Notice of privacy practices (npp)

---

This notice supplements the HIPAA Notice of Privacy Practices form and describes how medical information about you may be used and disclosed, and how you can get access to this information. Please review it carefully.

1. Our practice is dedicated to maintaining the privacy of your personal health information as part of providing professional care. We are also required by law to keep your information private. These laws are complicated, but we must give you this important information. This is a shorter version of the attached, full, legally required notice of privacy practices. Please talk to our privacy officer (see the end of this form) about any questions or problems.

There are times when the laws require us to use or share your information. For example:

1. When there is a serious threat to your or another’s health and safety or to the public. We will only share information with persons who are able to help prevent or reduce the threat.
2. When we are required to do so by lawsuits and other legal or court proceedings.
3. If a law enforcement official requires us to do so.
4. For workers’ compensation and similar benefit programs.
5. There are some other rare situations. They are described in the longer version of our Notice of Privacy Practices.

We will use the information we collect about you mainly to provide you with treatment, to arrange payment for our services, and for some other business activities that are called, in the law, health care operations. After you have read this notice, we will ask you to sign a consent form to let us use and share your information in these ways. If you do not consent and sign this form, we cannot treat you. If we want to use or send, share, or release your information for other purposes, we will discuss this with you and ask you to sign an authorization form to allow this.

1. You can ask us to communicate with you in a particular way or at a certain place that is more private for you. For example, you can ask us to call you at home, and not at work, to schedule or cancel an appointment. We will try our best to do as you ask.
2. You can ask us to limit what we tell people involved in your care or the payment for your care, such as family members and friends.
3. You have the right to look at the health information we have about you, such as your medical and billing records. You can get a copy of these records, but we may charge you for it, as allowed by law. Contact our privacy officer to arrange how to see your records. See below.
4. If you believe that the information in your records is incorrect or is missing something important, you can ask us to make additions to your records to correct the situation. You have to make this request in writing and send it to our privacy officer. You must also tell us the reasons you want to make the changes.  We have the right to deny an amendment or addition if we feel it is not appropriate, but we will note your request.
5. You have the right to a copy of this notice. If we change this notice, we will post the new version in our waiting area, and you can always get a copy of it from the privacy officer.
6. You have the right to file a complaint if you believe your privacy rights have been violated. You can file a complaint with our privacy officer and with the Secretary of the U.S. Department of Health and Human Services. All complaints must be in writing. Filing a complaint will not change the health care we provide to you in any way. Also, you may have other rights that are granted to you by the laws of our state, and these may be the same as or different from the rights described above. We will be happy to discuss these situations with you now or as they arise. If you have any questions regarding this notice or our health information privacy policies, please contact our privacy officer, who is Dr. Anthony Rivers and can be reached by phone at 614-664-3175 or by e-mail at arivers@customizedbehavioralhealthcare.com.

General Standard of Non-Disclosure

1. Except as allowed by law, in the absence of a valid, written Release of Information (ROI), Customized Behavioral Healthcare staff shall not disclose any information regarding an adult patient (18+) to any third party. This includes spouses, parents, partners, or employers.
2. The "Neither Confirm nor Deny" Rule: If a third party calls to inquire about a patient, staff must not confirm that the individual is receiving services.

Scheduling and Attendance

Without a signed ROI specifically granting access to scheduling:

• Third-Party Scheduling: No third party may schedule, cancel, or reschedule appointments on behalf of the patient.
• Confirmation of Attendance: Staff may not confirm to a third party whether a patient attended or missed a specific session.
• Waiting Room Protocol: If a third party accompanies a patient, staff may not discuss the patient's care with the companion unless the patient provides verbal consent in that specific moment (a written ROI is preferred for ongoing communication).

Access to Treatment Records

• Treatment records, including intake assessments, progress notes, and billing statements, are the sole property of the patient (or the clinical entity) and are protected by law.
• Requests for Records: All requests for records from third parties (lawyers, family, other doctors) must be accompanied by an ROI signed by the patient that specifies exactly what information can be shared and for what duration.
• Digital Access: Patient portal credentials must only be issued to the patient.

Exceptional Circumstances

Privacy is not absolute. Information may be released without an ROI typically  in the following scenarios:

1. Safety/Duty to Warn: If the patient is a danger to themselves or others.
2. Court or Administrative Order: If a judge or administrative agency issues a subpoena specifically ordering the release of records (a subpoena from an attorney alone is usually not sufficient without a patient's signature).
3. Mandated Reporting: Suspected abuse of a child, elder, or dependent adult.

The Rights of Natural Parents

Under standard healthcare laws (like HIPAA), if parents are married or were never married, both typically have equal rights to the minor’s medical records and the ability to schedule or cancel appointments unless blocked by court order and if the minor is the only client, what both parents say is typically available to the other parent.

