One Health Center
One Health Center
  • Home
  • About us
  • Services
  • Contact Us
  • Location
  • More
    • Home
    • About us
    • Services
    • Contact Us
    • Location
  • Home
  • About us
  • Services
  • Contact Us
  • Location

Privacy Policy

PURPOSE: To provide guidelines regarding the management of private and confidential information. 


POLICY: One Health Center follows all applicable Federal, State, and local laws and regulations regarding the creation, disclosure, maintenance, storage and protection of a patient’s privacy relative to the healthcare records. This includes regulations such as the Privacy Act of 1974 and Health Insurance Portability and Accountability Act (HIPAA). 


POLICY STATEMENT: One Health Center works diligently to ensure privacy and confidentiality through

  • Limited Access: One Health Center allows only authorized personnel with legitimate need to know access to individual’s personal information
  • Transparency: One Health Center ensures that patients are informed of what information is being collected and how it is used
  • Data Minimization: One Health Center collects only information/data necessary to perform necessary functions. 
  • Individual Rights: Individuals have the right to access, correct, and restrict the use of their personal information.
  • Senior Official for Privacy: One Health Center has a designated official that oversees privacy practices and compliance. 


PROCEDURE:

1. HIPAA and Other Relevant Regulations 

HIPAA Privacy, Security, and Breach Notification Rules are Federal laws that created nation-wide standards to protect the privacy and security of health information and give patients' rights to their health information. Many parts of HIPAA law are stricter than California law, but in other instances, California law is stricter. Healthcare providers must follow the stricter rules. Therefore, the complexity of this management requires understanding of both California’s and HIPAA’s expectations.

  • a. Protected Health Information
    • i. Any information about health status, provision of health care, or payment for health care that is connected to a person.
      • 1. This broadly includes any part of a patient’s medical record or payment history.
      • 2. Common identifiers, such as name, address, birth date, and Social Security number
      • 3. Patients’ past or present, or future physical or mental health condition
      • 4. The past, present, or future payment for health care that is provided to patient
  • b. Privacy Rule
    • i. Protects PHI held or transmitted in any form, including electronic, paper, or verbal.
    • ii. Protects patients’ PHI while allowing the secure exchange of information to coordinate patients’ care. It also gives patients the right to:
      • 1. Examine and get copy of their medical records, including electronic copy of their medical records
      • 2. Request corrections
      • 3. Restrict their health plan’s access to information about treatments they paid directly


2. Implementation of Notice of Privacy Practices (45 CFR164.520)

  • a. One Health Center will have a Notice of Privacy Practices (NPP) accessible to patients and explained at first visit, or as soon as possible, if emergency exists. The NPP will address the following required elements:
    • i. NPP will be in plain language and available in languages to meet the needs of the demographics served by One Health Center.
    • ii. One Health Center will abide by the terms of the notice, maintain the privacy of the protected health information (PHI), and notify patients of any breach,
    • iii. One Health Center reserves the right to change the terms of the notice and provide the patient with the revised NPP,
    • iv. Each type of disclosure in the notice must provide sufficient detail as required by applicable laws, this includes:
      • 1. Types of uses and disclosures of PHI permitted for the purpose of providing treatment, billing, and health care operations, with description and at least one example
      • 2. Disclosures required by law without the patient’s authorization for purposes related to victims of abuse or domestic violence, victims of crime, threat to health and safety, or workman’s compensation or similar programs, with a description and example
      • 3. Disclosures permitted without the patient’s authorization for the purpose of fundraising, disclosures permitted with the patient’s permission for marketing, and the restrictions regarding such disclosures, with description and example
      • 4. Statement regarding other uses and disclosures that require a patient’s authorization,
      • 5. Statement that One Health Center may contact the patient regarding appointments and health-related benefits and services, as well as notifications regarding fundraising and right to opt out of receiving such notices,
      • 6. Statement describing the patient’s rights and how the patient may exercise these rights.
      • 7. Statement regarding the right to file a complaint regarding potential privacy violations with contact information for both the One Health Privacy Contact Person and the Secretary of the Department of Health and Human Services.
  • b. One Health Center will provide an NPP to each patient (or patient’s representative as appropriate) on the initial day of service and thereafter whenever there is a material change to the NPP. The patient/patient’s representative will be asked to sign an acknowledgement of receipt of the NPP which will be scanned into the patient’s record. If the patient/patient’s representative declines to sign the acknowledgement, efforts will be made to provide further education regarding the importance of signing. This process and outcome will be documented on the “Acknowledgement of Receipt of the Privacy Practice Notice” form.
  • c. One Health Center will post notices of the NPP in clear and prominent places in the service delivery areas where patients will likely read. Additionally, the NPP will be posted on the One Health Center’s website.
  • d. Revisions to the NPP will be made in accordance with regulatory or legal provisions, as necessary and appropriate.


