Website Privacy Policy InnerVision, Inc. is committed to honoring the privacy and the wishes of our supporters at all times. We collect and maintain only personal information that is specifically and knowledgeably provided to us by individuals or their companies. InnerVision will never rent, exchange or sell information in exchange for services, referrals and/or contributors. We will only share personally identifiable information with a third party if (i) we are required to by law or (ii) the person submitting the information asks that it be shared. We do maintain records, which we regard as private and confidential and store securely with access limited to authorized staff (please also see our security policy).
There are opportunities within the website to provide InnerVision with contact information, such as when you email us for information or inquire about volunteering or employment opportunities. If you provide us with this information, we may contact you for additional information or send you updates about our services in the community, such as via our newsletter. You can contact us to restrict our use of your contact information at any time.
In addition, like almost all websites, we do collect broad, general statistical information about how visitors use our site, such as how often each page is visited, for the purpose of creating a better site for our community. We do not collect information on individual visits to the site without the expressed permission of the user.
There are links to other websites on our site for the purpose of providing more useful and complete information to our visitors. We do not take responsibility for the contents or privacy practices of any website other than our own.
If you have any questions about our privacy policies, please contact us.
Security Policy To prevent unauthorized access, maintain data accuracy and ensure the correct use of information, we maintain physical, electronic and administrative safeguards to protect the information we collect online. We have taken all standard industry precautions to protect you from the loss, misuse or alteration of information you provide to us.
We currently do not accept online commerce transactions.
Please refer to our Data Privacy and Confidentiality Policy for more information on InnerVision, Inc.’s commitment to safeguard the privacy of all your personal information.
Data Privacy and Confidentiality Policy This policy identifies standards related to client data privacy and security. InnerVision Inc. has a long-standing commitment, rooted in the history of social work and psychology practice principles, to respect the privacy and dignity of its clients. Application of the principle of client informed consent and client opportunity to inspect and comment on their records enhances the right of privacy. Substantial state and federal legislation also protects the privacy of client data, including the Federal Privacy Act (1974), the federal Freedom of Information Act (1996), State of North Carolina Government Data Practices Act (revised 2001) and the federal Health Insurance Portability and Accountability Act (also known as HIPAA, revised 2012). Agency data privacy standards are continuously reviewed to make sure that they meet or exceed all applicable legislative and regulatory standards, professional standards of licensing organizations governing activities of agency clinical staff (i.e. National Association of Social Workers) and standards of the Council on Accreditation (COA), which reviews and accredits agency practices (most recent review completed in February 2013).
Scope The standards described in this policy pertain to all client records created or maintained by the agency, whether in physical or electronic form.
Administrative and leadership responsibilities The agency's Director serves as the agency's data privacy officer. The Director is responsible for maintaining data privacy standards, policies, and supporting documents, assuring the quality of implementation of these standards, assuring appropriate training of staff, implementation of physical and electronic safeguards, monitoring internal compliance, and reviewing client appeals of agency data practices. The Director is responsible for amending this policy as appropriate based on emerging legal, regulatory or professional practice requirements. Client complaints with respect to data practices that cannot be resolved at the site level are reviewed by the President of the Board of Directors. Finally, the Director maintains processes that review and document internal allegations of data privacy breaches. Quality Operations Managers, program managers and office managers are responsible for the day-to-day practices that ensure the privacy and security of client records. These responsibilities include training all staff on the agency's data privacy standards and practices. Quality Operations Managers, program managers, and office managers are also responsible for evaluating issues raised by other staff or agency clients related to data privacy. Personnel within InnerVision programs are responsible for ensuring that all third parties (typically health insurance providers) (other than clinicians we retain and other health-care providers we utilize) who provide health-related services requiring access to private information understand agency data privacy practices and have signed “business agreements” with the agency. Finally, Quality Operations Managers, program managers and office managers are responsible for investigating and reporting data privacy breaches to the agency's Director immediately.
Staff Responsibilities All staff are responsible for understanding this policy and acting in accordance with the standards described. Staff should raise questions about these practices to their supervisors. Any staff person may raise a concern about client data privacy to his or her Quality Operations Manager, program manager, or office manager or to the agency's privacy officer (Director) at any time. Staff violation of client data privacy may result in disciplinary action up to and including termination.
