HIPAA Notice of Privacy Practices

HIPAA requires posting this notice on my website regarding my legal duties and privacy practices, as described in the notice.  


THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.  PLEASE REVIEW IT CAREFULLY.

MY COMMITMENT TO YOUR PRIVACY

As a psychologist and owner of Within RANGE Counseling and Consultation Services (WRCACS), PLLC, I, Dr. Melissa Jenkins-Fernández, am ethically and legally bound to uphold client confidentiality and ensure the privacy and safeguarding of protected health information (PHI) entrusted to me. Every time you visit a health care provider, hospital, or clinic, PHI is collected about you and your physical and/or behavioral health. It may be information about your past, present, or future health, medical conditions, tests, and/or treatments you received from providers, demographic information, and other basic information pertaining to your treatment or about payment for health care.

The federal law called the Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides you protection related to the electronic transmission of your PHI (“transaction rules”), the use and disclosure of your PHI (“privacy rules”), and the storage and access of your PHI (“security rules”), which I must follow. Additionally, I am also the designated Privacy & Security Officer of my practice ensuring HIPAA compliance as it relates to my policies and practices involved in your behavioral health care.  HIPAA requires my office to give you this notice about my legal duties and privacy practices described in the notice (45 C.F.R. § 164.520).

In order to administer my services effectively, I will collect, use and disclose your PHI for treatment, payment for health care services, and for health care operations. If I use your PHI for other purposes, I must tell you about them and ask you to sign a written authorization form. HIPAA law also says that there are some uses and disclosures that do not need your consent or authorization. Please note that I can change the terms of this Notice, and such changes will apply to all information I have about you. The new Notice will be available in my office, on the client portal, and on my website. After you have read this notice, you will be asked to sign a separate authorization form to allow me to share your PHI.

USE AND DISCLOSURE WITH YOUR CONSENT

  • Treatment: I use and disclose your PHI to provide and coordinate your health care and any related services. I may also share your PHI with other past, present, or future health care providers. These providers may include your primary care physician, psychiatrist, treatment team, or other health care professional. For example, I may discuss your diagnosis with your primary care doctor who may prescribe medication to help with your health issue (with a signed HIPAA compliant authorization form from you).

  • Payment for Health Care Services: I use SimplePractice’s HIPAA-compliant electronic health record (EHR) and client portal with integrated “Stripe” PCI compliant secure credit card processor to bill and receive payment from you for services provided. I may use and disclose PHI to obtain payment from you and provide you with a WRCACS, PLLC “superbill” (i.e., payment receipt, CPT Code, session date and time, and diagnosis if required) for you to submit to your insurance company directly if you choose to seek reimbursement. My practice is private pay only and I do not contract with any insurance companies or managed care.

  • Other Permitted Uses and Disclosures: If you have elected to receive SimplePractice appointment reminders, I may use and disclose your PHI to contact you with reminders, generated from the client portal, that you have an appointment with me. Please note, these are only reminders and I can’t respond directly to these reminders.

The ethics code of the American Psychological Association (APA), Pennsylvania State law and the Federal HIPAA regulations protect the privacy of all communications between a client and a mental health professional. In most situations, I can only release information about your treatment to others if you sign a written authorization. This authorization will remain in effect for a specified length of time you and I determine. You may revoke the authorization at any time unless I have taken action in reliance on it. However, be advised that there are some disclosures of PHI that do not require your consent or authorization.

USE AND DISCLOSURE WITHOUT YOUR CONSENT AND AUTHORIZATION

When permitted by HIPAA (45 CFR § 164.512) and in accordance with Pennsylvania state law when the use or disclosure complies with and is limited to the relevant requirements of such law, I may use and/or disclose your PHI without your consent or authorization:

  • For Health Care Operations:  I may use and disclose some PHI in order to support quality improvement and other business activities of my organization.  These uses and disclosures are necessary for my operations to ensure the quality of care and see where I can make improvements in the care and services provided.

  • Business Associates: I hire other businesses, called “business associates,” to do work for me, and they need some of your PHI to do their job properly. To protect your privacy, they have agreed in their contract with me to safeguard your PHI, evidenced by signing a Business Associates Agreement (BAA), and to comply with HIPAA Privacy standards.

