It is the policy of Luxe Recovery to ensure that the information in Residents’ health records, and any information pertaining to the identity of a Resident or to the Resident’s diagnosis, prognosis, treatment, and condition, is treated as confidential and disclosed only to authorized persons as stipulated by 42 Code of Federal Regulations, Part 2, governing alcohol and drug abuse treatment records. Luxe Recovery Resident records are also protected under the standards for privacy of individually identifiable health information, 45 Code of Federal Regulations Parts 160-164 (also referred to as HIPAA). When there is a conflict between the regulations, the most restrictive will be applied.
A “Consent and Authorization for Release of Information” form must be signed by the Resident indicating to whom Luxe Recovery is authorized to release information. The resident’s confidentiality will be maintained, and information will not be divulged without prior approval. The Resident may revoke consent at any time.
Prior to release, the Clinical Director or his/her designee must approve all authorized releases made by Luxe Recovery. When answering the telephone, Luxe Recovery staff will never confirm or deny a Resident is part of the program without express written consent of the Resident. In addition, the program assures confidentiality of closed files and their destruction, as outlined in the Resident files policy.
Federal and State Confidentiality Regulations authorize disclosure of information regarding the identity, diagnosis, prognosis, or treatment of alcohol and/or other drug program Residents only under specific guidelines. Luxe Recovery shall adhere to the regulations stipulated in the Code of Federal Regulations (Title 42, Section 2.1 through 2.67-1), the State of California Welfare and Institutions Code (Section 5326 through 5330) and other provisions.
Any information, recorded or not, related to a resident of Luxe Recovery is to be afforded full confidentiality as outlined in the above regulations. Exceptions to confidentiality are as follows:
- If information about suspected child/dependent adult/elderly abuse or neglect is reported.
- If Residents threaten to harm themselves or others.
- If the Court orders that resident information be released.
- If the resident provides written permission to release information.
- Disclosure is made to medical personnel in a medical emergency or to qualified personnel for research, audit, or program evaluation.
Violation of the Federal and State Laws and Regulations by a program is a crime. Suspected violations may be reported to the United States Attorney in the district where the violation occurs. Federal regulations allow information sharing among programs with Qualified Service Organization Agreements (QSOAs). The following procedures apply:
- All staff and volunteers shall sign an Oath of Confidentiality before they begin working with Luxe Recovery.
- The Confidentiality Policy and the exceptions to confidentiality must be explained fully to Residents at the time of intake.
- Telephone Answering: Only program staff properly trained to do so will answer the telephones. All staff shall be trained not to acknowledge whether a Resident is in the program. All inquiries regarding persons who are, have been, or might be Residents in the program shall be treated with complete confidentiality: the caller shall be respectfully informed that this information cannot be acknowledged either way, and that if they would like to speak to another staff person, the call will be transferred.
- Resident file access: Resident files will be maintained in a locked office, in a file cabinet that can also be locked. Information maintained on computers is password protected.
- Release of information: Information regarding a Resident may be shared only to the extent that a release of information signed by the Resident permits.
- No employee shall use or disclose privileged or confidential information gained in the course of work or by reason of his/her official position or activities.
Staff who fail to abide by Luxe Recovery’s Confidentiality Policy are subject to termination of employment. Luxe Recovery has a lawful duty to safeguard confidential information concerning residents, alumni, staff members and agency business. Unauthorized access to and/or disclosure of confidential information by agency employees is prohibited and may result in disciplinary sanctions.
Luxe Recovery acknowledges that prospective, current, and former residents and staff members have the right to privacy and protection against release of personal information to sources that have no legitimate need for such data. Luxe Recovery residents and staff members alike shall receive maximum protection against invasion of their privacy.
Restrictions & Violations
There are state laws, federal guidelines, and agency policies that govern the release of confidential information:
- Staff members may not obtain access to or provide confidential information unless their positions within the agency authorize them to do so, and the appropriate release authorization has been obtained.
- When in question, staff members who receive requests for confidential information should seek direction from a supervisor before responding.
- Staff members who violate the agency’s Confidential Information policy may be disciplined up to and including dismissal.
Staff members are responsible for knowing the confidentiality laws, policies and guidelines that pertain to their location. Staff members sign a resident confidentiality acknowledgement upon hire. In addition, supervisors are responsible for informing staff members about restrictions on confidential information. All employees must strictly comply with this policy. When in doubt, they should assume information is confidential and not disclose it unless and until they are authorized to do so.
Luxe Recovery staff members shall maintain resident confidentiality in all communications in accordance with Federal Guidelines (42 CFR Part 2) and HIPAA Regulations (45 CFR). In addition to a Confidential Information Release Authorization, the following disclosure will accompany all electronic transmissions of confidential resident information in compliance with Federal Guidelines and HIPAA Regulations on confidentiality:
“Protected Health Information (PHI) is personal and sensitive information related to a person’s health care. It is being faxed to you after appropriate authorization from the resident or under circumstances that do not require resident authorization. You, the recipient, are obligated to maintain it in a safe, secure, and confidential manner. Re-disclosure without additional resident consent, except as permitted by law, is prohibited.