General Definition and Standards InnerVision maintains client files for each individual receiving service. The nature of information and records stored in files varies with the type of program. Information in client files facilitates providing appropriate services and ensuring quality standards. Client files may also include other information required by law. Entries in client files must be typed or written legibly. All client files include identifying information, the nature of the problem, the service or treatment plan, and the services provided to the person served by the agency or through referral. This basic information may be supplemented by clinical assessments, diagnostic assessments, psychological evaluation, court reports and documents, as well as financial information used to establish fees as indicated by the nature of the client's needs. All entries into the client file are made only by authorized personnel and are signed, dated, with the clinician’s credentials or job title. Confidential client information received from outside the agency, whether received in physical or electronic form, is either placed in the client's file or destroyed. Informal, personal jottings or interview notes are meant to facilitate the clinician's work with each client. They are not part of the official record and should be destroyed once summaries are prepared. Peer case review reports and findings are not included in client files. The agency may use various methods of client identification suited to its internal management needs. Clients may be identified by name, address, telephone number and/or other agency codes that permit data collected about clients to be aggregated for use by outside groups or in the agency's management information processing systems without the client's informed consent. 
In the absence of legal compulsion, clients will not be identified by social security number unless the client’s social security number is required by law or administrative regulation for reimbursement of services provided under contract.
Overview Clients will be informed before their first appointment with InnerVision that the agency will obtain and provide information only under strict rules of informed consent, as attested to by client signatures. "Informed consent" means the client knows the nature of the request for information and whether s/he is legally required to comply. It also means that the client is aware of the nature of his or her record, may see his or her record, knows with whom the data is to be shared, a time frame within which it is to be handled, knows what may be revealed and is aware of the implications of providing this information. Finally, clients also have the right to revoke consent they provide at any time in the future. When initial contact with the agency is made by phone, the following notice (often called the "Tenneson warning") will be read to the client seeking service: "Before we can ask you to give us any personal information, I must explain who can see it and how it will be used. The information you give will be used by the staff to help you determine the kind of service or assistance which may be helpful. No law requires that you give us information, but we cannot help you without some information. What you say will be kept private, but could be reviewed by staff who work in the program in which you participate. If you are under eighteen years of age, you can ask that data about you be kept from your parents under certain circumstances." Clients should also be advised during their initial telephone contact or intake that they have the right not to provide information they choose not to disclose. Information about clients may be shared with InnerVision staff for the purposes of consultation, supervision or collaboration without a signed client release. Staff access to confidential data is governed by a "need to know" basis. 
For example, management and supervisory staff may need to review records for a wide range of administrative purposes, including organizational planning, evaluation, and development of training, assurance of quality standards or internal accountability. Administrative support staff may need access to prepare client file documents, manage client files, prepare information for billing, process payments, etc. Research personnel may only use records as they relate to specific research projects. Board members are not permitted to view any client files or confidential information. In all other cases, information about clients may not be shared, either with agency staff or externally, without specific informed consent by the clients. (See also the Client Rights and Responsibilities Handbook.)
Consents for Release of Information All authorizations for release of information are completed in triplicate. The top, or original is attached to any information released. The second copy, on yellow paper, is provided to the client. The bottom copy, on pink paper, is stored in the client file.
Recording of client sessions No audio or video recording of a client interview will be made without the prior written permission of the client. Clients may indicate their willingness to have services at InnerVision audio or videotaped through signing the consent for release of information form. Clients must be informed that they may refuse such taping, and that permission can be revoked at any time. Such recordings may only be used for clinical purposes unless the client approves such use in writing after having an opportunity to review the recording or provides a written waiver of this opportunity to review the recording. The agency will not withhold services to any clients because of the client's refusal to consent to release of information.
Client Involvement in Agency Public Relations Activities InnerVision will, on occasion, seek clients' participation in public relations activities, including agency newsletters, annual reports and media articles or events. Clients will be informed of the potential risks and opportunities of such participation, and their right to refuse any and all participation. Informed consent must be obtained in the form of a signed release of information. Whenever possible, initial contact with clients for potential participation in public relations activities will be made by the client's direct service staff person. Clients who have been involved in public relations activities shall be provided with follow-up material whenever possible, such as copies of the newsletter, annual report or media report in which they participated.
