Privacy Policy




The confidentiality, security and integrity of information will be ensured through the observation and enforcement of several specific policies and procedures listed below. Specific security measures used to protect the accessibility and availability of information to only those authorized for this access are also noted below.

Ohio Community Health Recovery Centers shall maintain confidentiality in accordance with applicable federal and state laws and regulations including, but not limited to, 42 C.F.R. part 2, confidentiality of alcohol and drug abuse patient records, and the Health Insurance Portability and Accountability Act of 1996.

Ohio Community Health Recovery Centers staff access to an individual patient’s records, treatment information, diagnosis or other protected information is limited to access and disclosure in accordance with applicable federal and state laws and regulations.

Storage of Ohio Community Health Recovery Centers patient records shall be in accordance with all applicable federal and state laws and regulations.

(A)          As Ohio Community Health maintains electronic health records (EHRs) it must be certified in accordance with the Public Health Service Act (PHSA) Title XXX and also comply with section 3701.75 of the Ohio Revised Code.

(B)          All notes, orders, and observations entered into a health care record, including any interpretive reports of diagnostic tests or specific treatments, such as radiologic or electrocardiographic reports, operative reports, reports of pathologic examination of tissue, and similar reports, shall be authenticated by the individual who made or authorized the entry.

(C)          An entry into a health care record may be authenticated by executing handwritten signatures or handwritten initials directly on the entry. An entry that is an electronic record may be authenticated by an electronic signature if all of the following apply:

1)            Ohio Community Health’s electronic signature system shall utilize either a two-level access control mechanism that assigns a unique identifier to each user or a biometric access control device.

2)            Ohio Community Health takes steps to safeguard against unauthorized access to the system and forgery of electronic signatures.

3)            The system shall include a process to verify that the individual affixing the electronic signature has reviewed the contents of the entry and determined that the entry contains what that individual intended.


(D)          Each Ohio Community Health user of the KIPU system must certify in writing that they will follow the confidentiality and security policies maintained by the entity for the system.

1)            Penalties for misusing the system shall include, but not be limited to, administrative discipline and/or termination.

(E)          Training for all users of the system shall include an explanation of the appropriate use of the system and the consequences for not complying with Ohio Community Health’s confidentiality and security policies.

(F)          Ohio Community Health shall be able to produce paper copies of patient records upon legally valid requests.

(G)         Ohio Community Health’s computer based clinical records system shall include consideration of the following components:

(1)          Authentication – providing assurance regarding the identity of a user and corroboration that the source of data is as claimed;

(2)          Authorization – the granting of rights to allow each user to access only the functions, information, and privileges required by their duties;

(3)          Integrity – ensuring that information is changed only in a specific and authorized manner. Data, program, system and network integrity are all relevant to consideration of computer and system security;

(4)          Audit trails – creating immediately and concurrently with user actions a chronological record of activities occurring in the system;

(5)          Disaster recovery – the process for restoring any loss of data in the event of fire, vandalism, disaster, or system failure;

(6)          Data storage and transmission – physically locating, maintaining and exchanging data;


(7)          Electronic signatures – a code consisting of a combination of letters, numbers, characters, or symbols that is adopted or executed by an individual as that individual’s electronic signature; a computer-generated signature code created for an individual; or an electronic image of an individual’s handwritten signature created by using a pen computer. Patient record systems utilizing electronic signatures shall comply with section 3701.75 of the Ohio Revised Code.


Are also maintained in the facility policies & HIPAA Manuals

Electronic Medical Records are used throughout our facilities. Our EMR system, KIPU, requires specific user names and passwords in order to access the system. KIPU systems has an in-depth security backup that is monitored on a regular basis as well as being licensed and bonded for any potential security breaches.

Original records are never removed from the facility, unless ordered by court order. In that case the Administrator or designee will take the original record and a copy of the record to court. The copy will be left with the judge if so ordered.

Destruction of records is done by a licensed company and at retention periods prescribed by state law and at the order of the Administrator.

Falsification in the medical record is monitored by the clinical staff.

If confidentiality or security of data is violated it is reported to the appropriate department head who will discuss the issue with the Director of HR. Any appropriate policy and procedure to protect against this type of violation will be reviewed and revised as needed and the employee violating the policy will be counseled and informed of the policy and procedure pertaining to the incident. Any future violations of the policy by this individual will lead to formal written disciplinary action. If numerous employees are involved and it is determined there is a lack of knowledge of the P&Ps related to confidentiality and security, a staff in-service will be provided.


  1. Uniform data used in the system include:
  • DO NOT USE Abbreviation List-all clinical departments that document in the medical record
  • ICD10-CM Codes-medical records and finance use these codes
  • Uniform Billing (UB 92 requirements) and HCFA 1500 Billing Form-finance dept. uses these
  1. Uniform Data Definitions-Accuracy and Reliability:

Patient identifying information is verified by staff upon assessment and any changes needed on the face sheet are made by the admitting staff. This information is also reviewed by Medical Records staff by reviewing the documentation in the medical record for validation.


