Policy
It is the policy of Serenity Park, as required by and in compliance with 42 C.F.R. Part 2, and applicable laws, including the federal Health Insurance Portability and Accountability Act (HIPAA), as amended, and rules promulgated, to protect the records of the persons served and to protect confidential administrative records.
Procedure
Client Records
- The Clinical Supervisor is responsible for control of clinical records and implementing the policies and procedures pertaining to client records.
- Electronic client records are automatically backed up through Serenity Park’s computer EMR system.
- Access to client records by personnel is on a “need-to-know” job requirement bases only.
- Serenity Park maintains identification and filing systems which enable prompt record location and accessibility to clinical staff.
- When a person’s record becomes inactive, the individual client information is maintained in the EMR as inactive for the required amount of time.
- Serenity Park retains records for seven (7) years after the last treatment activity.
- If after seven (7) years, it is determined that all treatment is completed and there is no litigation or other circumstances to prohibit doing so, the record is destroyed.
- All destruction of records ceases in the event that a legal process is initiated against Serenity Park.
Safeguarding of Records and Confidential Client Information
1. Serenity Park employees have access to client records on a “need-to-know” job requirement basis only.
- Client information is only available to persons actively engaged in the treatment of clients or in related administrative work.
- The information available to persons actively engaged in the treatment of the client or in related administrative work is limited to the minimum amount of information necessary. The Clinical Supervisor ensures that client records are released only to persons or agencies actively engaged in the treatment of the client and only to the extent that the information is necessary to carry out the purpose for which it is being released.
2. Serenity Park employees protect records and confidential information as follows:
- All mental health and addiction treatment information, whether recorded or not, and all communications between a counselor, physician or a psychotherapist and a client are both privileged and confidential and are not released without the written consent of the client or the client’s legally authorized representative;
- The identity of a client who has received or is receiving mental health or addiction treatment services is both confidential and privileged and is not released without the written consent of the client or legally authorized representative;
- The Executive Director and Clinical Supervisor ensure that consent forms and statements of rights make clear that Serenity Park may release the information without consent of the client pursuant to certain state and federal law exceptions that require or allow disclosure of such information; and
- The Clinical Supervisor ensures that consent forms and statements of rights make clear the procedures by which the client is notified of his or her right to confidentiality.
- Release of information from psychiatric records requires the consent of the physician or practitioner.
- Information may be shared without a signed “Consent to Release of Confidential Information” if there is an order from a court of proper jurisdiction to release such information.
- Serenity Park does not act upon authorizations or consents for release of information, attorney requests, or subpoenas via fax; authorizations and consents to release must be received in the original form, not as a copy from a facsimile.
3. All employees are responsible for safeguarding client information against loss, theft, defacement, tampering, or use by unauthorized persons as follows:
- Keep client records protected when making necessary use of EMRs;
- Refrain from the use of e-mail or FAX to share client information, unless doing so is a standard expectation of a government agency or government- agency contractor;
- All computers and electronic devices containing client information must be encrypted for EMR use
- Do not take client information from office on floppy disks, CDs, removeable hard drives, flash drives, or any other portable storage device, or in hard copy.
- If failure of encrypted electronic transmission systems or the need to operate one or more temporary alternative service sites makes it necessary to transport records on a laptop in order to serve persons served promptly and effectively, the laptop is transported in secure fashion and records are deleted from the laptop as soon as normal operations are restored.
4. When a client record becomes inactive, it will continue to be maintained in the EMR software for 7 years.
5. No employee or person or firm with which Serenity Park has a Business Associate Agreement conducts any research involving identifiable client information without the written consent of the Executive Director and the written consent of every client whose information is examined or utilized.
6. Employees and associates designated by the Executive Director to conduct research analysis for management or other internal purposes may use identifiable client information without obtaining consent of client but only to the extent necessary for the purpose of the research analysis.
7. All research or analytical work utilizing Serenity Park client information, whether or not identifiable, must have the prior approval of the Executive Director.
Computer Security and Backup of Electronic Recos
1. Every Serenity Park computer is password-protected.5. Employees permitted to use remote access comply scrupulously with all security requirements established by the Executive Director.
For more information regarding privacy policies, contact Serenity Park at 479-448-5251 or send a message on our Contact page.
