THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

PLEASE REVIEW IT CAREFULLY.

This Notice of Privacy Practices (“Notice”) describes how we may use and disclose your protected health information (“PHI”), as well as how you can obtain access to such PHI. This Notice also describes your rights with respect to your PHI. We are required by law to maintain the privacy of your PHI; provide you with notice of our legal duties and privacy practices with respect to your PHI; and to notify you following a breach of unsecured PHI.. A reference to “we” and “our” is defined to include Promises Behavioral Health, LLC, its employees and workforce members. This Notice does not apply to the care you may separately receive from health care professionals at their offices. Your health care professional may have his or her own policies and procedures regarding your PHI and you should review your health care professional’s notice of privacy practices for information on how your PHI will be handled outside of our facilities.

HOW WE MAY USE AND DISCLOSE YOUR PHI

We may use and disclose PHI without your prior authorization for purposes of Treatment, Payment or Health Care Operations. To the extent that there are more strict state requirements or restrictions, we will only use and disclose your PHI as permitted by those stricter requirements. For example, substance use disorder patient records may be further protected by the federal Confidentiality of Substance Use Disorder Patient Records, 42 U.S.C. § 290dd-2, 42 C.F.R. Part 2 (“Part 2”). Part 2 has more strict requirements on how we use and disclose PHI that consists of substance use disorder treatment records. To the extent that you have PHI that is protected under Part 2, we will only use and disclose that information as permitted by Part 2. Specific information about how we may use and disclose PHI that is governed under Part 2 is provided below. In addition, please be aware that certain state laws may have more strict requirements for certain categories of health information, such as mental health records and HIV/AIDS information. If there are specific more restrictive requirements, we will abide by those special protections.

USES AND DISCLOSURES OF PHI THAT DO NOT REQUIRE YOUR PRIOR AUTHORIZATION

Except where prohibited by federal or state laws that require special privacy protections, we may use and disclose your PHI for treatment, payment and health care operations without your prior authorization as follows. Not every use or disclosure in a category will be listed. Your PHI may be stored in paper, electronic or other form and may be disclosed electronically and by other methods.

Treatment. We may use or disclose PHI as necessary to treat you or perform services in connection with your treatment or to allow another covered entity or health care provider to treat you. For example, therapists, staff members and other personnel may need to know and discuss your PHI to carry out your treatment and to evaluate your response to treatment. We may disclose your PHI to your other health care providers to help coordinate your care and make sure that everyone who is involved in your care has the information that they need about you to meet your health care needs.

Payment. We may use or disclose your PHI as necessary to receive reimbursement or compensation for services provided. For example, if you have health insurance and we bill your insurance directly, we will have to include information that identifies you, as well as your diagnosis, and services provided in order to be compensated for the treatment provided. If another person is responsible for paying for your Promises – Notice of Privacy Practices 2 NPP 6-25-2019

care, we may disclose PHI to that person as necessary to bill them for the cost of the services provided to you. We may also disclose PHI as necessary for another covered entity’s payment activities.

Health Care Operations. We may use or disclose PHI for health care operations, such as for our own internal quality improvement activities and other business purposes. For example, we may use your PHI to review and improve the quality of our services and to evaluate the performance of our staff. We may also analyze PHI to improve the quality and efficiency of health care, for example, to assess and improve outcomes for health care conditions. We may also disclose your PHI to other HIPAA covered entities that have provided services to you so that they can improve the quality and effectiveness of the health care services that they provide. We may use your PHI to create de-identified data, which is stripped of your identifiable data and no longer identifies you.

Individuals Involved in Your Care or Payment for Your Care. We may release PHI about you to a friend or family member who is involved in your medical care. We may also give information to someone who helps pay for your care. We may also tell your family or friends your condition and that you are in the facility. We are also permitted to disclose PHI to family or friends of a deceased individual to the extent that the PHI pertains to their involvement in care or payment for care. We may use or disclose your PHI to notify your family or friends of your condition, status and location. In addition, we may disclose medical information about you to an entity assisting in a disaster relief effort so that your family can be notified about your condition, status and location.

Research. Under certain circumstances, we may use and disclose your PHI for research purposes. You will not be the subject of research without your prior written and informed consent. Unless otherwise described in the consent, your identity and your health information will remain private during and after the research. All research projects must comply with state and federal regulations.

As Required By Law. We will disclose your PHI when required to do so by federal, state or local law. For example, we may disclose PHI about you to the U.S. Department of Health and Human Services if it requests such information to determine that we are complying with federal privacy law.

To Avert a Serious Threat to Health or Safety. We may use and disclose your PHI when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.

Organ and Tissue Donation. We may release your medical information to organizations that handle organ procurement or organ, eye or tissue transplantation or to an organ donation bank, as necessary to facilitate organ or tissue donation and transplantation.

Military and Veterans. If you are a member of the armed forces, we may release your PHI as required by military command authorities. We may also release medical information about foreign military personnel to the appropriate foreign military authority.