  1. Clinical Lab Results-Timely receipt of clinical test results will be monitored thru the use of the established indicators. Variances with timely transmission will be documented and if trends are identified of inappropriate turnaround time, contract providers will be notified and replaced if the problems continue. This type of information is provided to the PI/Safety Committee and Board of Trustees at the time of their quarterly review of contract services.
  2. Diet Orders-all special diet orders are ordered by the psychiatrist or internist on the physician’s order sheet. Diets are relayed to the kitchen by personnel daily. Consistency modifications to diets may be made by the RD. If done, this is communicated to the MD thru the physician orders. The RD may take phone diet orders and write diet orders.
  3. Medication Orders-all orders or prescriptions for medications are faxed to the pharmacy for dispensing. Any clarification of the orders needed will be done with the nursing staff.
  4. MR Forms Format-Forms Management Policy – All forms in the medical record are standardized as much as possible for all levels of care and are reviewed by the Performance Improvement Committee prior to approval for permanent use. When significant revisions to forms or new forms used in the medical record are developed, this is usually done by a process team dedicated to this project. Staff are appropriately trained on the proper completion of new forms and they are added to the chart analysis policy of the Medical Records Department and the department responsible for completing the form will also add the specifics for completion to their policies and procedures.
  5. Medical Record Availability – Policy – Medical records are maintained in hard copy format in the Medical Records Department. The Staff are trained in retrieval of records for patients readmitted when the department staff is not available. Due to space constraints some medical records may be stored at an approved offsite records storage facility who can retrieve and deliver medical records on a routine (24hr) or stat basis.


Unit Record-The medical record is initiated and maintained for each patient who is treated. The medical record includes information from subsequent admissions and a unit number system is used to ensure that all patient information from all levels of care are filed under one number.


Information will be maintained to support decision making, performance improvement and patient care. Examples of these types of information include:

  1. Infection Control Data
  2. Medication Usage
  3. Hazard and Safety Information
  4. Risk Management and Incident Reports
  5. Records of Required Reporting
  6. Patient Demographic Information
  7. Patient Satisfaction Data
  8. Diagnosis Codes/Diagnosis
  9. Financial, UR Information and Census Information
  10. Performance measures
  11. Action taken as a result of organization wide performance improvement activities
  12. Practitioners-specific information for the Medical and AHP staff
  13. Information needed for operational decision making/planning


The information management function includes access to external databases and bodies of expert health related administrative and research knowledge as required by the needs of the facility.

Examples of external database resources include, but are not limited to:


  1. External reference data base-Internet
  2. JCAHO Standards
  3. Licensing Standards
  4. JCAHO Oryx Data
  5. National Practitioner Data Bank
  6. CDC-Center for Disease Control
  7. State Board of Nursing
  8. HIPAA Regulations
  9. Medical Board of Ohio
  10. Board of Vocational Nursing/Psychiatric Techs
  11. State Board of Behavioral Science
  12. Various Payers


Data is shared with the Department Heads, PI/Safety Committee and Board of Trustees. Reports are retained along with the Committee minutes.

Access to patient records is restricted to facility clinical personnel. All patient records shall be available to the licensing agency to inspect, audit and copy upon demand during normal business hours.

Licensing representatives shall not remove the records for current patients unless the same information is otherwise readily available in another document format.

A patient’s records shall be open to inspection by the patient’s authorized representatives, if any, once an authorization is signed by the patient.

All patient records, as part of regular quality assurance, will be kept up to date and shall be completed within 30 days of the patient’s discharge.

Original records shall be retained for at least seven (7) years following termination of service to patient.

If destroyed after the retention period, records will be shredded by a reputable company with a certificate of destruction kept on file.

If the facility closes, the Licensing Department must be informed within 3 days of closure where the medical records of the facility will be stored. If an offsite storage facility is used this facility must first be approved by the Licensing Department.

It is the policy of this treatment center that all personnel must preserve the integrity and the confidentiality of medical and other sensitive information pertaining to our patients. The purpose of this policy is to ensure that all staff have the necessary medical and other information to provide the highest quality medical care possible while protecting the confidentiality of that information to the highest degree possible so that patients do not fear to provide information to the facility for purposes of treatment. To that end, the facility will:

