HIPAA Compliance Statement


OCHRC maintains confidentiality in accordance with applicable federal and state laws and regulations; including, but not limited to, 42 CF.R. part 2, confidentiality of alcohol and drug abuse client records, and the Health Insurance Portability and Accountability Act of 1996.


OCHRC staff access to an individual client’s records, treatment information, diagnosis or other protected information is limited to access and disclosure in accordance with applicable federal and state laws and regulations.

Storage of client records shall be in accordance with all applicable and federal state laws and regulations. Records will be released to staff only when necessary, appropriate, and admissible by state and federal law. Records shall be stored in one or both of the following:

1.      The Clinical Director’s office in a locked filing cabinet.

2.      HIPPA compliant Electronic Health Record service, KIPU.

KIPU, LLC including KIPU CRM/EMR and OutcomeTools, is fully compliant with the HIPAA Standards for Privacy, Electronic Transactions and Security (including the HITECH Act and the Omnibus Rule of 2013). KIPU has implemented policies, processes, and procedures designed to ensure compliance with Federal and State information security laws, regulations, and rules, and monitors ongoing compliance efforts with assistance from Compliancy Group LLC. This process includes a risk analysis of administrative (policies and procedures), technical (all devices connecting to or storing ePHI, e.g., routers, firewalls,

servers, workstations) and physical (paper shredding, alarm systems, and general security of each site) controls as well as disaster recovery planning.

All employees will receive the confidentiality policy, including summaries of HIPPA and 42

C.F.R. part 2. Upon hire and orientation, employees will sign and date an acknowledgement of receipt which will be kept in their employee file.

Health Insurance Portability and Accountability Act of 1996 (HIPAA) HIPAA Security Rule

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.

HIPAA Privacy Rule

The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information”) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.” The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well- being. The Privacy Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing.

Permitted Uses and Disclosures

A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations:

·  Disclosure to the individual (if the information is required for access or accounting of disclosures, the entity MUST disclose to the individual)

·  Treatment, payment, and healthcare operations

·  Opportunity to agree or object to the disclosure of PHI (Informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object)

·  Incident to an otherwise permitted use and disclosure

Public interest and benefit activities—The Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission, for 12 national priority purposes:

·  When required by law

·  Public health activities

·  Victims of abuse or neglect or domestic violence

·  Health oversight activities

·  Judicial and administrative proceedings

·  Law enforcement

·  Functions (such as identification) concerning deceased persons

·  Cadaveric organ, eye, or tissue donation

·  Research, under certain conditions

·  To prevent or lessen a serious threat to health or safety

·  Essential government functions

·  Workers compensation

·  Limited dataset for research, public health, or healthcare operations

HIPAA Security Rule

While the HIPAA Privacy Rule safeguards protected health information (PHI), the Security Rule protects a subset of information covered by the Privacy Rule. This subset is all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. This information is called “electronic protected health information” (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing.

To comply with the HIPAA Security Rule, all covered entities must do the following:

·  Ensure the confidentiality, integrity, and availability of all electronic protected health information

·  Detect and safeguard against anticipated threats to the security of the information

·  Protect against anticipated impermissible uses or disclosures

·  Certify compliance by their workforce

Covered entities should rely on professional ethics and best judgment when considering requests for these permissive uses and disclosures. The HHS Office for Civil Rights enforces HIPAA rules, and all complaints should be reported to that office. HIPAA violations may result in civil monetary or criminal penalties.

For more information, visit the Department of Health and Human Services HIPAA website.

42 C.F.R. Part 2

42 C.F.R. Part 2 applies to any individual or entity that is federally assisted and holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment, or referral for treatment. It protects client identifying information that would identify a client as an alcohol or drug client, either directly or indirectly and any information, whether or written, that would directly or indirectly reveal a person’s status as a current or former client.

Part 2 generally requires a patient’s written consent before making a disclosure of protected records. Patient consent must always be written and include specific information about the recipient of the records and the records to be shared.

Part 2 generally requires a special court order before your records can be shared with law enforcement or a court. A subpoena, general court order, search warrant, or official request is not enough for law enforcement to access your treatment information.

Part 2 permits the disclosure of information under certain circumstances without consent during a medical emergency or in other limited situations. If a Part 2 program (or a healthcare provider that has received Part 2 patient information) believes that there is an immediate threat to the health or safety of any individual, there are steps described below that the Part 2 program or healthcare provider can take in such a situation:

Notifications to medical personnel in a medical emergency: A Part 2 program can make disclosures to medical personnel if there is a determination that a medical emergency exists, i.e. there is a situation that poses an immediate threat to the health of any individual and requires immediate medical intervention [42 CFR §2.51(a)]. Information disclosed to the medical personnel who are treating such a medical emergency may be redisclosed by such personnel for treatment purposes as needed.

