Federal Privacy Standard

Your Rights under the Federal Privacy Standard

Although your records are the physical property of the CDDO, you have the following rights with regard to the information contained therein:

Request restriction on uses and disclosures of your information for service, payment, and health care operations.

The right to request restriction does not extend to uses or disclosures permitted or required under the following sections of the federal privacy regulations: § 164.502(a)(2)(i) (disclosures to you), § 164.510(a) (for facility directories, but note that you have the right to object to such uses), or § 164.512 (uses and disclosures not requiring a consent or an authorization). The latter uses and disclosures include, for example, those required by law, such as mandatory communicable disease reporting. In those cases, you do not have a right to request restriction. The consent to use and disclose your individually identifiable information provides the ability to request restriction. We do not, however, have to agree to the restriction, except in the situation explained below. If we do, we will adhere to it unless you request otherwise or we give you advance notice. You may also ask us to communicate with you by alternate means, and if the method of communication is reasonable, we must grant the alternate communication request.

Obtain a copy of this notice of information practices.

Although this is in the CDDO handbook, you have a right to a hard copy upon request.

Inspect and copy your information upon request.

Again, this right is not absolute. In certain situations, such as if access would cause harm, we can deny access. You do not have a right of access to the following:

  • Psychotherapy notes. Such notes consist of those notes that are recorded in any medium by a health care provider who is a mental health professional documenting or analyzing a conversation during a private, group, joint, or family counseling session and that are separated from the rest of your medical record.
  • Information compiled in reasonable anticipation of or for use in civil, criminal, or administrative actions or proceedings.
  • Protected health information (“PHI”) that is subject to the Clinical Laboratory Improvement Amendments of 1988 (“CLIA”), 42 U.S.C. § 263a, to the extent that giving you access would be prohibited by law.
  • Information that was obtained from someone other than a health care provider under a promise of confidentiality and the requested access would be reasonably likely to reveal the source of the information.
  • Information that is copyright protected, such as certain raw data obtained from testing.
    • In other situations, we may deny you access, but if we do, we must provide you a review of our decision denying access. These “reviewable” grounds for denial include the following:
  • A licensed health care professional, such as your attending physician, has determined, in the exercise of professional judgment, that the access is reasonably likely to endanger the life or physical safety of yourself or another person.
  • PHI makes reference to another person (other than a health care provider) and a licensed health care provider has determined, in the exercise of professional judgment, that the access is reasonably likely to cause substantial harm to such other person.
  • The request is made by your personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that giving access to such personal representative is reasonably likely to cause substantial harm to you or another person.
    • For these reviewable grounds, another licensed professional must review the decision of the provider denying access within 60 days. If we deny you access, we will explain why and what your rights are, including how to seek review. If we grant access, we will tell you what, if anything, you have to do to get access. We reserve the right to charge a reasonable, cost-based fee for making copies.

Request amendment/correction of your information.

We do not have to grant the request if the following conditions exist:

  • We did not create the record. If, as in the case of a consultation report from another provider, we did not create the record, we cannot know whether it is accurate or not. Thus, in such cases, you must seek amendment/correction from the party creating the record. If the party amends or corrects the record, we will put the corrected record into our records.
  • The records are not available to you as discussed immediately above.
  • The record is accurate and complete.
    • If we deny your request for amendment/correction, we will notify you why it was denied, how you can attach a statement of disagreement to your records (which we may rebut), and how you can complain. If we grant the request, we will make the correction and distribute the correction to those who need it and those whom you identify to us that you want to receive the corrected information.

Obtain an accounting of non-routine uses and disclosures, those other than for intake, eligibility, assessment and quality assurance until a date that the federal Department of Health and Human Services will set after January 1, 2011.

