Privacy Statement

Chestnut Health Systems’ Notice of Privacy Practices (Chestnut Health Systems and Chestnut Family Health Center)

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW THIS NOTICE CAREFULLY.

This Notice of Privacy Practices (this “Notice”) describes how Chestnut Health Systems, Inc. and all of its programs, including Chestnut Family Health Center (collectively, “Chestnut” or “we”) may use and disclose your protected health information (“PHI”), as well as your rights regarding your PHI. We are required by law to protect your PHI, to comply with this Notice, and to give you a copy of this Notice. We reserve the right to change the terms of this Notice at any time. Any new Notice will be effective for all PHI that we maintain at that time. We will make available a revised Notice by posting a copy on our website https://www.chestnut.org/ or by posting at our facilities. You may request a copy of the Notice at any time.

We must also comply with separate Federal laws that protect the confidentiality of alcohol and drug abuse patient records, as well as State laws that protect the confidentiality of mental health treatment records. Violation of these laws is a crime. You may report a suspected violation to the proper authorities. Additionally, individual Chestnut programs will share PHI with each other, as necessary, to carry out treatment, payment and health care operations.

How We May Use and Disclose Health Information about You

Listed below are some examples of the uses and disclosures that Chestnut may make of your PHI. The disclosure may be made verbally, in writing, or electronically, such as by email or text message.

Treatment. We may use or disclose your PHI to provide, coordinate, or manage your care or any related services, including sharing information with others outside Chestnut that we are consulting with or referring you to for your care, such as a specialist or a laboratory.

Payment. We may use or disclose your PHI for purposes related to payment, such as determining if you have insurance benefits, and if your insurance company will cover the cost of your treatment; processing claims with your insurance company; and reviewing services provided to you to determine medical necessity. We may use your PHI to obtain payment for your health care services without your written authorization.

Health Care Operations. We may use or disclose, as needed, your PHI in order to coordinate our business activities, for patient safety activities, or to share your PHI with third parties that provide services to us, such as billing or typing, who have entered into agreements with Chestnut to maintain the confidentiality of your PHI. This may include reviewing your care, training students and staff, or setting up your appointments. We may use a sign-in sheet at the registration desk or call you by name in the waiting room when it is time to be seen. We may also contact you concerning Chestnut’s fundraising activities. If we contact you about fundraising activities, we will only use your name, address, phone number, gender, date of birth, treatment dates, health insurance status, health outcome, and, in certain limited cases not involving substance abuse or mental health treatment, your treating physician and department of service. You can choose not to receive any communications or only certain communications about fundraising by notifying the Privacy Officer in writing or by telephone. You may choose to opt back into future fundraising communications by notifying the Privacy Officer, as well.

Chestnut also participates with other behavioral health services agencies (each, a “Participating Covered Entity”) in the IPA Network established by Illinois Health Practice Alliance, LLC (“Company”). Through Company, the Participating Covered Entities have formed one or more organized systems of health care, in which the Participating Covered Entities participate in joint quality assurance activities and/or share financial risk for the delivery of health care with other Participating Covered Entities, and as such qualify to participate in an Organized Health Care Arrangement (“OHCA”), as defined by the HIPAA Privacy Rule. As OHCA participants, all the Participating Covered Entities may share the PHI of their patients for the treatment, payment, and health care operations purposes of all the OHCA participants.

Information That Can Be Disclosed Without Your Authorization

Required by Law. We may use or disclose your PHI if it is required by law. For example, we must make disclosures of your PHI to you upon your request, and we must make disclosures to the Secretary of the Department of Health and Human Services for the purpose of determining our compliance with the HIPAA Privacy Rule. We may also disclose your PHI if a court issues a subpoena and appropriate order and follows required procedures. Mental health information may also be disclosed to coordinate services between government agencies that have entered into an interagency agreement.

Health Oversight. We may disclose PHI to a health oversight agency for activities authorized by law, such as audits, investigations, inspections, and licensure, and for accreditation purposes.

Medical Emergencies. We may use or disclose your PHI in a medical emergency situation to medical personnel only.