Third-party payers The agency maintains a set of relationships with third-party payers (i.e. managed care insurance authorities such as Cardinal Innovations, Healthcare Solutions, etc.), units of government (i.e. Medicaid), and other organizations that may pay the agency directly or reimburse the client for certain services (all of these organizations are referred to in this section as "third-party payers"). These third-party payers may request private data on clients for whose services they are paying in order to ascertain that the client was eligible for services, that services were appropriate, that costs were charged appropriately, and that reported objectives and service outcomes were achieved. This data can be provided with informed consent of the client. The data may be made available to the third-party payer in any form requested by the third-party payer as long as it conforms to applicable law. Examples include billing forms, custom reports, and electronic data. Third-party payers may also view applicable copies of appointment records. Subject to client permission, the third-party payer may also contact a representative sample of clients for confirmation of the amount, type, and quality of service received. Any other service notes and records that InnerVision may create and maintain concerning a client are for the agency's own use to serve the client and are available for review by authorized third-party payers. The agency will only contract or interact with third-party payers who can assure the confidentiality and privacy of client information. The agency's Director is responsible for assuring conformance of third-party payers and administrators to applicable federal and state law protecting client privacy as well as to the agency's standard of client privacy.
Disclosures without informed consent Client files and client information are potentially subject to be made available in litigation and some types of official investigations. Legal access efforts include subpoenas, which are directions to produce records in connection with legal proceedings. Whenever feasible, the client whose record is sought should be notified promptly of the effort and should be given the opportunity, with or without benefit of his/her own legal counsel, to comment on the propriety and scope of the particular legal process. The agency, rather than the client, is normally obligated to comply; furthermore, the agency or its personnel may be subject to legal penalties for failing to comply with such orders. In these instances of legal requests, the agency and its personnel may have no legal privilege to refuse disclosing information concerning dealings with clients, particularly disclosures made by its clients. Legal privilege will be utilized whenever possible to exempt disclosure when there is no client release. No oral requests or demands for records in connection with legal proceedings will be honored. All such requests must be in writing and submitted to the Director or designee who will review the request and determine the extent to which the agency will comply. The Director will secure legal counsel to review such requests when deemed advisable. Any client or clients whose information has been provided under legal compulsion will be informed of such reporting, and the agency's finding that the legal mandate takes precedence over its other policies protecting the privacy of the client. Staff obligations to protect the client from himself/herself and to protect persons the client may have threatened also supersede the client's right to privacy. In the event of a threat of suicide, a medical referral or hospitalization may be necessary. 
If a client is potentially homicidal, the police must be informed, and, if possible, the threatened person or persons. Any such situations must also be identified to the Director. In the absence of legal compulsion, client information will not be used in criminal procedure or investigations, nor will it be made available for inquiries related to employment, credit, etc. Disclosures made without client consent are documented in the client file.
Use of client information for research InnerVision does not permit the use of client information for research.
Special considerations for information on minors The definition of "individual" in the case of guardian includes the legal guardian or guardian of the minor. This means that the parents or legal guardian have access to client information about the individual served and can access the information about their individual. It also means that when the legal guardian or the parent is asked to provide private information, that they should be given a Confidentiality (Privacy) Warning.
Access to Information by Contracted Service Providers InnerVision does not contract with private practitioners to conduct their business at any InnerVision sites. The agency may choose to enter into employee relationships with licensed individual practitioners such as psychiatrists and other licensed clinicians solely for the purpose of conducting business as employees of InnerVision Inc. Clients are made aware of these employees and these licensed clinicians are required to disclose that they have private nonrelated practices (if applicable) before rendering services to any InnerVision client.
All InnerVision Inc. personnel with authorized access to or use of private client information must engage in confidentiality and documentation training and abide by confidentiality and records safeguard procedures as outlined in this document. Failure to comply shall result in disciplinary actions, fines, termination and/or imprisonment.