Notifications to law enforcement: Law enforcement agencies can be notified if an immediate threat to the health or safety of an individual exists due to a crime on program premises or against program personnel. A Part 2 program is permitted to report the crime or attempted crime to a law enforcement agency or to seek its assistance [42 CFR

§2.12(c)(5)]. Part 2 permits a program to disclose information regarding the circumstances of such an incident, including the suspect’s name, address, last known whereabouts, and status as a patient in the program.

Reports of child abuse and neglect: The restrictions on disclosure do not apply to the reporting under State law of incidents of suspected child abuse and neglect to the appropriate State or local authorities. However, Part 2 restrictions continue to apply to the original alcohol or drug abuse patient records maintained by the program including their disclosure and use for civil or criminal proceedings which may arise out of the report of suspected child abuse and neglect [42 CFR § 2.12(c)(6)]. Also, a court order under Part 2 may authorize disclosure of confidential communications made by a patient to a program in the course of diagnosis, treatment, or referral for treatment if, among other reasons, the disclosure is necessary to protect against an existing threat of life or of serious bodily injury, including circumstances which constitute suspected child abuse and neglect [42 CFR

§ 2.63(a)(1)].

Court ordered disclosures: Under the regulations, Part 2 programs or “any person having a legally recognized interest in the disclosure which is sought” may apply to a court for an order authorizing disclosure of protected patient information [42 CFR § 2.64]. Thus,if there

is an existing threat to life or serious bodily injury, a Part 2 program or “any person having a legally recognized interest in the disclosure which is sought” can apply for a court order to disclose information.

Once Part 2 information has been initially disclosed (with or without patient consent), no redisclosure is permitted without the patient’s express consent to redisclose or unless otherwise permitted under Part 2. Disclosures made with patient consent must be accompanied by a statement notifying the recipient that Part 2 redisclosure is prohibited, unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by Part 2 (42 CFR § 2.32). When disclosures are made without patient consent under the following circumstances, limited redisclosures without obtaining the patient’s consent: are permitted, such as medical emergencies [42 CFR § 2.51], child abuse reporting [42 CFR § 2.12(c)(6)], crimes on program premises or against program personnel [42 CFR § 2.12(c)(5)], and court ordered disclosures when procedures and criteria are met [42 CFR §§ 2.61-2.67]. When disclosures are made under the following circumstances the recipient is prohibited from redisclosing the information without consent, except under the following restricted circumstances:

Research: Researchers who receive patient identifying information are prohibited from redisclosing the patient-identifying information to anyone except back to the program [42 CFR § 2.52(b)].

Audits and Evaluations: Part 2 permits disclosures to persons and organizations authorized to conduct audits and evaluation activities, but imposes limitations by requiring any person or organization conducting the audit or evaluation to agree in writing that it will redisclose patient identifying information only (1) back to the program, or (2) pursuant to a court order to investigate or prosecute the program (not a patient), or (3) to a government agency that is overseeing a Medicare or Medicaid audit or evaluation [42 CFR

§ 2.53(c)(d)].

Qualified Service Organization Agreements (QSOAs): Part 2 requires the QSO to agree in writing that in receiving, storing, processing, or otherwise dealing with any information from the program about patients, it is fully bound by Part 2, it will resist, in judicial proceedings if necessary, any efforts to obtain access to information pertaining to patients except as permitted by Part 2, and will use appropriate safeguards to prevent the unauthorized use or disclosure of the protected information [42 CFR § 2.11]. In addition, QSOAs may allow disclosure in certain circumstances.

Authorizing Court Orders: When information is disclosed pursuant to an authorizing court order, Part 2 requires that steps be taken to protect patient confidentiality. In a civil case, Part 2 requires that the court order authorizing a disclosure include measures necessary to limit disclosure for the patient’s protection, which could include sealing from public scrutiny the record of any proceeding for which disclosure of a patient’s record has been ordered [42 CFR § 2.64(e)(3)]. In a criminal case, such an order must limit disclosure

to those law enforcement and prosecutorial officials who are responsible for or are conducting the investigation or prosecution, and must limit their use of the record to cases involving extremely serious crimes or suspected crimes. For additional information regarding the contents of court orders authorizing disclosure, see 42 CFR § 2.65(e).

An image of Ohio Community Health staff

Christopher Glover CDCA

My name is Christopher Glover, and I am from Cincinnati, Ohio. I am currently in school and working to grow in competence to better support our community. As a recovering individual I know the struggles that you or a loved one can go through and that there is help for anything you may be struggling with.

