Notice of Privacy Practices

Circare has adopted the following policies and procedures for protection of the privacy of the people we serve.

Privacy Policy

In the course of our work, we create or receive confidential information about individuals. This includes information about their life history, their physical or mental health, and financial information. Circare has an ethical and legal obligation to safeguard the privacy of that information. We will only use or disclose protected health information¹ about individuals as permitted or required by law and by these policies and procedures.

Administration of our Privacy Program

These policies and procedures were approved by our Board of Directors on March 31, 2025. They are effective as of April 1, 2025.

Our Privacy Officer is Kira Vasquez. The Privacy Officer is responsible for oversight of implementation of our privacy policies and procedures. The Privacy Officer can be reached at 315-474-5506.

Our Contact Person is Kira Vasquez. Questions about our policies and procedures, requests to exercise individual rights, and privacy complaints should first be directed to the Contact Person. The Contact Person can be reached at 315-474-5506 or by emailing compliance@helio.health.

Posting of Notice of Privacy Practices. We will post our Notice of Privacy Practices in our waiting areas and on our web site.

Business Associates. Some people or organizations (other than employees) provide services to assist in our clinical or business operations and, as a result, require access to protected health information. As required by federal rules, we enter written agreements with each of these “business associates” which require them to safeguard the protected health information and restrict its use and disclosure. Breach of these requirements is grounds for termination of the business relationship.

Personnel Policies and Staff Training. Our personnel policies require all employees to abide by these privacy policies and procedures. All staff will be trained about our privacy policies and procedures.

Ownership of records. The clinical record and other protected health information about individuals created by Circare is the property of Circare.

Maintenance of records including protected health information. Service records and financial records that include protected health information will be maintained based on program regulations and/or best practices.

Disposal of records of protected health information. When disposing of records, papers or electronic media that include protected health information: (a) written materials must be shredded; and (b) electronic media (such as computer hard drives, floppy disks, and CDs) must be “wiped” clean using software programs designed to eliminate “ghost images” of deleted files or physically destroyed according to retention policies.

Our use of information about individuals

Access to protected health information. Our employees and contractors who perform services on our behalf may have access to protected health information as necessary to enable them to perform their work. All employees and contractors are expected to limit their requests for access to information about individuals to the information they need for their own work.

Use of Computer Systems. Access to protected health information stored on our computer systems will be controlled to ensure that people only have access to information that is relevant to their work.

On-Site Storage of Records. All paper records must be stored in a locked file room or in locked file cabinets. A staff person who needs a record must sign-out the record and sign it back in when it is returned. Records must be returned to the locked file room or locked filing cabinet at the end of the workday. If it is necessary to keep a record overnight, the record must be stored in a locked filing cabinet or locked desk drawer.

Transporting and Off-Site Storage of Paper Documents. At times Circare staff working in the community and Circare staff who work from a location other than the agency’s main office may have a need to transport and/or store paper documents containing protected health information {PHI) off-site. When such circumstances arise, the following safeguards are required.

• Before transporting and/or storing paper documents containing PHI off-site, staff must receive approval from their direct supervisor.
• Only transport and/or store off-site the minimum necessary PHI needed to accomplish the intended task.
• While in transit, paper documents containing PHI must:
  • be kept in a zippered/latched folio, zipper/latched attache, or similar approved carrycase, and
  • always remain under the staff person’s possession and under their direct control (never leave PHI in an unattended vehicle).
• Paper documents containing PHI must only be stored in a pre-approved off-site location in a locked filing cabinet, locked drawer, or other approved lockable storage container.
• When working on paper documents containing PHI off–site, adequate precautions must be taken to prevent the disclosure of PHI.
• The destruction of paper documents containing PHI must be done at the agency’s main office using approved destruction methods or, when at an approved off-site location, using a crosscut shredder. Documents shredded off-site must be disposed of as trash and not recycled.
• Report the loss, theft, or unauthorized disclosure of PHI to the Privacy Officer immediately upon discovery.

Use for treatment. payment and health care operations. We will use protected health information as necessary to deliver services, seek payment or pay claims for services, and to operate our programs. We inform patients that we will use their information for these purposes in our Notice of Privacy Practices. It is not necessary to obtain a specific authorization for our own use of protected health information for these purposes.

