Client Records - Privacy
 Protected Health Information (PHI)

Cranberry Counseling Policies and Procedures

What About Privacy?

Protected Health Information - PHI

Protected Health Information (PHI) may not be used or disclosed in violation of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule (45 C.F.R. parts 160 and 164) (hereinafter, the “Privacy Rule”) or in violation of state law.  These laws cover your records, especially when electronic.  These laws apply to records for children (unless otherwise stated).

We are permitted, but not mandated, under the Privacy Rule to use and disclose Protected Health Information without client consent or authorization in limited circumstances.  However, state or federal law may supersede, limit, or prohibit these uses and disclosures.

  • Under the Privacy Rule, these permitted uses and disclosures include those made:
    - To the client
    - For treatment, payment, or health care operations purposes, or
    - As authorized by the client
  • Additional permitted uses and disclosures include those related to or made pursuant to:
    - Reporting on victims of domestic violence or abuse, as required by law
    - Court orders
    - Workers’ compensation laws
    - Serious threats to health or safety
    - Government oversight (including disclosures to a public health authority, coroner, or medical examiner, military or veterans’ affairs, an agency for national security purposes, law enforcement)
    - Health research
    - Marketing or fundraising

We do not use or disclose Protected Health Information in ways that would be in violation of the Privacy Rule or state law.  We use and disclose PHI as permitted by the Privacy Rule and in accordance with state or other law.  In using or disclosing protected health information, we meet the Privacy Rule’s “minimum necessary requirement” as appropriate.


When using, disclosing or requesting PHI, we make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purposes of the use, disclosure or request.  We recognize that the requirement also applies to covered entities that request our clients’ records and require that such entities meet the standard, as required by law.

The minimum necessary requirement does not apply to disclosures for treatment purposes or when we share information with a client.  The requirement does not apply for uses and disclosures when client authorization is given.  It does not apply for uses and disclosures as required by law or to uses and disclosures that are required for compliance with the Privacy Rule.


While a client may authorize the release of any of their PHI, the Privacy Rule specifically requires client authorization for the release of Psychotherapy Notes.  Psychotherapy Notes authorization is different from client consent or authorization of other PHI, because a health plan or other covered entity may not condition treatment, payment, enrollment, or eligibility for benefits on obtaining such authorization.

  • We abide by the Psychotherapy Notes authorization requirement of the Privacy Rule, unless otherwise required by law.  In addition, authorization is not required in the following circumstances—
    - For our use for treatment
    - To defend us in a legal action brought by the client, who is the subject of the PHI
    - For purposes of HHS in determining our compliance with the Privacy Rule
    - By a health oversight agency for a lawful purpose related to oversight of the practice
    - To a coroner or medical examiner
    - In instances of permissible disclosure related to a serious or imminent threat to the health or safety of a person or the public.

We recognize that a client may revoke an authorization at any time in writing, except to the extent that we have, or another entity has, taken action in reliance on the authorization.


The Privacy Rule indicates that because parents generally have the authority to make health care decisions about their minor children, parents are generally recognized as personal representatives and can therefore access PHI about their children.  There are three exceptions to this provision:

  • If state law allows a minor access to mental health services without the consent of a parent,
  • When a court makes the determination or a law authorizes someone other than the parent to make health care decisions for the minor,
  • When the parent/guardian/person legally acting as the parent assents to an agreement of confidentiality between the minor and the health care professional.

Under these exceptions, the Privacy Rule makes clear that although records do not have to be disclosed, the minor may still voluntarily choose to involve a parent or other adult.  However, if the minor does choose to involve a parent or adult, the minor maintains the exclusive ability to exercise his or her rights under the Privacy Rule to preserve the confidentiality of PHI.  The Privacy Rule also clarifies that when a parent, guardian or other legal representative for a child or minor signs an authorization for the release of records, it remains valid even when the child becomes an adult until it is revoked or expires.


