Privacy Policy

This Privacy Practices Policy describes how Trillium may use and disclose a client’s protected health information to carry out treatment, payment or health care operations and for other purposes that are permitted or required by law. It also describes a client’s rights to access and control their protected health information. “Protected health information” is information about the client, including demographic information, that may identify the client and that relates to their past, present or future physical or mental health condition and related health care services. 

Trillium is required to abide by the terms of this Policy and its Notice (given to clients). Trillium may change the terms of our policy/notice at any time. The new policy/notice will be effective for all protected health information that we maintain at that time. Upon a client’s request, Trillium will provide the client with any revised Notice of Privacy Practices. The client may obtain it by accessing our website WWW.TRILLIUMFS.ORG, by calling the office and requesting that a revised copy be sent to them in the mail, or by asking for one at the time of their next appointment.

1. Uses and Disclosures of Protected Health Information Based Upon Written Consent: The client will be asked by their Trillium staff to sign a consent form. Once they have consented to use and disclosure of their protected health information for treatment, payment and health care operations by signing the consent form, the staff will use or disclose the protected health information as described in this Section 1. The protected health information may be used and disclosed by our direct service staff, our office staff and others outside of our office that are involved in the care and treatment for the purpose of providing health care services to the client. The protected health information may also be used and disclosed to pay health care bills and to support the operation of Trillium.

Following are examples of the types of uses and disclosures of protected health care information that Trillium is permitted to make once the client has signed our consent form. These examples are not meant to be exhaustive, but to describe the types of uses and disclosures that may be made by our office once the client has provided consent.

Treatment: Trillium will use and disclose protected health information to provide, coordinate, or manage a client’s mental health care and any related services. This includes the coordination or management of the client’s mental health care with a third party that has already obtained permission to have access to protected health information. For example, Trillium would disclose protected health information, as necessary, to a home health agency that provides care to the client. Trillium will also disclose protected health information to other physicians who may be treating the client when we have the necessary permission from the client to disclose protected health information. For example, protected health information may be provided to another agency to whom the client has been referred to ensure that the agency has the necessary information to diagnose or treat the client. In addition, Trillium may disclose protected health information from time to time to another physician or health care provider (e.g., a specialist or laboratory) who, at the request of the client’s physician, becomes involved in the client’s care by providing assistance with the health care diagnosis or treatment to the client’s physician. WE MAY ALSO DISCLOSE TO HOSPITALS AND COMMUNITY MENTAL HEALTH AGENCIES FOR THE PURPOSE OF FACILITATING CONTINUITY OF CARE. WE MAY EXCHANGE PSYCHIATRIC RECORDS AND OTHER PERTINENT INFORMATION WITH OTHER HOSPITALS, INSTITUTIONS, FACILITIES OF THE OHIO DEPARTMENT OF MENTAL HEALTH, AND WITH COMMUNITY MENTAL HEALTH AGENCIES AND BOARDS OF ALCOHOL, DRUG ADDICTION AND MENTAL HEALTH SERVICES WITH WHICH THE DEPARTMENT OR AGENCY HAS A CURRENT AGREEMENT FOR PATIENT CARE OR SERVICES. YOUR FAMILY MEMBER(S) WHO ARE INVOLVED IN THE PROVISION, PLANNING AND MONITORING OF SERVICES TO YOU MAY RECEIVE MEDICATION INFORMATION, A SUMMARY OF YOUR DIAGNOSIS AND PROGNOSIS, AND A LIST OF THE SERVICES AND PERSONNEL AVAILABLE TO ASSIST YOU AND YOUR FAMILY, IF IT IS DETERMINED TO BE IN YOUR BEST INTEREST BY YOUR TREATING PHYSICIAN AND YOU ARE NOTIFIED FIRST. WE MAY EXCHANGE LIMITED PSYCHIATRIC RECORDS AND CERTAIN OTHER INFORMATION WITH THE BOARDS OF ALCOHOL, DRUG ADDICTION AND MENTAL HEALTH SERVICES AND OTHER AGENCIES IN ORDER TO PROVIDE SERVICES TO A PERSON INVOLUNTARILY COMMITTED.