  1. Collect and use individual medical information only for the purposes of providing medical services and for supporting the delivery, payment, integrity, and quality of those services. Ohio Community Health Recovery Centers will not use or supply individual medical information for non-health care uses, such as direct marketing, employment, or credit evaluation purposes other than as authorized by the Health and Human Services Privacy Regulations (“HHS”) (“privacy regulations”).
  2. Collect and use individual medical information only:
  3. To provide proper diagnosis and treatment.
  4. With the individual’s knowledge and consent/authorization.
  5. To receive reimbursement for services provided.
  6. For research and similar purposes designed to improve the quality and to reduce the cost of health care.
  7. As a basis for required reporting of health information.
  8. Recognize that medical information collected about patients must be accurate, timely, complete, and available when needed. The facility will:
  9. Use their best efforts to ensure the accuracy, timeliness, and completeness of data and to ensure that authorized personnel can access it when needed.
  10. Complete and authenticate medical records in accordance with the law, medical ethics, and accreditation standards.
  11. Maintain medical records for the retention periods required by law and professional standards.
  12. Not alter or destroy an entry in a record, but rather designate it as an error while leaving the original entry intact and create and maintain a new entry showing the correct data.
  13. Implement reasonable measures to protect the integrity of all data maintained about patients.
  14. Recognize that patients have a right of privacy. The facility will respect patients’ individual dignity at all times. The facility will respect patients’ privacy to the extent consistent with providing the highest quality medical care possible and with the efficient administration of the facility.
  15. Act as responsible information stewards and treat all individual medical record data and related financial, demographic, and lifestyle information as sensitive and confidential. Consequently, Ohio Community Health Recovery Centers will:

Treat all individual medical record data (“protected health information”) as confidential in accordance with the HHS privacy regulations, other legal requirements, professional ethics, and accreditation standards.

  1. Only use or disclose the minimum necessary health information to accomplish the particular task for which the information is used or disclosed.
  2. Not divulge medical record data unless the patient (or his or her authorized representative) has properly consented to the release or the release is otherwise authorized by the privacy regulations and/or other law, such as communicable disease reporting, child abuse reporting, and the like.
  3. When releasing medical record data, take appropriate steps to prevent unauthorized re-disclosures, such as specifying that the recipient may not further disclose the information without patient consent or as authorized by law.
  4. Implement reasonable measures to protect the confidentiality of medical and other information maintained about patients.
  5. Remove patient identifiers when appropriate, such as in statistical reporting and in medical research studies.
  6. Not disclose financial or other patient information except as necessary for billing or other authorized purposes as authorized by the privacy regulations, other laws, and professional standards.
  7. Recognize that some medical information is particularly sensitive, such as HIV/AIDS information, mental health and developmental disability information, alcohol and drug abuse information, and other information about sexually transmitted or communicable diseases and that disclosure of such information could severely harm patients, such as by causing loss of employment opportunities and insurance coverage, as well as the pain of social stigma. Consequently, the facility will treat such information with additional confidentiality protections as required by law, professional ethics, and accreditation requirements.
  8. Recognize that, although the center “owns” the medical record, the patient has a right of access to information contained in the record. The facility will:

             Permit patients to access and copy their protected health information in accordance with the requirements of the privacy regulations.

             Provide patients an opportunity to request correction of inaccurate data in their records in accordance with the requirements of the privacy regulations.

             Provide patients an accounting of uses and disclosures other than those for treatment, payment, and healthcare operations in accordance with the requirements of the privacy regulations.

All employees must adhere to this policy. Ohio Community Health Recovery Centers will not tolerate violations of this policy. Violation of this policy is grounds for disciplinary action, up to and including termination of employment and criminal or professional sanctions.

Removal of Records from Premises: Original records are only removed from the facility for appearance in court as ordered by a court order. If possible, copies will be taken to court instead of the originals.

Safeguarding Records Against Damage and Alteration: Medical Records will be protected from fire and/or water damage by being maintained in cabinets. A fire extinguisher will be available near the Medical Record Department for emergencies. Flammable liquids will not be stored in the Medical Record Department. Only approved electrical equipment and cords will be allowed.

Removal of Records from Premises:

  1. All original records taken to court will be taken by Administrative personnel, along with a copy of the record. The copy will be left with the court only.
  2. The date that a copy was left with the court will be documented on the court order maintained in the release of information section of the chart.

Safeguarding Records against Damage and Alteration:

  1. Staff will be trained on the use of fire extinguishers. All extinguishers will be checked monthly by maintenance.
  2. Any electrical problems or water leaks will be reported immediately to Maintenance.
  3. Plastic tarps will be used to cover files if leaks are present and trash cans will be used to collect leakage, if necessary.

Alteration of Medical Records/Tampering with Unauthorized Access to Medical Records:

  1. No whiteout may be used on medical records.
  2. An error may be corrected in the record by drawing a single line through the error, labeling it as an error, and signing the name of the person correcting the error and the date and time it was corrected.
  3. The medical record will be protected by staff from review or tampering by unauthorized persons. All clinical staff is authorized to review and make entries in the medical record.
  4. All entries in the medical record shall be made in black ink.

Report any suspicious unauthorized alteration or access to records to the Clinical Director.


To protect confidentiality of patient information, no information will be disclosed or released without a signed authorization from the patient or legal representative (when appropriate), authorizing release of information. Exception: In a medical emergency in which a patient is being treated at another health care facility and cannot give written consent due to his/her medical condition.