3. Patient’s Rights (45 CFR §164.524)

Patients have the following rights:

  • a. Receive an NPP in either or both (if requested) a hard copy or electronic version, outlining patient’s rights as well as the responsibilities of One Health Center for management and disclosure of the patient’s PHI,
  • b. Request restrictions on certain uses and disclosures of PHI and receive a statement from One Health Center when One Health Center is not required to agree to this request,
  • c. Receive confidential communications of PHI,
  • d. Standard Access: Patients have the right to access to inspect, have copies made and/or make amendments to the PHI. Exceptions include
    • i. Psychotherapy notes
    • ii. Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding
  • e. Informed of a decision to deny access to PHI
  • f. Request a review of the denial where allowed by law.
    • i. If the denial was based upon “professional judgement” that indicates a likely endangerment to life or physical safety of the patient or other person and/or likely substantial harm to the patient or another person, the denial may be reviewed by the CMO or designee. Once the review is complete, the patient will be provided written notice of the determination.
    • ii. If the denial was based on any of the following circumstances, the denial would not be reviewable:
      • 1. Information anticipated to be used for possible civil, criminal or administrative action/proceeding
      • 2. Psychotherapy notes
      • 3. Information subject to Clinical Laboratory Improvements of 1988 (42 U.S.C. §263(a)
      • 4. Request is from an inmate and PHI information may jeopardize the health, security or safety of the inmate, inmates, institution staff or other persons responsible for the inmate
      • 5. The patient is a participant in a research study and has agreed to denial of access as a part of the study
      • 6. The information is subject to the Federal Privacy Act 5 U.S.C. §552(a)
      • 7. The PHI was obtained from a non-One Health Center clinician under the promise of confidentiality.

Process to attain records:

  • a. Patient must submit a written request for authorization to access the PHI
    • i. One Health Center staff will verify the authenticity of the request;
  • b. One Health Center has up to 30 days to fulfill this request or 60 days if the records are kept offsite.
    • i. If One Health Center is unable to meet the 30-day deadline, a written explanation as to reason for the delay and updated timeframe will be provided to the patient. This shall not to exceed an additional 30 days;
  • c. Records will be complete prior to patient access;
  • d. Only the portion of the record requested by the patient will be provided;
  • e. When copies are requested, One Health Center will provide a time frame for completion and charge a reasonable fee. Fees may be waived due to financial need.


4. Management of PHI Records and Documents

All electronic and hard copy records and documents that contain PHI will be stored and maintained in a manner that preserves the confidentiality and the integrity of the PHI. Only authorized persons will have access to the PHI.

  • a. Printed documents must be secured and under the protection of the individual who accessed the information and/or secured in an area that cannot be accessed by unauthorized individuals.
  • b. Electronic documentation will be stored on networks to which only authorized users have access. The CEO will assign rights to access the Electronic Health Records (EHR) to users based upon their job functions and responsibilities.
  • c. Providers may safely use laptops and remote locations for any patient related documentation directly into the EHR. No additional security steps need to be taken when using these devices for direct EHR documentation.
  • d. When transmitting any documents containing PHI, staff must take all necessary precautions to ensure that the information is not received or reviewed by any unauthorized person or entity.
  • e. When the PHI documentation concerns a known patient, this material will be filed in the patient’s medical record, or other appropriate location, within one day of receipt, or will be kept in a secured location until able to file.
  • f. When One Health Center receives PHI documentation that concerns a potential patient whose medical record has not been established:
    • i. The PHI will be stored in a secured location until a medical record has been established,
    • ii. One Health Center will confirm receipt with the sender and coordinate any follow-up needed,
    • iii. The medical records staff will alert the Appointment Schedulers regarding the potential patient and his/her PHI
    • iv. If it is been determined that One Health will not be treating the patient and there is no need to store the PHI, it will be destroyed per One Health policy,
  • g. One Health Center will maintain and store all PHI and patient relevant documentation for at least 6 years or the period defined by law regarding the maintenance of medical records.
  • h. When disposing any PHI, One Health will shred and secure prior to disposal. If a third-party vendor is used, the vendor will be expected to follow all guidelines regarding the management and disposal of PHI.