  • Abuse or Neglect: If I have reason to suspect that a child is or has been abused, or if anyone tells me of any identifiable child who is currently being abused even when I do not see the child in my professional capacity, or if anyone over the age of 14 tells me that he/she committed child abuse, even if the victim is no longer in danger, I am mandated to report to a government authority that is authorized by law to receive reports of suspected child abuse (including taking, viewing, sharing child sexual abuse material), exploitation, neglect, or abandonment. If I have reasonable cause to believe that an older adult or vulnerable adult is in need of protective services (regarding abuse, neglect, exploitation, or abandonment), I am mandated to report to the local agency which provides protective services for adult and domestic abuse.

  • To Avert Serious Threat to Health and Safety: Consistent with applicable federal and state laws, PHI may be disclosed if I believe that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person (i.e., this includes you) or the public (i.e., this also includes impaired driving). Reasonable measures may include directly advising the potential victim, contacting the police, or initiating proceedings for hospitalization.

  • Others Involved In Your Health Care: PHI may be disclosed to a friend, family member, or responsible party (e.g., power of attorney) that you have identified as being involved in your health care in an emergency or to an entity in a disaster relief effort for notification. If, in an emergency, you are not present/able to agree to disclosure of your PHI to the aforementioned individuals/agencies, I will try to get your retroactive consent.

  • U.S. Armed Service Members: PHI may be disclosed only as required by DoDI 6490.08 to military command authorities published by notice in the Federal Register and only for the purposes for which the PHI may be used and disclosed. This disclosure (i.e., risk of harm to self, others including child and domestic abuse, or the mission) is discussed at the outset with a military client during the intake process and limitations to confidentiality.

  • Judicial or Administrative Proceeding: PHI may be disclosed in response to an order of a court, administrative tribunal and only as required by law. If you are involved in a court proceeding and a request is made about the professional services I have provided you or the records thereof, such information is privileged under state law, and I will not release the information without your written consent or a court order. The privilege does not, however, apply when the evaluation is mandated by a third party or court ordered. You will be informed in advance if this is the case. 

  • Client Complaint: PHI may be disclosed if a complaint is filed against me in order to defend myself.

  • Law Enforcement Activities: PHI may be disclosed regarding mental health services to law enforcement agencies or officials pursuant to a court order or in special circumstances required by law. For example, I may disclose some PHI to report a death or criminal conduct on my premises.

  • Specialized Government Functions: PHI may be disclosed under court order to authorized federal officials.

  • U.S. Department of Health and Human Services (HHS): PHI may be disclosed to demonstrate HIPAA compliance.

  • Workers’ Compensation: PHI may be disclosed to comply with workers’ compensation laws.

  • Debt Collection for Defaulted Payment: I will notify you before disclosure of some of your PHI to a collection agency with BAA if you are more than 30 days delinquent on payment, as stated on my Informed Consent.

  • Decedent: PHI may be disclosed under a court order to a coroner.

YOUR RIGHTS REGARDING YOUR HEALTH INFORMATION

Right to Inspect and Copy: I use SimplePractice, a HIPAA-compliant electronic health record system. Except in certain specific circumstances, you have the right to examine and/or get an electronic or a paper copy of your behavioral health PHI in a designated clinical record set, which contains psychological, medical, and billing records, as well as records of decisions made about your health care for as long as the PHI is maintained in my record. I do not write and therefore do not keep additional “Psychotherapy Notes,” as defined by HIPAA. In addition, you have a right to designate a third party, such as a physician, who may receive your PHI in a designated record set either in paper or electronic format. A request must be in writing to obtain your clinical record, or if you agree to a summary of it with associated summary fee, within 30 days of receiving your written request. I may charge a reasonable, cost-based fee for doing so for a paper copy and for mailing. Any actual test forms used in psychological testing are not authorized for release. I may deny your request to inspect and copy your PHI in certain specific circumstances (e.g., danger to yourself or others). If you are denied, you have the right to a review. A licensed professional health care provider, chosen by me, will review your request and the denial. Under certain circumstances, my denial will not be reviewable. If this event occurs, I will inform you that my denial is not reviewable and the next step in the process.

Right to Amend Your PHI: If you believe that the information in your records is incorrect or missing something important, you can ask me to make additions, but not deletions, to your records to correct the situation. You must make this request in writing, state the reason you want to make a change, and send it to me, the Privacy & Security Officer.

Right to Choose Someone to Act for You: If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information. I will make sure the person has this authority and can act for you before I take any action.