Child Abuse or Neglect. We may disclose your PHI to a state or local agency as authorized by law. We only disclose necessary information to make the initial mandated report.

Deceased Patients. We may disclose PHI regarding deceased patients as required by law and certain limited PHI to family members or others who were involved in the deceased patient’s care or payment for care prior to death, but only such PHI as is relevant to the family member’s or other’s involvement in the deceased’s care or payment. In addition, PHI of persons who have been deceased more than 50 years is no longer protected and may be disclosed without an authorization.

Research. If you are in a research study or future research studies, we may disclose PHI to researchers if our Institutional Review Board reviews and approves the research and either (a) you have signed an authorization, or (b) the Institutional Review Board reviews and approves a waiver to the authorization requirement.

Criminal Activity on Program Premises/Against Program Personnel. We may disclose your PHI to law enforcement officials if you have committed a crime on our premises or against our personnel.

Public Safety. We may disclose PHI to avert a serious threat to health or safety, such as physical or mental injury being inflicted on you or someone else. Chestnut is also required by State law to provide information concerning mental health recipients who pose an imminent threat to themselves or others to the Illinois Department of Human Services for the purposes of determining whether the individual holds a Firearm Owner Identification (“FOID”) Card. Any person who holds a FOID card, or who has applied for a FOID card, may have their FOID card revoked if that person is deemed a threat to themselves or others.

Public Health. We may use or disclose your PHI to a public health authority authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability. In certain limited circumstances, we may also disclose your PHI to a person that may have been exposed to a communicable disease or may otherwise be at risk of spreading or contracting such disease, if such disclosure is authorized by law. We may disclose proof of immunization to a school where the school must have such information prior to admitting a student. Before doing so, we will obtain verbal or written agreement from you.

Uses and Disclosures of PHI With Your Written Authorization

Other uses and disclosures of your PHI will be made only with your written authorization. Examples of such situations include the disclosure of psychotherapy notes, marketing communications, or certain situations where your PHI may be transferred to another covered entity.

You may revoke this authorization at any time. Although Chestnut will honor your revocation going forward, Chestnut may have already made a use or disclosure based on your authorization.

Your Rights Regarding Your Protected Health Information

You have the following rights, which we describe below. Please contact our Privacy Officer in writing if you have any questions:

Inspect and Copy Your PHI. You can view and get a copy of your PHI for as long as we maintain the record. If we maintain a copy of your PHI in electronic format then we will provide that PHI to you in the electronic format that is readily producible. Upon your request, we will provide a copy of your PHI to another person. Your request must be in writing and signed by you. We may charge you a reasonable cost-based fee for the copies. We can deny you access to your PHI in certain circumstances. In some of those cases, you will have a right to appeal the denial of access.

Amend Your PHI. You may request, in writing, that we amend your PHI in our records. We may deny your request in certain cases. If we deny your request, you have the right to file a statement that you disagree with us. We will respond to your statement and will provide you with a copy.

Accounting of PHI Disclosures. You may request an accounting of our disclosures of your PHI for a period of up to six years (excluding disclosures made to you, made for treatment purposes, made with your authorization, and certain other disclosures). We may charge you a reasonable fee if you request more than one accounting in any 12-month period.

Notice of Breach of Unsecured PHI. You have the right to receive notification from Chestnut in the event of a breach of unsecured PHI that relates to you. A breach generally involves the acquisition, use, or disclosure of PHI in a manner that is not allowed under HIPAA, which compromises the security or privacy of the PHI.

Copy of Notice. You have the right to obtain a copy of this notice from us.

Restrictions on Disclosures and Uses of Your PHI. You have the right to ask us not to use or disclose your PHI for treatment, payment or health care operations or to family members involved in your care. Your request for restrictions must be in writing and we are not required to agree to such restrictions, unless you paid in full and out of pocket for a health care item or service and you do not want us to tell your health plan. In that case, we must comply with your request for restriction. You can request a restriction by completing a Request for Confidential Communications form available from reception staff.