The "Equal Access" Rule: Unless a legal document is provided to the contrary, Customized Behavioral Healthcare will treat both biological parents as having full authority to access treatment information.

Joint Legal Custody Protocols

In the event of a divorce or legal separation, the policy follows the Custody Agreement on file.

Documentation Requirement: Parents must provide a copy of the most recent court-approved custody decree prior to us seeing a minor.

Joint Legal Custody: If the court grants "Joint Legal Custody," both parents have the right to access medical records and discuss treatment with the provider, regardless of who the "primary residential parent" is, unless that right is blocked by Court order.

Sole Legal Custody: If one parent has "Sole Legal Custody," only that parent may authorize treatment and access records, unless the Court order specifies otherwise. The non-custodial parent may still have "access rights" to records unless a judge has explicitly revoked them.

Scheduling and Communication

To ensure the focus remains on the minor’s care, Customized Behavioral Healthcare maintains a neutral stance in cases of parental disagreement. Staff will not act as a liaison between parents. It is the responsibility of the legal guardians to coordinate schedules and share appointment information with one another in accordance with their parenting plan.

• Appointment Management: Either parent with legal custody may schedule or cancel appointments. However, Customized Behavioral Healthcare encourages both parents to use a shared portal or communication log to avoid double-booking.
• Notifications: Staff will not act as a mediator. If Parent A schedules an appointment, staff is not responsible for notifying Parent B; that responsibility rests with the parents per their parenting plan.

Adolescent Privacy

While parents usually have a legal right to records, clinical best practice suggests a level of "informal privacy" for minors (typically ages 12–17) to encourage honesty in treatment.

The Privacy Agreement: Providers will discuss with parents an agreement at the start of treatment promising not to request detailed session notes, provided the minor is safe, although since they may later revoke this agreement, the minor cannot be guaranteed confidentiality under this Agreement.  Minors 14 years of age and older should be aware that they have an option to see a therapist on a limited basis without their parents’ knowledge, except where there is a compelling need for disclosure based on a substantial probability of harm to the minor or to other persons, and if the minor is notified of your therapist’s intent to inform the minor’s parent, or guardian. Only the minor is responsible for paying for services under this option.

Limits of Confidentiality: Parents will be notified immediately if the minor is at risk of self-harm, harm to others, or if there is ongoing abuse.

As part of their ongoing commitment to provide the best possible service, your provider has opted to use an artificial intelligence note-taking tool that assists in generating clinical documentation based on your sessions. This allows for more time and focus to be spent on our interactions instead of taking time to jot down notes or trying to remember all the important details. 

A temporary recording and transcript or summary of the conversation may be created and used to generate the clinical note for that session. Your provider then reviews the content of that note to ensure its accuracy and completeness.

After the note has been created, the recording and transcript are automatically deleted.

This artificial intelligence tool prioritizes the privacy and confidentiality of your personal health information. Your session information is strictly used for the purpose of your ongoing medical care. Your information is subject to strict data privacy regulations and is always secured and encrypted. Stringent business associate agreements ensure data privacy and HIPAA compliance. Please discuss any questions or concerns you may have about this feature with your provider.

Examples of how we may use AI include:

• Helping draft or organize clinical notes or summaries that your clinician reviews and edits before they become part of your record.
• Transcribing or summarizing session audio with your consent, to reduce documentation time for your clinician.
• Supporting scheduling, reminders, secure messaging, or other routine administrative tasks.
• Analyzing de-identified or limited data sets to improve the quality, safety, and efficiency of our services.

When we use AI tools with your information:

1. We treat your information as protected health information (PHI) and follow all applicable privacy and security laws, including HIPAA and relevant state mental health privacy laws.
2. We only share the minimum necessary information with AI systems and vendors to accomplish the intended purpose.
3. We require vendors who handle PHI on our behalf to sign written agreements that include safeguards to protect your information and limit how it can be used or disclosed.
4. We maintain administrative, technical, and physical safeguards (such as access controls, encryption, and audit logs) to protect the confidentiality and security of your information when AI tools are used.
5. We will always review and modify information that the AI platform provides to us and will never totally rely on it to document information that we retain in your record.  Typically, the AI platform will ensure that the PHI is eliminated after a short period of time.  We will not retain what AI produces, only the final product that we’ve reviewed and modified.

We do not:

1. Use public or consumer-facing AI tools that are not configured to protect PHI and do not have appropriate privacy and security agreements in place.
2. Allow AI systems to independently diagnose, prescribe, or determine your treatment. All decisions about your care are made by qualified clinicians.

You have the right to deny our use of AI if you want to do that.  Please let us know if that is your choice and we will not utilize it in connection with your mental health services.