Workers’ Compensation. We may release your PHI as authorized by applicable law to the extent necessary to comply with workers’ compensation laws or laws related to similar programs. These programs provide benefits for work-related injuries or illness.

Public Health Activities. We may disclose medical information about you for public health activities. These activities generally include the following: (i) to prevent or control disease, injury or disability; (ii) to report births and deaths; (iii) to report child abuse or neglect; (iv) to report reactions to medications or problems with products; (v) to notify people of recalls of products they may be using; (vi) to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; (vii) to notify the appropriate government authority if we believe a patient has been the Promises – Notice of Privacy Practices 3 NPP 6-25-2019

victim of abuse, neglect or domestic violence (We will only make this disclosure if you agree or when required or authorized by law).

Health Oversight Activities. We may disclose your PHI to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.

Lawsuits and Disputes. If you are involved in a lawsuit or a dispute, we may disclose medical information about you in response to a court or administrative order. We may also disclose medical information about you in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the information requested.

Law Enforcement. We may disclose your PHI if asked to do so by a law enforcement official: (i) in response to a court order, subpoena, warrant, summons or similar process; (ii) to identify or locate a suspect, fugitive, material witness, or missing person; (iii) about the victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement; (iv) about a death we believe may be the result of criminal conduct; (v) about criminal conduct at the facility; and (vi) in emergency circumstances, not occurring on the premises, to report a crime; the location of the crime or victims, or the identity, description or location of the person who committed the crime.

Coroners, Medical Examiners and Funeral Directors. We may disclose your PHI to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also release PHI to funeral directors as necessary to carry out their duties.

National Security and Intelligence Activities. We may disclose your PHI to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.

Protective Services for the President and Others. We may disclose your PHI to authorized federal officials so they may provide protection to the President, other authorized persons or foreign heads of state or conduct special investigations.

Inmates. If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release medical information about you to the correctional institution or law enforcement official, if necessary (i) for the institution to provide you with health care; (ii) to protect your health and safety or the health and safety of others; or (iii) for the safety and security of the correctional institution.

Third Parties. We may disclose your PHI to third parties with whom we contract to perform services on our behalf. These third party service providers, referred to as Business Associates, may need to access your PHI to perform services for us. They are required by their contracts with us and by law to protect your PHI and only use and disclose it as necessary to perform their services for us.

OTHER USES OF MEDICAL INFORMATION

Other uses and disclosures of your PHI not covered by this Notice or the laws that apply to us will be made only with your written permission, including but not limited to (i) most uses and disclosures of psychotherapy notes; (ii) most uses and disclosures of your PHI for marketing purposes; and (iii) disclosures that constitute the sale of your PHI. If you provide us permission to use or disclose your PHI, you may revoke that permission, in writing, at any time. If you revoke your permission, we will no longer use or disclose your PHI for the reasons covered by your written authorization. You understand that we are unable to take back any disclosures we have already made with your permission, and that we are required to retain our records of the care that we provided to you. Promises – Notice of Privacy Practices 4 NPP 6-25-2019

YOUR HEALTH INFORMATION RIGHTS

If you wish to exercise any of your health information rights described below, we will provide you a form to use to submit your specific request in writing. All requests will be reviewed and considered within the timeframes required under HIPAA. Under certain circumstances, we may deny your request. If this occurs, you may have the right to have the denial reviewed. If you have given another individual a medical power of attorney, if another individual is appointed as your legal guardian or if another individual is authorized by law to make health care decisions for you (known as a “personal representative”), that individual may exercise any of the following rights listed below.

Right to Inspect and Copy. You have the right to inspect and copy the PHI that we maintain about you, with limited exceptions. If you request a copy of the information, we may charge a fee for the costs of copying, mailing or other supplies associated with your request. If we maintain this information electronically, you have the right to receive a copy of such information in an electronic format. Additionally, you have the right to ask us to send a copy of your PHI to other individuals that you designate. To do so, you must make provide us your signed written request that clearly identifies the designated person and where to send the copy of your PHI. In most cases, we will provide this access to you or the person you designate within 30 days of your request. This right applies to PHI used to make decisions about you or payment for your care, subject to limited exceptions.

Right to Request an Amendment. If you feel that PHI maintained about you is incorrect or incomplete, you may request that we amend it. We are obligated to review any such request, but are not obligated to agree to it. Specifically, we may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend information that: (i) was not created by us, unless the person or entity that created the information is no longer available to make the amendment; (ii) is not part of the medical information kept by or for the facility; (iii) is not part of the information which you would be permitted to inspect and copy; or (iv) is accurate and complete. If we deny your request for an amendment, we will provide you with a written explanation of why we denied it.

Right to Accounting of Disclosures. You have the right to request an accounting of certain disclosures that we have made of your PHI. This is a list of when, what, to whom, and why we disclosed your PHI for certain purposes. To request this list, you must submit your request in writing on the form described above. Your request must state a time period, within the six (6) years immediately preceding the request. Your request should indicate in what form you want the list (for example, on paper, electronically). The first list you request within a 12-month period will be free of charge. For additional requests in the same 12-month period, we may charge you a reasonable cost-based fee for providing you with the list. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred.