5. Disclosure of PHI – General

One Health Center, in accordance with all applicable laws and regulations, will only disclose PHI when authorization is required and provided by the patient or a person designated to act in the patient’s behalf, or when disclosure is legally required without patient authorization. When disclosing PHI, One Health Center will only disclose “minimally necessary” information to meet the purpose of the disclosure or request.

  • a. One Health will verify the identity and, if applicable, the authority of the person making the request for PHI disclosure. Additionally, when required, One Health will obtain any documentation, statements, or representations (oral and written) when needed to support the request to disclose or access PHI.
  • b. Required verification of identity and authority will not apply when disclosures are made by One Health with the patient’s oral agreement or as otherwise permitted by One Health policy governing disclosure to family members, friends and others involved in the patient’s care or notification purposes.
  • c. Patient is a minor
    • i. Disclosure of records is similar to that as an adult. If the minor has the right to consent for his/her own care, the minor usually has the right to access and restrict access to his/her record. There are some exceptions and in certain circumstances, the provider may have the option or be required to release information to the parents or guardian. These include when the minor is:
      • 1. Self-sufficient
      • 2. Sexual assault victim
      • 3. Recipient of outpatient mental health services
      • 4. Recipient of residential shelter services
      • 5. Recipient of substance abuse disorder services
    • ii. When the minor does not have the authority to consent to treatment, the parent or guardian is usually authorized to access the minor’s PHI. However, the following circumstances may need caution when allowing or limiting the parent or guardian access:
      • 1. Parent/guardian has agreed to allow confidentiality between the provider and the minor
      • 2. Providing access to the parent may be detrimental to the minor
      • 3. The minor’s record is blended with treatment that the minor has consented to and other treatment that the parent has consented to.
    • iii. In the absence of any applicable law, One Health will recognize the following situations where the parent or guardian will not be designated as the minor’s representative and therefore, will not be allowed access to the minor’s PHI without the minor’s authorization:
      • 1. Minor has consented for treatment
      • 2. No other consent is required by law
      • 3. The minor has not requested that the parent/guardian be recognized as his/her representative.
  • d. Patient is an adult
    • i. Patient has the ability to consent for treatment and this the authority to access and disclose PHI. However, if the patient meets one of the following circumstances, a patient representative may be the person providing consent:
      • 1. Patient has an agent designated by an Advance Directive- the agent only has authority if the patient is unable to make decisions or has given permission for the agent to act in his/her behalf regardless of whether he/she remains capable of making own decisions.
      • 2. Patient has a court appointed Conservator- the Conservator’s powers may be limited and the Conservator may only be able to access the patient’s PHI if the Court has authorized power over the person. It is recommended that the Court order be reviewed to confirm the Conservator’s authority to access PHI prior to releasing any information.
      • 3. Patient lacks the capacity to make decisions and there is no known designated representative- there is no one to authorize disclosure and OHC may need to seek legal advisement prior to any disclosure.


6. Disclosure of PHI Authorized by Law

  • a. One Health may disclose PHI for the purpose of mandated reporting:
    • i. Child Abuse,
    • ii. Dependent Adult Abuse,
    • iii. Victims of Crime,
    • iv. Intimate Partner Abuse (AKA: Domestic Violence), and
    • v. Any situation where there is reasonable suspicion of imminent harm or threat to safety ex: 5150, Tarasoff.
      • 1. Disclosure is generally given to local protective service agencies and/or law enforcement and should be limited to the “minimally necessary” information to complete the reporting process. Because California laws may be stricter regarding releasing information beyond the “minimally necessary”, One Health may require a subpoena or court order when additional information is requested unless the release is authorized by the patient.
  • b. Law Enforcement Purposes- One Health may provide the following limited PHI to law enforcement for reporting a death for investigation or when requested by law enforcement for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person:
    • i. Name and address
    • ii. Date and place of birth
    • iii. Social Security Number
    • iv. ABO blood type and rh factor
    • v. Type of injury (if applicable)
    • vi. Date and time of treatment
    • vii. Date and time of death if applicable
    • viii. Description of distinguishing physical characteristics.
    • ix. The patient should be notified when any of the above disclosures are made unless it is believed that informing the patient or patient representative would put the patient at risk of harm or would not be in the best interest of the patient.
  • c. Workers’ Compensation and Other Similar Programs- One Health may disclose PHI without the patient’s authorization to workers’ compensation insurers, state administrators, employers, and other persons and entities in workers compensation systems for the purpose of:
    • i. Providing benefits for work-related injuries and illnesses,
    • ii. Payment of healthcare provided to the injured/ill worker.
  • d. Marketing and Fund-Raising
    • i. One Health may disclose PHI without the patient’s consent in the form of demographic information or dates of service for the purpose of fund-raising.
      • 1. One Health will notify the patient regarding the ability to opt out of any fund-raising communications.
    • ii. One Health will obtain consent prior to using or disclosing any PHI for the purpose of marketing.


