HIPAA Policy

RACKER
Notice of Health Information Privacy Practices
THIS NOTICE DESCRIBES HOW IDENTIFIABLE HEALTH (MEDICAL) INFORMATION ABOUT YOU MAY BE USED AND
DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY
This notice is effective as of September 23, 2013. If you have any questions about this notice, please contact Susan C. Budney, Racker’s Director of Quality Enhancement & Standards at (607) 272-5891 ext. 249 or 1-800-336-1660 ext. 249. .
Our Privacy Commitment to You
At Racker, we understand that information about you and your family is personal. We are committed to protecting your privacy and sharing information only with those who need to know and are allowed to see the information to assure quality services to you.
1. Who will follow this notice:
• All people who work for Racker in our services programs, and in Racker’s administrative offices will follow this notice. This includes employees, persons Racker contracts with (contractors) who are authorized to enter information in your clinical record or need to review your record to provide services to you, business associates who may come into contact with your clinical record and their subcontractors, if any, and volunteers that Racker allows to assist you.
2. What information is protected:
• All information we create or keep that relates to your health or care and treatment, including your name, address, birth date, social security number, your medical information, your individualized service plan, and other information about your care in our programs.

Your Health/Clinical Information Rights
You have the following rights concerning your health/clinical information. When we use the word “you” in this notice we also mean your personal representative. Depending on your circumstances and in accordance with state law, this may be your guardian, involved parent, spouse, or adult child, or your advocate.
 You have the right to review your health/clinical information and obtain a copy, including information stored electronically. This does not include access to psychotherapy notes or information compiled for use in court or administration proceedings. Records regarding incident reports and investigations may be made available to you depending on the services you receive and the applicable laws governing required disclosure. Your request to review your information should be put in writing. We will respond to your request within 30 days or as required by law, whichever is sooner. Upon approval of your request, a copy of your records will be provided either free of charge or according to a cost-based fee schedule. In the case of electronic records, you may request that they be provided electronically in a common file format (e.g.: .pdf, .csv, .xls) or printed. If you are provided with a copy of your records, Racker cannot be held responsible for disclosures of PHI emanating from the copy provided.
 If we deny your request to see your health/clinical information, you have the right to request a review of that denial. A professional chosen by Racker, who was not involved in denying your request, will review the record and decide if you may have access to the record. Denials will be explained in writing.
 You have the right to ask Racker to change or amend your health/clinical information that you believe is incorrect or incomplete. We may deny your request in some cases, for example, if the record was not created by Racker or if after reviewing your request, we believe that the record is accurate and complete. If we approve the request for amendment, we will change the health information and inform you of that action and tell others that need to know about the change in the protected health information (PHI).
 You have the right to request a list of the disclosures Racker has made of your health/clinical information. We will not however keep or provide you with a list of certain disclosures, for example, disclosures made
Updated: 1/21/14

for treatment, payment and health care operations, or disclosures made to you or made to others with your permission. The list of disclosures will also not include disclosures made for national security or intelligence purposes, to law enforcement officials or correctional institutions, or disclosures made before April 2003. We will respond to your written request for such an accounting within 60 days of receiving it.
 You have the right to ask that we limit how we disclose or use your PHI. We will consider your request, but are not legally bound to agree to the restriction, however we must agree to limit disclosures to your health plan(s) upon your request if the related services are already paid for in full. To the extent that we do agree to any restrictions on our use/disclosure of your PHI, we will put the agreement in writing and abide by it except in emergency situations.
o We cannot agree to limit uses/disclosures that are required by law.
 You have the right to request that Racker communicates with you in a way that will help keep your information confidential.
 You have the right to receive a paper copy of this notice. You may ask Racker staff to give you another copy or you may obtain one from our privacy officer – Susan C. Budney, Racker’s Director of Quality Enhancement & Standards, at (607)272-5891 ext. 249 or 1-800-336-1660 ext. 249.

To request access to your health/clinical information or to request any of the rights listed here, you may contact the director of the program in which you participate, at (607) 272-5891 or 1-800-336-1660.
Racker’s Responsibilities For Your Health Information
Racker is required by law to:
 Maintain the privacy of your information
 Give you this notice of our legal duties and practices concerning the health information we have about you.
 Follow the rules in this notice. Racker will use or share information about you only with your permission except for the reasons explained in this notice. We will inform you if we make changes to our privacy practices in the future. If significant changes are made, Racker will give you a new notice.
 Notify you of any breaches of unsecured protected health information that may affect you.

How Racker Uses and Discloses Health Care Information
Racker may use and disclose health/clinical information without your permission for the purposes described below. For each of the categories of uses and disclosures, we explain what we mean and offer an example. Not every use or disclosure is described, but all the ways we will use or disclose information will fall within these categories.
 Treatment Racker will use your health/clinical information to provide you with treatment and services. We may disclose health/clinical information to doctors, nurses, psychologists, social workers, qualified intellectual disabilities professionals (QIDP’s), direct support staff and other Racker personnel, volunteers or interns who are involved in providing you care. For example, involved staff may discuss your health/clinical information to develop and carry out your service plan. Other Racker staff may share your medical tests, respite care, transportation, etc. We may also need to disclose your health/clinical information to other providers outside of Racker who are responsible for providing you with the services identified in your service plan or to obtain new services for you.