Communications with patients. As needed, we will communicate with individuals about our service to them. Communication may be by telephone (voice or text), mail, or electronic mail. We will respect individual requests for confidential communications and communication preferences. We may telephone (voice or text) individuals to remind them of appointments. Under no circumstances will written notes or messages for participants be left in public places, including porches, the doors of their residence, or other areas where the general public would have access to the message and it could identify the individual as a participant of our services.

We may contact individual patients to provide information about treatment alternatives or health related services or benefits that may be of specific interest to the individual. We will not contact individuals for marketing purposes without their written permission.

SMS Text Messaging. Patients will need to consent to communications via text. Frequency of texting may vary; data and message rates may apply. To opt out text ‘STOP’ at any time. For assistance text ‘HELP’ or visit our website at https://cir.care/. Visit https://cir.care/notice-of-privacy-practices/ for privacy policy and https://cir.care/contact/ for Terms of Service.

SMS Terms & Conditions

Consent for SMS Communication
Information and phone number/s obtained as part of the SMS consent process will not be shared with third parties for marketing purposes.

Types of SMS Communications
If you have consented to receive text messages from CIRCARE, you may receive text messages related appointments and follow-ups.

Example: “Hello, this is a friendly reminder of your upcoming appointment with [Caseworker Name] at [Location] on [Date] at [Time] with CIRCARE. Reply STOP to opt out of SMS messaging at any time.”

Message Frequency:
Message frequency may vary depending on the type of communication. For example, you may receive up to five SMS messages per week related to your appointments, follow-up messages, etc..

Example:
“Message frequency may vary. You may receive up to 5 SMS messages per week regarding your appointments or account status.”

Potential Fees for SMS Messaging:
Please note that standard message and data rates may apply, depending on your carrier’s pricing plan. These fees may vary if the message is sent domestically or internationally.

Opt-In Method:

You may opt-in to receive SMS messages from CIRCARE in the following ways:

• by filling out an online form
• filling out a paper form

Opt-Out Method:
You can opt out of receiving SMS messages at any time from Circare. To do so, reply “STOP” to any SMS message you receive. Alternatively, you can contact us directly to request removal from our messaging list.

Help:
If you are experiencing any issues, you can reply with the keyword HELP or you can get help directly by calling us at 315-474-5506 or visiting us at https://cir.care/.

Standard Messaging Disclosures
Message frequency may vary.
Message and data rates may apply.
You can opt-out at any time by texting “STOP.”
For assistance, text “HELP” or visit our Privacy Policy page.

Disclosure of protected health information to third parties

Minimum necessary standard. Ordinarily, we will ask people or organizations who request disclosure of protected health information to limit their request to that information which is the minimum necessary to enable them to perform their function. If there is a concern that a request is unreasonable, the matter should be referred to the Privacy Officer. This rule does not apply to disclosures for treatment purposes, disclosures to individuals who request their records, and disclosures to regulatory agencies such as the NYS Office of Mental Health, NYS Department of Health, and Department of Health and Human Services.

Disclosure to arrange treatment of an individual. We will disclose protected health information to health care providers as required to arrange for treatment or services to an individual.

It is our policy to obtain a general written permission from individuals to our disclosure of general health information for purposes of arranging services necessary to carry out our role delivering services. Individuals may be asked to sign a RHIO consent form, Regional Health Information Organization, and/or a PSYCKES consent form, Psychiatric Services and Clinical Knowledge Enhancement System for Medicaid to facilitate services.

When indicated, it is also our policy to obtain specific written permission from individuals, in the form of an Authorization, before disclosing their health information to a specific health care provider or other entity for purposes of arranging treatment or services.

Disclosure for purposes of payment for services. We will disclose protected health information as needed to engage in billing and payment activities related to service to individuals. This includes billing, claims payment, and coordination of benefits. It also includes utilization reviews for purposes of determining the medical necessity of the service delivered. We will disclose protected health information, as needed for our payment transactions or for the payment transactions of a health care provider or a health plan. The information disclosed will be limited to that necessary to accomplish the transaction.

Disclosure for health care operations. We will disclose protected health information as required to support our own health care operations or the health care operations of another health care organization that has a relationship with an individual. For example, we will disclose information to organizations that review our operations to determine if we meet national standards for quality of care. These reviews may be conducted at our request or at the request of a health benefits plan that pays for service to an individual.