After that date, we will have to provide an accounting to you upon request for uses and disclosures for service, payment, and health care operations under certain circumstances, primarily if we maintain an electronic health record. We do not need to provide an accounting for the following disclosures:

  • Protected health information (“PHI”) to you.
  • For the organization directory or to persons involved in your support or for other notification purposes as provided in § 164.510 of the federal privacy regulations (uses and disclosures requiring an opportunity for the individual to agree or to object, including notification to family members, personal representatives, or other persons responsible for your support of your location, general condition, or death).
  • For national security or intelligence purposes under § 164.512(k)(2) of the federal privacy regulations (disclosures not requiring consent, authorization, or an opportunity to object).
  • To correctional institutions or law enforcement officials under § 164.512(k)(5) of the federal privacy regulations (disclosures not requiring consent, authorization, or an opportunity to object).
  • That occurred before April 14, 2003.
  • We must provide the accounting within 60 days. The accounting must include the following information:
  • Date of each disclosure.
  • Name and address of the organization or person who received the protected health information.
  • Brief description of the information disclosed.
  • Brief statement of the purpose of the disclosure that reasonably informs you of the basis for the disclosure or, in lieu of such statement, a copy of your written authorization or a copy of the written request for disclosure.
    • The first accounting in any 12-month period is free. Thereafter, we reserve the right to charge a reasonable, cost-based fee.
  • Revoke your consent or authorization to use or disclose information except to the extent that we have taken action in reliance on the consent or authorization.

Our Responsibilities under the Federal Privacy Standard

In addition to providing you your rights, as detailed above, the federal privacy standard requires us to take the following measures:

  • Maintain the privacy of your information, including implementing reasonable and appropriate physical, administrative, and technical safeguards to protect the information.
  • Provide you this notice as to our legal duties and privacy practices with respect to individually identifiable health information that we collect and maintain about you.
  • Abide by the terms of this notice.
  • Train our personnel concerning privacy and confidentiality.
  • Implement a sanction policy to discipline those who breach privacy/confidentiality or our policies with regard thereto.
  • Mitigate (lessen the harm of) any breach of privacy/confidentiality.

Disclose or your information

We will not use or disclose your information without your consent or authorization, except as described in this notice or otherwise required by law. These include most uses or disclosures of psychotherapy notes, marketing communications, and sales of protected health information. Other uses and disclosures not described in this notice will be made only with your written authorization.

Examples of Disclosures for Service, Payment and Health Care Operations

Quality Assurance

Members of the CDDO quality assurance team may use information in your record to assess your supports and the competence of the providers. We will use this information in an effort to continually improve the quality and effectiveness of the services that we provide. Note that some health information, such as substance abuse treatment information, may not be used or disclosed without your consent.

Business associates

We provide some services through contracts with business associates. Examples include database developments, shredding of confidential documents and the like. When we use these services, we may disclose your information to the business associates so that they can perform the function(s) that we have contracted with them to do and bill you or your third-party payer for services provided. To protect your health information, however, we require the business associates to appropriately safeguard your information. After February 17, 2010, business associates must comply with the same federal security and privacy rules as we do.


We may use or disclose information to notify or assist in notifying a family member, a personal representative, or another person responsible for your care, location, and general condition.

Communication with family

Unless you object, we, as service professionals, using our best judgment, may disclose to a family member, another relative, a close personal friend, or any other person that you identify information relevant to that person’s involvement in your support or payment related to your support.


We may disclose information to researchers when their research has been approved by an institutional review board that has reviewed the research proposal and established protocols to ensure the privacy of your information.

Funeral directors

We may disclose health information to funeral directors consistent with applicable law to enable them to carry out their duties.

Food and Drug Administration (“FDA”).

We may disclose to the FDA health information relative to adverse effects/events with respect to food, drugs, supplements, product or product defects, or post marketing surveillance information to enable product recalls, repairs, or replacement.

Workers compensation

We may disclose health information to the extent authorized by and to the extent necessary to comply with laws relating to workers compensation or other similar programs established by law.

Public health

As required by law, we may disclose your health information to public health or legal authorities charged with preventing or controlling disease, injury, or disability.

Correctional institution

If you are an inmate of a correctional institution, we may disclose to the institution or agents thereof health information necessary for your health and the health and safety of other individuals.

Law enforcement

We may disclose information for law enforcement purposes as required by law or in response to a valid subpoena.

Health oversight agencies and public health authorities

If members of our work force or business associates believe in good faith that we have engaged in unlawful conduct or otherwise violated professional or clinical standards and are potentially endangering one or more clients, employees, or the public, they may disclose your health information to health oversight agencies and/or public health authorities, such as the Department of Health.

The federal Department of Health and Human Services (“DHHS”)

Under the privacy standards, we must disclose your health information to DHHS as necessary to determine our compliance with those standards.

We reserve the right to change our practices and to make the new provision effective for all individually identifiable information that we maintain. If we change our information practices, we will mail a revised notice to the address you have provided