HIPAA Policy


The Health Insurance Portability and Accountability Act (HIPAA) has created patient protections surrounding the use of protected health information. Commonly referred to as the “medical records privacy law”, HIPAA provides patient protections related to the electronic transmission of data (“the transaction rules”), the keeping and use of patient records (“privacy rules”), and storage and access to health care records (“the security rules”). HIPAA applies to all health care providers, including mental health care. Providers and health care agencies throughout the country are required to provide patients a notification of their privacy rights as it relates to their health care records. You may have already received similar notices such as this one from your other health care providers.

As you might expect, the HIPAA law and regulations are extremely detailed and difficult to grasp if you don’t have formal legal training. This Patient Notification of Privacy Rights is our attempt to inform you of your rights in a simple yet comprehensive fashion. Please read this document as it is important you know what patient protections HIPAA affords all of us. In mental health care, confidentiality and privacy are central to the success of the therapeutic relationship and as such, you will find we do all we can do to protect the privacy of your mental health records. If you have any questions about any of the matters discussed in this document, please do not hesitate to ask for further clarification.

By law, we are required to secure your signature indicating you have received this Patient Notification of Privacy Rights Document. Thank you for your thoughtful consideration of these matters.

Catholic Charities of Tennessee, Inc.

I,______________________________, understand and have been provided a copy of Catholic Charities of Tennessee, Inc.’s Patient Notification of Privacy Rights Document which provides a detailed description of the potential uses and disclosures of my protected health information as well as my rights on these matters. I understand I have the right to review this document before signing this acknowledgment form.

Patient Signature or Parent if Minor or Legal Charge Date

If Legal Charge, describe representative authority:________________



I. Preamble

Records are kept documenting your care as required by law, professional standards, and other review procedures. HIPAA clearly defines what kind of information is to be included in your “designated medical record” or “case record” as well as some material, known as “Psychotherapy Notes” which is not accessible to insurance companies and other third-party reviewers and in some cases, not to the patient himself/herself.

HIPAA provides privacy protections about your personal health information, which is called “protected health information (PHI)” which could personally identify you. PHI consists of three (3) components: treatment, payment, and health care operations.

Treatment refers to activities in which we provide, coordinate or manage your mental health care service or other services related to your health care. Examples include a counseling session or communication with your primary care physician about your medication or overall medical condition.

Payment is when Catholic Charities obtains reimbursement for your mental health care or other services related to your health care. We do not work with insurance companies. When payment is made by you to Catholic Charities, this takes place solely between Catholic Charities and you versus filing insurance on your behalf.

Health care operations are activities related to our performance such as quality assurance. In our agency, the best example of health care operations is when a supervisor reviews our work together to see if your care is appropriate and best meeting your needs.

The use of your protected health information refers to activities our agency conducts for scheduling appointments, keeping records, and other tasks related to your care. Disclosures refer to activities you authorize such as the sending of your protected health information to other parties (i.e., your primary care physician, the school your child attends).

II. Uses and Disclosures of Protected Health Information Requiring Authorization

Tennessee requires authorization and consent for treatment, payment and health care operations. HIPAA does nothing to change this requirement by law in Tennessee. Catholic Charities may disclose PHI for the purposes of treatment, payment and health care operations with your consent. You have signed this general consent to care and authorization to conduct payment and health care operations, authorizing Catholic Charities to provide treatment and to conduct the administrative steps associated with your care.

Additionally, if you ever want Catholic Charities to send any of your protected health information of any sort to anyone outside this office, you will always first sign a specific authorization to release information to this outside party. A copy of that authorization form is available upon request. The requirement of you signing an additional authorization form is an added protection to help insure your protected health information is kept strictly confidential. An example of this type of release of information might be your request for a counselor to talk to your child’s school teacher about his/her ADHD condition and what this teacher might do to be of help to your child. Before talking with that teacher, you will have first signed the proper authorization consenting for the counselor to have such communication.