Emergencies. We will disclose protected health information as needed to enable health care providers and others to provide emergency care to an individual. An emergency is a situation in which there is an immediate and serious risk to a person’s physical or mental health, and the information requested is needed to provide treatment. It is not necessary to obtain written permission for the release of protected health information in an emergency. The fact of the disclosure should be noted in the individual’s record.

Disclosures to family and others involved in care of an individual. Adult patients have the right to control disclosure of their information to third parties, including family members and friends. But if circumstances suggest that the individual does not object to disclosure, it is permissible to share information with family members or friends involved in care of an individual. If the individual is present or available when PHI is to be disclosed to a relative, friend or other third party, we must give the individual the opportunity to refuse disclosure. If, under the circumstances, the individual is not present or the individual cannot object or agree, we may use professional judgement and infer whether the individual agrees or objects. The information shared should be limited to that which is necessary to enable the family member or friend to assist the individual.

Written permission is not required. It is not necessary to note the disclosure in the individual’s record. If an individual objects to disclosure to any or all family members or friends, his or her wishes must be respected.

Disclosures to health oversight agencies. We will disclose protected health information to the Department of Health and Human Services as required for DHHS to audit compliance with federal law and rules for privacy of health information, and to audit our compliance with the requirements of the Medicaid program. We will also disclose infqrmation to state and local government agencies that have legal authority to review our operations. Written permission is not required. A note of the disclosure should be made in the individual’s record.

Disclosures to child protection agencies. As New York State mandated reporters, we will disclose protected health information as needed to comply with state law requiring reports of suspected incidents of child abuse or neglect. Written permission is not required.

Other disclosures without written permission. There are other circumstances in which we may be required to disclose protected health information without the permission of the individual who is the subject of the record. They include disclosures made:

• Pursuant to court order;
• To public health authorities;
• To law enforcement officials in some circumstances;
• To correctional institutions regarding inmates;
• To federal officials for lawful military or intelligence activities;
• To coroners, medical examiners and funeral directors;
• To researchers involved in approved research projects; and
• As otherwise required by law.

In each case, the request for disclosure should be referred to the Privacy Officer. Written permission of these disclosures is not required. A record should be made of the disclosure.

Disclosures with permission of individuals. No other disclosure of protected health information will be made unless the individual who is the subject of the record gives written authorization for the specific disclosure. A valid authorization form will be used to document this permission. Routine requests for disclosure will be handled by program, pursuant to our policies. Any concerns will be referred to the Privacy Officer. A copy of any Authorization will be maintained by the agency.

Working with individuals regarding use and disclosure of protected health information about them

Notice of Privacy Practices. We will provide each person who presents himself or herself for services with a copy of our Notice of Privacy Practices. This will be provided the first time an individual appears for service after April 14, 2003. If we change our Notice of Privacy Practices, we will post the revised Notice on our website and provide a copy to individuals upon request. If an individual has difficulty reading or understanding a written Notice, a member of the staff will_explain it.

Acknowledgement of receipt of Notice of Privacy Practices. Each person who receives a Notice of Privacy Practices will be asked to acknowledge receipt of the Notice. If the person refuses or is unable to sign an acknowledgement, a note will be made in the individual’s record to confirm that the notice was provided.

Authorization of disclosure of protected health information. At the time an individual begins treatment, he or she will be asked to give specific written permission for our use of protected health information for treatment purposes, and for disclosure of information about them to specific people or organizations.

Rights of Individuals

Presumption of competency. Unless a court finds a person to be incapable of making personal decisions, adults are presumed to be competent, regardless of their physical or mental condition.

Personal representatives. A “personal representative” is a person who has the right to make health care decisions on behalf of an individual. The parent or legal guardian of a young child is the child’s “personal representative”. The personal representative of an adult would ordinarily be his or her spouse or another member of the immediate family. An individual can also grant another person the right to act as his or her personal representative in an advance directive or living will.

Personal representatives may exercise the rights of adult patients if the adult is incapable of making a decision about use or disclosure of protected health information.

Parents or legal guardians of minors exercise the rights of the minor, with some exceptions. In some cases, adolescents who are “mature minors” may make their own decisions about receiving treatment and disclosure of protected health information about them.

Any question about the rights of a person or organization claiming to be the personal representative of an individual should be referred to the Privacy Officer.

Domestic abuse. Disclosure of protected health information to personal representatives may be limited in cases of domestic or child abuse. If this situation may exist, the matter should be referred to the Privacy Officer.