Availability of information to clients Clients have the right to access and have copies of their records. Clients may view their files (without a charge) and obtain copies of their files (for a fee of .15/page). The rights of privacy include the individual's right to access all records generated by InnerVision staff and the right to be informed about their access rights. A client must present identification along with a written request to inspect their file in the offices of InnerVision Inc. The agency will act on all requests in a timely fashion, not exceeding thirty days of receipt of the request. Normally, the staff person assigned to the case will be present when the client reviews the file. The client may be accompanied at the examination by any person he or she designates in writing. The client, furthermore, may challenge the accuracy of the record. The client's primary staff person, in consultation with the Director, will review any client challenge of accuracy in the file. If the staff person and Director agree with the client's challenge, the client's staff will revise such information in the client file, and make sure that corrected information is sent to any party to whom the incorrect information was previously provided. Should the staff person and Quality Operations Manager disagree with the client's challenge, the Director will inform the client in writing on the basis for disputing the client's assertion. Such communications will also identify the client's right to appeal this determination to the Director as well as inform the client of his/her right to add a statement to the client file. Statements added by clients become part of the client's file and will be released upon written request with the rest of the file. When clients request viewing files that include individuals in a group, conjoint or group treatment, the client may only view the file after all other clients' identities are removed or masked. 
As an alternative, the assigned staff will read to the requesting client that portion of the record pertaining solely to him/her. Agency staff may determine that the release of information to a person served may be harmful to the client or to others. Initial staff determination will be reviewed by both a licensed clinician and the Director. Any final decision not to release client information based on this determination requires written approval by the Director and will be included in the client file. When a client is denied access to their files based on this determination, the client must be informed that s/he has the right to appeal this determination. Such appeals will be directed to the Vice President of Behavioral Health. When appropriate and/or requested by the person or family served, the agency may allow another qualified professional to review the records, provided that the professional signs a written statement agreeing not to release the information to the client.
Case files where the client has been a volunteer, board, staff or committee member will be kept in a separate file apart from other records and access will be limited to those staff members actively involved with the case. Case files of clients who have filed a grievance or formal complaint will be maintained at a different branch than that where they were served when filing the grievance or complaint.
Agency Response to External Requests When the agency receives a written request for release of information from a source outside the agency, the client's primary staff will make an initial determination of the appropriateness of the request. Where there is doubt or concern about the legitimacy of the request, the staff should consult with his or her supervisor or the Director. The client served may also be contacted if appropriate. Once staff has determined the legitimacy of the request, information will be released immediately, if possible, but in any case within ten business days.
Physical Protection of Client Information The agency's Director or designee is responsible for maintaining a secure physical plant, including exterior locks and/or other physical access controls on buildings and interior locks where confidential client information is accessed or stored. The Director will also ensure that capacity to destroy documents and files, normally through shredding, is available at each agency location. Staff must assume a vigilant approach to protecting confidential client information. Client information may not be discussed in open areas, nor should clients be asked for confidential information where others can readily overhear. Client interviews, whether done in person or over the phone, must be held in locations that do not permit unnecessary disclosure of confidential information to other clients or unauthorized staff. Likewise, staff must exercise care to make sure that confidential client data that is not part of the client file is destroyed (and not just discarded) immediately after its use. All client files, as well as any other materials containing identifiable client information are stored in locked file cabinets identified by the agency for such storage. Staff working with client files must take adequate safeguards to protect these files while in their custody. Minimum standards include retaining all files in locked storage (either central storage or locked storage in their office) when not in immediate use. Quality Operations Managers, program managers, and office managers must have copies of all keys used to secure files in staff offices. Staff may not leave files unsecured overnight. Support staff must ascertain that all client file storage is locked at the end of each day, and that no private client information remains in staff mail boxes overnight. Staff must return all keys and other agency property upon termination of their employment.
Transport of files Files and private client information must remain physically secure when sent from one branch to another (as permitted by this policy), or to an external location where agency staff provide service (such as a school or community setting), or when transported by car. Files and private client information must be sealed in an envelope before being placed in interoffice mail. Courier bags used to transport materials from one site to another must be locked. Likewise, staff taking client files to other locations must first secure these files in a locked bag or briefcase.