Unauthorized disclosure or failure to maintain confidentiality could subject you to penalties described in federal and state laws. This transmission is intended only for those to which it is addressed and may contain information that is privileged, confidential, or protected by law. All others are hereby notified that receipt of this message does not waive any applicable privilege or exemption from disclosure and that any dissemination, distribution, or copying of this communication is prohibited. If you have received this communication in error, please notify us immediately and shred this documentation.”
Resident Notification of Confidentiality Requirements
At the time of the resident’s initial assessment, staff shall inform the resident of California and federal laws and regulations that protect the confidentiality of their treatment episode along with records thereof. Upon intake the resident shall be given a written summary of the laws and regulations governing confidentiality. The resident will read, acknowledge, and sign the summary. A copy of this acknowledgement is to be kept in the resident record.
Release of Confidential Employee Information
The agency limits the authorized release of reference information on current/former employees to confirmation of dates of employment, position(s) held, and salary verification. Requests for employment verification must be received via fax, email or postal mail and include an authorized signature for release of the information. Any further information provided by residents is construed to be a personal reference for which the agency is not responsible.
All resident files are maintained, and information released, in accordance with HIPAA and Title 42, Code of Federal Regulations, Part 2, and are explicitly held with the utmost confidentiality and always appropriately secured. Resident files are considered confidential information to the extent allowed by law and will only be available to authorized personnel with a specific business need (Program Director, counselors, and detox staff); these files will also be available to the appropriate auditing agencies (state and insurance) for review. Resident records are retained electronically, accessible only to authorized staff using a login ID with password protection. When participation is terminated, the resident records will be electronically stored in the inactive portion of the electronic record for not less than three years from the date of discharge.
All resident files shall be electronically stored in a password-protected manner, accessible only to authorized personnel with a business need, for not less than three years from the date they are officially closed. Files are then electronically erased using a method of sanitization that applies programmatic, software-based techniques to sanitize data in all user-addressable storage locations, protecting against simple non-invasive data recovery techniques; this is typically applied through the standard Read and Write commands to the storage device, in a manner that ensures the confidentiality of residents.
All passwords should be reasonably complex and difficult for unauthorized people to guess. Employees should choose passwords that are at least eight characters long and contain a combination of upper- and lower-case letters, numbers, and punctuation marks and other special characters. These requirements will be enforced with software when possible. In addition to meeting those requirements, employees should also use common sense when choosing passwords. They must avoid basic combinations that are easy to crack. For instance, choices like “password,” “password1” and “Pa$$w0rd” are equally bad from a security perspective.
A password should be unique, with meaning only to the employee who chooses it. That means dictionary words, common phrases and even names should be avoided. One recommended method to choosing a strong password that is still easy to remember: Pick a phrase, take its initials, and replace some of those letters with numbers and other characters and mix up the capitalization. For example, the phrase “This may be one way to remember” can become “TmB0WTr!”. Employees must choose unique passwords for all of their company accounts and may not use a password that they are already using for a personal account.
All passwords must be changed regularly, with the frequency varying based on the sensitivity of the account in question. This requirement will be enforced using software when possible. If the security of a password is in doubt (for example, if it appears that an unauthorized person has logged in to the account), the password must be changed immediately.
Employees may never share their passwords with anyone else in the company, including co-workers, managers, administrative assistants, IT staff members, etc. Everyone who needs access to a system will be given their own unique password. Employees may never share their passwords with any outside parties, including those claiming to be representatives of a business partner with a legitimate need to access a system.
Employees should take steps to avoid phishing scams and other attempts by hackers to steal passwords and other sensitive information. All employees will receive training on how to recognize these attacks. Employees must refrain from writing passwords down and keeping them at their workstations. Employees may not use password managers or other tools to help store and remember passwords without permission.
Luxe Recovery is governed by Federal, State, County and accreditation regulations that protect the confidentiality of our Residents. We protect the privacy of residents being treated at Luxe Recovery in compliance with 42 CFR and HIPAA Regulations. Resident identifying information is defined as the name, address, social security number or other similar information by which the identity of a resident can be determined with reasonable accuracy and speed, either directly or by reference to other publicly available information.
- Telephone calls
a. Callers requesting information about a current or former Resident at Luxe Recovery are to be informed that, under Federal confidentiality law, we are unable to confirm whether or not a person is or has ever been a Resident at Luxe Recovery without the appropriate signed releases.
b. You may inform the caller that he/she is welcome to leave a name and telephone number and that, if the individual in question is a resident, this information will be forwarded to the resident only if there is a consent form for the caller signed by the resident. The choice to contact the caller is the resident’s, depending upon whether or not the resident wishes to reveal that she is a resident of Luxe Recovery.