Right to Request Restrictions: You have the right to request a restriction in writing on the PHI I use or disclose about you for treatment, payment, or other health care operations. I am not required to agree with these restrictions, but if I do, I will abide by our agreement unless the PHI is needed to provide emergency treatment to you. You have the right to restrict certain disclosures of PHI to an insurance company or for health care operations purposes if the PHI pertains solely to a health care item or a health care service that you have paid for out-of-pocket in full.

Right To Request Confidential Communications: You have the right to request that I communicate with you about your health and related issues in a particular way or at a certain place that is more private for you.  For example, you may ask that I contact you only at your home phone number, but not your cell phone number.  You must make your request in writing and give alternative ways of communication of your PHI.  
       
Right To File A Complaint: If you are concerned that I have violated your privacy rights, or disagree with a decision I made about access to your record, please contact me, the WRCACS Privacy & Security Officer, to discuss your concerns. You have the right to file a formal complaint to HHS if you believe that your privacy rights have been violated. You can file a complaint with the Secretary of the U.S. Department of Health and Human Services. All complaints must be in writing. Anti-Retaliation: Filing a complaint will not change the health care I provide to you in any way.

Right to Get a List of the Disclosures: You have the right to request a list of instances in which I have disclosed your PHI for purposes other than treatment, payment, or health care operations, or for which you provided me with an Authorization. I will respond to your request for an accounting of disclosures within 60 days of receiving your request. The list I will give you will include disclosures made in the last six years unless you request a shorter time. I will provide the list to you at no charge, but if you make more than one request in the same year, I will charge a reasonable cost-based fee for each additional request.            

Right to Be Notified if There is a Breach of Your PHI: You have the right to be notified if there is a breach (a use or disclosure of your PHI in violation of the HIPAA Privacy Rule) involving your PHI; if your PHI has not been encrypted to government standards or if my risk assessment shows there is a probability that your PHI has been compromised. In addition, HHS will also be notified of this breach.

Right To A Copy Of This Notice: You have a right to a copy of this notice.  I have the right to change the terms of this notice.  If I change this privacy notice, I will post the new privacy notice on my website and inform you.

HOW I PROTECT INFORMATION

The HIPAA Privacy Rule protects the privacy of individually identifiable health information, called protected health information (PHI), and the Security Rule protects all identifiable health information a Covered Entity (CE) creates, receives, maintains or transmits in electronic form, called “electronic protected health information” (e-PHI). The HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) specifies that I must use a series of “administrative, technical, and physical security procedures” to “assure the confidentiality, integrity, and availability of e-PHI.” As both the Privacy & Security Officer of Within RANGE Counseling & Consultation Services (WRCACS), PLLC, I apply best practices of risk analysis and management that consider client needs of security. As such, I take HIPAA trainings and continuing education to stay current on evolving technology and risks of ePHI and conduct risk analysis with risk management to ensure appropriate administrative, technical and physical safeguards that comply with state and federal regulations to guard ePHI from unauthorized access, use and disclosure. Additionally, WRCACS, PLLC will never sell clients’ PHI or share clients’ PHI for marketing purposes. If clients are contacted for a WRCACS fundraising event, they can decline notification and will not be contacted again.

Administrative Safeguards: I restrict access to my client’s PHI because I am a sole practitioner in WRCACS, PLLC. I use SimplePractice, a HIPAA compliant electronic health record (EHR) system with integrated client portal, telehealth, and Stripe payment processing with a signed Business Associate Agreement (BAA).

Technical Safeguards: I utilize a private computer with an encrypted hard drive only for my business that is not shared, I utilize protective and authentication measures, and I do not dictate or type notes in any unsecure means of recording ePHI. I use a firewall and antivirus software with regular updates, and encrypted communication messaging through SimplePractice Portal with a Business Associate Agreement (BAA). I use the Hushmail web contact form and email for informational purposes; these are also HIPAA compliant and encrypted with a BAA. Payments are made through SimplePractice Stripe credit processing. My website is hosted by SquareSpace with SSL and HSTS.

Physical Safeguards: I protect ePHI data by keeping my device in a secure location when not in use with restrictive access to anyone other than me.

For questions about this Privacy Notice and/or if I change our Privacy Notice policies you can request a copy from WRCACS, PLLC Privacy & Security Officer, Dr. Jenkins-Fernández, via client portal.  Learn more about HIPAA at https://www.hhs.gov/hipaa/for-individuals/index.html

The effective date of this notice is October 28, 2020.