Information/copies of records may be furnished to the facility’s legal representatives or insurance carriers to protect the interest of the facility in claims involving liability or compensation without the patient’s consent.

Disclosure of confidential information may be denied, even under proper authorization, if the attending psychiatrist determines, and so documents, that such action would be injurious to the patient’s welfare.

Patient request for medical records: All requests from the patient or family of the patient must be in writing and approved by the clinician responsible for the patient’s care at the facility, unless the clinician feels that the release of the record would be “reasonably likely to endanger the life or physical safety of the patient or others”. (HIPAA 164.524 a, 2I or ii.)

Properly authorized disclosures may be made via mail, or facsimile.

Information received from other health care facilities, physicians, etc., regarding the patient’s past history of treatment will be used for informational purposes only and will not be re-disclosed.

  1. A separate authorization form will be completed for each individual or organization to which information will be released. The authorization will contain at least the following:
  2. Name of person, agency, organization or entity that is authorized to make the disclosure;
  3. Name of person, agency, organization or entity to which the information is to be disclosed; the date of birth of the person.
  4. Name of patient or family member authorizing disclosure;
  5. Purpose or need for disclosure;
  6. Specific information to be disclosed;
  7. Date, event or condition upon which the authorization will expire;
  8. Statement that the consent is subject to revocation at any time except to the extent the provider or person who is to make the disclosure has already acted in reliance on it;
  9. The dated signature of the patient or, as appropriate, a legally authorized agent and the agent’s relationship to the patient.
  10. For patients receiving addiction services treatment, the following statement: “This information has been disclosed to you from records protected by federal confidentiality rules. The federal rules prohibit you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by 42 C.F.R. part 2. A general authorization for the release of medical or other information is not sufficient for this purpose. The federal rules restrict any use of information to criminally investigate or prosecute any alcohol or drug abuse patient.”

  1. If an authorization fails to meet criteria, the medical record staff will send a blank facility authorization form to the requesting party for proper completion, making certain any explanation for unacceptability does not breach confidentiality.
  2. A patient has the right to revoke or modify their release of confidential information at any given time.
  3. When a properly executed authorization is received copies of medical records and/or information will be disclosed:
  4. Process all requests for medical records/information according to policy.
  5. Confidentiality statement will be included with each disclosure.
  6. Documentation will be included in the patient’s record to indicate when and what specific records/information released, to whom it was released, and signature of staff member responsible for release.

Copy Fees- a charge of 10 cents per page for copies and 25 cents per quarter hour to copy will be billed to the patient and paid before records can be copied. Actual retrieval fees from storage and postage may also be charged.

OCHRC maintains confidentiality in accordance with applicable federal and state laws and regulations, including, but not limited to, 42 C.F.R. part 2, confidentiality of alcohol and drug abuse client records, and the Health Insurance Portability and Accountability Act of 1996.

OCHRC staff access to an individual client’s records, treatment information, diagnosis or other protected information is limited to access and disclosure in accordance with applicable federal and state laws and regulations.

Storage of client records shall be in accordance with all applicable federal and state laws and regulations. Records will be released to staff only when necessary, appropriate, and admissible by state and federal law. Records shall be stored in one or both of the following:

  1. The Clinical Director’s office in a locked filing cabinet.
  2. HIPAA-compliant Electronic Health Record service, KIPU.

KIPU, LLC, including KIPU CRM/EMR and OutcomeTools, is fully compliant with the HIPAA Standards for Privacy, Electronic Transactions and Security (including the HITECH Act and the Omnibus Rule of 2013). KIPU has implemented policies, processes, and procedures designed to ensure compliance with Federal and State information security laws, regulations, and rules, and monitors ongoing compliance efforts with assistance from Compliancy Group LLC. This process includes a risk analysis of administrative (policies and procedures), technical (all devices connecting to or storing ePHI, e.g., routers, firewalls, servers, workstations) and physical (paper shredding, alarm systems, and general security of each site) controls as well as disaster recovery planning.

All employees will receive the confidentiality policy, including summaries of HIPAA and 42 C.F.R. part 2. Upon hire and orientation, employees will sign and date an acknowledgement of receipt which will be kept in their employee file.

Health Insurance Portability and Accountability Act of 1996 (HIPAA) HIPAA Security Rule

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.

HIPAA Privacy Rule

The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information”) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.” The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being. The Privacy Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing.