Right to Request Restrictions. You have the right to request a restriction or limitation on our use or disclose of your PHI for treatment, payment or health care operations. You also have the right to request a limitation on the PHI we disclose about you to someone who is involved in your care or the payment for your care. If we agree, we will comply with your request unless the information is needed to provide emergency treatment. We are not required to agree to the restrictions, unless your request is that we not disclose information to a health plan for payment or health care operations activities, if the disclosure is not otherwise required by law, and the PHI pertains solely to a health care item or service for which you, or a person on your behalf, has paid in full.

Right to Request Confidential Communications. You have the right to request that we communicate with you about your health matters in a certain way or at a certain location. For example, you can ask that we only contact you at work or by mail. Please note if you choose to receive communications from us via e-Promises – Notice of Privacy Practices 5 NPP 6-25-2019

mail or other electronic means, those may not be a secure means of communication and your PHI that may be contained in our e-mails to you will not be encrypted. This means that there is risk that your PHI in the e-mails may be intercepted and read by, or disclosed to, unauthorized third parties.

Right to a Paper Copy of This Notice. You have the right to a paper copy of this Notice even if you have agreed to receive the Notice electronically. You may ask us to give you a copy of this Notice at any time. You may also obtain a copy of this Notice on our website.

Right to Notification of a Breach. You have the right to be notified following a breach of your unsecured PHI, and we will notify you in accordance with applicable law.

CHANGES TO THIS NOTICE

We are required to follow the terms of this Notice or any change to it that is in effect. We reserve the right to change our practices and this Notice at any time and to make the new Notice effective for all PHI we maintain and that we obtain in the future. If we make a material change to this Notice, we will post the revised notice at the facility where you receive services and on our website and make the revised notice available upon request.

COMPLAINTS OR INFORMATION REQUESTS

If you believe that we have violated your privacy rights you may file a complaint with the Privacy Officer listed below. You may also file a complaint with the U.S. Department of Health and Human Services Office of Civil Rights (“Office for Civil Rights”). Complaints to the Office for Civil Rights may be filed in writing by mail, fax, e-mail, or via the OCR Complaint Portal (https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf). To file a complaint in writing, open up and fill out the “Health Information Privacy Complaint Form Package” (http://www.hhs.gov/hipaa/filing-a-complaint/complaint-process/index.html) and mail it to the address below, or email it to OCRComplaint@hhs.gov.

Centralized Case Management Operations

U.S. Department of Health and Human Services

200 Independence Avenue, S.W.

Room 509F HHH Bldg.

Washington, D.C. 20201

You may also contact The Joint Commission at www.jointcommission.org, via email at patientsafetyreport@jointcommission.or, or via fax at (630) 792-5636.

We will promptly investigate any complaints in an effort to resolve the matter. We will not penalize or retaliate against you for filing a complaint with us or with the U.S. Department of Health and Human Services Office for Civil Rights.

If you have questions or would like additional information about our privacy practices, please contact our Privacy Officer: Angela Smart (801) 597-2526.

Effective Date

This Notice is effective as of June 20, 2019

NOTICE OF CONFIDENTIALITY OF SUBSTANCE USE DISORDER PATIENT RECORDS

APPLICABILITY OF PART 2: The confidentiality of substance use disorder patient records we maintain may also be protected by the federal Confidentiality of Substance Use Disorder Treatment Records, 42 U.S.C. § 290dd-2, 42 C.F.R. Part 2 (“Part 2”). To the extent that Part 2 governs one of our programs, our use and disclosure of any of your PHI that is covered under Part 2 will be done only as permitted by Part 2, as further described below.

HOW WE MAY USE OR DISCLOSE YOUR PART 2 PHI

NO AUTHORIZATION REQUIRED. Federal law permits us to disclose your Part 2 PHI without your prior written consent as follows:

i. Pursuant to an agreement (requiring compliance with Part 2) with a qualified service organization/ business associate that provides services to us;

ii. To qualified personnel for purposes of research, audit or program evaluation;

iii. To report a crime committed by you on our facility’s premises or against our personnel or any threat to commit such a crime;

iv. To medical personnel in a medical emergency;

v. To appropriate authorities to report suspected child abuse and/or neglect; and

vi. As allowed by a court order that is in compliance with the Part 2 requirements for court orders.

AUTHORIZATION REQUIRED. If you are receiving treatment covered by Part 2, we may not say to a person outside the program that you attend the program, nor disclose any information identifying you as having or having had a substance use disorder, or disclose any other protected information except as permitted by Part 2 or with your written consent. In addition, if applicable, Part 2 requires us to obtain your written consent before we can disclose information about you for payment purposes. For example, we must obtain your written consent before we can disclose information to your health insurer in order to be paid for services. Generally, you must also sign a written consent before we can share information for treatment purposes outside the program or for health care operations. A violation of Part 2 by a program is a crime and suspected violations may be reported to appropriate authorities in accordance with Part 2, along with contact information.

26694288.1

This entry was posted on October 20, 2015 and modified on June 27, 2019