In crisis? Call 9-8-8 or 540-961-8400; All other calls: 540-961-8300 | info@nrvcs.org

notice-of-privacy-practices

  1. Home
  2. /
  3. notice-of-privacy-practices

Notice of Privacy Practices of New River Valley Community Services

This notice describes:

• HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED

• YOUR RIGHTS WITH RESPECT TO YOUR HEALTH INFORMATION

• HOW TO FILE A COMPLAINT CONCERNING A VIOLATION OF THE PRIVACY OR SECURITY OF YOUR HEALTH INFORMATION, OR OF YOUR RIGHTS CONCERNING YOUR INFORMATION

YOU HAVE A RIGHT TO A COPY OF THIS NOTICE (IN PAPER OR ELECTRONIC FORM) AND TO DISCUSS IT WITH THE NEW RIVER VALLEY COMMUNITY SERVICES (NRVCS) HEALTH INFORMATION OFFICE AT 540-961-8418 IF YOU HAVE ANY QUESTIONS

Uses and Disclosures

Uses and disclosures permitted without written consent include medical emergencies, scientific research, management audits, financial audits, and program evaluation, and disclosures for public health.

Medical Emergency-Patient identifying information may be disclosed to medical personnel to the extent necessary to:

  • Meet a bona fide medical emergency in which the patient’s prior written consent cannot be obtained; or
  • Meet a bona fide medical emergency in which NRVCS is closed and unable to provide services or obtain the prior written consent of the patient, during a temporary state of emergency declared by a state or federal authority as the result of a natural or major disaster, until such time that the part 2 program resumes operations.
  • Patient identifying information may be disclosed to medical personnel of the Food and Drug Administration (FDA) who assert a reason to believe that the health of any individual may be threatened by an error in the manufacture, labeling, or sale of a product under FDA jurisdiction, and that the information will be used for the exclusive purpose of notifying patients or their physicians of potential dangers.

Scientific Research-patient identifying information may be used or disclosed for the purposes of the recipient conducting scientific research if”

  • The person designated as director or managing director, or person otherwise vested with authority to act as chief executive officer or their designee, of a part 2 program or other lawful holder of data under this part, makes a determination that the recipient of the patient identifying information is:
  • A HIPAA covered entity or business associate that has obtained and documented authorization from the patient, or a waiver or alteration of authorization, consistent with 45 CFR 164.508 or 164.512(i), as applicable;
  • Subject to the HHS regulations regarding the protection of human subjects (45 CFR part 46), and provides documentation either that the researcher is in compliance with the requirements of 45 CFR part 46, including the requirements related to informed consent or a waiver of consent (45 CFR 46.111 and 46.116) or that the research qualifies for exemption under the HHS regulations (45 CFR 46.104) or any successor regulations;
  • Subject to the FDA regulations regarding the protection of human subjects (21 CFR parts 50 and 56) and provides documentation that the research is in compliance with the requirements of the FDA regulations, including the requirements related to informed consent or an exception to, or waiver of, consent (21 CFR part 50) and any successor regulations; or
  • Any combination of a HIPAA covered entity or business associate, and/or subject to the HHS regulations regarding the protection of human subjects, and/or subject to the FDA regulations regarding the protection of human subjects; and has met the requirements as applicable.
  • The part 2 program or other lawful holder of data under this part is a HIPAA covered entity or business associate, and the use or disclosure is made in accordance with the requirements at 45 CFR 164.512(i).

