This notice describes how medical and clinical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
I. Who We Are
This notice describes the privacy practices of Comprehensive Addiction Solutions LLC and Lorraine K. Bockman, LCSW, LAC located at 6402 S. Troy Circle, Suite 340, Centennial, Colorado 80111.
II. Our Privacy and Confidentiality Obligations
We are required by law to maintain the privacy and confidentiality of information about your health, health care, and payment for services related to your health (referred to in this notice as “protected health information” (PHI)); and to provide you with this notice of our legal duties and privacy practices with respect to your PHI. When we use or disclose your PHI, we are required to abide by the terms of this policy.
The Federal Confidentiality Law, 42 U.S.C & 290dd-2, 42 C.F.R. Part 2 and the Federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), 42 U.S.C. & 1320d et seq., 45 C.F.R. Parts 160 & 164 protect your health information if you are applying for or receiving services (including diagnosis, referral or treatment) for substance abuse or mental health services. If you are applying for or receiving services for substance abuse or mental health issues, the provider is prohibited from disclosing any information, including involvement and participation in assessment and treatment services, payment information, and assessment and treatment results, to a person or agency without your express permission in writing. There are several exceptions to this regulation, which are listed in this notice.
III. Professional Records
Pursuant to HIPAA regulations, we may keep protected health information about you in two sets of records, a Clinical Record and Psychotherapy Notes. Your Clinical Record will be your formal chart. Any information that is disclosed as a result of a standard release of information (ROI) signed by you will be disclosed from this record. The Psychotherapy Notes are kept in a separate file and are for my own use. These notes are designed to assist me in providing you a high quality clinical experience during the therapy process. Any information disclosed from this record must be authorized by you through a separate and distinct release of information (ROI). Insurance companies and employee assistance programs may not require you to sign an Authorization as a condition of coverage nor may they penalize you in any way if you refuse to sign an ROI.
The Clinical Record will contain the following information:
- The reason(s) that you are seeking therapy or an evaluation
- A description of impact your problem has had on your life
- Your medical, social, and treatment history
- Any prescription medication information
- Any past treatment records that receive from other providers
- The treatment modality, frequency, and duration of the therapy sessions
- Results of any clinical tests
- A summary of your diagnosis(es), your treatment goals, and your progress towards those goals
- The prognosis of your care
- Your billing records
- Copies of any reports that have been sent to anyone
The content of the Psychotherapy Notes may vary between clients; however, in general, they may include the following information:
- Reports of any professional consultations
- The specific content of our conversations
- Intimate personal content or facts
- Details of fantasies and dreams
- Sensitive information about other individuals in your life
- My analysis of our therapy sessions and your case
You may examine and receive a copy of your Clinical Record. We will discuss it prior to you receiving a copy. If you are interested in your Psychotherapy Notes, we may go over them and discuss them but you may not have a copy of them. Because these are professional records, they can be misinterpreted and/or upsetting to untrained readers.
IV. Uses and Disclosures of Protected Health Information WITH Your Authorization:
A. We may use or disclose your protected health information from your Clinical Record when you give your authorization to do so in writing on a Release of Information form that specifically meets the requirements of the laws and regulations that apply.
B. We may use or disclose your protected health information from your Psychotherapy Notes when you give your authorization to do so in writing on a Psychotherapy Notes Release of Information form that specifically meets the requirements of the laws and regulations that apply.
C. Please be aware that a court with appropriate jurisdiction or other authorized third party may request that you to sign a Release of Information. Failure to do so may result in consequences for you that are beyond our control.
V. Uses and Disclosures of Protected Health Information WITHOUT Your Authorization:
There are circumstances that we are required to use and disclose your protected health information even though you have not provided your authorization in writing. These circumstances are listed below.
A. Health Care Operations: We may use or disclose your protected health information for the purposes of health care operations within our agency. However, the information used may not identify, directly or indirectly, or otherwise disclose the identities of any individual in any final report. Health care operations may include internal administration, planning, and activities that improve the quality and effectiveness of client care. For example, we may use information about your care to evaluate the quality and competence of our clinical staff or to resolve any complaints or issues that arise regarding your care. We may disclose information to qualified personnel for outcome evaluation, management audits, financial audits, or program evaluation. We may also disclose your protected health information to an agent or agency which provides services to our organization under a Qualified Service Organization Agreement (QSOA) and/or a Business Associate Agreement (BAA), in which they agree to abide by the applicable federal laws and related regulations (42 CFR Part 2 and HIPAA). Health Care Operations may also include the use of your protected health information to contact you regarding future appointments or to provide you with information regarding additional programs offered by our organization. This list of examples is for illustration only and is not an exclusive list of all of the potential uses and disclosures that may be made for health care operations.