Permitted Uses and Disclosures

A covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations:

  • Disclosure to the individual (if the information is required for access or accounting of disclosures, the entity MUST disclose to the individual)
  • Treatment, payment, and healthcare operations
  • Opportunity to agree or object to the disclosure of PHI (Informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object)
  • Incident to an otherwise permitted use and disclosure

Public interest and benefit activities—The Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission, for 12 national priority purposes:

  • When required by law
  • Public health activities
  • Victims of abuse or neglect or domestic violence
  • Health oversight activities
  • Judicial and administrative proceedings
  • Law enforcement
  • Functions (such as identification) concerning deceased persons
  • Cadaveric organ, eye, or tissue donation
  • Research, under certain conditions
  • To prevent or lessen a serious threat to health or safety
  • Essential government functions
  • Workers compensation
  • Limited dataset for research, public health, or healthcare operations

HIPAA Security Rule

While the HIPAA Privacy Rule safeguards protected health information (PHI), the Security Rule protects a subset of information covered by the Privacy Rule. This subset is all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. This information is called “electronic protected health information” (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing.

To comply with the HIPAA Security Rule, all covered entities must do the following:

  • Ensure the confidentiality, integrity, and availability of all electronic protected health information
  • Detect and safeguard against anticipated threats to the security of the information
  • Protect against anticipated impermissible uses or disclosures
  • Certify compliance by their workforce

Covered entities should rely on professional ethics and best judgment when considering requests for these permissive uses and disclosures. The HHS Office for Civil Rights enforces HIPAA rules, and all complaints should be reported to that office. HIPAA violations may result in civil monetary or criminal penalties.

For more information, visit the Department of Health and Human Services HIPAA website.

42 C.F.R. Part 2

42 C.F.R. Part 2 applies to any individual or entity that is federally assisted and holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment, or referral for treatment. It protects client identifying information that would identify a client as an alcohol or drug client, either directly or indirectly and any information, whether or written, that would directly or indirectly reveal a person’s status as a current or former client.

Part 2 generally requires a patient’s written consent before making a disclosure of protected records. Patient consent must always be written and include specific information about the recipient of the records and the records to be shared.

Part 2 generally requires a special court order before your records can be shared with law enforcement or a court. A subpoena, general court order, search warrant, or official request is not enough for law enforcement to access your treatment information.

Part 2 permits the disclosure of information under certain circumstances without consent during a medical emergency or in other limited situations. If a Part 2 program (or a healthcare provider that has received Part 2 patient information) believes that there is an immediate threat to the health or safety of any individual, there are steps described below that the Part 2 program or healthcare provider can take in such a situation:

Notifications to medical personnel in a medical emergency: A Part 2 program can make disclosures to medical personnel if there is a determination that a medical emergency exists, i.e. there is a situation that poses an immediate threat to the health of any individual and requires immediate medical intervention [42 CFR §2.51(a)]. Information disclosed to the medical personnel who are treating such a medical emergency may be redisclosed by such personnel for treatment purposes as needed.

Notifications to law enforcement: Law enforcement agencies can be notified if an immediate threat to the health or safety of an individual exists due to a crime on program premises or against program personnel. A Part 2 program is permitted to report the crime or attempted crime to a law enforcement agency or to seek its assistance [42 CFR §2.12(c)(5)]. Part 2 permits a program to disclose information regarding the circumstances of such an incident, including the suspect’s name, address, last known whereabouts, and status as a patient in the program.

Reports of child abuse and neglect: The restrictions on disclosure do not apply to the reporting under State law of incidents of suspected child abuse and neglect to the appropriate State or local authorities. However, Part 2 restrictions continue to apply to the original alcohol or drug abuse patient records maintained by the program, including their disclosure and use for civil or criminal proceedings which may arise out of the report of suspected child abuse and neglect [42 CFR § 2.12(c)(6)]. Also, a court order under Part 2 may authorize disclosure of confidential communications made by a patient to a program in the course of diagnosis, treatment, or referral for treatment if, among other reasons, the disclosure is necessary to protect against an existing threat to life or of serious bodily injury, including circumstances which constitute suspected child abuse and neglect [42 CFR § 2.63(a)(1)].

Court ordered disclosures: Under the regulations, Part 2 programs or “any person having a legally recognized interest in the disclosure which is sought” may apply to a court for an order authorizing disclosure of protected patient information [42 CFR § 2.64]. Thus, if there is an existing threat to life or serious bodily injury, a Part 2 program or “any person having a legally recognized interest in the disclosure which is sought” can apply for a court order to disclose information.

Once Part 2 information has been initially disclosed (with or without patient consent), no redisclosure is permitted without the patient’s express consent to redisclose or unless otherwise permitted under Part 2. Disclosures made with patient consent must be accompanied by a statement notifying the recipient that Part 2 redisclosure is prohibited, unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by Part 2 (42 CFR § 2.32). When disclosures are made without patient consent under the following circumstances, limited redisclosures without obtaining the patient’s consent are permitted, such as medical emergencies [42 CFR § 2.51], child abuse reporting [42 CFR § 2.12(c)(6)], crimes on program premises or against program personnel [42 CFR § 2.12(c)(5)], and court ordered disclosures when procedures and criteria are met [42 CFR §§ 2.61-2.67]. When disclosures are made under the following circumstances, the recipient is prohibited from redisclosing the information without consent, except under the following restricted circumstances:

Research: Researchers who receive patient identifying information are prohibited from redisclosing the patient-identifying information to anyone except back to the program [42 CFR § 2.52(b)].

