Last updated: June 22, 2022
Essentials Recovery (“us”, “we”, or “our”) operates the Essentials Recovery website (the “Service”).
This page informs you of our policies regarding the collection, use and disclosure of Personal Information when you use our Service.
The HIPAA Privacy Rule gives individuals a fundamental new right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information. Health plans and covered health care providers are required to develop and distribute a notice that provides a clear explanation of these rights and practices. The notice is intended to focus individuals on privacy issues and concerns, and to prompt them to have discussions with their health plans and health care providers and exercise their rights.
How the Rule Works
General Rule. The Privacy Rule provides that an individual has a right to adequate notice of how a covered entity may use and disclose protected health information about the individual, as well as his or her rights and the covered entity’s obligations with respect to that information. Most covered entities must develop and provide individuals with this notice of their privacy practices. The Privacy Rule does not require the following covered entities to develop a notice:
- Health care clearinghouses, if the only protected health information they create or receive is as a business associate of another covered entity. See 45 CFR 164.500(b)(1).
- A correctional institution that is a covered entity (e.g., that has a covered health care provider component).
- A group health plan that provides benefits only through one or more contracts of insurance with health insurance issuers or HMOs, and that does not create or receive protected health information other than summary health information or enrollment or disenrollment information. See 45 CFR 164.520(a).
Content of the Notice. Covered entities are required to provide a notice in plain language that describes:
- How the covered entity may use and disclose protected health information about an individual.
- The individual’s rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the covered entity.
- The covered entity’s legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of protected health information.
- Whom individuals can contact for further information about the covered entity’s privacy policies.
The notice must include an effective date. See 45 CFR 164.520(b) for the specific requirements for developing the content of the notice. A covered entity is required to promptly revise and distribute its notice whenever it makes material changes to any of its privacy practices. See 45 CFR 164.520(b)(3), 164.520(c)(1)(i)(C) for health plans, and 164.520(c)(2)(iv) for covered health care providers with direct treatment relationships with individuals.
Providing the Notice.
- A covered entity must make its notice available to any person who asks for it.
- A covered entity must prominently post and make available its notice on any web site it maintains that provides information about its customer services or benefits.
- Health Plans must also:
Provide the notice to individuals then covered by the plan no later than April 14, 2003 (April 14, 2004, for small health plans) and to new enrollees at the time of enrollment.
Provide a revised notice to individuals then covered by the plan within 60 days of a material revision.
Notify individuals then covered by the plan of the availability of and how to obtain the notice at least once every three years.
- Covered Direct Treatment Providers must also:
Provide the notice to the individual no later than the date of first service delivery (after the April 14, 2003 compliance date of the Privacy Rule) and, except in an emergency treatment situation, make a good faith effort to obtain the individual’s written acknowledgment of receipt of the notice. If an acknowledgment cannot be obtained, the provider must document his or her efforts to obtain the acknowledgment and the reason why it was not obtained.
When first service delivery to an individual is provided over the Internet, through e-mail, or otherwise electronically, the provider must send an electronic notice automatically and contemporaneously in response to the individual’s first request for service. The provider must make a good faith effort to obtain a return receipt or other transmission from the individual in response to receiving the notice.
In an emergency treatment situation, provide the notice as soon as it is reasonably practicable to do so after the emergency situation has ended. In these situations, providers are not required to make a good faith effort to obtain a written acknowledgment from individuals.
Make the latest notice (i.e., the one that reflects any changes in privacy policies) available at the provider’s office or facility for individuals to request to take with them, and post it in a clear and prominent location at the facility.
- A covered entity may e-mail the notice to an individual if the individual agrees to receive an electronic notice. See 45 CFR 164.520(c) for the specific requirements for providing the notice.
- Any covered entity, including a hybrid entity or an affiliated covered entity, may choose to develop more than one notice, such as when an entity performs different types of covered functions (i.e., the functions that make it a health plan, a health care provider, or a health care clearinghouse) and there are variations in its privacy practices among these covered functions. Covered entities are encouraged to provide individuals with the most specific notice possible.
- Covered entities that participate in an organized health care arrangement may choose to produce a single, joint notice if certain requirements are met. For example, the joint notice must describe the covered entities and the service delivery sites to which it applies. If any one of the participating covered entities provides the joint notice to an individual, the notice distribution requirement with respect to that individual is met for all of the covered entities. See 45 CFR 164.520(d).
Information Collection And Use
While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information (“Personal Information”) may include, but is not limited to:
- Email address
- Telephone number
We collect information that your browser sends whenever you visit our Service (“Log Data”). This Log Data may include information such as your computer’s Internet Protocol (“IP”) address, browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages and other statistics.
Cookies are files with small amount of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a web site and stored on your computer’s hard drive.
We use “cookies” to collect information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.
We may employ third party companies and individuals to facilitate our Service, to provide the Service on our behalf, to perform Service-related services or to assist us in analyzing how our Service is used.
These third parties have access to your Personal Information only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.
The security of your Personal Information is important to us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security.