B. Medical Emergencies: We may disclose your protected health information to medical personnel to the extent necessary to meet a bona fide medical emergency (as defined by 42 CFR Part 2).
C. Judicial and Administrative Proceedings: We may disclose your protected health information in a judicial or administrative proceeding in response to a court order that meets the requirements of federal regulations, 42 CFR Part 2 concerning Confidentiality of Alcohol and Drug Abuse Patient Records. These types of proceedings could be related to, but not limited to, malpractice, collections, involuntary commitments, or criminal proceedings as required by law.
D. Commission of a Crime on Premises or against Program Personnel: We may disclose your protected health information to the police or other law enforcement officials if you commit a crime on the premises or against program personnel or threaten to commit such a crime.
E. Abuse: We may disclose your protected health information for the purpose of reporting child or elder abuse and neglect to public health authorities or other government authorities authorized by law to receive such reports.
F. Duty to Warn: We may disclose your protected health information for the purpose of reporting a specific threat of serious physical harm to another specific person or the public. Information may be provided to the specific person, to the police, to other law enforcement agencies, or to government authorities as appropriate.
G. Audit and Evaluation Activities: We may disclose protected health information to those who perform audit or evaluation activities for certain health oversight agencies. Such agencies might include the Colorado Alcohol and Drug Abuse Division (ADAD) or the Department of Regulatory Agencies (DORA), independent accrediting bodies such as the Joint Commission on Accreditation of Healthcare Organizations (JCAHO), or federal agencies monitoring client care such as the Department of Transportation.
VI. Electronic Records
Under any circumstance, client communication cannot be guaranteed to be private. Conversations can be overheard, e-mails can be sent to the wrong recipients and phone conversations can be listened to by others. Electronic media, including emails, cell phones, computers and fax machines is not private. Although they add convenience and expedite communication, it is very important to be aware that computers, e-mail, fax machines, and cell phone communication can be accessed relatively easily by unauthorized people and hence can compromise your privacy and confidentiality.
Pursuant to the HIPAA Security Rule, health care providers must have policies and procedures in place regarding the creation, use, storage, transmission, and destruction of Electronic Personal Health Information (e-PHI) in electronic media. Electronic media can include: memory devices in computers (hard drives) or tablets, any removable/transportable digital memory medium such as magnetic tape or disk, optical disk, or digital memory card; the internet (wide-open), an intranet or extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, and private networks.
A. Electronic Records: We do keep electronic records. These records are created and stored in text, spreadsheet, or database documents on a computer hard drive. Electronic records include any information kept in your Clinical Record and any Psychotherapy Notes. These two records are kept in separate files. These records could include any information provided by you or by outside sources related to your case, provided through any medium including traditional mail service, email, voice mail, text message, chat sessions, verbal information, or written information.
B. Access to PHI: The computer is only used by the therapist and the therapist has a personal password that allows access to the computer. The computer is kept in a locked state when it is not being used or when the therapist walks away from the desk. If the computer is left unattended and unlocked, it is locked automatically after 5 minutes of inactivity.
C. Storage of Records Containing PHI: Any records with e-PHI are kept in an encrypted file with a single password known only to the individual therapist. Records are encrypted and backed up on a monthly basis to an external hard drive which is stored in an external location from the office under lock and key, access only by the individual therapist. The computer is maintained with a firewall to prevent unauthorized access and virus software utilized to protect the data in the electronic records.
D. Transmission of Records Containing PHI: There are three issues related to the transmission of PHI: confidentiality, authenticity, and integrity. In order to protect your confidentiality, any electronic transmission of PHI sent by the therapist to another individual is encrypted. The password attached to the encryption will only be known to the therapist and the individual designated to receive the information. The therapist requests that any individual sending PHI also encrypts that data, but we have no way of ensuring that happens.
In order to protect the integrity of your e-PHI and ensure that it is not improperly modified, we have a policy in place that requires any transmitted e-PHI to be unalterable. Any records that contain PHI that are transmitted through electronic means shall either be a document that password protected and cannot be altered by the receiving individual, or shall be transmitted in portable document format (pdf).
In order to protect your e-PHI, we require authentication of the individual on the other end of the transmission. To verify that the individual is the person they claim to be, we may require one of following methods: knowledge of them by meeting them in person previously, requesting proof of identity through letterhead or an identification card, or the provision of a personal identification number established previously between you and the therapist.
E. Services Provided Through Electronic Media: If you are requesting telemental health services through video conferencing or through chat messaging, we are able to serve those requests through HIPAA compliant services. Be aware that even HIPAA compliant third-party services provide limited security and privacy dependent on the intention of someone attempting to access the information. Communication on such systems may unintentionally expose confidential client data to third parties and these messages may be intercepted by others.