Payment: Protected health information will be used, as needed, to obtain payment for mental health care services. This may include certain activities that the client’s health insurance plan may undertake before it approves or pays for the mental health care services we recommend for the client, such as making a determination of eligibility or coverage for insurance benefits, reviewing services provided to the client for medical necessity, and undertaking utilization review activities.

Healthcare Operations: Trillium may use or disclose, as needed, protected health information in order to support the business activities of Trillium. These activities include, but are not limited to, quality assessment activities, employee review activities, training of social service students, licensing, marketing and fundraising activities, and conducting or arranging for other business activities. For example, we may disclose protected health information to social service students that see clients at our office. In addition, Trillium may use a sign-in sheet at the receptionist’s desk where the client will be asked to sign their name and indicate their staff worker. Trillium may also call the client by name in the waiting room when the staff worker is ready to see the client. Trillium may use or disclose protected health information, as necessary, to contact the client to remind them of their appointment. Trillium will share protected health information with third party “business associates” that perform various activities (e.g., billing, transcription services) for the agency. Whenever an arrangement between our office and a business associate involves the use or disclosure of protected health information, Trillium will have a written contract that contains terms that will protect the privacy of protected health information. Trillium may use or disclose protected health information, as necessary, to provide the client with information about treatment alternatives or other health-related benefits and services that may be of interest to them. Trillium may also use and disclose protected health information for other marketing activities. For example, a client’s name and address may be used to send them a newsletter about our agency and the services we offer. Trillium may also send information about products or services that we believe may be beneficial to the client.
The client may contact the Privacy Officer/Client Rights Officer to request that these materials not be sent to them. IN THE EVENT OUR AGENCY WOULD CEASE TO OPERATE, WE MAY TRANSFER CLIENT INFORMATION TO THE AGENCY ASSUMING THE CASELOAD OR TO THE BOARD/S OF ALCOHOL, DRUG, ADDICTION, AND MENTAL HEALTH SERVICES OF THE DISTRICT IN WHICH THE CLIENT RESIDES. 

Trillium may use or disclose demographic information and the dates that a client received treatment from their staff worker, as necessary, in order to contact the client for fundraising activities supported by our agency. If the client does not want to receive these materials, they may contact the Privacy Officer/Client Rights Officer and request that these fundraising materials not be sent to them.

2. Uses and Disclosures of Protected Health Information Based upon Written Authorization

Other uses and disclosures of protected health information will be made only with written authorization, unless otherwise permitted or required by law as described below. A client may revoke this authorization, at any time, in writing, except to the extent that Trillium has taken an action in reliance on the use or disclosure indicated in the authorization.

3. Other Permitted and Required Uses and Disclosures That May Be Made With Consent, Authorization or Opportunity to Object

Trillium may use and disclose protected health information in the following instances. The client has the opportunity to agree or object to the use or disclosure of all or part of their protected health information. If the client is not present or able to agree or object to the use or disclosure of the protected health information, then the staff worker may, using professional judgment, determine whether the disclosure is in the client’s best interest. In this case, only the protected health information that is relevant to the client’s health care will be disclosed. If the client objects to the disclosure of their protected health information, the client can utilize the Client Grievance Procedure to resolve the conflict between the client’s consent and authorization made to disclose information.

Others Involved in the Client’s Healthcare: Unless the client objects, Trillium may disclose to a member of their family, a relative, a close friend or any other person they identify, the client’s protected health information that directly relates to that person’s involvement in the client’s health care. If the client is unable to agree or object to such a disclosure, Trillium may disclose such information as necessary if we determine that it is in the client’s best interest based on our professional judgment. Trillium may use or disclose protected health information to notify or assist in notifying a family member, personal and/or legal representative or any other person that is responsible for the client’s care of the client’s location, general condition or death. Finally, Trillium may use or disclose protected health information to an authorized public or private entity to assist in disaster relief efforts and to coordinate uses and disclosures to family or other individuals involved in the client’s mental health care.

