It is the policy of Villa Oasis that information concerning any resident will not be released except when in conformance with rules and regulations indicated in this policy while maintaining resident confidentiality.
It is a general policy that Villa Oasis will not voluntarily use a resident record in any manner, which will jeopardize the interest of the resident. The organization may, if necessary, defend itself or its agents when the disclosure of such information is consistent with applicable legal and evidentiary principles of confidentiality and privilege.
Members of the professional staff may freely consult the medical record as it pertains to their work and when such records are necessary for treatment, maintenance of adequate documentation, a compilation of treatment data, or evaluation of programs. Access to any medical record may be refused and the matter referred to the Clinical Director for final decision. Medical records may be used by staff members in Utilization Review, Resident Record Review, Quality Assessment, and Performance Improvement as required by regulations of the Joint Commission and the Department of Health Care Services.
No member of the staff may release any verbal or written information concerning a resident to anyone without the prior written authorization of the resident or legal representative. All requests for information should be referred to the Clinical Director for proper processing according to protocol. The progress of the resident may be discussed by a member of the staff when such discussion is exclusive with:
- A person authorized in writing by the resident or resident’s legal representative to receive such information;
- If a resident declares intention to harm other persons and is in a position to carry out such a threat, such a declaration may be disclosed to the party or parties in The Clinical Director, or their designee is assigned responsibility for notification of the party against whom the threat is directed. Documentation in the resident record of the date, time, and to whom the information was given shall be authenticated by the party disseminating such information.
It is the policy of Villa Oasis to provide all residents with reasonable access to their resident records. Requests by residents for information concerning their own medical records will be referred to the Clinical Director.
Requests for release of Resident records must be presented on an Authorization for Release of Information Form. If the form is not signed by the resident in the presence of a member of the staff, the residents’ signature must be verified against a copy of their signature within the record.
All requests for resident review of their own records made by the resident will be presented to the Clinical Director who shall approve, except where the resident’s review of the record would adversely affect the resident. If it is the determination of the Clinical Director that the record should not, for the resident’s own safety be reviewed by the resident, then the Clinical Director shall set forth his/her reasons for refusing access to the record. The Clinical Director’s written position shall be delivered to the resident and made part of the resident’s record. In making the decision, however, all doubt should be resolved in favor of releasing the requested information.
If the resident’s access to medical records has been deemed unreasonable due to the resident’s condition, the Clinical Director shall immediately notify the resident or the resident’s legal representative, of the resident’s right to have the record released to another person or agency. An Authorization for Release of Information form stating what is to be released and to what person or agency must be signed by the resident.
All records to be released shall be made available during normal business hours. Inspection will be permitted within fourteen (14) working days of request and copies will be available within 30 days after a valid written request is received. If a summary of treatment is requested, it will be available within fourteen (14) days, which time may be extended to 30 days if the record is lengthy or if the resident was discharged within the prior fourteen (14) days. The request will not be considered valid until the information furnished is adequate to identify the record properly. When a resident requests to review his/her record, such review will occur in the presence of the Clinical Director.
Verbal requests for any information will not be honored in any instance. Requests for information from a resident record must be in writing and signed by the resident and/or legal representative authorizing the release of such information. The authorization for such release of information must contain the wording “Medical, Psychiatric, and/or Psychological information”. Should the record in question make any reference to drug or alcohol abuse, the authorization must specifically state that such information may be released by the facility. The Authorization for Release of Information shall be current (signed within the past 90 days or as otherwise indicated on the release) and shall delineate precisely which portion of the record may be disseminated.
The written consent of a resident and/or legal representative, should the resident be incompetent before disclosure of information shall be considered valid only if the following conditions are met:
- The resident and/or legal representative is informed in a manner to assure his/her understanding of the specific type of information that has been requested and the reason for the
- The resident and/or legal representative gives consent
- The resident and/or legal representative are informed that the provision of services is not contingent upon his/her decision concerning the release of
- The resident’s consent is acquired in accordance with all applicable Federal, State, and local laws, Rules, and Regulations.
Ensure the resident or legal representative signs the authorization. If the authorization is not valid, it must be returned. An authorization is not needed for a court order. An authorization must be signed and dated by a witness whenever possible. If not, there must be a signature in the record to compare the two (2) signatures. If neither of these two (2) criteria is met, then the authorization must be returned. Important – If ever you have doubts as to what may or may not be released, contact the Clinical Director.
If the resident is interested in obtaining his/her records, bring them to the immediate attention of the Clinical Director. Please DO NOT release any information over the telephone. If there is a need to obtain information by the outside party, offer to mail, fax, or electronic mail a Release of Information Form.
Disposal & Maintenance of Resident Files
All resident files are maintained, and information released in accordance with HIPAA and Title 42, Code of Federal Regulations, Part 2, and explicitly held with the utmost confidentiality and always appropriately secured. Resident files are considered confidential information to the extent allowed by law and will only be available to authorized personnel with a specific business need (Clinical Director, counselors, and detox staff); these files will also be available to the appropriate auditing agencies (states and insurance) for review.
Resident records are retained electronically, accessible only to authorized staff using a login id with password protection. When participation is terminated, the resident records will be electronically stored in the inactive portion of the electronic record for not less than three years from the date of discharge.
Disposal & Maintenance of Resident Files
All resident files shall be electronically stored in a password-protected manner, accessible only to authorized personnel with a business need, for not less than three years from the date they are officially closed, with files electronically erased using a method of sanitization that applies programmatic, software-based techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard Read and Write commands to the storage device in a manner that ensures the confidentiality of residents.
All passwords should be reasonably complex and difficult for unauthorized people to guess. Employees should choose passwords that are at least eight characters long and contain a combination of upper- and lower-case letters, numbers, and punctuation marks, and other special characters. These requirements will be enforced with software when possible. In addition to meeting those requirements, employees should also use common sense when choosing passwords. They must avoid basic combinations that are easy to crack. For instance, choices like “password,” “password1” and “Pa$$w0rd” are equally bad from a security perspective.
A password should be unique, with meaning only to the employee who chooses it. That means dictionary words, common phrases, and even names should be avoided. One recommended method to choosing a strong password that is still easy to remember is: Pick a phrase, take its initials and replace some of those letters with numbers and other characters and mix up the capitalization. For example, the phrase “This may be one way to remember” can become “TmB0WTr!”. Employees must choose unique passwords for all of their company accounts and may not use a password that they are already using for a personal account.
All passwords must be changed regularly, with the frequency varying based on the sensitivity of the account in question. This requirement will be enforced using software when possible. If the security of a password is in doubt– for example, if it appears that an unauthorized person has logged in to the account — the password must be changed immediately.
Employees may never share their passwords with anyone else in the company, including co-workers, managers, administrative assistants, IT staff members, etc. Everyone who needs access to a system will be given their own unique password. Employees may never share their passwords with any outside parties, including those claiming to be representatives of a business partner with a legitimate need to access a system.
Employees should take steps to avoid phishing scams and other attempts by hackers to steal passwords and other sensitive information. All employees will receive training on how to recognize these attacks. Employees must refrain from writing passwords down and keeping them at their workstations. Employees may not use password managers or other tools to help store and remember passwords without permission.
All evaluation, treatment, and referral services provided through Villa Oasis are confidential and protected under the Federal Confidentiality Guidelines for Alcohol and Substance Abuse Records.
Villa Oasis takes confidentiality seriously. Confidentiality of clients, their files, and information is assured. Villa Oasis provides confidentiality in accordance with HIPAA and Title 42, Code of Federal Regulations, Part 2 and Health and Safety Code, Sections 11812(c) and 11977. A copy of the federal regulations is available at our program location, as required in Title 42, Code of Federal Regulations, Part 2, and is located in our P&P binder.
Client files shall be accessible only to authorized personnel which includes all staff members. However, staff will always keep all information confidential and only discuss confidential information with other staff members if necessary, to help with treatment planning, treatment goals, or discharge. Client files may also be viewed if a complaint is filed or if a request is made by a Licensing and Certificate Analyst from the Department of Health Care Services from the Substance Use Disorder Compliance Division. This person will have to document his/her credentials by showing a badge and/or business card. These people will have access to both paper and electronic files.
When answering the telephone, staff will never divulge the names of clients in the program unless they have been presented with a signed release from the client with the caller’s name on the form. Employees will be instructed to handle telephone calls in this manner to avoid breaching confidentiality in the following manner:
Caller: ‘Can I speak to/ leave a message for Joe’ (client in the program). Or ‘Is Joe in your program?’
Employee: ‘I cannot confirm or deny that person or any other person is in our program without a signed release. You are welcome to leave a message and if that person happens to be here, and they wish to contact you, they will do so.’
In addition, the program assures confidentiality of closed files and their destruction, as outlined in the client files policy. When answering the telephone, staff will never divulge the names of clients in the program unless they have been presented with a signed release from the client with the caller’s name on the form.
Client files shall be accessible only to authorized personnel which includes all staff members. However, staff will always keep all information confidential and only discuss confidential information with other staff members, if necessary, to help with treatment planning, treatment goals, or discharge. Client files may also be viewed if a complaint is filed or if a request is made by a Licensing and Certificate Analyst from the Department of Health Care Services from the Substance Use Disorder Compliance Division. This person will have to document his/her credentials by showing a badge and/or business card.
Villa Oasis does not normally conduct research as a matter of practice; however, we reserve the right to initiate this process. If Villa Oasis does conduct research using clients as subjects, we shall comply with all standards of the California Research Advisory Panel and the federal regulations for the protection of human subjects (Title 45, Code of Federal Regulations, 46).
A file will be established for all Residents at the time of admission until discharge. Each file will contain signed consents, social history, treatment plan, progress notes, and related materials. All files will be maintained in the Resident’s electronic health record. Only staff of Villa Oasis will have access to the Resident’s chart.
To ensure that staff is aware of how to handle arrest warrants, search warrants, and subpoenas and that the organization protects persons’ served information in accordance with the law.
Federal confidentiality laws and regulations protect information about a person served or former person served who has applied for services or received AOD related services. The rule still applies when the person making the inquiry has a subpoena or warrant. It is the policy to comply with the federal laws and regulations should law enforcement officials arrive at our location with a warrant. Staff is trained to respond to law enforcement with courtesy but to inform them that we cannot provide any information on the person indicated in the subpoena or warrant, including whether they are or were in treatment per federal law. Any staff members responding to law enforcement are to direct the officer to a supervisor or, if not on-site at the time, advise the supervisor of the occurrence.