7. Use of Telehealth

  • a. Telehealth is remote treatment via the use of technology including phone (audio), texts, emails, and audio-visual platforms. Due to the fact that security and confidentiality of most technology cannot be absolutely guaranteed, the following guidelines have been adopted to provide safeguards for One Health patients.
    • i. One Health will use technology that is HIPAA compliant wherever possible.
    • ii. One Health will ensure that staff is trained or familiar with the technology used to ensure safe practices.
    • iii. All reasonable steps will be taken to protect the privacy and confidentiality of the telehealth sessions.
    • iv. One Health will follow all applicable regulations, laws and community standards when it comes to the use of telehealth and the patient’s/client’s rights.
    • v. One Health will make all reasonable efforts to verify the patient’s identity with each use of telehealth.
    • vi. One Health will assess the patient’s/client’s ability to participate effectively with each session.
    • vii. Patients/clients will be provided informed consent which includes possible risks such as technology or security failures and benefits such as convenience, increased access to care, and more flexible scheduling.
    • viii. Since telehealth occurs where a patient/client is located, One Health prohibits the use of telehealth when a patient is out of state, avoiding potential conflicts with other state regulations and practicing without a license in another state.
    • ix. The use of social media when interacting with any patient/client is prohibited.
  • b. Telehealth will only be used when:
    • i. Appropriate to a client’s need,
    • ii. In-person treatment is not available or not appropriate,
    • iii. Crisis availability is needed,
    • iv. Professional interventions with clear guidelines for the patient regarding the use of telehealth and contacts outside scheduled sessions.


8. Patient Electronic Communications

  • a. Collection and use of patient contact information for electronic communication:
    • i. Mobile numbers and e-mail addresses will be collected to communicate with patients via text messages (SMS and/or RCS) and e-mail for purposes such as appointment reminders, billing notifications, and care coordination.
    • ii. Contact information will not be sold or shared beyond service providers (e.g. those directly involved in delivering messages such as messaging vendors, telecom providers, etc.) and will not be used for unrelated marketing without consent.
  • b. Maintaining patient electronic communication methods:
    • i. Web Portal – Electronic communication methods can be modified at any time by the patient via the Welcome patient portal.
    • ii. Health Center Employee – A health center employee can assist the patient with updating or changing their communication methods either by phone or in person.
    • iii. Texting – Patients can text STOP to opt out of text communications.
  • c. Electronic communication HIPAA compliance:
    • i. Electronic communications sent via text (SMS and RCS) as well as e-mail may not be fully HIPAA compliant. Content of these messages will be restricted to non-sensitive notifications. Any messages containing detailed Protected Health Information (PHI) will be sent via a separate, secure messaging channel.


References: CMS.gov; HHS.gov; California Department of Health Care Services

45 CFR §164.520, 45 CFR §164.514, 45 CFR §164.522, 45 CFR §164.530, 45 CFR §164.501, 45 CFR §164.502, 45 CFR §164.524, 42 CFR §493.3, Clinical Laboratory Improvements 

Amendments of 1988, 42 U.S.C. §263(a), Federal Privacy Act 5 U.S.C §552(a), 45 CFR §164.508, 45 CFR §164.512 

Copyright © 2026 One Health Center - All Rights Reserved.

  • Home
  • Services
  • Contact Us
  • Location
  • Who we are
  • Why choose us?
  • Our history
  • Privacy Policy

This website uses cookies.

We use cookies to analyze website traffic and optimize your website experience. By accepting our use of cookies, your data will be aggregated with all other user data.

Accept