Audits and Evaluations: Part 2 permits disclosures to persons and organizations authorized to conduct audits and evaluation activities, but imposes limitations by requiring any person or organization conducting the audit or evaluation to agree in writing that it will redisclose patient identifying information only (1) back to the program, or (2) pursuant to a court order to investigate or prosecute the program (not a patient), or (3) to a government agency that is overseeing a Medicare or Medicaid audit or evaluation [42 CFR § 2.53(c)(d)].

Qualified Service Organization Agreements (QSOAs): Part 2 requires the QSO to agree in writing that in receiving, storing, processing, or otherwise dealing with any information from the program about patients, it is fully bound by Part 2, it will resist, in judicial proceedings if necessary, any efforts to obtain access to information pertaining to patients except as permitted by Part 2, and will use appropriate safeguards to prevent the unauthorized use or disclosure of the protected information [42 CFR § 2.11]. In addition, QSOAs may allow disclosure in certain circumstances.

Authorizing Court Orders: When information is disclosed pursuant to an authorizing court order, Part 2 requires that steps be taken to protect patient confidentiality. In a civil case, Part 2 requires that the court order authorizing a disclosure include measures necessary to limit disclosure for the patient’s protection, which could include sealing from public scrutiny the record of any proceeding for which disclosure of a patient’s record has been ordered [42 CFR § 2.64(e)(3)]. In a criminal case, such an order must limit disclosure to those law enforcement and prosecutorial officials who are responsible for or are conducting the investigation or prosecution, and must limit their use of the record to cases involving extremely serious crimes or suspected crimes. For additional information regarding the contents of court orders authorizing disclosure, see 42 CFR § 2.65(e).


Client Rights, Grievance Procedure, Abuse and Neglect Reporting


All cases of suspected child, adult or patient abuse and/or neglect will be reported to the appropriate regulatory agencies.

  1. All employees, contract staff, student interns and volunteers can request a copy of the Ohio Community Health policies and procedures for ethical and professional conduct regarding patient rights, which will be documented in staff’s personnel file.
  2. When abuse is suspected or reported, the employee will notify their immediate supervisor and explain the reported or suspected abuse. In case of it being a weekend, the clinician on call is called immediately.
  3. The abuse/neglect case will then be reported to the Clinical Director by the clinician on call for direction on making a report to the appropriate regulatory agency and/or law enforcement.
  4. In cases of extreme emergencies where the current welfare of a child or children is in jeopardy, the matter is to be referred to the appropriate law enforcement agency for immediate action. Immediately following the call to law enforcement agencies, the employee will then call the Clinical Director or clinician on call. The employee and/or Clinical Director will follow the direction of the law enforcement agency on whether or not to call CPS.
  5. The Chief Executive Officer shall investigate any alleged violations contributing to the abuse or neglect of patients.
  6. A full written report shall be placed in the staff member’s personnel file.
  7. Should it be determined that unwarranted force, abuse or neglect of a patient occurred, immediate dismissal of staff involved shall occur.
  8. Immediately following the call, the employee will document on a service providers report that includes the case number. The service providers report will be signed by the Clinical Director and then placed in the chart.
  9. Employees will then follow any further direction from CPS and/or law enforcement agency.
  10. The Chief Executive Officer shall notify appropriate Regulatory Boards and Law Enforcement agencies as necessary.
  11. The Chief Executive Officer will report results of alleged violations to the Executive Team.


Each client receiving treatment and services with OHIO COMMUNITY HEALTH RECOVERY CENTERS shall have all of the following individual rights:

