a paper file, the client's file (either in whole or in part depending on the client's instructions) to which access is to be limited, will be placed inside an envelope that will be sealed with the instructions from the client stapled to the outside of the file.
  • If the client's request is to withdraw consent, the file will be safeguarded by the Company.
  • If the client's request is to withhold or limit consent, the supervisor responsible for the program will determine how best to comply with the client's request.

The Company will not disclose the personal information of clients without their consent, except where:

  • It is believed the client or someone else is in imminent danger of serious physical harm (see Abuse Reporting and Documentation Policy).
  • A child is at risk of or has been abused, abandoned, or neglected, or a vulnerable adult is at risk of or has been abused, neglected, or exploited (see Abuse Reporting and Documentation Policy).
  • The Company is subpoenaed or is otherwise served with a court order, summons, warrant, or a similar requirement issued by a person who has jurisdiction to compel the production of information in a proceeding.
  • It is otherwise permitted or required by law.

If a Company employee, student, or volunteer is served with a warrant, summons, subpoena, order, or similar requirement issued in a proceeding, the individual must immediately notify their supervisor, who will provide advice and direction as to how to respond. Company employees and students should follow the same procedure in response to requests by police officers for client information.

In general, where an order, summons, warrant, subpoena, or other requirement to produce documents has been served on the Company, the organization will:

  • Make every attempt to respond in a way that is respectful of the order or other requirement, while at the same time taking steps to preserve the client's right to confidentiality.
  • Make an exact copy of the file to remain at the Company and deliver the documents to the court or other proceeding in a sealed envelope marked "Private and confidential."

When the Company discloses personal information without the client's consent, the client will be notified of such disclosure as soon as is reasonably practical, safe, and/or legally possible in the circumstances.

Subject to Section 4, personal information, whether all or part of a client record, will not be released to third parties without the written consent of the client or the client's substitute decision-maker, where applicable. Clients are required to complete the Company Authorization to Release or Release Information Form, depending on the nature of the request. Consents provided on these forms are valid for one year unless otherwise limited or withdrawn by the client in advance of that date. The Company may disclose a client's personal information, provided that the disclosure, to the best of the Company's knowledge, is for a lawful purpose.

  • Reports from third parties contained in a client record may not be released without the written consent of the third party. Clients will be encouraged to pursue access to this information directly with the third party.
  • In exceptional circumstances, where written consent is not possible, the oral consent of the client to the release of personal information will be accepted and will be recorded in the client's file.
  • In response to requests to release information to third parties, the Company service provider will ensure that the client understands the purpose for which the information is being released and to whom the information is being released. The Company service provider will also explain that the Company cannot guarantee the confidentiality of the information once it has been released.

Safeguarding of Personal Information

  • Client information stored electronically is protected by password. Access to the Company electronic database is limited on a need-to-know basis for added security.
  • Client information collected in hard copy form is stored in locked cabinets accessible only by the counselors or other Company employees and students providing service to the client, and the relevant program managers.
  • Access to client information will be limited to those who need to know the information for the purposes set out in the client's consent or as otherwise permitted or required by law.
  • Company employees will never leave client personal information, in paper or electronic form, unattended or exposed to anyone other than the client.
  • The Company will not send confidential personal information to clients by email without the client's prior consent. Personal information sent to clients or about clients will be sent using secure email. (Note that secure email ensures messages are encrypted. The Company's regular email program is not secure email.)
  • Web-based counseling will use an encrypted website to protect client privacy and confidentiality.
  • The Company requires external agents, such as third-party auditors, to maintain the confidentiality of client information and to refrain from using client information for any purpose other than the purposes for which consent was provided by the client. Where appropriate and necessary, the Company will obtain the consent of the client to the disclosure of information to external agents. (External agents are persons or companies with which the Company has contracts and that may need personal information.)
  • When disposal is permitted, or required, records of client personal information will be disposed of in a secure manner such that reconstruction of the records is not reasonably foreseeable in the circumstances.

Notice to Clients of Theft, Loss, Unauthorized Access, Use or Disclosure of Personal Information

  • Employees are required to report to their supervisor and to the Company Privacy Officer any theft, loss, unauthorized access, use, or disclosure of personal information of the Company's clients. In programs where funders require it, managers will file a serious occurrence report in this situation.
  • In the event of such theft, loss, unauthorized access, use, or disclosure of personal information of a Company client, the Company will notify the client as soon as possible.
  • Oral contact with the clients will be logged in the client record and will be followed up by a letter, which will be included in the client record.
  • In the case of former clients, contact will be made orally, if possible, and in writing, at the last known address for the client recorded in the Company's database.

Client Access to and Correction of Personal Information

  • Clients wishing to review their records should contact the Company service provider, relevant program supervisor, or Privacy Officer.
  • Within 30 days of any such request, an appointment will be made for the client to review his/her personal information in a confidential manner on Company premises, in the presence of a Company employee, unless the Company is entitled to refuse the request, in which case written notice will be given. Clients may bring a support person to this appointment if they wish. Up to 60 days may be required in the case of complex searches for records. In exceptional circumstances (e.g., a client is unable to come to the Company office due to health issues), a copy of the record may be sent to the individual with consent.
  • The Company is required to retain client personal information that is the subject of a request for access for as long as necessary to allow the client to exhaust any recourse under HIPAA, Florida Statutes Chapters 456 & 491, and Florida Medicaid General Policies that he or she may have with respect to the request. This may require the Company to maintain the record for longer than the typical client record retention period.
  • Clients who wish an explanation of their records may contact their Company service provider, the relevant program supervisor, or the Company Privacy Officer.
  • Clients will not be permitted to access third-party records without the consent of the third party. In such cases, the Company service provider will direct the client to obtain the requested information directly from the third party.
  • Clients wishing to correct information in their file shall provide the correction in writing to the Company. The written correction will be included in the client's record and, within three weeks of receipt, the Company will notify the client of its response to the correction.

Inquiries and Complaints

Questions, comments, or complaints about the Company's privacy policies and procedures or about the collection, use, or disclosure of personal information will be directed to the board of directors.

Oversight, access, and management of personal information collected during the delivery of services are limited to authorized personnel in accordance with their designated roles and responsibilities. Specific duties related to supervision, quality assurance, financial processing, human resources, and organizational governance are outlined in Appendix 18 - Job Description: Clinical QA Specialist; Appendix 19 - Job Description: Finance / Billing Liaison; Appendix 20 - Job Description: Director of Human Resources; and Appendix 21 - Job Description: President / Administrator / CEO. These appendices define role-based access and accountability standards to ensure that personal information is collected, maintained, and protected in compliance with applicable privacy laws and organizational policy.