This Notice describes how Identifiable Health Information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
This Revised Notice of Privacy Practices is effective as of February 17, 2010. If you have any questions about this notice, please contact the Center for Disability Services (CFDS) Privacy Officer, at 518-944-2129.
Note: If you cannot give permission due to an emergency, CFDS may release health/clinical information in your best interest. We must tell you as soon as possible after releasing the information. This notification will be made in writing. You may revoke your authorization at any time. If you revoke your authorization in writing, we will no longer use or disclose your health/clinical information for the reasons stated in you authorization. We cannot, however, take back disclosures we made before you revoked and we must retain health/clinical information that indicates the services we have provided to you.
Breach means the acquisition, access, use or disclosure of protected health information in violation of the HIPAA privacy rule that compromises the security or privacy of the information. The phrase “compromises the security or privacy of health information” means poses a significant risk of financial, reputational or other harm to the individual.
If a breach occurs and we determine that the breach poses significant harm to the individual, we will provide written notice to the individual affected as described below. In order to determine whether the breach poses significant harm to the individual, we will perform a fact-based risk assessment that includes consideration of the following factors: (i) who or what type of entity received access to the information; (ii) steps taken to mitigate harm, such as obtaining satisfactory assurances (e.g., a confidentiality agreement) from the recipient that the information will not be further used or disclosed, or will be destroyed; (iii) if the information was returned prior to it being accessed for an improper purpose; and (iv) the nature, type and amount of information used or disclosed.
A. Notice to the Individual
The required notice will be sent without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. A breach will be treated as discovered by us as of the first day on which the breach is known to us. The notice will be written in plain language and will contain the following information: (i) a brief description of what happened, the date of the breach, if known, and the date of discovery; (ii) the type of PHI involved in the breach; (iii) any precautionary steps the individual should take; (iv) a description of what we are doing to investigate and mitigate the breach and prevent future breaches; and (v) contact information for us, including a toll-free telephone number, e-mail address, website or postal address.
The notice will be sent by first-class mail or by email, if the individual has specified a preference for communication by email. If contact information for the individual in question is insufficient or out-of-date, we may contact the individual by telephone or other permissible alternate method of communication. If the notification is of an urgent nature because of possible imminent misuse of unsecured health information, we may contact the individual by telephone or other means, as appropriate, in addition to the written or other forms of notice.
B. Notice to the Media
In the event of a breach affecting more than 500 residents of a State or jurisdiction, we will, without unreasonable delay and in no case later than 60 calendar days after discovery of the breach, notify prominent media outlets serving the State or jurisdiction.
C. Notice to HHS
For breaches affecting fewer than 500 individuals, we are required to maintain an annual log of such breaches and provide a copy of such log to HHS within 60 days of the end of the calendar year. For breaches affecting 500 or more individuals, we are required to notify HHS at the same time notice is provided to the individual.
D. Law Enforcement Delay
Following a breach, we may delay transmission of any of the required forms of notice if we are informed by a law enforcement official that such notice would impede a criminal investigation or cause damage to national security.