Heartfelt Recovery Centers – HIPAA Privacy and Security Policy
1. Purpose
The purpose of this policy is to ensure that Heartfelt Recovery Centers (HRC) complies with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), including the Privacy, Security, and Breach Notification Rules, in the protection of patient health information. As a provider of substance use disorder (SUD) treatment services, HRC is also subject to 42 CFR Part 2, which provides additional privacy protections for SUD treatment records.
2. Scope
This policy applies to all employees, contractors, interns, volunteers, and business associates of HRC who have access to Protected Health Information (PHI), including electronic PHI (ePHI).
3. Definitions
- PHI: Protected Health Information – any information, oral or recorded in any form or medium, that is created or received by HRC and relates to the past, present, or future physical or mental health or condition of a patient.
- ePHI: Electronic Protected Health Information.
- Designated Record Set: Records maintained by or for HRC used to make decisions about individuals.
- Minimum Necessary Rule: Only the minimum amount of PHI necessary to accomplish the intended purpose may be accessed, used, or disclosed.
4. Policy
4.1 Use and Disclosure of PHI
- HRC will use and disclose PHI only as permitted or required by HIPAA and 42 CFR Part 2.
- Patient consent is required for most uses and disclosures of PHI, especially those involving substance use treatment records.
- PHI may be used without patient authorization for:
  - Treatment
  - Payment
  - Health care operations
  - Public health or legal reporting requirements, only as explicitly permitted
  - Medical emergencies
  - Court order
4.2 Patient Rights
Patients have the right to:
- Receive a Notice of Privacy Practices
- Access and obtain a copy of their PHI
- Request corrections to their PHI
- Request restrictions on uses and disclosures
- Request confidential communications
- Receive an accounting of disclosures
- File a complaint if they believe their rights have been violated
  - To file a complaint with HRC, contact:
    Janene Brandolini
    Privacy & Security Officer
    Janene@heartfeltrecoverycenters.com
    (603) 207-1633
4.3 Administrative Safeguards
- A designated Privacy Officer and Security Officer will oversee HIPAA compliance.
- All workforce members must receive HIPAA training upon hire and annually thereafter.
- Business Associate Agreements (BAAs) must be executed with all vendors who handle PHI on behalf of HRC.
- Policies and procedures are reviewed and updated annually or as required by law.
4.4 Physical Safeguards
- PHI stored in physical form must be secured in locked filing cabinets or rooms.
- Only authorized personnel may access areas where PHI is stored.
- Visitors must be escorted in secure areas.
5. Confidentiality Under 42 CFR Part 2
Due to the sensitive nature of SUD treatment:
- Patient identifying information may not be disclosed without specific, written patient consent unless explicitly allowed under Part 2 exceptions (e.g., medical emergencies, court orders).
- All staff must receive annual training on 42 CFR Part 2 compliance.
- HRC's legal duties with respect to PHI, including the legal requirement to maintain the privacy of protected health information:
  - HRC is legally required by HIPAA and 42 CFR Part 2 to maintain the privacy and security of protected health information (PHI).
  - HRC must provide patients with a Notice of Privacy Practices and must comply with the terms outlined therein.
  - HRC is required to notify affected individuals following a breach of unsecured PHI, in accordance with the HIPAA Breach Notification Rule.
  - HRC must maintain policies and procedures to ensure ongoing compliance and conduct regular training and audits.
- Whom individuals can contact for further information about HRC's privacy policies:
  - Janene Brandolini is the designated Privacy Officer and Security Officer responsible for HIPAA and 42 CFR Part 2 compliance.
To file a complaint with HRC, contact:
Janene Brandolini
Privacy & Security Officer
Janene@heartfeltrecoverycenters.com
(603) 207-1633