Emergencies: Trillium may use or disclose protected health information in an emergency treatment situation. If this happens, Trillium shall try to obtain the client’s consent as soon as reasonably practicable after the delivery of treatment. If the staff worker is required by law to treat the client and the staff worker has attempted to obtain consent but is unable to obtain consent, he or she may still use or disclose protected health information to treat the client.

Communication Barriers: Trillium may use and disclose protected health information if the staff worker attempts to obtain consent from the client but is unable to do so due to substantial communication barriers and the staff worker determines, using professional judgment, that the client intends to consent to use or disclosure under the circumstances.

4. Other Permitted and Required Uses and Disclosures That May Be Made Without Consent, Authorization or Opportunity to Object

Trillium may use or disclose protected health information in the following situations without the client’s consent or authorization. These situations include:

Required By Law: Trillium may use or disclose protected health information to the extent that the use or disclosure is required by law, INCLUDING A COURT ORDER SIGNED BY A JUDGE. The use or disclosure will be made in compliance with the law and will be limited to the relevant requirements of the law. The client will be notified, as required by law, of any such uses or disclosures. 
Public Health: Trillium may disclose protected health information for public health activities and purposes to a public health authority that is permitted by law to collect or receive the information. The disclosure will be made for the purpose of controlling disease, injury or disability. Trillium may also disclose protected health information, if directed by the public health authority, to a foreign government agency that is collaborating with the public health authority.
Communicable Diseases: Trillium may disclose protected health information, if authorized by law, to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading the disease or condition.
Health Oversight: Trillium may disclose protected health information to a health oversight agency for activities authorized by law, such as audits, investigations, and inspections. Oversight agencies seeking this information include government agencies that oversee the health care system, government benefit programs, other government regulatory programs and civil rights laws.
Abuse or Neglect: Trillium may disclose protected health information to a public health authority that is authorized by law to receive reports of child abuse or neglect. In addition, Trillium may disclose protected health information if we believe that the client has been a victim of abuse, neglect or domestic violence to the governmental entity or agency authorized to receive such information. In this case, the disclosure will be made consistent with the requirements of applicable federal and state laws.
Food and Drug Administration: Trillium may disclose protected health information to a person or company required by the Food and Drug Administration to report adverse events, product defects or problems, or biologic product deviations; to track products; to enable product recalls; to make repairs or replacements; or to conduct post marketing surveillance, as required.
Legal Proceedings: Trillium may disclose protected health information in the course of any judicial or administrative proceeding, in response to an order of a court or administrative tribunal (to the extent such disclosure is expressly authorized), and in certain conditions in response to a subpoena, discovery request or other lawful process.
Law Enforcement: Trillium may also disclose protected health information, so long as applicable legal requirements are met, for law enforcement purposes. These law enforcement purposes include (1) legal processes and otherwise required by law, (2) limited information requests for identification and location purposes, (3) pertaining to victims of a crime, (4) suspicion that death has occurred as a result of criminal conduct, (5) in the event that a crime occurs on the premises of the agency, (6) medical emergency (not on the agency’s premises) and it is likely that a crime has occurred AND (7) IF THE CLIENT WAS COMMITTED PURSUANT TO SECTION 2945.38, 2945.39, 2945.40, 2945.401, OR 2945.402 OF THE ORC. 
Coroners, Funeral Directors, Organ Donation AND EXECUTORS OF ESTATES: Trillium may disclose protected health information to a coroner or medical examiner for identification purposes, determining cause of death or for the coroner or medical examiner to perform other duties authorized by law. Trillium may also disclose protected health information to a funeral director, as authorized by law, in order to permit the funeral director to carry out their duties. Trillium may disclose such information in reasonable anticipation of death. Protected health information may be used and disclosed for cadaveric organ, eye or tissue donation purposes. WE MAY DISCLOSE INFORMATION TO THE EXECUTOR OR ADMINISTRATOR OF AN ESTATE OF A DECEASED CLIENT WHEN THE INFORMATION IS NECESSARY TO ADMINISTER THE ESTATE.

Research: Trillium may disclose protected health information to researchers when their research has been approved by the agency’s Board of DIRECTORS that has reviewed the research proposal and established protocols to ensure the privacy of protected health information. 
Criminal Activity: Consistent with applicable federal and state laws, Trillium may disclose protected health information, if we believe that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. Trillium may also disclose protected health information if it is necessary for law enforcement authorities to identify or apprehend an individual.
Military Activity and National Security: When the appropriate conditions apply, Trillium may use or disclose protected health information of individuals who are Armed Forces personnel (1) for activities deemed necessary by appropriate military command authorities; (2) for the purpose of a determination by the Department of Veterans Affairs of the client’s eligibility for benefits; or (3) to foreign military authority if the client is a member of that foreign military service. Trillium may also disclose protected health information to authorized federal officials for conducting national security and intelligence activities, including for the provision of protective services to the President or others legally authorized.
Workers’ Compensation: Protected health information may be disclosed by Trillium as authorized to comply with workers’ compensation laws and other similar legally-established programs. 
Inmates: Trillium may use or disclose protected health information if the client is an inmate of a correctional facility and the staff worker created or received protected health information in the course of providing care to the client. 
Required Uses and Disclosures: Under the law, Trillium must make disclosures to the client and when required by the Secretary of the Department of Health and Human Services to investigate or determine our compliance with the requirements of Section 164.500 et seq.

5. Clients’ Rights

The following is a statement of clients’ rights with respect to protected health information and a brief description of how the client may exercise these rights:

The client has the right to inspect and copy their protected health information. This means the client may inspect and obtain a copy of protected health information about them that is contained in a designated record set for as long as we maintain the protected health information. A “designated record set” contains treatment and billing records and any other records that the staff worker and the agency use for making decisions about the client. The client may also refuse to sign the authorization to disclose information. Under federal law, however, the client may not inspect or copy the following records: psychotherapy notes; information compiled in reasonable anticipation of, or use in, a civil, criminal, or administrative action or proceeding; and protected health information that is subject to law that prohibits access to protected health information. Depending on the circumstances, a decision to deny access may be reviewable. In some circumstances, the client may have a right to have this decision reviewed. The client can contact the Privacy Officer/Client Rights Officer if they have questions about access to their medical record.

The client has the right to request a restriction of their protected health information. This means the client may ask Trillium not to use or disclose any part of their protected health information for the purposes of treatment, payment or healthcare operations. The client may also request that any part of their protected health information not be disclosed to family members or friends who may be involved in their care or for notification purposes as described in this Privacy Practices Policy. The client’s request must state the specific restriction requested and to whom they want the restriction to apply. The staff worker is not required to agree to a restriction that the client may request. If the staff worker believes it is in the client’s best interest to permit use and disclosure of protected health information, protected health information will not be restricted. If the staff worker does agree to the requested restriction, we may not use or disclose protected health information in violation of that restriction unless it is needed to provide emergency treatment. With this in mind, the client should discuss any restriction they wish to request with their staff worker. The client may request a restriction by doing so in writing.

The client has the right to request to receive confidential communications from us by alternative means or at an alternative location. Trillium will accommodate reasonable requests. Trillium may also condition this accommodation by asking the client for information as to how payment will be handled or specification of an alternative address or other method of contact. Trillium will not request an explanation from the client as to the basis for the request. The client should make this request in writing to the Privacy Officer/Client Rights Officer.

The client may have the right to have the staff worker amend protected health information. This means the client may request an amendment of protected health information about them in a designated record set for as long as we maintain this information. In certain cases, we may deny the request for an amendment. If we deny the request for amendment, the client has the right to file a statement of disagreement with us and we may prepare a rebuttal to the client’s statement and will provide the client with a copy of any such rebuttal. The client should contact the Privacy Officer/Client Rights Officer to determine if there are questions about amending a medical record.