Restrictions on consent. An individual may request restrictions on disclosure of protected health information about them that is used for treatment, payment or health care operations.

It is our policy to accommodate reasonable requests that will not disrupt service. Any such request should be forwarded to the Contact Person.

Right to revoke a Consent or Authorization. An individual person may, at any time, revoke Consent or Authorization to use or disclose protected health information. We will honor the person’s wishes and discontinue use and disclosure as directed. The revocation will not affect any previous use or disclosure permitted by the individual. The individual will be asked to sign a written confirmation of the revocation.

In the case of a revocation of Consent to use and disclosure for purposes of treatment, payment or health care operations, the individual may be advised that it will not be possible to continue service without such permission.

A revocation of Consent or Authorization should be documented in the individual’s record and Privacy Officer should be notified.

Right to request confidential communications. Any patient may request that our communications with them be made in a private manner. If the individual provides a method to assure payment for services, we will accommodate that request. If the request is granted, the Privacy Officer, scheduling, and billing departments must be notified. A note must be made in the individual’s record.

Right to review and copy record. Individuals have the right to review and receive copies of records used to make decisions about them. These records are called the “designated record set”. They include the clinical record, and financial records.

An individual request to see a record will be accommodated unless a clinical professional determines that disclosurewould create a substantialrisk of physical harm tothe individualor a third party.(The riskof emotional harm is not sufficient to limit access.)(Please note that disclosure to a personal representativemay create a risk ofphysical harm if there is an abusive relationship.)Circaremay request an opportunityto review the recordwiththe qualifiedperson,butsuchreviewwill notbe aprerequisiteforfurnishingthe record.

Information supplied in confidence by third parties may be redacted from the record provided to the individual. Protected health information about other persons may also be redacted from the record.

If an individual asks for a copy of his/her record, we will provide one.

Requestsforaccesstorecordsshouldbeinwritingandaformwillbeprovided.Circarewillprovidean opportunitywithin10daysofarequestforaccesstoinspectormakeavailableacopyoftherecord,orboth.If another format isrequested andreadilyavailableinaddition to acopyorinspection oftheoriginal,it willbe provided.Circarewillarrangeaconvenient timeandplacefortheindividualortheirqualifiedrepresentativeto inspect or copy the record.

Right to “amend” record. Individuals have the right to request an addition to record if they believe an error has been made. Any such request must be referred to the Contact Person. A supervisor will review the request. If there is a mistake in the record, a note will be entered to correct the error. If not, the individual will be given the opportunity to add a short statement to the record explaining why he or she believes there is an error. If this information might affect decisions about the individual, these additions to the record will be forwarded to third parties to whom protected health information has been disclosed.

Right to an accounting. Individuals have a right to an accounting of disclosure of their protected health information other than disclosures that occur in the context of treatment, payment or health care operations, or disclosures authorized by the individual. We will provide an accounting of any such disclosure made in the preceding six years. We will suspend for disclosures to law enforcement authorities if requested in the case of an active criminal investigation. Requests for an accounting should be referred to the Contact Person.

Prohibition against intimidation, retaliation or waiver of legal rights. Circare will not intimidate or retaliate against individuals who wish to exercise their legal rights as explained in this policy. Nor will we ask individuals to waive these legal rights.

Mitigation. If there is an unauthorized disclosure of protected health information, Circare will make an effort to mitigate any damage to the individual whose record is disclosed. The Privacy Officer should be immediately informed of any unauthorized disclosure of protected health information about an individual.

Response to requests to exercise individual rights. We will respond within ten days to any request by an individual to exercise the rights described above. If we are unable to provide a complete response within ten days, we will notify the individual within the first ten days, and provide a complete response within thirty days of the initial request.

Enforcement

Employees of Circare who violate any part of this policy are subject to disciplinary action up to and including dismissal.

Circare reserves the right to immediately terminate for cause any contract or business relationship with any User who violates any part of this policy.

Questions about this Policy

Questions about this policy for use of protected health information should be directed to:
Kira Vasquez
315-474-5506

Policy Review

Last reviewed 02–06–2025.
Last updated 03–31–2025.
Next review on or before 02–06-2026.

_______________________

¹Throughout these policies and procedures, we use the term “protected health information”. This means any information that we create or receive that relates to the past, present or future physical or mental health or condition of an individual or payment for services to the individual, and which identifies or can be used to identify the individual.