Policy Old

Serenity Treatment Center of Louisiana

Privacy & Procedure

SUBJECT: Information Management Technology Plan
DATE REVIEWED: August 2015, October 2016, 10/17, 10/18, 10/19, 10/20, 10/21


Serenity Treatment Center takes all precautions to ensure the efficiency, productivity, and security with the Information Management System that is currently in place. The present management information system does comply with all federal and state requirements on confidentiality, patient rights, protection of personal health information, and safeguarding of records. Serenity Treatment Center information system is web based and is securely encrypted protecting against violations in accessing company information. All data is secured to assure integrity, authentication, non­ repudiation, and audit ability is not compromised in anyway and is accessible to authorized personnel at all times.

Performance goals are set annually for each program and data is obtained through various means within the Information Management System. Annual reviews of the organization’s technology and systems will be conducted by the Compliance Officer. This evaluation of current performance levels and information management status will enhance the overall productivity and accessibility of our services.


The Technology and Systems plan encompasses several areas that are regulated by outsourced technology companies. The technology and information management systems are continuously assessed and improved upon. Updates occur on a regular basis and are reviewed for relevance. All leadership is actively engaged in planning related to the organization’s implementation of technology systems and solutions that support and enhance its business and service delivery system. This evaluation of current problems or errors that occur should be reported to Serenity Treatment Center’s IT department (administrator).


Technological evaluations will take place on an on-going basis.

  • Hardware and Software: Quarterly, the IT department will review system to assess versions used are most up-to-date and functioning properly.
  • Back-Up Policies: Data is web based and back up in not necessary.
  • Assisted Technology: Serenity Treatment Center has service agreement with the El\1R Company. Ongoing communication is available.
  • Virus Protection: Serenity Treatment Center currently uses Virus Protection on each computer. Each computer is configures to update weekly and perform full scan weekly. Serenity Treatment Center also has a firewall; providing unified threat management.
  • Disaster Recovery Preparedness: If a disaster should occur, the data is web based and will be available.
  • All users of patient information must be authorized by Serenity Treatment Center’s server with matching usemame and password.
  • Security: Security of Electronic Transmittals Policy is in place and does protect patient and organizational information from inappropriate or non-secure transmissions.
A. Confidentiality: Serenity Treatment Center has both Confidentiality Policies and Procedures in place which ensure that any patient or staff information is maintained under strict guidelines and regulations.


No electronic information is shared. The current systems are in compliance with HIPAA.


Currently no clinical services are provided through Serenity Treatment Center web site. People may retrieve information on our services, make treatment fee payments, contact personnel, and receive links for outside referral sources. Serenity Treatment Center web site is available 24 hours a day, seven days a week. At no time is staff allowed to use the computer for personal use including the internet services.


Annually goals are set for each program by the Executive Management Committee and monitored by the Compliance Officer to ensure programs are meeting the standards set in order to deliver the quality of care, meet the needs of the patients, and service the community. A Performance Analysis, including the system and services is conducted on an annual basis, or more frequently if needed, to review this process and relevance, and is updated as needed and required.


Information Management System: All equipment and technology systems are assessed annually for improving efficiency and productivity, communicating with persons served, and improving services to meet the needs of the communities we service. The Compliance Officer completes the Annual Risk Analysis Review and the Annual Outcomes Performance and submits the final summary to the Administrator.

Performance Improvement: As part of the Quality Assurance & Performance Improvement Plan, Serenity Treatment Center provides ongoing review and assessment of all aspects of the organization to ensure systems are effective and efficient in provision of services, programming, operations, and environment of care.



DATE REVIEWED: August 2015, October 2016, October 2017, October 2018, 10/19, 10/20, 10/21


The Health Insurance Portability and Accountability Act of 1996 mandates that all covered healthcare providers meet compliance by April 14th, 2003. HIPAA laws protect patients’ Personal Health Information (PHI) from being disclosed without consent and electronically on an unsecured site. The difference from 42 CFR Part 2 is that the latter protects substance abuse treatment patient rights and, in cases where it is more stringent, over rules HIPAA.