- Postal Service
a. Staff members who are responsible for picking up mail delivered to Luxe Recovery are not to pick up or accept Resident mail that requires a signature. In such cases, the staff member must do the following:
  - Note the name of the sending party;
  - Note the name of the individual the letter is being sent to; and
  - Call the Resident, inform her that there is a letter/parcel requiring a signature at the post office, and tell her who is sending the parcel/letter.
b. If the Resident requests that Luxe Recovery pick up the parcel/letter, that Resident must sign a release form allowing Luxe Recovery to make a disclosure to the Postal Service and to the individual sending the letter.
- Visitors: All visitors/vendors must sign a Visitor’s/Vendor’s Log located in the case management office or other designated areas. A notice of confidentiality is to be affixed to this log, stating the visitor’s responsibility regarding the confidentiality of any Resident they may see at Luxe Recovery and their obligation to follow the Federal Rules and Regulations. For additional guidance on issues of confidentiality, please refer to your supervisor or review the release forms.
Responding to Subpoenas, Search Warrants, & other Legal Actions
Residents in treatment for alcohol and drug abuse have their privacy protected under Federal Law (United States Code, Title 42 §290ddB3 and ddE3) and the Federal Regulations that implement it (Title 42, Part 2 of the Code of Federal Regulations, a.k.a. 42 C.F.R. Part 2). It is extremely important that Luxe Recovery employees understand and respond appropriately to all subpoenas, search warrants and other legal actions. No employee of Luxe Recovery may release any information, verbally or in writing, that identifies a resident as a substance abuser or discloses information about her treatment unless there is a consent signed by the Resident authorizing the release of such information. The only exception to this is a medical emergency that poses an immediate threat to health and requires immediate medical intervention.
Definitions: There are generally three types of subpoenas. The subpoena is a court order issued by an attorney or government program requiring that a person appear and/or testify in court or in front of a program. The subpoena duces tecum is a court order that instructs a person to provide certain documents, such as medical or employee records, to a court, attorney’s office, or government program. This subpoena may also demand that the person accompany said documents and give testimony as a witness. The grand jury subpoena is a court order that indicates a criminal investigation is being conducted and the recipient is summoned to appear as a witness or to testify.
Subpoenas are not the type of court order required by the confidentiality regulations; therefore, Luxe Recovery is prohibited from responding to them by disclosing information concerning current or former Residents unless said Resident has signed a consent authorizing such a disclosure. All subpoenas, whether they request Resident records, employee files, or anything else, are to be directed to the Clinical Director, who will seek legal counsel to examine them and advise a course of action.
Search warrants may not be used to allow law enforcement officers to enter Luxe Recovery facilities. This would breach the confidentiality regulations protecting all Residents in the facility. However, arrest warrants do permit law enforcement officers to enter, but only to search for a particular Resident who has committed or threatened a crime on the Luxe Recovery premises or against Luxe Recovery personnel. Unless the arrest warrant is accompanied by a proper court order, Luxe Recovery need not cooperate with a search for a Resident who has committed a crime elsewhere. If a law enforcement officer or government agent arrives at Luxe Recovery with either an arrest warrant or a search warrant, employees must contact the Clinical Director to ensure the protection of the staff and Residents. If this occurs at a time when the Clinical Director cannot be reached, personnel may contact the Executive Director or CEO.
Special Exception to the above rules governing warrants: If a Resident in treatment is already aware she has a warrant and wishes to allow a law enforcement officer or government agent to come to Luxe Recovery to serve them with it, staff may have the Resident sign a consent form outlining this.
Courts, both federal and state, may issue an order compelling Luxe Recovery to release information that would otherwise be forbidden. These orders may only be issued after the court follows certain procedures and Luxe Recovery has the right to request this process be done prior to disclosing any information.
Note: a subpoena, search warrant, or arrest warrant alone, even when signed by a judge, is NOT sufficient to permit or require Luxe Recovery to make such a disclosure. First, the program or Resident whose records are sought must be given notice of the application for the order and the opportunity to make an oral or written statement to the court regarding said application. Prior to the order being issued, there must be a finding of “good cause” for the disclosure. Only that information which is essential for the purpose of the order may be released, and only to those persons who need the information.
Audits of Luxe Recovery files may be deemed appropriate and necessary by a government program, a third-party payer (e.g., an insurance company), or a peer review organization. These persons or agencies may review Luxe Recovery records without Resident consent as long as they have agreed in writing that they will not disclose Resident identifying information unless it is pursuant to a court order to investigate or prosecute Luxe Recovery, and not a Resident.