The hardest part is asking for help and we are here as a team to best support you and your decision to start your journey towards a better future. Connect with Chris on LinkedIn

An image of Ohio Community Health staff

Amanda Kuchenberg PRS CDCA

I recently joined Ohio Community Health Recovery Centers as a Clinical Case Manager. I am originally from Wisconsin but settled in the Cincinnati area in my early 20s.  My career started in the fashion industry but quickly changed as I searched to find my drive and passion through helping others who struggle with addiction. 

As someone who is also in recovery, I wanted to provide hope, share lived experience, and support others on their journey.  I currently have my Peer Recovery Support Supervision Certification along with my CDCA and plan to continue my education with University of Cincinnati so I can continue to aid in the battle against substance addiction. Connect with Amanda on LinkedIn.

An image of Ohio Community Health staff

Patrick McCamley LCDC III

 Patrick McCamley (Clinical Therapist) is a Cincinnati native who has worked in substance use disorder/co-occurring mental health disorder treatment since 2019. Patrick received his bachelors degree in psychology from University of Cincinnati in 2021 and received his LCDC III (Licensed Chemical Dependency Counselor) license from the Ohio Chemical Dependency Professionals Board in 2022. Patrick has worked in Clinical Operations, Clinical Case Management, and Clinical Therapy throughout his career.

Patrick has tremendous empathy and compassion for the recovery community, being in recovery himself since 2018. Patrick is uniquely qualified to be helpful because of the specific combination of his academic background and his own experience in recovery.

An image of Ohio Community Health staff

Bill Zimmerman CDCA

Bill Zimmerman is a Greater Cincinnati Area native who has worked in substance use disorder/co-occurring mental health disorder treatment since 2018. Bill received his (Chemical Dependency Counselor Assistant) license from the Ohio Chemical Dependency Professionals Board in 2020.

Bill has worked in Clinical Operations in both support and supervision, and Program facilitating and 12 step recovery support during his career. Bill has a passion for the recovery community, having been in recovery himself since 1982. Connect with Bill on LinkedIn

An image of Ohio Community Health staff

Taylor Lilley CDCA, PRS

Growing up in Louisiana with addiction running rampant on both sides of my family. A life away from drugs and alcohol seemed impossible for someone like me. I remember what it was like sitting across from someone thinking there is no way they could ever understand what I was going through.

Sharing my experience offers a credibility and a certain type of trust with clients that only someone who has walked down this road can illustrate. To immerse myself further into the field of addiction, I am currently studying at Cincinnati State for Human and Social Services.  I hope I never forget where I came from, if I can do it, so can you!

An image of Ohio Community Health staff

Thomas Hunter LSW

Hello my name is Thomas Hunter. I was born and raised in Cincinnati, Ohio. I am a licensed social worker.In my scope of practice I have worked in the areas of mental health and recovery for thirty years. The clients I have worked with in my career have ranged in age from seven to seventy.

I strive each day to serve my purpose of helping those in need and I believe I do so by utilizing all of my experiences to accomplish my goal of supporting those who desire to establish their sobriety and maintain it in their recovery. Connect with Thomas on LinkedIn.

An image of Ohio Community Health staff

Mary D.Porter,LICDC

 My name is Mary D. Porter. I received my Masters of Social Work in 2008 from The University of Cincinnati. I received My Licensed Independent Chemical Dependency Counselor Licensure in 2001. I retired from The Department of Veteran Affairs Medical Center on April 14, 2014. Currently, I am the Associate Clinical Director for The Ohio Community Health Recovery Centers in Cincinnati.. Due to the fourth wave of the Opioid Epidemic in 2019,  I decided to enter back into the workforce to assist the addicted population.

The overdoses were astounding and I wanted to help.  I consider myself  to be an advocate for the addicted population. My compassion, resilience, empathy, wisdom, knowledge, experience and  love I have for this forgotten population goes beyond words. I consider what I do for the addicted population as a calling versus a “career,” because I too was once an “addict and alcoholic.” Today I am 45.5 years alcohol and substance free.

An image of Ohio Community Health staff

Ben Lemmon LCDC III

Hello, my name is Ben Lemmon, and I’m the Vice President and Clinical Director at Ohio Community Health Recovery Centers. I’ve been working in the addiction and mental health field since 2013 and decided to enter the field after overcoming my own challenges with addiction.

When I first meet a client, I always explain to them that the reason we are meeting is because they are not capable of obtaining or maintaining sobriety, and my goal is to create a person that can maintain sobriety. I believe a person’s personality is made up of their thoughts, feelings and actions and my job is to help clients identify the thoughts, feelings and actions that have them disconnected from recovery and provide them with the tools to live a healthy and happy life. Connect with Ben on LinkedIn