Management audits, financial audits, and program evaluation

  • Records not copied or removed-If patient records are not downloaded, copied or removed from the premises of a part 2 program or other lawful holder, or forwarded electronically to another electronic system or device, patient identifying information may be disclosed in the course of a review of records on the premises of a part 2 program or other lawful holder to any person who agrees in writing to comply with the limitations on use and redisclosure and who:
  • Performs the audit or evaluation on behalf of:
  • Any federal, state, or local government agency that provides financial assistance to a part 2 program or other lawful holder, or is authorized by law to regulate the activities of the part 2 program or other lawful holder;
  • Any person which provides financial assistance to the part 2 program or other lawful, which is a third-party payer or health plan to covering patients in the part 2 program, or which is a quality improvement organization (QIO) performing QIO review, or the contractors, subcontractors, or legal representatives of such person or quality improvement organization; or
  • An entity with direct administrative control over the part 2 program or lawful holder.
  • Copying, removing, downloading, or forwarding patient records-Records containing patient identifying information may be copied or removed from the premises of a part 2 program or other lawful holder or downloaded or forwarded to another electronic system or device from the part 2 program’s or other lawful holder’s electronic records by any person who:
  • Agrees in writing to:
  • Maintain and destroy the patient identifying information in a manner consistent with the policies and procedures established by 42 CFR 2.16;
  • Retain records in compliance with applicable federal, state, and local retention laws; and
  • Comply with the limitations on use and disclosure
  • Performs the audit or evaluation on behalf of:
  • Any federal, state, or local governmental agency that provides financial assistance to the part 2 program or other lawful holder, or is authorized by law to regulate the activities of the part 2 program or other lawful holder; or
  • Any person which provides financial assistance to the part w program or other lawful holder, which is a third-party payer or health plan covering patients in the part 2 program, or which is a quality improvement organization performing a QIO review, or the contractors, subcontractors, or legal representatives of such person or quality improvement organization; or
  • An entity with direct administrative control over the part 2 program or lawful holder.
  • Activities included-Audits and evaluations may include, but are not limited to:
  • Activities undertaken by a Federal, state, or local governmental agency, or a third-party payer or health plan, in order to:
  • Identify action the agency or third-party payer or health plan can make, such as changes to its policies or procedures, to improve care and outcomes for patients with substance use disorders who are treated by part 2 programs;
  • Ensure that resources are managed effectively to care for patients; or
  • Determine the need for adjustments to payment policies to enhance care or coverage for patients with SUD.
  • Reviews of appropriateness of medical care, medical necessity, and utilization of services.
  • Quality Assurance entities included-Entities conducting audits or evaluations may include accreditation or similar types of organizations focused on quality assurance.
  • Medicare, Medicaid, Children’s Health Insurance Program (CHIP), or related audit or evaluation.
  • Patient identifying information, as defined in 42 CFR 2.11, may be disclosed to any person for the purpose of conducting a Medicare, Medicaid, or CHIP audit or evaluation, including an audit or evaluation necessary to meet the requirements for a Centers for Medicare & Medicaid Services (CMS)-regulated accountable care organization (CMS-regulated ACO) or similar CMS-regulated organization (including a CMS-regulated Qualified Entity (QE)), if the person agrees in writing to comply with the following:
  • Maintain and destroy the patient identifying information in a manner consistent with the policies and procedures established under 42 CFR 2.16;
  • Retain records in compliance with applicable federal, state, and local retention laws; and
  • Comply with the limitations on use and disclosure.
  • A Medicare, Medicaid, or CHIP audit or evaluation under this section includes a civil or administrative investigation of a part 2 program by an federal, state, or local government agency with oversight responsibilities for Medicare, Medicaid, or CHIP and includes administrative enforcement, against the part 2 program by the government agency, of any remedy authorized by law to be imposed as a result of the findings of the investigation.
  • An audit or evaluation necessary to meet the requirements for a CMS-regulated ACO or similar CMS-regulated organization (included a CMS-regulated QE) must be conducted in accordance with the following:
  • A CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) must:
  • Have in place administrative and/or clinical systems; and
  • Have in place a leadership and management structure, including a governing body and chief executive officer with responsibility for oversight of the organization’s management and for ensuring compliance with and adherence to the terms and conditions of the Participation Agreement or similar documentation with CMS; and
  • A CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) must have a signed Participation Agreement or similar documentation with CMS, which provides that the CMS-regulated ACO or similar CMS-regulated organization including a CMS-regulated QE):
  • Is subject to periodic evaluations by CMS or its agents, or is required by CMS to evaluate participants in the CMS-regulated ACO or similar CMS-regulated organization (including a CMS-regulated QE) relative to CMS-defined or approved quality and/or cost measures;
  • Must designate an executive who has the authority to legally bind the organization to ensure compliance with 42 U.S.C. 29dd-2 and this part and the terms and conditions of the Participation Agreement in order to receive patient identifying information from CMS or its agents;
  • Agrees to comply with all applicable provisions of 42 U.S.C. 290dd-2 and this part;
  • Must ensure that any audit or evaluation involving patient identifying information occurs in a confidential and controlled setting approved by the designated executive;
  • Must ensure that any communications or reports or other documents resulting from an audit or evaluation under this section do not allow for the direct or indirect identification (e.g., through the use of codes) of a patient as having or having had a substance use disorder; and
  • Must establish policies and procedures to protect the confidentiality of the patient identifying information consistent with this part, the terms and conditions of the Participation Agreement, and the requirements set forth in paragraph (5)(a) of this section.
  • Program, as defined in 42 CFR 2.11 includes an employee of, or provider of medical services under the program when the employee or provider is the subject of a civil investigation or administrative remedy.
  • If a disclosure to a person is authorized under this section for a Medicare, Medicaid, or CHIP audit or evaluation, including a civil investigation or administrative remedy. The person may further use or disclose the patient identifying information that is received for such purposes to its contractor(s), subcontractor(s), or legal representative(s), to carry out the audit or evaluation, and a quality improvement organization which obtains such information may use or disclose the information to that person (or, to such person’s contractors, subcontractors, or legal representatives, but only for the purposes of this section).
  • The provisions above do not authorize the part 2 program, the Federal, state, or local government agency, or any other person to use or disclose patient identifying information obtained during the audit or evaluation for any purposes other than those necessary to complete the audit or evaluation.
  • Limitations on use and disclosure-Except as provided above in this section, patient identifying information disclosed under this section may be disclosed only back to the part 2 program or other lawful holder from which it was obtained and may be used only to carry out an audit or evaluation purpose or to investigate or prosecute criminal or other activities, as authorized by a court order entered under 42 CFR 2.66.
  • Audits and evaluations mandated by statute or regulation-Patient identifying information may be disclosed to federal, state, and local government agencies, and the contractors, subcontractors, and legal representatives of such agencies, in the course of conducting audits or evaluations mandated by statute or regulation, if those audits or evaluations cannot be carried out using deidentified information.
  • Disclosures for health care operations-With respect to activities described above, a part 2 program, covered entity, or business associate may disclose records in accordance with a consent that includes health care operations, and the recipient may redisclose such records as permitted under the HIPAA regulations if the recipient is a covered entity or business associate.