The client has the right to receive an accounting of certain disclosures we have made, if any, of protected health information. This right applies to disclosures for purposes other than treatment, payment or healthcare operations as described in this Privacy Practices Policy. It excludes disclosures we may have made to the client, for a facility directory, to family members or friends involved in the client’s care, or for notification purposes. The request must state a time period that may not be longer than six years and may not include dates before February 26, 2003. The request should indicate in what form the client wants the list (for example, on paper, electronically). The first list the client requests within a 12-month period will be free. For additional lists, Trillium may charge for the costs of providing the list. Trillium will notify the client of the costs involved and the client may choose to withdraw or modify the request at that time before any costs are incurred.

The client has the right to obtain a paper copy of the notice from us, upon request, even if they have agreed to accept this notice electronically.

6. Complaints

The client may complain to Trillium or to the Secretary of Health and Human Services if they believe their privacy rights have been violated by Trillium. The client may file a complaint with us by notifying the Privacy Officer/Client Rights Officer of the complaint. Trillium will not retaliate against the client for filing a complaint. The client may contact the Privacy Officer/Client Rights Officer for further information about the complaint process.

This notice was published and becomes effective on April 14, 2003.


I. ADOPTION OF IDENTITY THEFT PREVENTION PROGRAM 
Trillium Family Solutions developed this identity theft prevention program (“the program”) pursuant to the Federal Trade Commission’s Red Flags Rule (“the rule”), 16 C.F.R. § 681.2. The program was developed with the oversight and approval of the agency, which has determined that our agency is a creditor with covered accounts (as defined below) and is obligated to comply with the rule. After due consideration of the rule’s requirements and its guidelines (and including in the program those guidelines in Appendix A of the rule that are appropriate), and of the size and complexity of the agency’s operations and systems, and the nature and scope of the agency’s activities, the agency determined that this program is reasonable and appropriate for the practice and, therefore, approved this program on October 28, 2009.

II. PROGRAM PURPOSE AND DEFINITIONS 
A. Fulfilling the obligations of the rule 
Under the rule, every “creditor” with “covered accounts” is required to establish an identity theft prevention program tailored to the size, complexity and nature of its operations. The program must contain policies and procedures reasonably designed to: 
Identify relevant “red flags” for new and existing “covered accounts” and incorporate those red flags into the program. 
Be able to detect red flags that have been incorporated into the program. 
Respond appropriately to any red flags that are detected in order to prevent and mitigate “identity theft.” 
Update the program periodically to reflect changes in risks to our patients/clients and to the safety and soundness of our agency from identity theft. 
B. Definitions of terms used in the program
Account means a continuing relationship established by a person with a creditor to obtain a product or service for personal, family, household or business purposes, including an extension of credit.
A covered account is: 
i. An account that a creditor offers or maintains, primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions; and
ii. Any other account that the creditor offers or maintains for which there is a reasonably foreseeable risk to customers (our patients) of, or to the safety and soundness of the creditor from, identity theft.

Credit is an arrangement by which a person or entity defers payment of debts or accepts deferred payments for the purchase of services or property. 
A creditor is any person or entity who: 
i. Regularly extends, renews or continues credit;
ii. Regularly arranges for the extension, renewal or continuation of credit; or
iii. Any assignee of an original creditor who participates in the decision to extend, renew or continue credit.

Identifying information is defined under the rule as any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including name, address, telephone number, social security number, date of birth, government-issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number, unique electronic identification number, computer’s Internet Protocol address, or routing code.
Identity theft is fraud committed using the identifying information of another person, which can be medical identity theft and/or financial identity theft. 
Program administrator is the agency’s administrative personnel charged with the implementation of the program (which may be one or more persons and may be the agency’s HIPAA Privacy Officer).
Red flag means a pattern, practice or specific activity that indicates the possible existence of identity theft in connection with a covered account. 
Service provider means a person or entity that provides a service directly to a creditor. 

