Privacy Policy
The Health Insurance Portability and Accountability Act (HIPAA) of 1996, Public Law 104-191, amends the Internal Revenue Service Code of 1986. Title II includes a section, Administrative Simplification, requiring improved efficiency in healthcare delivery by standardizing electronic data interchange and protection of confidentiality and security of health data through setting and enforcing standards. More specifically, HIPAA calls for standardization of electronic client health, administrative and financial data, unique health identifiers for individuals, employers, health plans and health care providers, and security standards protecting the confidentiality and integrity of “individually identifiable health information,” past, present or future.


The four parts of the Administrative Simplification are:

A. Electronic Health Transactions Standards.

The term Electronic Health Transactions Standards includes health claims, health plan eligibility, enrollment and disenrollment, payments for care and health plan premiums, claim status, first injury reports, coordination of benefits, and related transactions. Implementation of a national standard will force the use of one format, thereby “simplifying” and improving transaction efficiency nationwide. Health organizations also must adopt standard code sets to be used in all health transactions.

B. Unique Identifiers.

The current system allows multiple ID numbers when dealing with other agencies. This section will standardize those identifiers and reduce the confusion.

C. Security and Electronic Signature Standards.

The Security Standard provides a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual. The Security Standard mandates safeguards for physical storage and maintenance, transmission, and access to individual health information.

In accordance with 907 KAR 1:044 Community Mental Health Center Services, Section 5, Pennyroyal Center has:

  1. A written security policy that stipulates which individuals have access to electronic signatures and password authorization.
  2. Ensured that electronic signatures are created, transmitted and stored securely.
  3. Developed a consent form which is completed and executed by each individual utilizing an electronic signature, attests to the signature’s authenticity, and includes a statement that each individual has been notified of the responsibility in allowing the use of the electronic signature.

D. Privacy and Confidentiality Standards.

Privacy defines who has the right to access personally identifiable health information, in all forms.

The standards:

  • Limit the non-consensual use and release of private health information.
  • Give clients rights to access their medical records and to know who else has accessed them.
  • Restrict most disclosure of health information to the minimum needed for the intended purpose.
  • Establish new criminal and civil sanctions for improper use or disclosure.
  • Establish new requirements for access to records by researchers and others.

In accordance with the Regulation, a Privacy and Security Officer is appointed who is responsible for the development and implementation of the policies and procedures for the Pennyroyal Center.


The following sections from the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Pennyroyal Center’s Policy and Procedures provide an outline of the policies that must be documented to be compliant with HIPAA Privacy Regulations.


A copy of the Privacy Notice will be posted in a prominent place at the intake of each service delivery site and will be posted on the Web Site. A copy of the Privacy Notice will be given to all new clients on admission and once annually. Receipt of the Privacy Notice will be signed by the client and witnessed by a staff member on the Permission for Treatment (PC-237). A copy of the Privacy Notice is in the Pennyroyal Center HIPAA Handbook maintained in the office of the Coordinator of Quality Management.


The Pennyroyal Center will complete Releases of Information (PMHC-155 and PMHC-156) on each person who receives services at the Pennyroyal Center, when applicable. Both Releases detail the client’s right to revoke in writing a consent at any time unless the action has already been taken. See Release of Information for policies regarding releasing information and requests to receive information from other agencies.


The Pennyroyal Center will apply the minimum necessary standards to all uses, disclosures, and requests for confidential information. Any request for entire medical records, other than for treatment purposes, must be justified in writing and made a part of the medical record as documentation of that justification. Disclosures of confidential information to the Department of Health and Human Services for compliance purposes and disclosures that we are required to make in order to comply with the HIPAA regulations on standard transactions are not subject to the minimum necessary requirements. If a staff member receives a request for confidential information from a person purporting to be a representative of DHHS or any of its sub-agencies, they should contact the management on site at the time and the Privacy Officer about the request before disclosing any information. If the person representing DHHS presents in person at a site and states they are involved in an investigation, audit or any other type of fact-finding mission, staff should confirm their credentials and inform the Privacy Officer, but should not interfere with the investigation or audit process. More detailed procedures are found in the HIPAA Handbook.


The Health Insurance Portability and Accountability Act (HIPAA) of 1996 Sections 164.522 and 164.524 allow individuals the right of access to inspect and obtain a copy of their confidential information, for as long as the Pennyroyal Center maintains the information. This is documented in Release of Clinical Information to Clients and Fee Policy for Duplicating Client Records, a copy of which is in the HIPAA Handbook.


A Business Associate Agreement will be signed with any vendor or independent contractor who proposes to do business with the Pennyroyal Center. Any entity who performs a function or activity on behalf of the Pennyroyal Center that involves the use or disclosure of Confidential Information or who provides any legal, actuarial, accounting, consulting, data aggregation or management, administrative, accreditation, or financial services, and who is not involved in the treatment of a client, must sign a Business Associate Agreement with the Pennyroyal Center. A copy of this Agreement is in the HIPAA Handbook.


Section 164.526 gives an individual the right to amend confidential information about that individual for as long as the information is maintained. Instructions for amending confidential information are in the Notice of Privacy Practices.


Section 164.528 provides a right for individuals to receive an accounting of all disclosures of confidential information. Disclosure information must be made available for a 6-year period from date of service. A record of disclosures does not have to be made when those disclosures are to carry out treatment, payment and health care operations, when made to the individual about his or her own confidential information, to persons involved in the individual’s care, for national security or intelligence purposes, or to correctional institutions or law enforcement officials.


Section 164.404 requires a covered entity to notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of a breach. The Pennyroyal Center will provide a notification to the individual without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach. The Pennyroyal Center, as required, will notify the prominent media outlets in the surrounding areas and the Secretary for breaches that involve more than 500 individuals. For breaches involving fewer than 500 individuals, the Pennyroyal Center will notify the U.S. Department of Health and Human Services (HHS) annually as specified on the HHS website.

If it is unclear as to whether or not a breach has occurred, a risk assessment will be completed based on the following factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.

If a risk assessment is completed and a possible determination of a HIPAA breach is being considered, the Corporate Compliance Officer will be consulted.


Section 164.530(d) requires a procedure to document all complaints received and their disposition, if any; the Pennyroyal Center will work to mitigate any problems known to it. Any complaint regarding a breach of confidentiality or a security risk should be referred immediately to the Privacy Officer, who will make every effort to mitigate the situation. In accordance with Section 164.530(g), the Privacy Officer will not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against complaining individuals. In accordance with Section 164.530(h), the Pennyroyal Center will not require individuals to waive their rights to this procedure as a condition of providing treatment.


The Pennyroyal Center will use appropriate administrative, technical, and physical safeguards to protect the privacy of confidential information. The Pennyroyal Center will “reasonably” safeguard confidential information from any intentional or unintentional use or disclosure. Administrative, technical, and physical safeguards, access control, disaster recovery, maintenance records, and audit procedures are documented in Computer Policies and Procedures, Computer and Information Usage Agreement (PMHC-375) and the Pennyroyal Center Technology and System Plan.


Section 164.530(b) requires a healthcare entity to train all members of its workforce on HIPAA policies and procedures. Training will be done for current employees at the time of compliance, April 2003, and thereafter for all new members of the workforce during new employee orientation. Training will also be completed by staff members on a recurring basis utilizing E-Learning.

Training will be documented by use of a service document and entered into the computer with the appropriate training service code.