HIPAA Privacy Policy

Hopebound Mental Health, Inc.

Effective Date of Updates Made: October 7, 2024

Introduction

Hopebound Mental Health, Inc. (“Company”) is committed to honoring the right to privacy of our patients and website visitors. The Company is subject to the Privacy Rule (as further identified below) as a “provider” and as a “business associate” of other “covered entities.”

When a person visits our website, we may collect and track data from our site’s server. We use this information to help improve upon the content we provide on our site. Among the information we collect may be how long you spend on our site, the pages you visit, your browser and operating system types, and the name of your internet service provider. Any information we collect is not shared with third parties unless we are legally required to do so or as necessary to process your requests. Please contact us if you have any questions about our privacy policy or our use of information gathered through our website.

This Notice of Privacy Practices and accompanying materials (for example, the Company’s authorization form or business associate agreements) summarize the Company’s privacy policies and are sometimes referred to collectively as the “Privacy Policy.” These deal with Company’s roles as a direct and indirect provider and as an employer (“Plan Sponsor”) within the same documents. When applicable and necessary, the two roles are distinguished; otherwise this Privacy Policy applies to all elements of Company’s HIPAA compliance program.

“Individuals” for purposes of this Privacy Policy means, unless otherwise designated, (1) as a provider both to patients of Company and to patients in which Company is involved in coordination of care where a patient may have one or more other healthcare providers such as when to Company for clinical psychology services; and (2) as employer/Plan sponsor, the employees of Company.

Members of the Company’s workforce may have access to the “protected health information” (as described below) of individuals (1) as a “provider” or if coordinating with other caregivers in collaboration with them in a coordination of care; and (2) as “Plan” and “Plan Sponsor” on behalf of Company’s Welfare Benefit Plan (“Plan”).

The Company complies with the Health Insurance Portability and Accountability Act of 1996, as amended, (“HIPAA”) and its implementing regulations, including its final privacy regulation, at 45 C.F.R. Parts 160 and 164 (the “Privacy Rule”), as administered by the Office for Civil Rights within the federal Department of Health and Human Services (“DHHS”). HIPAA restricts the Company’s use and disclosure of “protected health information” (“PHI” hereafter), as well as the use and disclosure of PHI by its “business associates”.

“PHI” means information that is created or received by Company or the Plan and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that tends to identify the individual directly or indirectly. PHI includes information concerning persons living or deceased.

PHI does NOT include non-PHI associated with Company’s employment or employee benefits records. Examples of information that is individually identifiable but is not PHI are any data or information in the Company’s employment records (not in health plan records) that are collected, created, and/or processed in connection with Company hiring, recruitment, and/or non-health-plan employee benefits. Examples of employment and/or employee benefits records that do not contain PHI are the following: personnel files; LTD, STD, Life Insurance and Workers’ Compensation Insurance.

The Company formally adopted this Privacy Policy as of the date noted above with regard to the use and disclosure of PHI and individuals’ rights relating to PHI. The Company expects all members of its workforce who have access to PHI to comply with this Privacy Policy. Individuals who are part of the Company’s “workforce” under HIPAA and this Privacy Policy include but are not limited to: employees, volunteers, trainees, and other persons whose work performance is under the direct control of Company, whether or not they are paid by Company or by any of Company’s employed and contracted therapists.

Should any questions, complaints or issues arise in any of Company’s locations, they should be referred to Company’s Executive Director at hello@hopebound.com or (404) 507-6149. Should any other member of the Company’s workforce receive any privacy-related questions, concerns, or inquiries, each is responsible for promptly referring the matter to the Executive Director and should direct a person or entity raising the issue to the Executive Director. The Company has a “see something, say something” policy and expects all members of its workforce to report privacy questions or concerns to the Executive Director, or when applicable, the Board of Directors.


Company’s Responsibilities as Covered Entity

Privacy Official

The Company’s Executive Director, who represents the Company Privacy Official, can be reached at hello@hopebound.com or (404) 507-6149.

