
NOTICE OF PRIVACY PRACTICES
THIS NOTICE OF PRIVACY PRACTICES DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GAIN ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
The effective date of this notice is September 2019.
A. Introduction—To Clients of The Women’s Center
The Women’s Center (the “Center”) is committed to protecting your privacy and understands the importance of safeguarding your medical information. We are required by federal law to maintain the privacy of health information that identifies you or that could be used to identify you (known as “protected health information” or “PHI”). We also are required to provide you with this Notice of Privacy Practices (“Notice”), which explains our legal duties and privacy practices, as well as your rights, with respect to PHI that we collect and maintain.
We are required by federal law to abide by the terms of this Notice currently in effect. However, we reserve the right to change the privacy practices described in this Notice and make the new practices effective for all PHI that we maintain. Should we make such a change, you may obtain a revised Notice by calling our office and requesting a revised copy be sent in the mail, or accessing our website at www.thewomenscenter.org. This Notice will tell you about how The Center handles your PHI. It tells how The Center uses PHI in our offices, how The Center shares it with other professionals and organizations, and how you can see it. If you have any questions, our Privacy Officer will be happy to help you. The Privacy Officer can be reached at 703-281-2657 x.272.
B. What The Women’s Center Means by Your Medical Information
Each time you visit The Center or any doctor’s office, hospital, clinic, or any other “health care provider,” PHI is collected about you and your physical and mental health. It may be information about your past, present, or future health or conditions, or the treatment or other services you received from The Center or from others, or about payment for health care. The information the Center collects from you is called, in the law, PHI, which stands for protected health information. This information goes into your medical or health care record or file at our offices.
At The Center, PHI is likely to include these kinds of information:
- Your history–As a child, in school and at work, and marital and personal history.
- Reasons you came for treatment–Your problems, complaints, symptoms, needs, and goals.
- Diagnoses–Diagnoses are the medical terms for your problems or symptoms.
- Treatment plan–These are the treatments and other services which your therapist thinks will best help you.
- Progress notes–Each time you come in, your therapist will write down some things about how you are doing, what she/he observes about you, and what you tell your therapist.
- Records–These include records The Center receives from others who treated or evaluated you.
- Psychological test scores, school records, etc.
- Information about medications you took or are taking.
- Billing, payment, and insurance information.
This list is just to give you an idea and there may be other kinds of information that go into your health care record at the Center. The Center uses this information for many purposes. For example, we may use it:
- To plan your care and treatment.
- To decide how well our treatments are working for you.
- When we talk with other health care professionals who are also treating you, such as your family doctor, psychiatrist, or the professional who referred you to us.
- To show that you actually received the services from us which we billed to you or to your health insurance company.
- For teaching and training other health care professionals.
- For medical or psychological research.
- For public health officials trying to improve health care in this country.
- To improve the way we do our job by measuring the results of our work.
When you understand what is in your record and what it is used for, you can make better decisions about who, when, and why others should have this information.
C. How Your Protected Health Information (PHI) Can Be Used and Shared
When your PHI is read by your therapist or others at The Center it is considered, under the law, “use.” If PHI is shared with or sent to others outside of this office, that is considered, under the law, “disclosure.” Except in some special circumstances, when we use your PHI at The Center or disclose it to others, we share only the minimum necessary PHI needed for the purpose. The law gives you rights to know about your PHI and to know how it is used.
The Center uses and discloses PHI for several reasons. Mainly, we will use and disclose it for routine purposes, and we will explain more about these below. For uses and disclosures not described in this Notice, we must tell you about them and have a written Authorization form unless the law lets or requires us to make the use or disclosure without your authorization. However, the law also says that we are allowed to make some uses and disclosures without your authorization.
D. Uses and Disclosures of PHI in Health Care Allowed under HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) allows us to use your PHI for treatment, payment, and health care operations (TPO). In almost all cases, we intend to use your PHI here or share your PHI with other people or organizations to provide treatment to you, arrange for payment for our services, or some other business functions called health care operations. Together these routine purposes are called TPO and HIPAA allows us to use and disclose your PHI for TPO.
