HIPAA Notice of Privacy Practices

 


Privacy and Security Policy


HIPAA


The Health Insurance Portability and Accountability Act (HIPAA) protects the confidentiality and security of a client’s healthcare information. It restricts HOPE Group Clinical’s ability to use and disclose protected health information.


Protected Health Information (PHI)


Protected health information is information created by HOPE Group Clinical or information received by another entity regarding the past, present, or future medical, mental, or physical condition of a client, the provision of healthcare services to the client, and past, present or future payment of those services, in which a client can be reasonably identified. Examples of PHI can include but are not limited to:

• Client full name, DOB, address, phone number
• Client information included in the electronic medical record (EMR), CentralReach
• Discussions with the client’s treatment team and others to coordinate care as part of the client’s treatment
• Client information used for billing purposes
• Any health information that can reveal the identity of the client


All HOPE Group Clinical employees who have access to PHI, including but not limited to trainees, volunteers, and business associates, will follow the expectations outlined in this plan to ensure compliance with HIPAA’s requirements.


This policy can be amended at any time, with or without notice.


Section I: Responsibilities of HOPE Group Clinical


Privacy Team:
HOPE Group Clinical’s privacy team will consist of the Owner, Director of Operations, Executive Clinical Director, and interim CEO. The Director of Operations and the Executive Clinical Director will be responsible for developing, implementing, and maintaining all information that is needed within the organization to adhere to this policy.


Employee Training:
Upon hire, all employees at HOPE Group Clinical will acknowledge by signing that they have understood and will abide by the contents of this policy. Additionally, all employees will complete HIPAA training through Relias annually. The content in the Relias course is sourced from 45 CFR Parts 160, 162, and 164 (2020) or through Health and Human Services (HHS) unless otherwise noted.


Safeguards:
HOPE Group Clinical has safeguards in place to prevent PHI from intentionally or unintentionally being used or disclosed. Safeguards include:

• Firewalls to limit access to PHI
• Password protected and encrypted electronic information
• Passwords to systems containing PHI must be changed quarterly
• Labeling electronic information as ‘Confidential Protected Health Information’
• Access to PHI on HOPE Group Clinical-owned electronic devices (i.e., tablets, computers, cell phones) only; accessing PHI through the use of personal devices is strictly prohibited
• Limited connectivity to PHI using the minimum necessary rule. Employees within HOPE Group Clinical will have access to the minimum amount of information necessary to complete assigned job functions.
• Double locked storage of portable electronic storage devices containing PHI
• Avoidance of public areas when discussing PHI
• Logging in and out of electronic devices using individual log in information
• Navigating back to a home screen when leaving an electronic device used for accessing PHI to avoid inadvertent disclosure of PHI to passersby
• Leaving voicemails with PHI is strictly prohibited


Electronic Health Record, Data Storage, and Remote Access:
Each client’s health record is stored in a password protected, encrypted, electronic management record system. HOPE Group Clinical employees can access this system remotely by logging in with individual sign in and password information. Employees are required to log out of the system immediately when access is no longer needed or when they are no longer in front of their electronic device.


Privacy Notice:
HOPE Group Clinical provides a Notice of Privacy Practices to all clients receiving treatment. This notice includes information regarding client rights, company uses and disclosures of PHI, and company responsibilities to protect client health information. Privacy practices will be reviewed and updated annually. Clients/their families will receive a Notice of Privacy Practices annually and will be required to acknowledge by signing that they have received and reviewed the information in the Notice of Privacy Practices. The Notice of Privacy Practices will be available in electronic or paper format and will be provided to each client/family in his/her/their preferred format.


Complaints:
Clients can file a written complaint with the Director of Operations or the Executive Clinical Director. The privacy team is responsible for reviewing, investigating, and completing action steps to address and remediate complaints. Complaints may also be submitted to the US Department of Health and Human Services at the address below. Any client/legal guardian will be free from retaliation by HOPE Group Clinical when filing a complaint.


Centralized Case Management Operations


US Dept of Health and Human Services


200 Independence Ave, SW


Washington, DC 20201


Phone: 1-877-696-6775


Email: OCRComplaint@hhs.gov


Violation of the Privacy and Security Policy:
Employees will notify the Director of Operations or the Executive Clinical Director immediately upon discovering a violation of this Privacy and Security Policy. Individuals who violate the Privacy and Security Policy are subject to disciplinary action that can lead up to termination of employment. HOPE Group Clinical, to the extent possible, will implement action steps to mitigate potential breaches or violations of the HIPAA privacy rule when it learns that a violation has occurred.