Workforce Training

It is Company’s policy to limit access to PHI to circumstances where individual members of its workforce have a need to know, use or disclose it.  The Company develops training programs and schedules to assure that practical role-based training has occurred to help all members of its workforce carry out their functions.

How We Protect your Information: Administrative, Technical and Physical Safeguards

The Company has implemented sufficient safeguards to assure the confidentiality, integrity and availability of PHI entrusted to its care.  It periodically reviews those administrative, physical and technical safeguards to assure they are adequate to prevent PHI from intentionally or unintentionally being used or disclosed in violation of HIPAA.  

Administrative safeguards include, but are not limited to, training, workforce clearance efforts, documented privacy policies and procedures, and designation of a Privacy Official.

Technical safeguards include but are not limited to issuing all members of the workforce unique credentials for accessing any PHI; limiting access to PHI to individuals with a work-related “need to know”; limiting computers from accessing PHI in any unsecure manner; and programming computers to have automatic shut-off after nonuse. Users shall use reasonable means to shield computer screens when accessing PHI to keep others from viewing the screen, and PHI shall not be e-mailed unless required or it is otherwise not feasible to use paper means.

Physical safeguards include keeping PHI stored in enclosed offices with the doors locked or in locked filing cabinets, all with limited access. No papers containing PHI shall be left unattended (such as left out on a desk) unless behind locked doors in offices with restricted access. Personnel shall conduct telephone conversations involving PHI in an enclosed office behind closed doors whenever possible and otherwise lower voices and take similar actions to keep others from overhearing the conversation. Fax machines conveying PHI will be accessible only to members of the workforce with a need to know.

These safeguards are intended to assure that only authorized members of the workforce will have access to PHI, that they will have access to only the minimum amount of PHI necessary for their functions, and that they will not further use or disclose PHI in violation of HIPAA’s Privacy Rule.

Any paper copies of patient records (“charts”) will be maintained in locked file cabinets. Website postings of daily schedules will limit PHI to the minimum necessary disclosure, and the website will be accessible only to members of the workforce with a need to know.   Medical consultations will be in closed rooms or partially enclosed rooms with privacy panels.

Complaints

If you believe that your privacy has been violated or that the privacy of a Company patient or member of workforce has been violated, please file a complaint with us at hello@hopebound.com or with DHHS.  We will not retaliate or penalize you for alerting us about a privacy compliance issue or for filing a complaint with us or the DHHS.  To file a complaint with the DHHS, their phone is 800-537-7697, their address is 200 Independence Avenue, SE, Washington, DC  20201, or you may file a complaint online at https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf

Sanctions for Violations of Privacy Policy

The Company takes its privacy obligations seriously and will investigate all complaints and impose appropriate sanctions if PHI has been improperly used and/or disclosed.

Mitigation of Inadvertent Disclosures of Protected Health Information

Company shall mitigate, to the extent possible, any harmful effects that become known to it from a use or disclosure of an individual’s PHI in violation of the policies and procedures set forth in this Policy. As a result, if an employee becomes aware of a disclosure of PHI which violates this Policy, either by another member of the Workforce or a third-party administrator or insurer, the employee must report that immediately to the Privacy Official so that the situation can be investigated and in appropriate cases steps can be taken to mitigate the harm to the individual.

Breach Notification Requirements

If a member of the Company’s workforce, a patient, or other individual becomes aware of a security incident or potential breach of unsecured PHI, contact the Privacy Official. Promptly after a report of suspected breach of unsecured PHI, the Privacy Official shall direct and undertake an investigation to determine if a breach of unsecured PHI occurred and the scope of such breach.

Following the discovery of a breach of unsecured PHI that is required to be reported, the Company shall provide timely notices to law enforcement, affected individuals (if any), state and federal regulators, and the media (if appropriate).

No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy

As noted above, it is the Company’s policy that no member of its workforce may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA.

No individual shall be required to waive their privacy rights under HIPAA as a condition of treatment, payment, enrollment or eligibility.