III. POLICIES AND PROCEDURES 
A. Identification of red flags 

Because our agency regularly extends credit to patients/clients by establishing an account that permits multiple payments, our agency is a creditor offering covered accounts. Commentary to the rule states that “creditors in the health care field may be at risk of medical identity theft (i.e., identity theft for the purpose of obtaining medical services) and, therefore, must identify red flags that reflect this risk.”
In order to identify relevant red flags, our agency considers the types of accounts it offers and maintains, the methods it provides to open its accounts, the methods it uses or provides to access its accounts, and its previous experience with identity theft. The agency has identified the following red flags for our program: 
1. Alerts, notifications and warnings received from consumer reporting agencies or service providers of the practice 

A. Report of fraud or other alert accompanying a credit or consumer report 
B. Notice of a credit freeze in response to a request for a consumer report 
C. Report, such as from one of our service providers, indicating a pattern of activity that is inconsistent with the history and usual pattern of activity of a patient account 

2. Suspicious documents

A. Identification document that physically appears to be forged, altered or otherwise not authentic 
B. Identification document on which a person’s photograph or physical description is not consistent with the person presenting the document 
C. A patient/client who has an insurance number but never produces an insurance card or other physical documentation of insurance (unless the practice can confirm that there is a legitimate reason for the absence of such documentation) 
D. Other document containing information that is not consistent with existing patient/client information (such as if a person’s signature appears forged, based on previous instances of the person’s signature on file) 

3. Suspicious personal identifying information

A. Identifying information presented that is inconsistent with other information the patient/client provides (e.g., inconsistent birth dates) 
B. Identifying information presented that is inconsistent with other sources of information (e.g., an identification number presented that does not match a number on the person’s insurance card) 
C. Identifying information presented that is the same as information shown on other documents that were found to be fraudulent 
D. Identifying information presented that is consistent with fraudulent activity (e.g., invalid phone number or fictitious billing address) 
E. Identifying information presented that is the same as information provided as identifying information by another patient/client 
F. A patient fails to provide complete identifying information on any patient/client information form when reminded to do so and the agency is not prohibited by law from requiring the information be provided 
G. A patient/client provides identifying information that is not consistent with the information the practice has on file for the patient/client 

4. Suspicious account or medical record activity

A. Payments stop on an otherwise consistently up-to-date account 
B. Mail sent to the patient/client is repeatedly returned as undeliverable 
C. Breach in the agency’s computer system security 
D. Unauthorized access to or use of covered account information 
E. Records showing medical treatment that is inconsistent with a physical examination or with a medical history as reported by the patient/client, e.g., discrepancies in age, race, blood type or other physical descriptors 

5. Alerts from others

A. A complaint or question from a patient/client based on the patient/client’s receipt of: 
i. A bill for another individual
ii. A bill for a product or service that the patient/client denies receiving
iii. A bill from a health care provider that the patient/client never patronized
iv. A notice of insurance benefits or explanation of benefits for health services never received
B. A complaint or question from a patient/client about the receipt of a collection notice from a bill collector 
C. A complaint or question from a patient/client about information added to a credit report by the practice or the patient/client’s insurer 
D. A dispute of a bill by a patient/client who claims to be the victim of any type of identity theft 
E. A patient/client or insurance company report that coverage for legitimate medical services is denied because insurance benefits have been depleted or a lifetime cap has been reached 
F. A notice or inquiry from an insurance fraud investigator regarding a patient/client’s account (which could indicate internal or external identity theft) 
G. A notice or inquiry from a law enforcement agency regarding possible identity theft in connection with a covered account held by the agency 
H. A notice from a victim of identity theft regarding possible identity theft in connection with a covered account held by the agency 

B. Detecting red flags 
New accounts – in order to detect any of the red flags identified above associated with the opening of a new covered account, agency personnel will take the following steps to obtain and verify the identity of the person opening the account: 
A. Require certain identifying information such as: name, date of birth, residential or business address, insurance card, employer name and address, driver’s license or other identifying information. 
B. Actually verify the patient/client’s identity by reviewing the identifying information presented and contacting the patient/client’s insurer, if appropriate. 

1. Existing accounts – in order to detect any of the red flags identified above for an existing account, agency personnel will take the following steps to monitor the transactions and activity on an account, in compliance with our agency’s HIPAA privacy policies and procedures: 
A. Verify the identification of a patient/client who requests information (in person, via telephone, via facsimile, via email) 
B. Verify the validity of requests to change a billing address 
C. Verify changes in credit card or other information given for purposes of billing and payment 

C. Preventing and mitigating identity theft 
In the event agency personnel detect any identified red flags, the agency shall take one or more of the following steps, depending on the red flag detected and on the degree of risk posed by the red flag: 
Prevent and mitigate 
A. Notify the program administrator who may determine it is necessary to contact the agency’s legal counsel for determination of the appropriate step(s) to take 
B. Comply with state and federal requirements related to a breach of computer security 
C. Contact the patient/client, in compliance with applicable law 
D. Notify law enforcement, in compliance with applicable law 
E. Continue to monitor an account for evidence of identity theft 
F. Change any passwords or other security devices that permit access to a covered account 
G. Not open an account for a new patient/client if a red flag is detected in relation to such account 
H. Place a hold on further transactions related to an account for which a red flag has been detected 
I. Not attempt to collect on an account 
J. Determine that no response is warranted under the circumstances 
Protect patient/clients’ identifying information 
The agency’s HIPAA privacy and security program will be utilized, and updated along with this program, if necessary, to further prevent the likelihood of identity theft occurring with respect to agency accounts. 

1. Protecting and correcting medical information 
If our agency determines that medical identity theft has occurred, there may be errors in the patient/client’s chart as a result. Fraudulent information may have been added to a pre-existing chart, or the contents of an entire chart may refer only to the health condition of the identity thief, but under the victim’s personal identifying information. In such cases, our agency shall take appropriate steps to avoid mistreatment due to the fraudulent information, such as file extraction, cross-referencing charts, etc. 

D. Program updates 
The program administrator will periodically, but no less than annually, review and update this program to reflect changes in risks to patient/clients and the soundness of the agency in protecting against identity theft, taking into consideration the agency’s experience with identity theft occurrences, changes in methods of how identity theft is being perpetrated, changes in methods of detecting, preventing and mitigating identity theft, changes in the types of accounts the agency offers, and changes in the agency’s business relationships with other entities. After considering these factors, the program administrator will determine whether changes to the program are warranted. The program administrator will present any recommended changes to the Trillium Family Solutions board, which will make a determination whether to accept, modify or reject the recommended changes to the program. 

IV. PROGRAM ADMINISTRATION 
A. Oversight of the program 
The agency is responsible for the development, implementation and updating of this program and will approve the initial program, as well as any updates. The program administrator is responsible for taking steps to ensure appropriate training of agency personnel regarding the program, receipt and review of reports regarding the detection of red flags, determining (with the assistance of the board/partner/member and/or legal counsel) the steps for preventing and mitigating identity theft when a red flag is detected, and recommending updates to the program. 
B. Staff training and reporting 
Agency personnel whose role requires their participation in implementing the program will be trained by or under the direction of the program administrator. Training shall cover the red flags identified in the program, detecting red flags, and reporting and responding to detected red flags. The program administrator shall report annually to the Trillium Family Solutions management team on the agency’s compliance with the rule in terms of effectiveness of addressing identity theft, service provider arrangements, significant incidents involving identity theft and the agency’s response, and recommendations for material changes to the program. 
C. Oversight of service provider arrangements 
The agency will require, by written contract, that service providers that provide services or perform activities on our practice’s behalf in connection with a covered account have policies and procedures in place designed to detect, prevent and mitigate the risk of identity theft in regard to the covered accounts. If the service provider is a HIPAA business associate of the practice, the business associate agreement with that service provider shall be amended to incorporate the above requirements. 
 

 