Documentation and Records Management:
All versions of the Privacy and Security Policy will be stored for 6 years following the effective date. All documentation related to Notice of Privacy Practices, complaints, security breaches, or documentation required to comply with the HIPAA privacy rule will be stored for at least 6 years following the creation or implementation date of the document.


Breach Reporting:
HOPE Group Clinical will follow the Breach Notification Rules outlined by the Department of Health and Human Services when a breach of unsecured protected health information has occurred. Written notices will be sent to clients/families, media (when applicable), and to the Secretary. Breaches by a business associate must be reported to HOPE Group Clinical upon discovery of the breach. All breach reports will be documented. For additional information, please see the Breach Reporting Policy.


Section II: Uses and Disclosures


Use


Use is the sharing, employment, application, utilization, examination, or analysis of individually identifiable health information by any person working for or within HOPE Group Clinical, or by a Business Associate of HOPE Group Clinical.


Disclosure


For information that is protected health information, disclosure means any release, transfer, provision of access to, or divulging in any other manner of individually identifiable health information to persons not employed by or working within HOPE Group Clinical with a business need to know PHI.


Authorized Use of PHI:
Employees of HOPE Group Clinical will access only the minimum necessary PHI to perform their job functions.


Unauthorized Use of PHI:
Employees of HOPE Group Clinical may not access PHI for themselves, family members, friends, or other employees of the company for personal or non-work-related purposes.


Authorized Disclosure:
PHI will be disclosed upon written authorization from the client or legal guardian of the client through completion and acknowledgement of the Release of Information form. Employees will verify that the release of PHI is authorized by applicable law or by a current release signed by the client as well as verify the identity of individuals requesting PHI to ensure that they are authorized to receive it.


Unauthorized Disclosure:
PHI will be disclosed without an authorization under the following circumstances in accordance with the HIPAA Privacy Rule.

• To the individual
  o Authorization is not needed when the client or legal guardian requests his/her/their own medical record
• Treatment, payment, and healthcare operations
• Uses and disclosures with opportunity to agree or object
• Incidental use and disclosure
• Public interest and benefit activities
  o Required by law
  o Public health activities
  o Victims of abuse, neglect or domestic violence
  o Health oversight activities
  o Judicial or administrative proceedings
  o Law enforcement purposes
  o Decedents
  o Cadaveric organ, eye or tissue donation
  o Research
  o Serious threat to health or safety
  o Essential government functions
  o Workers’ compensation
• Limited data set
  o Direct identifiers have been removed from a data set used for research, healthcare operations and public health purposes


Section III: Client Rights


• Request an electronic or paper copy of your medical record
  o You can ask to see or get an electronic or paper copy of your medical record.
  o HOPE Group Clinical will provide a copy or summary of your health information, usually within 30 days of request.
• Request a correction to your medical record
  o You can request a correction to your health information if you think it is incorrect or incomplete.
  o HOPE Group Clinical may deny your request, but we will explain why in writing within 60 days.
• Request confidential communications
  o You can request a specific method of communication. For example, you may request calls go to your home phone or cell phone. You may request information mailed to a different address.
  o HOPE Group Clinical will follow all reasonable requests.
• Request a limit to what information is shared
  o You can request a withhold of certain health information related to treatment, payment or operations. For example, if you pay for a service out-of-pocket in full, you can ask HOPE Group Clinical not to share that information with your health insurer.
  o HOPE Group Clinical will follow reasonable requests unless it is determined it would affect your quality of care.
• Request who may receive information
  o You have the right to share information with your family, close friends, or others involved in your care.
  o HOPE Group Clinical will follow all reasonable requests.
• Request a list of those with whom we’ve shared information
  o You can request a list (accounting) of the times we’ve shared your health information for six (6) years prior to the date you ask, who we shared it with, and why.
  o HOPE Group Clinical will provide all disclosures except for those related to treatment, payment, and operations.
• Request a copy of this privacy notice
  o You can request a paper copy of this notice, even if you previously received a copy.
  o A copy of the HIPAA Notice of Privacy Practices is also available on the HOPE Group Clinical website.
• Choose someone to act for you
  o If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information.
  o HOPE Group Clinical will respect any legal representative you choose.
• File a complaint if you feel your rights are violated
  o You can call our office at 480-610-6981 to make a complaint if you feel HOPE Group Clinical has violated your information rights. HOPE Group Clinical will immediately investigate any potential HIPAA violation.
  o You can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, or calling 1-877-696-6775.