Documentation and Document Retention

The Company’s privacy policies and procedures shall be maintained for at least six years. Policies and procedures will be changed as necessary or appropriate to comply with changes in the law, standards, requirements, and implementation specifications (including changes and modifications in regulations). Any changes to policies or procedures will be documented. Please review the Company’s website occasionally to view any revisions, updates, additions, or corrections.

When a change affects this Privacy Policy, the Company will revise its Privacy Policy and make the updated Privacy Policy available on its website. Such change is effective only with respect to PHI created or received after the effective date of the Notice. The Company will retain retired versions of the Privacy Policy in its archives.

Company shall document certain events and actions (including direct patients’ declining receipt of a copy of the Privacy Policy, as well as authorizations, requests for information, sanctions, and complaints) relating to an individual’s privacy rights. The documentation of any policies and procedures, actions, activities and designations may be maintained in either written or electronic form. Company will maintain such documentation for at least six years (beginning May 1, 2020).


How We Use and Disclose PHI

How We Collect and Maintain Your Health Information

The health information or PHI that we collect or maintain may include:

  • Billing information that you provide us, such as credit card information, or that we receive from a health plan, employer or other provider of healthcare benefits on your behalf.
  • Your name, age, date of birth, insurance policy information, email address, username, password, and other registration information.
  • Health information that you provide us, which may include information or records relating to your medical or health history, health status and laboratory testing results, diagnostic images, and other health-related information.
  • Health information about you prepared or obtained by members of our workforce who provide services through our electronic health record, such as medical and therapy records, treatment and examination notes, and other health-related information.

How We Use and Disclose Health Information

We use and disclose your health information for our routine activities, treatment, payment, and healthcare operations and as required by law.  Generally, we do not need your permission for these disclosures under applicable laws. 

The following are examples of situations in which we may disclose PHI as required under applicable laws:

  1. Treatment – We keep a record of the health information you provide us. This record may include your test results, diagnoses, medications, your response to medications or other therapies, and information we learn about your medical condition through therapy or psychiatry services. We may disclose this information so that other doctors, nurses, and entities such as laboratories can meet your healthcare needs.
  2. Payment – We document the services and supplies you receive when we are providing care to you so that you, your insurance company, or another third party can pay us. We may tell your health plan about upcoming treatment or services that require prior approval by your health plan.
  3. Health Care Operations – Health information is used to improve the services we provide, to train staff, for business management, quality assessment and improvement, and for customer service. For example, we may use your health information to review our treatment and services and to evaluate the performance of our staff in caring for you.

We may also use and disclose your health information to:

  • Comply with federal, state, or local laws that require disclosure.
  • Assist in public health activities, such as tracking diseases or medical devices.
  • Inform authorities to protect victims of abuse or neglect.
  • Comply with federal and state health oversight activities, such as fraud investigations.
  • Respond to law enforcement officials or to judicial orders, subpoenas, or other processes.
  • Inform coroners, medical examiners and funeral directors of information necessary for them to fulfill their duties.
  • Facilitate organ and tissue donation or procurement.
  • Conduct research following internal review protocols to ensure the balancing of privacy and research needs.
  • Avert a serious threat to health or safety.
  • Assist in specialized government functions, such as national security, intelligence, and protective services.
  • Inform military and veteran authorities if you are an armed forces member (active or reserve).
  • Inform a correctional institution if you are an inmate.
  • Inform workers’ compensation carriers or your employer if you are injured at work.
  • Recommend treatment alternatives.
  • Tell you about health-related products and services.
  • Communicate within our organization for treatment, payment, or healthcare operations.
  • Communicate with other providers, health plans, or their related entities for their treatment or payment activities, or health care operations activities relating to quality assessment and improvement, care coordination, and the qualifications and training of healthcare professionals.
  • Provide information to other third parties with whom we do business, such as a record storage provider. However, you should know that in these situations, we require third parties to sign a business associate agreement (BAA) in order to confirm that they will safeguard your information and will comply with HIPAA.

