Federal law requires behavioral health organizations to implement safeguards that ensure the confidentiality of sensitive service recipient information.

To minimize risk, ACHC Behavioral Health Accreditation Standards stipulate that your organization establish clear, well-defined policies and procedures for properly securing, protecting, and releasing confidential service recipient information.

Policies and Procedures

ACHC Standard BH2-6A addresses securing and releasing service recipient confidential and protected health information.

Standard BH2-6A: Written policies and procedures are established and implemented in regard to securing and releasing confidential and Protected Health Information (PHI) and Electronic Protected Health Information (EPHI).

The standard specifies items required to be addressed in policies and procedures, which include but are not limited to:

• A definition of protected health and confidential information and the types of information that are covered by the policy, including electronic information, telephone and cell phone communications, and verbal and faxed information.
• Persons/positions authorized to release PHI/EPHI and confidential information.
• Conditions that warrant its release.
• Persons to whom it may be released.
• Signature of the service recipient or responsible person authorized to act on the service recipient’s behalf.
• A description of what information the service recipient is authorizing the organization to disclose.
• Securing service recipient records and identifying who has authority to review or access records.
• When records may be released to legal authorities pursuant to court orders and subpoenas with appropriate documentation.
• The storage and access of records to prevent loss, destruction, or tampering of information.
• The use of confidentiality/privacy statements and who is required to sign a confidentiality/privacy statement.

Tips for Compliance

• Obtain a signed confidentiality statement from the governing body/owner and all personnel.
  • A confidentiality statement is a legal document. Its purpose is to have the individual affirm to refrain from obtaining or sharing service recipient confidential information without the proper consent.
• Designate an individual responsible for seeing that the confidentiality and privacy policies and procedures are adopted and followed.
  • The individual ensures that the organization complies with internal policies and regulatory requirements and works with staff to identify and manage any risk(s) for noncompliance.
• Upon admission, provide written information and discuss confidentiality/privacy of service recipient-specific information as included in the service recipient Rights and Responsibilities statement.
• Include signed release of information statements/forms in service recipient records when the organization bills a third-party payor or shares information with others outside the organization, as required by the federal Health Insurance Portability and Accountability Act (HIPAA) and other applicable laws and regulations.

Here to Help

ACHC is your partner in accreditation. For more information, contact your Account Advisor, email [email protected], or call (855) 937-2242, ext. 457.