As required under the Privacy Rule, and in accordance with state law, we provide notice to clients of the uses and disclosures that may be made regarding their PHI and our duties and client rights with respect to notice.  We make a good faith effort to obtain written acknowledgement that our client receives this notice.


The Privacy Rule permits patients to request restrictions on the uses and disclosures of PHI for treatment, payment, and health care operations, or to family members.  While we are not required to agree to such restrictions, we will attempt to accommodate a reasonable request.  Once we have agreed to a restriction, we may not violate the restriction; however, restricted PHI may be provided to another health care provider in an emergency treatment situation.

A restriction is not effective to prevent uses and disclosures when a client requests access to his or her records or requests an accounting of disclosures.  A restriction is not effective for any uses and disclosures authorized by the client, or for any required or permitted uses recognized by law.

The Privacy Rule also permits clients to request receiving communications from us through alternative means or at alternative locations.  As required by the Privacy Rule, we will accommodate all reasonable requests.


In accordance with state law, the Privacy Rule, and other federal law, clients have access to and may obtain a copy of the medical and billing records that we maintain.  Clients are also permitted to amend their records in accordance with such law.


We provide our clients with an accounting of disclosures upon request, for disclosures made up to six years prior to the date of request.  While we may, we do not have to provide an accounting for disclosures made for treatment, payment, or health care operations purposes, or pursuant to client authorization.  We also do not have to provide an accounting for disclosures made for national security purposes, to correctional institutions or law enforcement officers, or that occurred prior to April 14, 2003.


We rely on certain persons or other entities, who or which are not our employees, to provide services on our behalf.  These persons or entities may include answering services, accountants, lawyers, billing services, and collection agencies.  Where these persons or entities perform services that require the disclosure of individually identifiable health information, they are considered under the Privacy Rule to be our business associates.

We enter into a written agreement with each of our business associates to obtain satisfactory assurance that the business associate will safeguard the privacy of the PHI of our clients.  We rely on our business associates to abide by the contract, and we will take reasonable steps to remedy any breaches of the agreement that we become aware of.


As required by the Privacy Rule, we train all members of our staff, as necessary and appropriate, to carry out their functions, on the policies and procedures to protect PHI.  We have the discretion to determine the nature and method of training necessary to ensure that staff appropriately protects the privacy of our clients’ records.


To protect the privacy of the PHI of our clients, we have in place appropriate administrative, technical, and physical safeguards, in accordance with the Privacy Rule.


The privacy of our clients’ PHI is critically important for our relationship with our clients and for our practice.  We provide a process for our clients to make complaints concerning our adherence to the requirements of the Privacy Rule.


We have and apply appropriate sanctions against a member of our staff who fails to comply with the requirements of the Privacy Rule or our policies and procedures.  We may not apply sanctions against an individual who is testifying, assisting, or participating in an investigation, compliance review, or other proceeding.


We mitigate, to the extent possible, any harmful effect that we become aware of regarding our use or disclosure, or our business associate’s use or disclosure, of PHI in violation of policies and procedures or the requirements of the Privacy Rule.


We believe that clients should have the right to exercise their rights under the Privacy Rule.  We do not take retaliatory action against a client for exercising his or her rights or for bringing a complaint.  Of course, we will take legal action to protect ourselves, if we believe that a client undertakes an activity in bad faith.

We will not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against a client for exercising a right, filing a complaint or participating in any other allowable process under the Privacy Rule.

We will not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against a client or other person for opposing any act or practice made unlawful under the Privacy Rule, provided that the client or other person has a “good faith belief” that the practice is unlawful and the manner of opposition is reasonable and does not involve disclosure of PHI.

We will not require a client to waive his or her rights provided by the Privacy Rule or his or her right to file an HHS compliance complaint as a condition of receiving treatment.


We have implemented policies and procedures to ensure that we are in compliance with the Privacy Rule.


We meet applicable state laws and the Privacy Rule’s requirements regarding documentation.