We may also use or disclose your personal or health information for operational purposes. For example, we may communicate with individuals involved in your care or payment for that care, such as family or guardians, and send appointment reminders. All other uses and disclosures, not previously described, may only be done with your written authorization. You may revoke your authorization at any time; however, this will not affect prior uses and disclosures. In some cases, state law may require that we apply extra protections to some of your health information.

Our Workforce’s Responsibilities

We are required by law to:

  • Maintain the privacy of your health information.
  • Provide this Privacy Policy describing our duties and privacy practices.
  • Abide by the terms of the Privacy Policy currently in effect.
  • Tell you if there has been a breach that compromises your health information.

We reserve the right to change our privacy practices and make the new practices effective for all the information we maintain. Revised notices will be posted on www.hopebound.com/hipaa-privacy-policy/ 

Mandatory Disclosures of PHI to Individual and DHHS

The Company will disclose an individual’s PHI as required by HIPAA in two situations:

  • The disclosure is to the individual who is the subject of the information; and
  • The disclosure is made to DHHS for purposes of enforcing HIPAA.

Disclosures of PHI Pursuant to an Authorization

PHI may be disclosed for any purpose if an authorization that satisfies all of HIPAA’s requirements for a valid authorization is provided by the individual. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization.

Complying With the “Minimum-Necessary” Standard

HIPAA requires that when PHI is used or disclosed, the amount disclosed generally must be limited to the “minimum necessary” to accomplish the purpose of the use or disclosure, as determined by the Privacy Official case-by-case, or, in the instance of routine and recurring disclosures, as set forth here in this Privacy Policy.

Disclosures of PHI to Vendors and other Third Parties – “Business Associates”

From time to time the Company may work with vendors or other third parties to perform its services who are known as “business associates.” The Company requires its business associates to provide adequate assurances that they will comply with HIPAA and have the means to safeguard any PHI entrusted to their care. The Company may disclose PHI to Company’s business associates and allow Company’s business associates to create or receive PHI on its behalf. The Privacy Official maintains an up-to-date record of all the Company’s business associates and maintains copies of their business associate agreements. All members of the workforce must check with the Privacy Official to assure a third party is an approved business associate before sharing PHI with them.

Disclosures of De-Identified Health Information and Limited Data Sets

Company may freely use and disclose de-identified health information. De-identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.

Your Individual Rights

Patients (and their legal representatives) have the following rights when exercised in writing directed to the Company’s Privacy Official:

  • right to access and obtain copies of their PHI that Company (or its business associates) maintains in “designated record sets”;
  • right to request an amendment or other update to their designated record set; and
  • right to receive an accounting of any non-routine disclosures of the individual’s designated record set.

A “Designated Record Set” is a group of records maintained by or for Company that includes:

  • the enrollment, payment, and claims adjudication record of an individual maintained by or for Company or its patients; or
  • other protected health information used, in whole or in part, by or for Company.

Please allow thirty (30) days from the date the Company receives your written request to exercise one of these rights for the Company to review and respond to your request.  In some instances records may be archived and the Company may request an additional thirty (30) days to process your request.

Requests for Confidential Communications

Individuals or another covered entity on their behalf may request to receive communications regarding their PHI by alternative means or at alternative locations. For example, individuals may ask to be called only at work rather than at home. Such requests shall be honored if, in the sole discretion of Company, the requests are reasonable.

However, Company shall accommodate such a request if the individual clearly provides information that the disclosure of all or part of that information could endanger the individual. The Privacy Official has responsibility for addressing requests for confidential communications.

Requests for Restrictions on Uses and Disclosures of PHI

An individual, or another covered entity on his/her behalf, may request restrictions on the use and disclosure of the individual’s PHI. It is Company’s policy to attempt to honor such requests if, in its sole discretion, the requests are reasonable. The Privacy Official is charged with responsibility for addressing requests for restrictions.

General

  • The Company reserves the right to amend or change this Privacy Policy at any time.
  • No third party rights (including, but not limited to, rights of plan participants, beneficiaries, covered dependents, or business associates) are intended to be created by this Privacy Policy.