D1. The Basic Uses and Disclosures—For Treatment, Payment, and Health Care Operations (TPO)
The Center needs information about you and your condition to provide care to you. Generally, we may use or disclose your PHI for three purposes: treatment, obtaining payment, and what are called health care operations, all of which are described below.
For Treatment – We use your PHI to provide you with psychological treatment or services. These might include individual, family or group therapy, psychological, educational, or career assessment, treatment planning, or measuring the effects of our services.
Under HIPAA, providers such as The Center may share or disclose your PHI to others who provide treatment to you, such as your psychiatrist or personal physician, without obtaining your authorization to do so. For example, if you are being treated by a team, we can share your PHI with them so that the services you receive will be coordinated.
During the course of your treatment at The Center, we may refer you to other professionals or consultants for services we cannot offer such as special testing or treatments. When we do this, we need to tell them some things about you and your conditions.
For Payment – Under HIPAA, we may use your PHI to bill you, your insurance, or others to be paid for the treatment we provide to you. We may contact your insurance company to check on exactly what your insurance covers. We may have to tell them about your diagnoses, what treatments you have received, and what we expect as we treat you. We do not have to receive your authorization to share this information, but we are required to inform you of how we use your PHI for payment.
For Health Care Operations – There are some other ways we may use or disclose your PHI which are called health care operations. For example, we may use your PHI to see where we can make improvements in the care and services we provide. We may be required to supply PHI to government health agencies so they can study disorders and treatment and make plans for the services that are needed. We do not have to receive your authorization to share PHI, but we are required to inform you of how we use your PHI for health care operations.
D2. Other Uses and Disclosures in Health Care
- Appointment Scheduling/Rescheduling. We may use and disclose PHI to schedule or reschedule your appointments for treatment or other care. If you want us to call or write to you only at your home or your work or prefer some other way to reach you, you can note that on your Client Data Sheet.
- Treatment Alternatives. We may use and disclose your PHI to tell you about or recommend possible treatments or alternatives that may be of interest to you.
- Other Benefits and Services. We may use and disclose your PHI to tell you about health-related benefits or services that may be of interest to you.
D3. Professional Records
- Psychotherapists are required, by law, to keep medical records of mental health services provided.
- All paper records are secured in a locked location following HIPAA standards. Records include, but are not limited to, documentation of attendance; purpose of treatment; any medical, social, and treatment history; evaluations and diagnoses; anecdotal notes of topics and discussions; copies of legal forms and consents; documents and copies of any forms or information shared with other professionals; and information provided by other professionals.
- The Center uses health information technology (HIT) – AdvancedMD. HIT involves the storage and exchange of health information in an electronic environment. The Center is committed to upholding privacy and security standards for the protection of electronic health information standardized by HIPAA. The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting electronic PHI (e-PHI). The Center is committed to ensuring the confidentiality and integrity of all e-PHI created, received, stored, or transmitted. This includes protecting client information from potential security threats, maintaining privacy disclosure statements, and using only authorized technical devices that have security systems.
- The primary benefits of gathering, managing, and storing information electronically are convenience and cost. Using technology can save time and money for organizations, psychotherapists, and clients. For example, when the Center keeps its administrative costs down, session fees are less likely to be increased. On the other hand, the risks of gathering, managing, and storing information electronically may include the following:
  - Someone intentionally hacks the system and gains access to the data;
  - Computers, smartphones, flash drives, external hard drives, or other devices used to gather and store the data are stolen or misplaced;
  - Information stored electronically may be subpoenaed for use during legal proceedings, just as with paper records;
  - Government or law enforcement organizations may try to gain access to information stored electronically; and
  - Electronic information may be unintentionally sent to the wrong person, especially when sending email or text messages.
D4. Uses and Disclosures Requiring Your Authorization
If we want to use your PHI for any purpose besides TPO or those we described above, we need your permission on an Authorization form. If you do authorize us to use or disclose your PHI, you can revoke (or cancel) that permission, in writing, at any time. After that time, we will not use or disclose your PHI for the purposes to which we agreed. Of course, we cannot take back any PHI we had already disclosed with your permission or that we had used in our office.