Appointment Reminders: We may use and disclose medical information to contact you as a reminder that you have an appointment for treatment or services at one of our programs.
 Payment Racker will use your health/clinical information so that we can bill and collect payment from you, a third party, an insurance company, Medicare or Medicaid or other government agencies. For example, we may need to provide the NYS Department of Health (Medicaid) with information about the services you received in our facility or through one of our HCBS waiver programs so they will pay us for the services. In addition, we may disclose your health/clinical information to receive prior approval for payment of services you may need. Also, we may disclose your health/clinical information to the US Social Security Administration, or the Department of Health to determine your eligibility for coverage or your ability to pay for services.
 Health Care Operations Racker will use health/clinical information for administrative operations. These uses and disclosures are necessary to operate Racker’s programs and residences and to make sure all
Updated: 1/21/14

consumers receive appropriate, quality care. For example, we may use health/clinical information for quality improvement to review our treatment and services and to evaluate the performance of our staff in caring for you. We may also disclose information to clinicians and other personnel for on the job training. We will share your health/clinical information with other Racker staff for the purposes of obtaining legal services through Racker’s Counsel’s office, conducting fiscal audits, and for fraud and abuse detection and compliance through our Division of Quality Development and Support. We will also share your health/clinical information with Racker’s staff to resolve complaints or objections to your services. We may also disclose health/clinical information to our business associates who need access to the information to perform administrative or professional services on our behalf.
 Public Relations/Fund Raising/Grants Racker may use health/clinical information in summary format to describe the scope of agency services for public relations, fund raising and/or grant applications. For example, a grant application may ask for the organization to describe the nature of individuals served by a specific Racker’s program. Such information would describe the general population served and not disclose individual information of a person. Any need to disclose individualized information for public relation funding or grant purposes would not be disclosed unless specific authorization from the person is obtained.

Other Uses and Disclosures that Do Not Require Permission
In addition to treatment, payment and health care operations, Racker will use your health/clinical information without your permission for the following reasons:
When we are required to do so by federal or state law:
 For public health reasons, including prevention and control of disease, injury or disability, child abuse or neglect, reactions to medication or problems with products, and to notify people who may have been exposed to a disease or are at risk of spreading the disease;
 To report domestic violence and adult abuse or neglect to government authorities if you agree or if you agree or if necessary to prevent serious harm;
 For health oversight activities, including audits, investigations, surveys and inspections and licensure. These activities are necessary for government to monitor the health care system, government programs, and compliance with civil rights laws.
 For judicial and administrative proceedings, including hearings and disputes. If you are involved in a court or administrative proceeding we will disclose health/clinical information if the judge or presiding officer orders us to share the information.
 For law enforcement purposes, in response to a subpoena, or other legal process, to identify a suspect or witness or missing person, regarding a victim of a crime, a death, criminal conduct at the facility, and in emergency circumstances to report a crime;
 Upon your death, to coroners or medical examiners for identification purposes or to determine cause of death, and to funeral directors to allow them to carry out their duties;
 To organ procurement organizations to accomplish cadaver, eye, tissue or organ donations in compliance with state law;
 For workers compensation, to the extent authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs established by law.
 For research purposes when you have agreed to participate in the research and an Institutional Review Board or Privacy Committee has approved the use of the health/clinical information for the research purposes;
 To prevent or lessen a serious and imminent threat to your health and safety or someone else’s;
 To authorized federal officials for intelligence and other national security activities authorized by law or to
 provide protective services to the President and other officials.
 To correctional institutions or law enforcement officials if you are an inmate and the information is necessary to provide you with health care, protect your health and safety or that of others, or for the safety of the correctional institution.
Updated: 1/21/14
 To governmental agencies that administer public benefits if necessary to coordinate the covered functions of the programs.

Uses and Disclosures that Require Your Agreement or Authorization
Racker may disclose health/clinical information to the following persons if we tell you we are going to use or disclose it and you agree or do not object:
 To family members and personal representatives who are involved in your care if the information is relevant to their involvement and to notify them of your condition and location; or
 To disaster relief organizations that need to notify your family about your condition and location should a disaster occur.

Authorization Required for All Other Uses and Disclosures
 For all other types of uses and disclosures not described in this Notice, Racker will use or disclose health/clinical information only with a written authorization signed by you or an authorized personal representative that states who may receive the information, what information is to be shared, the purpose of the use or disclosure and an expiration for the authorization. Written authorizations are always required for use and disclosure of psychotherapy notes and for marketing and fundraising purposes.
o You will be provided the opportunity to opt out of receiving communications for fund raising purposes.

Note: If you cannot give permission due to an emergency, Racker may release health/clinical information in your best interest. We must tell you as soon as possible after releasing the information. This notification will be made in writing.
You may revoke your authorization at any time. If you revoke your authorization in writing we will no longer use or disclose your health/ clinical information for the reasons stated in your authorization. We cannot, however take back disclosures we made before you revoked and we must retain health/clinical information that indicates the service we have provided to you.
Changes to this Notice
We reserve the right to change this notice. We reserve the right to make changes to terms described in this notice and to make the new notice terms effective to all health/clinical information that Racker maintains. We will have copies of the notice available at our sites, and post the new notice in our facilities and on Racker’s website. In addition, we will provide a copy to you upon request.
Complaints
If you believe your privacy rights have been violated:
 You may file a complaint with Racker’s Privacy Officer at [3226 Wilkins Rd., Ithaca, NY 14850, (607)272-5891 ext. 249 or 1-800-336-1660].
 You may also file a complaint with the federal Dept. of Health and Human Services’ Office for Civil Rights. These complains must be in writing, either on paper or electronically and should be directed to OCRComplaint@hhs.gov or your OCR regional office at the following address: