REAL Recovery Centers – HIPAA Privacy and Security Policy

1. Purpose

The purpose of this policy is to ensure that REAL Recovery Center (RRC) complies with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), including the Privacy, Security, and Breach Notification Rules, in the protection of patient health information. As a provider of substance use disorder (SUD) treatment services, RRC is also subject to 42 CFR Part 2, which provides additional privacy protections for SUD treatment records.

2. Scope

This policy applies to all employees, contractors, interns, volunteers, and business associates of RRC who have access to Protected Health Information (PHI), including electronic PHI (ePHI).

3. Definitions

  • PHI: Protected Health Information – any information, oral or recorded in any form or medium, that is created or received by RRC and relates to the past, present, or future physical or mental health or condition of a patient.
  • ePHI: Electronic Protected Health Information.
  • Designated Record Set: Records maintained by or for RRC used to make decisions about individuals.
  • Minimum Necessary Rule: Only the minimum amount of PHI necessary to accomplish the intended purpose may be accessed, used, or disclosed.

4. Policy

4.1 Use and Disclosure of PHI
  • RRC will use and disclose PHI only as permitted or required by HIPAA and 42 CFR Part 2.
  • Patient consent is required for most uses and disclosures of PHI, especially those involving substance use treatment records.
  • PHI may be used without patient authorization for:
    • Treatment
    • Payment
    • Health care operations
    • Public health or legal reporting requirements, only as explicitly permitted

4.2 Patient Rights

Patients have the right to:

  • Receive a Notice of Privacy Practices
  • Access and obtain a copy of their PHI
  • Request corrections to their PHI
  • Request restrictions on uses and disclosures
  • Request confidential communications
  • Receive an accounting of disclosures
  • File a complaint if they believe their rights have been violated

4.3 Administrative Safeguards
  • A designated Privacy Officer and Security Officer will oversee HIPAA compliance.
  • All workforce members must receive HIPAA training upon hire and annually thereafter.
  • Business Associate Agreements (BAAs) must be executed with all vendors who handle PHI on behalf of RRC.
  • Policies and procedures are reviewed and updated annually or as required by law.

4.4 Physical Safeguards
  • PHI stored in physical form must be secured in locked filing cabinets or rooms.
  • Only authorized personnel may access areas where PHI is stored.
  • Visitors must be escorted in secure areas.

5. Confidentiality Under 42 CFR Part 2

Due to the sensitive nature of SUD treatment:

  • Patient identifying information may not be disclosed without specific, written patient consent unless explicitly allowed under Part 2 exceptions (e.g., medical emergencies, court orders).
  • All staff must receive annual training on 42 CFR Part 2 compliance.