D5. Uses and Disclosures Not Requiring Your Authorization
The law lets us use and disclose some of your PHI without your authorization in some cases.
When Required by Law. We may use or disclose your PHI to the extent that the use or disclosure is otherwise required by federal, state or local law.
For Law Enforcement Purposes. We may disclose your PHI, so long as applicable legal requirements are met, for law enforcement purposes, such as providing PHI to the police about the victim of a crime.
For Public Health Activities. We might disclose some of your PHI to agencies which investigate diseases or injuries.
For Health Oversight. We may disclose PHI to a health oversight agency for activities authorized by law, such as audits, investigations, and inspections. Oversight agencies include government agencies that oversee the health care system, government benefit programs, other government regulatory programs and civil rights laws.
Relating to Abuse or Neglect. If you have been a victim of abuse, neglect, or domestic violence, we may disclose your PHI to a government agency authorized to receive such PHI. In addition, we may disclose your PHI to a public health authority that is authorized by law to receive reports of child abuse or neglect.
For Judicial and Administrative Proceedings. We may disclose your PHI in response to an order of a court or administrative tribunal (to the extent such disclosure is expressly authorized), and, in certain conditions, in response to a subpoena, discovery request or other lawful process.
To Coroners and Funeral Directors. We may disclose your PHI to a coroner, medical examiner, or funeral director if it is needed to perform their legally authorized duties.
For Organ Donation. If you are an organ donor, we may disclose your PHI to organ procurement organizations as necessary to facilitate organ donation or transplantation.
For Research. Under certain circumstances, we may disclose your PHI to researchers when their research has been approved by an institutional review board that has reviewed the research proposal and established protocols to ensure the privacy of your PHI.
Specialized Government Functions. When the appropriate conditions apply, we may disclose PHI for purposes related to military or national security concerns, such as for the purpose of a determination by the Department of Veterans Affairs of your eligibility for benefits.
To the Secretary of Health and Human Services. We may be required to disclose your PHI to the Secretary of Health and Human Services to investigate or determine our compliance with the requirements of the final rule on Standards for Privacy of Individually Identifiable Health Information.
To Prevent a Serious Threat to Health or Safety. If we come to believe that there is a serious threat to your health or safety, or that of another person or the public, we can disclose some of your PHI.
For National Security and Intelligence Activities. We may disclose your PHI to authorized federal officials for intelligence, counterintelligence, protection of the President, other authorized persons or foreign heads of state, for the purpose of determining your own security clearance, and for other national security activities authorized by law.
For Workers’ Compensation. We may disclose your PHI as necessary to comply with workers’ compensation laws and other similar programs.
Inmates. We may use or disclose your PHI if you are an inmate of a correctional facility and we created or received your PHI in the course of providing care to you.
To Business Associates. We may disclose your PHI to persons who perform functions, activities or services to us or on our behalf that require the use or disclosure of PHI.
D6. Uses and Disclosures of PHI Based upon Your Written Authorization
Psychotherapy Notes. We must obtain your written authorization for most uses and disclosures of psychotherapy notes.
Marketing. We must obtain your written authorization to use and disclose your PHI for most marketing purposes.
Sale of PHI. We must obtain your written authorization for any disclosure of your PHI which constitutes a sale of PHI.
D7. State Law
We are required to comply with state privacy laws when they are stricter (or more protective of your PHI) than federal law. Some types of sensitive PHI, such as HIV information, genetic information, alcohol and/or substance abuse records and mental health records, may be subject to additional confidentiality protections under state or federal law.
E. Your Rights Regarding Your PHI
Right to Notice. You have the right to receive adequate notice of the uses and disclosures of PHI that may be made by The Center and of your rights and The Center’s legal duties with respect to PHI. The Center is providing you with a written copy of our Notice to give you this information.
Right to Request Restrictions. You have the right to request restrictions on certain uses and disclosures of your PHI. You have the right to ask us to limit what we tell certain individuals involved in your care or the payment for your care, such as family members and friends. While we do not have to agree to your request, if we do agree, we will keep our agreement except if it is against the law, or if there is an emergency, or when the information is necessary to treat you. If you would like to request restrictions on certain uses and disclosures of your PHI, please contact The Center’s Privacy Officer.