Destruction of client files Client files (electronic and/or hard copy) with no activity within eleven years from date of discharge will be destroyed. In compliance with HIPAA regulations, InnerVision Inc. implements safeguards to limit incidental, and avoid prohibited, uses and disclosures of Protected Health Information (PHI), including in connection with the disposal and destruction of such information. This includes, but is not limited to, the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored, as well as removal of electronic PHI from electronic media before the media are made available for re-use. See 45 CFR 164.310(d)(2)(i).
In compliance with HHS HIPAA Security Series 3: Security Standards – Physical Safeguards, InnerVision engages in the following practices: For PHI in hard copy records, InnerVision utilizes HIPAA approved shredding devices that render PHI essentially unreadable, indecipherable, and otherwise unable to be reconstructed. For PHI on electronic media, InnerVision clears PHI using software or hardware products to overwrite media with non-sensitive data, or purges the media (degaussing, or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), thus rendering the PHI essentially unreadable, indecipherable, and otherwise unable to be reconstructed.
Electronic safeguards The agency's Director or designee is responsible for maintaining appropriate safeguards of electronic information, including both security and recovery of data in case of disaster. The agency maintains numerous safeguards to protect its electronic information from unauthorized use. Critical safeguards include the following:
• general network security precautions, including use of "firewall" hardware and software to prevent unauthorized intrusion by external parties
• use of virus detection software
• general access controls for system users, including regular changes in passwords, requirements for length and nature of passwords, limited access to menus and data
• electronic logging of access and updates (in so far as this is supported by the agency's software and technology capabilities).
Computerized agency information is backed up daily with an electronic management firm, which can provide access to this information in case of overall system disaster. In addition, the agency maintains a set of customary practices designed to control the technology environment, including maintaining a registry of all agency computer hardware and software. Computer user accounts are managed carefully and terminated aggressively as part of the staff termination process. All agency staff must exercise extreme care with the use of electronic client information. Computer monitors must be positioned or shielded so that client or confidential information does not become visible to others. Staff may only use computers after signing on with their assigned user name.
Staff may not perform any of the following actions which tend to compromise electronic security:
• use or attempt to use another person's user name or passwords
• inquire about another person's passwords
• share their passwords with other staff (including supervisors)
• attempt to view or obtain electronic information for which they are not authorized or that would violate any of the terms of this policy (including accessing client information without a specific clinical or administrative purpose).
Monitors in staff offices must be turned off or "locked" electronically when clients are in the office or when the area is unattended. Staff must sign off their system at the end of each day. Electronic transmission of private client information, including transmission by e-mail, is protected by law. Electronic mail, by its nature, is an insecure, poorly controlled medium. Risks of messages being mis-directed, re-directed, or read by unauthorized persons are significant and cannot be mitigated with technology we control. Staff should therefore refrain from including confidential information in electronic mail when other alternatives are available. In any case, staff may not include any private client information in an e-mail unless (1) the communication (information disclosed, recipient, etc.) complies with this policy's other terms and (2) the text of the e-mail clearly states that confidential information is enclosed. Confidential client information may only be stored on network drives managed by agency technical staff; confidential client information may not be stored on the local drive (i.e., the "C" drive) of any computer, nor can it be copied to CD-ROM, "zip" drives, or any other removable media. Similarly, users of agency-owned laptop computers or personally owned computing devices (e.g., Palm Pilots and other similar personal devices) may not store any confidential data on such equipment.
Other Security Measures Agency fax machines used with client data (either incoming or outgoing) must be placed in locations where client files are managed and responsible staff can take appropriate safeguards with client information arriving by fax. Outgoing faxes that include confidential information must include cover sheets clearly identifying that the information is confidential and that the agency should be notified if it has been received by an unauthorized party.
Computing Devices Personnel may not store any confidential data on computing devices such as tablets, cell phones and other similar personal devices.
Internal Review Identification of concerns Staff who believe the agency may have violated this policy should identify those concerns to the Director or Quality Operations Manager immediately.
Review of Concerns The appropriate Quality Operations Manager or Director is responsible for investigating alleged violations of data privacy in a timely and thorough manner. Once the investigation is completed, the Quality Operations Manager or Director forwards his or her findings and recommendations to the Director. After reviewing all relevant information, the Director or designee will take appropriate measures which may include changes to procedures, changes to the physical environment, or action with regard to employees, including disciplinary action up to and including termination.