  1. The right to be treated with consideration and respect for personal dignity, autonomy and privacy.
  2. The right to reasonable protection from physical, sexual or emotional abuse, neglect and inhumane treatment.
  3. The right to receive services in the least restrictive, feasible environment.
  4. The right to participate in any appropriate and available service that is consistent with an individual service plan (ISP), regardless of the refusal of any other service, unless that service is a necessity for clear treatment reasons and requires the person’s participation.
  5. The right to give informed consent to or to refuse any service, treatment or therapy, including medication absent an emergency.
  6. The right to participate in the development, review and revision of one’s own individualized treatment plan and receive a copy of it.
  7. The right to freedom from unnecessary or excessive medication, and to be free from restraint or seclusion unless there is immediate risk of physical harm to self or others.
  8. The right to be informed and the right to refuse any unusual or hazardous treatment procedures.
  9. The right to be advised and the right to refuse observation by others and by techniques such as one-way vision mirrors, tape recorders, video recorders, television, movies, photographs or other audio and visual technology. This right does not prohibit an agency from using closed-circuit monitoring to observe seclusion rooms or common areas, which does not include bathrooms or sleeping areas.
  10. The right to confidentiality of communications and personal identifying information within the limitations and requirements for disclosure of client information under state and federal laws and regulations.
  11. The right to have access to one’s own client record unless access to certain information is restricted for clear treatment reasons. If access is restricted, the treatment plan shall include the reason for the restriction, a goal to remove the restriction, and the treatment being offered to remove the restriction.
  12. The right to be informed a reasonable amount of time in advance of the reason for terminating participation in a service, and to be provided a referral, unless the service is unavailable or not necessary.
  13. The right to be informed of the reason for denial of a service.
  14. The right not to be discriminated against for receiving services on the basis of race, ethnicity, age, color, religion, gender, national origin, sexual orientation, physical or mental handicap, developmental disability, genetic information, human immunodeficiency virus status, or in any manner prohibited by local, state or federal laws.
  15. The right to know the cost of services.
  16. The right to be verbally informed of all client rights, and to receive a written copy upon request.
  17. The right to exercise one’s own rights without reprisal, except that no right extends so far as to supersede health and safety considerations.
  18. The right to file a grievance.
  19. The right to have oral and written instructions concerning the procedure for filing a grievance, and to assistance in filing a grievance if requested.
  20. The right to be informed of one’s own condition.
  21. The right to consult with an independent treatment specialist or legal counsel at one’s own expense.

All OCHRC treatment and services are voluntary—you have the right to terminate your treatment with OCHRC at any time. You may receive an additional written copy of your individual rights upon request.


Complaints and Grievances can be made at any time by the individual Client receiving services, by an agency on behalf of the individual or by any other person involved. All Staff members are available to receive, assist, and attempt to resolve any complaints and/or grievances. Concerns or complaints may be addressed either informally or formally. The Ohio Department of Mental Health Services encourages a first attempt to resolve all complaints and grievances be made at the lowest and most direct possible level, in the environment where the situation occurred.


Concerns or complaints can be made at any time and all Staff members are available to receive, assist, and attempt to resolve any concerns and/or complaints. In the event of any concerns and/or complaints, the Client or person acting on their behalf is encouraged to contact Ohio Community Health Recovery Centers Sea Staff—explaining the situation to a staff member or client advocate often resolves the issue.


  1. A “Grievance” is “a written complaint initiated either verbally or in writing by a client or by any other person or provider on behalf of a client regarding denial or abuse of any client’s rights.”
  2. Grievances may be filed at any time and all Staff members are available to receive and attempt to resolve a Grievance. The Client Advocate is the primary point of contact available to assist a Client in filing a Grievance, located at the Ohio Community Health Recovery Centers Main Office: 12115 Sheraton Lane, Cincinnati, OH 45246.

Client Advocate: TBD Hours Available: M-F (10am – 5pm): Phone:

When Client Advocate is Unavailable: Director of Operations: J.B. Whitehouse: Phone: (513) 404-8090.

  3. The Grievance must be put into writing. The Grievance may be made verbally and the client advocate shall be responsible for preparing a written text of the Grievance. This written grievance must then be dated and signed by the Client, the individual filing the Grievance on behalf of the client, or have an attestation by the Client Advocate that the written Grievance is a true and accurate representation of the client’s Grievance.
  4. The Grievance should include, if available: the date and approximate time of the incident, a description of the incident, and the names of the individuals involved in the incident or situation being grieved.

  5. Ohio Community Health Recovery Centers will provide a written acknowledgement of receipt of the Grievance to each grievant. The acknowledgement shall be provided within three business days from receipt of the Grievance and shall include, but not be limited to, the following information: Date the Grievance was received; Summary of the Grievance; Overview of the Grievance investigation process; Timetable for completion of investigation and notification of resolution; and, Treatment provider contact name, address, and telephone number.
  6. Ohio Community Health Recovery Centers will make a resolution decision on the grievance within twenty business days of receipt of the grievance. Any extenuating circumstances indicating that this time period will need to be extended must be documented in the grievance file and written notification given to the client.
  7. Clients have the option of filing a Grievance with an outside organization(s) and/or contacting the organization(s) in the event that they feel that Ohio Community Health Recovery Centers has failed to properly address or resolve their Grievance. The organizations include but are not limited to the following:

THE JOINT COMMISSION

Mail: Office of Quality and Patient Safety, One Renaissance Blvd., Oakbrook Terrace, IL 60181

Fax: (630) 792-5636 / Phone: (630) 792-5800


OHIO Dept. of Mental Health & Addiction Services

Address: 30 E Broad St., 36th Floor, Columbus, OH 45215

Phone: (614) 466-2596


U.S. Dept. Health & Human Services, Office of Civil Rights

Address: 233 N. Michigan Ave., Suite 240, Chicago, IL 60601

Phone: (800) 368-1019 / TDD: (800) 537-7697


DISABILITY RIGHTS OHIO

Address: 200 Civic Center Drive, Ste 300, Columbus, OH 43215

Phone: (800) 282-9181; TTY:


For more information on Ohio Community Health Recovery Centers LLC Privacy Policies, please contact our HR Department or JB Whitehouse at (877) 679-2132.