Right to Confidential Communications. You have the right to receive confidential communications of your PHI. You can ask us to communicate with you about your health and related issues in a particular way or at a certain place. For example, you can ask us to call you at home, and not at work, to schedule or cancel an appointment. We will try our best to do as you ask. You can tell us how we should communicate with you by noting your preferred means of communication on your Client Data Sheet and your Financial Policies Statement.
Right to Inspect and Copy. You have the right to inspect and copy your PHI. You have the right to look at the PHI we have about you, such as your medical and billing records. You can even get a copy of these records, but we may charge you. If you would like to inspect and copy PHI, please ask The Center’s Privacy Officer.
Right to Amend. You have the right to amend your PHI maintained in the designated record set. If you believe the information in your records is incorrect or incomplete, you can ask us to amend, or make some changes to, your PHI. You must tell us the reasons you want to make these changes. If you would like to amend your PHI, please contact The Center’s Privacy Officer.
Right to Receive an Accounting of Disclosures. You have the right to receive an accounting of disclosures of your PHI that The Center has made. If you would like to request an accounting of disclosures, please contact The Center’s Privacy Officer.
Right to Receive a Copy of This Notice. You have the right to obtain a paper copy of The Center’s Notice of Privacy Practices. If we change this NPP, we will post it in our lobby and on our web site and you can always get a copy of the NPP from The Center’s Privacy Officer.
Right to Make a Complaint. You have the right to file a complaint if you believe that your privacy rights have been violated. You can file a complaint with The Center’s Privacy Officer or The Center’s Compliance Officer, as well as with the Secretary of the Department of Health and Human Services. All complaints must be in writing. Filing a complaint will not change the health care we provide to you in any way. We will not retaliate against you in any way for filing a complaint. If you would like to make a complaint, you may complete a form which is called, “How can we help you” and you do not have to include your name on this complaint form if you do not wish to do so.
F. The Center and the HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities, such as the Center, to notify affected individuals; Health and Human Services; and, in some cases, the media of a breach of unsecured PHI. This rule applies to all covered entities and their Business Associates.
Breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI. The Center policy below applies to breaches within the Center or within the systems of the Center’s Business Associates.
I. Notification of individuals affected by the breach will occur as soon as possible following the breach.
A. Affected individuals must be notified without unreasonable delay, but in no case later than sixty (60) calendar days after discovery, unless instructed otherwise by law enforcement or other applicable state or local laws.
B. If law enforcement authorities have been contacted, those authorities will assist in determining whether notification may be delayed in order not to impede a criminal investigation.
II. The required elements of notification vary depending on the type of breach and which law is implicated. As a result, the Center’s Privacy Officer and Legal Counsel should work closely to draft any notification that is distributed.
III. Indirect notification (website posted notices or media announcements) of a breach may be used if there is no contact information for the affected clients.
IV. Using multiple methods of notification in certain cases may be the most effective approach.
G. If You Have Questions or Problems
If you need more information or have questions about the privacy practices described above, please speak to The Center’s Privacy Officer whose name and telephone number are listed below.
If you have a problem with how your PHI has been handled, or if you believe your privacy rights have been violated, contact the Privacy Officer or the Compliance Officer (contact information provided below) for instructions on how to file a complaint. You may telephone, write, or come in person to either the Privacy Officer or the Compliance Officer to make a complaint. If you do not wish to include your name on a complaint, you may fill out a complaint form without including your name and place it in the designated box in the lobby area.
You may have someone represent you during the complaint process if you wish. If the matter is not resolved satisfactorily by the Privacy Officer, you may take the matter to the Compliance Officer. If the matter is not resolved satisfactorily by the Compliance Officer, you have the right to file a complaint with the Secretary of the Federal Department of Health and Human Services. We will not limit your care here or take any actions against you if you complain.
If you have any questions regarding this Notice or our health information privacy policies, please contact
The Center’s Privacy Officer
703-281-2657 x.272.