Links To Other Sites
We have no control over, and assume no responsibility for the content, privacy policies or practices of any third party sites or services.
Our Service does not address anyone under the age of 18 (“Children”).
We do not knowingly collect personally identifiable information from children under 18. If you are a parent or guardian and you are aware that your child has provided us with Personal Information, please contact us. If we discover that a child under 18 has provided us with Personal Information, we will delete such information from our servers immediately.
Compliance With Laws
We will disclose your Personal Information where required to do so by law or subpoena.
PROTECTED HEALTH INFORMATION POLICY
THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GAIN ACCESS TO THIS INFORMATION. PLEASE REVIEW THE FOLLOWING CAREFULLY.
If you have any questions regarding, please contact Essentials Recovery, 1607 NW Federal Hwy, Stuart, FL 34994; by phone at: 772-252-6524; or by email at [email protected]entialsrecovery.com
Client Health Information As per 45 CFR 164.520, this Notice of Privacy Practices (the Notice) describes how medical information about clients may be used or disclosed and how clients can access this information. Clients personal health record contains private and confidential information about you and your health. Both State and Federal laws protect the confidentiality of this information. Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes any individually identifiable health information. PHI relates to clients past, present or future physical or mental health or condition and any related health care services.
How We May Use and Disclose Health Information About Clients
Below are examples of the uses and disclosures that we may make of client Protected Health Information (PHI). These examples are not exhaustive but simply describe the uses and disclosures that may be made.
Uses and Disclosures of PHI for Treatment, Payment and Health Care Operations
Treatment – Client PHI may be used and disclosed by client’s physicians, counselors, our program staff and others outside of our program that are involved in clients care for the purpose of providing, coordinating or managing clients health care treatment and any related services. Example: Clients care while with us may require coordination or management from a third party, consultation with other health care providers, or referral to another provider for health care treatment. Additionally, we may disclose clients protected health information to another physician or health care provider who becomes involved in clients care.
Payment – With client authorization, we may use and disclose PHI about clients so that we can receive payment for the treatment and services provided to clients from client insurance or other payor sources. Example: We give information about clients to client health insurance, so it will pay for client services.
Healthcare Operations – We may use and share client health info to run our business, improve client care, and contact clients when necessary. This may include quality assessment activities, employee review activities, licensing, and conducting other business activities. Examples: using a sign-in sheet where clients will be asked to sign your name and indicate your physician, counselor or staff. We may share client PHI with third parties that perform various business activities for us, such as a billing company. Also, we may contact clients by phone to remind clients of appointments or to provide clients with additional information regarding your treatment or other health-related benefits.
Special Rules Regarding Disclosure of Behavioral Health, Substance Abuse, and HIV- Related Information: For disclosures concerning protected health information relating to care for psychiatric conditions, substance abuse or HIV-related testing and treatment, special restrictions may apply.
- HIV-Related Information: We may disclose HIV-related information as permitted or required by State law. For example, clients HIV-related information, if any, may be disclosed without clients authorization for treatment purposes, certain health oversight activities, pursuant to a court order, or in the event of certain exposures to HIV by personnel of the company, another person, or a known partner (if certain conditions are met).
- Minors: We will comply with State law when using or disclosing protected health information of minors. For example, if clients are an un-emancipated minor consenting to a health care service related to HIV/AIDS, venereal disease, abortion, outpatient mental health treatment or alcohol/drug dependence, and clients have not requested that another person be treated as a personal representative, clients may have the authority to consent to the use and disclosure of client health information.
Other Uses and Disclosures That Do Not Require Clients Authorization
Required by Law
We may use or disclose client PHI to the extent that the use or disclosure is required by law, made in compliance with the law, and limited to the relevant requirements of the law. Clients will be notified, as required by law, of any such uses or disclosures. Under the law, we must make disclosures of your PHI to clients upon your request. In addition, we must make disclosures to the Secretary of the Department of Health and Human Services for the purpose of investigating or determining our compliance with the requirements of the Privacy Rule.
We may disclose PHI to a health oversight agency for activities authorized by law, such as audits, investigations, and inspections. Oversight agencies seeking this information include government agencies and organizations that provide financial assistance to the program (such as third-party payors) and peer review organizations performing utilization and quality control. If we disclose PHI to a health oversight agency, we will have an agreement in place that requires the agency to safeguard the privacy of client information.
We may use or disclose client PHI for public health activities to a public health authority authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, or if directed by a public health authority, to a government agency that is collaborating with that public health authority. In certain circumstances outlined in the Privacy Regulations, we may disclose client PHI to a person who is subject to the jurisdiction of the Food and Drug Administration with respect to the reporting of certain occurrences involving food, drugs, or other products distributed by such person. In certain limited circumstances, we may also disclose client PHI to a person that may have been exposed to a communicable disease or may otherwise be at risk of spreading or contracting such disease, if such disclosure is authorized by law. For example, we may disclose PHI regarding the fact that clients have contracted a certain communicable disease to a public health authority authorized by law to collect or receive such information.