Christopher Glover CDCA

My name is Christopher Glover, and I am from Cincinnati, Ohio. I am currently in school and working to grow in competence to better support our community. As a recovering individual I know the struggles that you or a loved one can go through and that there is help for anything you may be struggling with.

The hardest part is asking for help and we are here as a team to best support you and your decision to start your journey towards a better future. Connect with Chris on LinkedIn

Amanda Kuchenberg PRS CDCA

I recently joined Ohio Community Health Recovery Centers as a Clinical Case Manager. I am originally from Wisconsin but settled in the Cincinnati area in my early 20s. My career started in the fashion industry but quickly changed as I searched to find my drive and passion through helping others who struggle with addiction.

As someone who is also in recovery, I wanted to provide hope, share lived experience, and support others on their journey. I currently have my Peer Recovery Support Supervision Certification along with my CDCA and plan to continue my education with University of Cincinnati so I can continue to aid in the battle against substance addiction. Connect with Amanda on LinkedIn.

Patrick McCamley LCDC III

Patrick McCamley (Clinical Therapist) is a Cincinnati native who has worked in substance use disorder/co-occurring mental health disorder treatment since 2019. Patrick received his bachelor’s degree in psychology from University of Cincinnati in 2021 and received his LCDC III (Licensed Chemical Dependency Counselor) license from the Ohio Chemical Dependency Professionals Board in 2022. Patrick has worked in Clinical Operations, Clinical Case Management, and Clinical Therapy throughout his career.

Patrick has tremendous empathy and compassion for the recovery community, being in recovery himself since 2018. Patrick is uniquely qualified to be helpful because of the specific combination of his academic background and his own experience in recovery.

Bill Zimmerman CDCA

Bill Zimmerman is a Greater Cincinnati Area native who has worked in substance use disorder/co-occurring mental health disorder treatment since 2018. Bill received his (Chemical Dependency Counselor Assistant) license from the Ohio Chemical Dependency Professionals Board in 2020.

Bill has worked in Clinical Operations in both support and supervision, and Program facilitating and 12 step recovery support during his career. Bill has a passion for the recovery community, having been in recovery himself since 1982. Connect with Bill on LinkedIn

Taylor Lilley CDCA, PRS

Growing up in Louisiana with addiction running rampant on both sides of my family, a life away from drugs and alcohol seemed impossible for someone like me. I remember what it was like sitting across from someone thinking there is no way they could ever understand what I was going through.

Sharing my experience offers a credibility and a certain type of trust with clients that only someone who has walked down this road can illustrate. To immerse myself further into the field of addiction, I am currently studying at Cincinnati State for Human and Social Services. I hope I never forget where I came from. If I can do it, so can you!

Thomas Hunter LSW

Hello, my name is Thomas Hunter. I was born and raised in Cincinnati, Ohio. I am a licensed social worker. In my scope of practice I have worked in the areas of mental health and recovery for thirty years. The clients I have worked with in my career have ranged in age from seven to seventy.

I strive each day to serve my purpose of helping those in need and I believe I do so by utilizing all of my experiences to accomplish my goal of supporting those who desire to establish their sobriety and maintain it in their recovery. Connect with Thomas on LinkedIn.

Mary D. Porter, LICDC

My name is Mary D. Porter. I received my Masters of Social Work in 2008 from The University of Cincinnati. I received my Licensed Independent Chemical Dependency Counselor Licensure in 2001. I retired from The Department of Veteran Affairs Medical Center on April 14, 2014. Currently, I am the Associate Clinical Director for The Ohio Community Health Recovery Centers in Cincinnati. Due to the fourth wave of the Opioid Epidemic in 2019, I decided to enter back into the workforce to assist the addicted population.

The overdoses were astounding and I wanted to help. I consider myself to be an advocate for the addicted population. My compassion, resilience, empathy, wisdom, knowledge, experience and love I have for this forgotten population goes beyond words. I consider what I do for the addicted population as a calling versus a “career,” because I too was once an “addict and alcoholic.” Today I am 45.5 years alcohol and substance free.

Ben Lemmon LCDC III

Hello, my name is Ben Lemmon, and I’m the Vice President and Clinical Director at Ohio Community Health Recovery Centers. I’ve been working in the addiction and mental health field since 2013 and decided to enter the field after overcoming my own challenges with addiction.

When I first meet a client, I always explain to them that the reason we are meeting is because they are not capable of obtaining or maintaining sobriety, and my goal is to create a person that can maintain sobriety. I believe a person’s personality is made up of their thoughts, feelings and actions and my job is to help clients identify the thoughts, feelings and actions that have them disconnected from recovery and provide them with the tools to live a healthy and happy life. Connect with Ben on LinkedIn