There is a third, special authorization provision potentially relevant to the privacy of your records: a counselor’s psychotherapy notes. In recognition of the importance of the confidentiality of conversations between therapist-patient in treatment settings, HIPAA permits keeping “psychotherapy notes” separate from the overall “designated medical record”. “Psychotherapy notes” are the therapist’s notes “recorded in any medium by a mental health provider documenting and analyzing the contents of a conversation during a private, group, or joint family counseling session and that are separated from the rest of the individual’s medical record.” “Psychotherapy notes” are necessarily more private and contain much more personal information about you hence, the need for increased security of the notes. “psychotherapy notes” are not the same as your “progress notes” which provide the following information about your care each time you have an appointment: medication prescriptions and monitoring, assessment/treatment start and stop times, the modalities of care, frequency of treatment furnished, results of clinical tests, and any summary of your diagnosis, functional status, treatment plan, symptoms, prognosis and progress to date.

You may, in writing, revoke all authorizations to disclosure of protected health information at any time. You cannot revoke an authorization for an activity already done that you instructed your counselor to do.

III. Business Associates Disclosures

HIPAA requires that we train and monitor the conduct of those performing ancillary administrative services for our office and refers to these people as “Business Associates”. In our office, “business associates” include our secretaries who provide such services as typing and billing-all activities which bring them into some measure of contact with your protected health information. Our other “business associates” include student interns or certain volunteers who have signed a formal contract which very clearly spells out to them the importance of protecting your mental health information as an absolute condition for their placement at our agency. We train them in our privacy practices, monitor their compliance, and correct any errors, should they occur.

IV. Uses and Disclosures Not Requiring Consent nor Authorization

By law, protected health information may be released without your consent or authorization under the following conditions:
-Suspected or known child abuse or neglect
-Suspected or known sexual abuse of a child
-Adult and Domestic abuse
-Health oversight activities (i.e. licensing boards in Tennessee)
-Judicial or administrative proceedings (i.e. you are ordered here by the court)
-Serious threat to health or safety (i.e. our “Duty to Warn” Law, national security

V. Patient’s Rights and Our Duties

You have a right to the following:

-The right to request restrictions on certain uses and disclosures of your protected
health information which I may or may not agree to but if I do, such restrictions
shall apply unless our agreement is changed in writing
-The right to receive confidential communications by alternative means and at
alternative locations. For example, you may not want forms mailed to your home
address so we will send them to another location of your choosing
-The right to inspect and copy your protected health information in the designated
record and any billing records for as long as protected health
information is maintained in the record
-The right to insert an amendment in your protected health information, although the
therapist may deny an improper request and/or respond to any amendment(s) you
make to your record of care
-The right to an accounting of non-authorized disclosures of your protected health
-The right to a paper copy of notices/information from Catholic Charities, even if you
have previously requested electronic transmission of notices/information
-The right to revoke your authorization of your protected health information except to
the extent that action has already been taken
For more information on how to exercise each of these aforementioned rights, please do not hesitate to ask your therapist/staff member for further assistance on these matters. Catholic Charities is required by law to maintain the privacy of your protected health information and to provide you with a notice of your Privacy Rights and our duties regarding your PHI. Catholic Charities reserve the right to change our privacy policies and practices as needed with these current designated practices being applicable unless you receive a revision of these policies when you come for future appointment(s). Our duties on these matters include maintaining the privacy of your protected health information, to provide you with this notice of your rights and our privacy practices with respect to your PHI, and to abide by the terms of this notice unless it is changed and you are so notified. If for some reason, you desire a copy of these internal policies for executing privacy practices, please let your therapist know and you will get a copy of these documents kept on file for auditing purposes.

VI. Complaints

The Executive Director of Catholic Charities is the appointed “Privacy Officer” for our agency per HIPAA regulations. If you have any concerns of any sort that your privacy rights may have been somehow compromised, please do not hesitate to speak to the appointed privacy officer immediately about this matter. You may also send a written complaint to the Secretary of the U.S. Department of Health and Human Services.

VII. This notice shall go into effect September 1, 2004 and remain so unless new notice provisions effective for all protected health information are enacted accordingly.