Disclosures for public health- A part 2 program may disclose records for public health purposes without a patient consent so long as:

  • The disclosure is made to a public health authority as defined in this part; and
  • The content of the information from the record disclosed has been de-identified in accordance with the requirements of 45 CFR 164.514(b) such that there is no reasonable basis to believe that the information can be used to identify a patient.

If a use or disclosure for any purpose described above is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law.

Uses and disclosures made to any entity/individual that does not meet the above requirements would require written consent. Examples where written consent would be required include, but are not limited to:

SUD counseling notes

  • Notwithstanding any provision of this subpart, a part 2 program must obtain consent for any use or disclosure of SUD counseling notes, except:
  • To carry out the following treatment, payment, or health care operations:
  • Use by the originator of the SUD counseling notes for treatment;
  • Use or disclosure by the part 2 program for its own training programs in which students, trainees, or practitioners in SUD treatment or mental health learn under supervision to practice or improve their skills in group, joint, family , or individual SUD counseling; or
  • Use or disclosure by the part 2 program to defend itself in a legal action or other proceeding brought by the patient;
  • A use or disclosure that is required by 42 CFR 2.2 (b) or permitted by 42 CFR 2.15 (b); 42 CFR 2.53 with respect to the oversight of the originator of the SUD counseling notes; 42 CFR 2.63 (a); 42 CFR 2.64.