Confidential Communications. You have the right to request that we communicate with you about your PHI or medical care in a certain way or at a certain location. We will accommodate reasonable, written requests. We may also condition this accommodation by asking you for information regarding how payment will be handled or specification of an alternative address or other method of contact. We will not ask you why you are making the request. Please contact your clinician if you would like to make this request.

Complaints. If you believe we have violated your privacy rights, you may file a complaint in writing by contacting us at privacy@chestnut.org or by contacting our office and speaking to one of our Privacy Officers. We will not retaliate against you for filing a complaint.

You may also file a complaint with the U.S. Secretary of Health and Human Services as follows:

200 Independence Avenue S.W.
Washington, D.C. 20201
1 (202) 619-0257

The effective date of this Notice is May 6, 2019.

Homeless Management Information System (HMIS) Privacy and Security Notice

Chestnut Health Systems’ Homeless Management Information System (HMIS) Privacy and Security Notice

A written copy of this Policy is available to all who request it.

I.  PURPOSE:

This notice describes the privacy policy of this agency as it pertains to the homeless Missourians information system (HMIS). The policy may be amended at any time. We may use or disclose your information to provide you with services, and to comply with legal and other obligations. We assume that, by requesting services from our agency, you agree to allow us to collect information and to use or disclose it as described in this notice and as otherwise required by law.

The Homeless Management Information System (HMIS) was developed to meet a data collection requirement made by the United States Congress and the Department of Housing and Urban Development (HUD). Congress passed this requirement in order to get a more accurate count of individuals who are homeless and to identify the need for and use of different services by those individuals and families. We are collecting statistical information on those who use our services and report this information to a central data collection system.

In addition, many agencies in this area use HMIS to keep computerized case records. This information may be provided to other HMIS participating agencies. The information you may agree to allow us to collect and share includes basic identifying demographic data, such as name, address, phone number and birth date; the nature of your situation and the services and referrals you receive from this agency. This information is known as your Protected Personal Information or PPI.  All agencies using the HMIS share their data with other participating agencies, with the exception of Blind Service Providers. These blind agencies serve specific protected client populations, such as domestic abuse, sexual abuse, HIV/AIDS, alcohol and/or substance abuse, and mental health, and do not share client information.

GENERALLY, all personal information we maintain is covered by this policy. Generally, your personal information will only be used by this agency and other agencies to which you are referred for services.

Information shared with other HMIS agencies helps us to better serve our clients, to coordinate client services, and to better understand the number of individuals who need services from more than one agency. This may help us to meet your needs and the needs of others in our community by allowing us to develop new and more efficient programs. Sharing information can also help us to make referrals more easily and may reduce the amount of paperwork.

Maintaining the privacy and safety of those using our services is very important to us. Information gathered about you is personal and private. We collect information only when appropriate to provide services, manage our organization, or as required by law.

II.  CONFIDENTIALITY RIGHTS:

This policy follows all HUD confidentiality regulations that are applicable to this agency, including those covering programs that receive HUD funding for homeless services. Separate rules apply for HIPAA privacy and security regulations regarding medical records.

This agency will use and disclose personal information from HMIS only in the following circumstances:

  1. To provide or coordinate services to an individual.
  2. For functions related to payment or reimbursement for services.
  3. To carry out administrative functions including, but not limited to legal, audit, personnel, planning, oversight or management functions.
  4. Databases used for research, where all identifying information has been removed.
  5. Contractual research where privacy conditions are met.
  6. Where a disclosure is required by law and disclosure complies with and is limited to the requirements of the law. Instances where this might occur are during a medical emergency, to report a crime against staff of the agency or a crime on agency premises, or to avert a serious threat to health or safety, including a person’s attempt to harm himself or herself.
  7. To comply with government reporting obligations.
  8. In connection with a court order, warrant, subpoena or other court proceeding where disclosure is required.

III. YOUR INFORMATION RIGHTS:

As a client receiving services at this agency, you have the following rights:

  1. Access to your record. You have the right to review your HMIS record. At your request, we will assist in viewing the record within five working days.
  2. Correction of your record. You have the right to request to have your record corrected so that information is up-to-date and accurate to ensure fairness in its use.
  3. Refusal. Our ability to assist you depends on having certain personal identifying information. If you choose not to share the information we request, we reserve the right to decline to provide you with services as doing so could jeopardize our status as a service provider.
  4. Agency’s Right to Refuse Inspection of an Individual Record. Our agency may deny you the right to inspect or copy your personal information for the following reasons:
    1. information is compiled in reasonable anticipation of litigation or comparable proceedings;
    2. information about another individual other than the agency staff would be disclosed;
    3. information was obtained under a promise of confidentiality other than a promise from this provider and disclosure would reveal the source of the information; or
    4. information, the disclosure of which would be reasonably likely to endanger the life or physical safety of any individual.
  5. Harassment. The agency reserves the right to reject repeated or harassing requests for access or correction. However, if the agency denies your request for access or correction, you will be provided written documentation regarding your request and the reason for denial. A copy of that documentation will also be included in your client record.
  6. Grievance. You have the right to be heard if you feel that your confidentiality rights have been violated, if you have been denied access to your personal records, or if you have been put at personal risk, or harmed. Our agency has established a formal grievance process for you to use in such a circumstance. If you believe we have violated your privacy right, you may file a complaint in writing by contacting us at privacy@chestnut.org or by contacting our office (618-877-4420) and speaking to one of our privacy officers.

IV.  HOW YOUR INFORMATION WILL BE KEPT SECURE:

Protecting the safety and privacy of individuals receiving services and the confidentiality of their records is of paramount importance to us. Through training, policies, procedures, and software, we have taken the following steps to make sure your information is kept safe and secure:

  1. The computer program we use has the highest degree of security protection available.
  2. Only trained and authorized individuals will enter or view your personal information.
  3. Your name and other identifying information will not be contained in HMIS reports that are issued to local, state, or national agencies.
  4. Employees receive training in privacy protection and agree to follow strict confidentiality standards before using the system.
  5. The server/database/software only allows individuals access to the information. Only those who should see certain information will be allowed to see that information.
  6. The server/database will communicate using 128-bit encryption, an Internet technology intended to keep information private while it is transported back and forth across the Internet. Furthermore, identifying data stored on the server is also encrypted or coded so that it cannot be recognized.
  7. The server/database exists behind a firewall, a device meant to keep hackers/crackers/viruses/etc. away from the server.
  8. The main database will be kept physically secure, meaning only authorized personnel will have access to the server/database.
  9. System Administrators employed by the HMIS and the agency support the operation of the database. Administration of the database is governed by agreements that limit the use of personal information to providing administrative support and generating reports using aggregated information. These agreements further ensure the confidentiality of your personal information.

V.  BENEFITS OF HMIS AND AGENCY INFORMATION SHARING:

Information you provide us can play an important role in our ability and the ability of other agencies to continue to provide the services that you and others in the community are requesting.

Allowing us to share your name results in a more accurate count of individuals and the services they use.  Obtaining an accurate count is important because it can help us and other agencies:

  1. Better demonstrate the need for services and the specific types of assistance needed in our area.
  2. Obtain more money and other resources to provide services.
  3. Plan and deliver quality services to you and your family.
  4. Assist the agency to improve its work with families and individuals who are homeless.
  5. Keep required statistics for state and federal funders, such as HUD.

VI.  COMPLIANCE WITH OTHER LAWS

This agency complies with all other federal, state and local laws regarding privacy rights. Consult with an attorney if you have questions regarding these rights.

VII. PRIVACY NOTICE AMENDMENTS:

The policies covered under this Privacy Notice may be amended over time and those amendments may affect information obtained by the agency before the date of the change.  All amendments to the Privacy Notice must be consistent with the requirements of the Federal Standards that protect the privacy of consumers and guide HMIS implementation and operation. 

VIII.  Web Site

We maintain a copy of the Privacy Notice on our web site at: www.chestnut.org.