F. Social Media: Please see our social media policy for details on this issue.
If the security or privacy of your PHI is compromised through improper acquisition, access, use, or disclosure, federal law requires health care providers to complete a risk assessment and based on those findings, notify the government and the client of a “breach” of protected health information as required by law. Examples of HIPAA Security breaches that must be evaluated for reporting include, but are not limited to, a lost or stolen computer, tablet, or other mobile device that is used to store PHI, sending an unencrypted e-mail containing PHI to the wrong person, or unauthorized access of a computer or email program that is used to store or transmit PHI. Notification about the breach would be provided to you in writing to your last address of record and include the date and type of breach and the steps that you could take to protect yourself.
VII. Destruction of Records
Records include any information kept as a part of your Clinical Record and your Psychotherapy Notes. Paper and electronic records will be maintained in accordance with State law and ethical guidelines of the profession. Currently it is required that social workers in the State of Colorado maintain their Clinical records for a minimum of 7 years. Once any paper records are filed electronically, all information is shredded by the therapist using a shredder. The pieces are then divided into two separate bags and sent to a local recycling facility.
The HIPAA Security Rule requires that any data recorded on electronic media must also be disposed of properly. Any electronic media that contains PHI will be overwritten with information that is not of a sensitive nature or exposed to a magnetic field of sufficient strength to disrupt the recorded data. The therapist may also physically destroy the disks or tapes by melting, shredding, incinerating or pulverizing them. Only after the media is rendered unreadable may such media be placed in an accessible dumpster or trash can. Tapes, disks and computers may be reused if all protected information is first purged from the media, hardware or software that held the data.
VIII. Your Individual Rights
A. Right to Receive Confidential Communications: We will communicate with you through the phone number, street address, or email address that you provide. You may request, and we will accommodate, any reasonable, written request for you to receive your protected health information by alternative means of communication or at alternative locations.
B. Right to Request Additional Restrictions: You may request restrictions on our use and disclosure of protected health information for treatment, payment and health care operations. We will consider all requests for additional restrictions carefully however; we are not required to comply with requested restrictions. If you wish to request additional restrictions and you are currently receiving services, please contact your therapist. Once you are no longer receiving services, contact our organization in writing. We will send you a written response.
C. Right to Inspect and Copy Your Health Information: You may request access to your clinical file and billing records maintained by us in order to inspect and request copies of the records. Under limited circumstances, we may deny you access to a portion of your records. If you desire access to your records and you are currently receiving services, please ask your therapist for the records. Once you are no longer receiving services, contact our organization in writing. If you request a copy of your record, you may receive it in digital format. If you request a paper copy, there will be a charge for each page copied and you will be told the cost prior to the copies being made.
D. Right to Amend Your Records: You have the right to request that we amend protected health information maintained in your clinical file or billing records. Our organization may approve or deny your request dependent on the circumstances. If your request to amend your records is denied, we will notify you of this denial in writing. If your requested amendment to your records is accepted, a copy of your amendment request will become a permanent part of your record. When we “amend”, a record, we may add information to the original record, as opposed to physically removing or changing the original record. If your requested amendment is denied, you will be informed of your right to have a brief statement of disagreement placed in your medical records. If you desire to amend your records and you are currently receiving services, contact your therapist. Once you are no longer receiving services, contact our organization in writing.
E. Right to Receive an Accounting of Disclosures: Upon request, you may obtain a list of instances that we have disclosed your protected health information with or without your written authorization; in those instances related to your treatment and payment for services; or in the course of our health care operations. The list will apply only to covered disclosures prior to the date of your request and will include the date and method of transmission, the information disclosed, and the information recipient.
F. Right To File A Complaint: See the complaint section of this notice below.
G. Right to Revoke Consent: You may revoke any signed authorization at any time except to the extent that we have already taken action upon the authorization. If you wish to revoke your authorization, you may do so verbally or in a written statement to your therapist and that information must be documented in your file.
H. Right to Provide Authorization For Other Uses: You have the right to request that other individuals be provided information about your treatment. You may request to sign a release of information at any time to allow your therapist to speak with these individuals.
I. Right to Receive a Copy of This Notice: Upon request, you may obtain a copy of this notice.
As a solo practitioner, I am the appointed “Privacy Officer” for my practice per HIPAA regulations. If you desire further information about your privacy and confidentiality rights; if you are concerned that your rights have been violated; or if you disagree with a decision that had been made about access to your protected health information, you may contact:
6402 S. Troy Circle, Suite 340
Centennial, Colorado 80111
You may also send a written complaint to the Secretary of the U.S. Department of Health and Human Services. We will not retaliate against you if you file a complaint. Complaints can be filed online at:
US Department of Health and Human Services Complaint Portal
or can be filed by mail via the Department of Health and Human Services Complaint Package:
X. Effective Date and Duration of This Notice
A. Effective Date: This notice is effective on January 1, 2021 and overrides any pre-existing notices.