We may use or disclose client protected health information in a medical emergency situation to medical personnel only. Our staff will try to provide clients a copy of this notice as soon as reasonably practicable after the resolution of the emergency. Child Abuse or Neglect. We may disclose client PHI to a state or local agency that is authorized by law to receive reports of child abuse or neglect. However, the information we disclose is limited to only that information which is necessary to make the initial mandated report.
We may disclose PHI regarding deceased patients for the purpose of determining the cause of death, in connection with laws requiring the collection of death or other vital statistics or permitting inquiry into the cause of death.
We may disclose PHI to researchers if:
(a) an Institutional Review Board reviews and approves the research and a waiver to the authorization requirement;
(b) the researchers establish protocols to ensure the privacy of client PHI;
(c) the researchers agree to maintain the security of client PHI in accordance with applicable laws and regulations; and
(d) the researchers agree not to re-disclose client protected health information except back to the company.
Criminal Activity on Program Premises/Against Program Personnel
We may disclose client PHI to law enforcement officials if clients have committed a crime on program premises or against program personnel or its agents. Court Order. We may disclose client PHI if a court of competent jurisdiction issues an appropriate court order and the disclosure of PHI is explicitly permitted under Federal and State law.
Limited PHI may be disclosed for the purpose of coordinating services among government programs that provide mental health services where those programs have entered into an interagency agreement.
If clients are in a mental health treatment program only, we may disclose PHI to avert a serious threat to health or safety, such as physical or mental injury being inflicted on clients or someone else.
Specialized Government Functions
If clients are or have been a member of the U.S. Armed Forces, we may disclose client PHI as required by military command authorities. We may disclose client PHI to authorized federal officials for national security and intelligence reasons and to the Department of State for medical suitability determinations.
Family and Friends
We may disclose health information about clients to your family members or friends if we obtain clients verbal agreement to do so or if we give clients an opportunity to object to such a disclosure and clients do not raise an objection. We may also disclose health information to client’s family or friends if we can infer from the circumstances, based on our professional judgment that clients would not object. For example, we may assume clients agree to our disclosure of client personal health information to client’s spouse when clients bring their spouse into treatment center or while treatment is discussed. In situations where clients are not capable of giving consent (because clients are not present or due to client incapacity or medical emergency), we may, using our professional judgment, determine that a disclosure to client’s family member or friend is in the clients best interest. In that situation, we will disclose only health information relevant to the person’s involvement in your care.
Uses and Disclosures of PHI That Require Client Written Authorization
Other uses and disclosures of client PHI will be made only with client written authorization. Clients may revoke this authorization at any time, unless the program or its staff has taken an action in reliance on the authorization of the use or disclosure clients permitted. If clients revoke it, we will no longer use or disclose protected health information about clients for the reasons covered by clients written authorization, unless required to do so by law. Clients should understand that we are unable to take back any disclosures we have already made with client authorization and that we are required to retain our records of the treatment and care that we have provided to clients.
Client Rights Regarding Client Protected Health Information
Clients rights with respect to client protected health information are explained below. Any requests with respect to these rights must be in writing and made to the attention of the Privacy Officer. A brief description of how clients may exercise these rights is included:
Clients have the right to inspect and copy client PHI – Clients may inspect and obtain a copy of client PHI that is contained in a designated record set for as long as we maintain the record. A “designated record set” contains medical and billing records and any other records that the program uses for making decisions about clients. Client request must be in writing. We may charge clients a reasonable cost-based fee for the copies. We can deny clients access to client PHI in certain circumstances. In some of those cases, clients will have a right to appeal the denial of access.
Clients may have the right to amend client PHI – Clients may request, in writing, that we amend client PHI that has been included in a designated record set. In certain cases, we may deny clients request for an amendment. If we deny clients request for amendment, clients have the right to file a statement of disagreement with us. We may prepare a rebuttal to client’s statement and will provide clients with a copy of it.
Clients have the right to receive an accounting of some types of PHI disclosures. Clients may request an accounting of disclosures for a period of up to six years, excluding disclosures made to clients, made for treatment purposes or made as a result of client authorization. We may charge clients a reasonable fee if clients request more than one accounting in any 12-month period.
Clients have a right to receive a paper copy of this notice. Clients have the right to obtain a copy of this notice from us whether by paper or via email.
Clients have the right to request added restrictions on disclosures and uses of client PHI – Clients have the right to ask us not to use or disclose any part of client PHI for treatment, payment or health care operations or to family members involved in client care. Client request for restrictions must be in writing and we are not required to agree to such restrictions.
Clients have a right to request confidential communications. Clients have the right to request to receive confidential communications from us by alternative means or at an alternative location. We will accommodate reasonable, written requests. We may also condition this accommodation by asking clients for information regarding how payment will be handled or specification of an alternative address or other method of contact. We will not ask clients why clients are making the request.
Clients have a right to receive notification of unauthorized disclosure of client PHI (Breach Notification). We are required to notify clients upon a breach of any unsecured PHI. The notice must be made without unreasonable delay, but no later than 60 days from when we discover the breach.