Serenity Treatment Center has incorporated into the administrative and clinical practices HIPAA policies and procedures that have been extracted from the Privacy Rule and summarized to communicate the key points to staff and persons served.


This form will be given to ALL persons coming into Serenity Treatment Center for an assessment. This notice must be posted in all offices and on the website as well. Beginning April 14th, 2003 every person given an assessment is to receive a Notice of Privacy Practice and Confidentiality and will sign acknowledging receipt. A copy will remain in the person’s chart.

If an Acknowledgement is not signed by the person, a “good faith” effort should be completed at the bottom of the Acknowledgement section and signed by the counselor. This remains in the person’s chart.

The Notice includes individual’s rights (HIPAA regulations 42 U.S.C. § 1320d et seq., 45 C.F.R. Parts 160 & 164, and the Confidentiality Law, 42 U.S.C. § 290dd-2, 42 C.F.R. Part 2) pertaining to his or her PHI and records, and how such rights may be exercised. It covers Serenity Treatment Center’s legal duties, describes the types of uses and disclosures that are permitted under this law, and how to file a formal grievance.


Serenity Treatment Center Release of Information form has been revised to allow revocation of the release in writing. Limitations on information desired released may be indicated on the form. Psychotherapy notes are covered under HIPAA, thus are considered Serenity Treatment Center’ property and are not required to be disclosed to the patient. In cases when a patient’s information is subpoenaed follow the RESPONDING TO A REQUEST FOR PATIENT RECORDS (INCLUDING SUPOENAS AND COURT MANDATES) CLINICAL PROTOCOL. All other PHI in the patient’s
chart is their property and can be requested by and copied for the patient.


HIPAA requires an accounting of disclosures, which is a list of disclosures made without consent or authorization (in order for treatment, payment, or health care operations). All Qualified Service Organization / Business Associate Agreements state that all inadvertent re-disclosures need to be reported to Serenity Treatment Center within 24 hours of the incident. If there are cases where information is disclosed without an authorization a disclosure log needs to be implemented in the patient’s chart.


A new policy (SECURITY OF ELECTRONIC TRANSMITTALS) has been created to explain allowances for unintended or incidental disclosures. Please review; however, this does not remove the need to obtain an authorization for releasing PHI.


Patients may update their records by completing the Request for Amending Personal Health Information form. Procedures for amending PHI can be found in CLINICAL PROTOCOLS.


New employees are trained in HIPAA within the first week of employment. Each staff member signs an agreement acknowledging the HIPAA regulations and penalties for violations of these regulations.

The minimal penalties are:
$100 per person per violation up to $25,000 or more.
Criminal – $50,000. fine and up to I year imprisonment or more for wrongful disclosure
Intent to sell, transfer or use PHI for gain is a $250,000, fine or more and up to 10 years imprisonment or more.



SUBJECT: Release of Information Consent/Confidentiality
DATE REVIEW: August 2015, October 2016, 10/17, 10/18, 10/19, 10/20, 10/21


In keeping with State and Federal guidelines protecting the confidentiality of patients’ medical record, information shall be released only upon the expressed written consent of the patient or patient’s conservator.


1. Upon admission to the program, patients shall complete Release of Information: consent forms. Both verbal and written. Patient must be specific as to who is authorized to receive information and their relationship to patient. The patient identifies what information is to be released and purpose of such information. The facility is then authorized to release information to only those parties listed.

2. In the event that patient is unable to give consent or denial, this inability shall be documented and daily attempts to acquire the consent/denials shall be made and documented. The consent expires one year from the date signed unless otherwise specified on the consent form.

3. With the patient’s written consent, the facility may release information to professionals other than program staff if the release is for making a referral, providing of services, or in the case of conservatorship for the patient.

4. Release may also be made to a non-professional if that party is assisting the patient to make a claim or receive assistance or aid to which the patient is entitled.

5. A patient has the right to revise or rescind his Release of Information at any time in writing.

6. If patient has conservator, the authorization or denial to release information may be obtained via the conservator’s signature.

7. Medical records will be responsible for Release of Information after patient is discharged.