Civil, administrative, or legislative proceedings-Patient consent is required for use and disclosure of records (or testimony relaying information contained in a record) in a civil, criminal, administrative, or legislative investigation or proceeding.

  • This consent cannot be combined with a consent to use or disclose a record for any other purpose.

Treatment, payment, and health care operations purposes

  • A patient may provide a single consent for all future uses and disclosures for treatment, payment, and health care operations purposes.
  • When a single consent for all future uses and disclosures for treatment, payment, and health care operations is provided, a part 2 program, covered entity, or business associate may use and disclose those records as permitted by the HIPAA regulations, until such time as the patient revokes such consent in writing.
  • Records that are disclosed to a part 2 program, covered entity, or business associate pursuant to the patient’s written consent for treatment, payment, and health care operations may be further disclosed by that part 2 program, covered entity, or business associate, without the patient’s written consent, to the extent the HIPAA regulations permit such disclosure.

Revocation of consent-A patient my revoke written consent as provided by 42 CFR 2.31 and 2.35

  • 42 CFR 2.31-The patient may revoke a consent at any time by signing and dating a formal request, except to the extent that action has already been taken in reliance upon it.
  • 42 CFR 2.35-Revocations related to elements of the criminal justice system which have referred patients.
  • The written consent must state that it is revocable upon the passage of a specified amount of time or the occurrence of a specified, ascertainable event. The time or occurrence upon which consent becomes revocable may be no later than the final disposition or the conditional release or other action in connection with which consent was given.

Legal uses and disclosures

Records or testimony relaying the content of such records, shall not be used or disclosed in any civil, administrative, criminal, or legislative proceedings against the patient unless based on specific written consent or a court order.

Records shall only be used or disclosed based on a court order after notice and an opportunity to be heard is provided to the patient or the holder of the record, where required by 42 U.S.C. 290dd-2 and this part.

A court order authorizing use or disclosure must be accompanied by a subpoena or other similar legal mandate compelling disclosure before the record is used or disclosed.

Patient Rights

A patient has the right to obtain their own records, adhering to all federal and state laws and regulations as well as any part 2 program policies.  A patient has the right to have their protected health information treated with confidentiality and not released without written consent, except for situations required by law. A patient has a right to determine what information is disclosed, to whom, and the purposes for which it will be used.  Further rights include and may be exercised as follows:

  • Right to permit a patient to request that the part 2 program restrict uses or disclosures of records about the patient to carry out treatment, payment, or health care operations, including when the patient has signed written consent for such disclosures.
  • A part 2 program is not required to agree to a restriction except for the following:
  • The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and
  • The record pertains solely to a health care item or service for which the patient, or person other than the health plan on behalf of the patient, has paid the part 2 program in full, as in the same manner as 45 CFR 164.522.
  • A part 2 program may terminate a restriction, if one of the following applies:
  • The patient agrees to or request the termination in writing.
  • The patient orally agrees to the termination and the oral agreement is documented.
  • The part 2 program informs the patient that it is terminating the agreement to a restriction except for the following:
  • Only effective with respect to records created or received after it has so informed the patient.

Right to an accounting of disclosures from a part 2 program must be made upon request.     

  • Upon request an accounting of all disclosures made with consent in the 3 years prior to the date of the request (a shorter time periods may be chosen by the patient).  This account must meet the requirements of 45 CFR 164.528(a)(2) and (b) through (d).

Right to a list of disclosures by an intermediary for the past 3 years.

Right to obtain a paper or electronic copy of this notice upon request.

Right to discuss the notice with the designated office below:

  • Health Information Office, 540-961-8418, mrecords@nrvcs.org

Right to elect not to receive fundraising communications

NRVCS is required by law to maintain the privacy of patient records, to provide patients with notice of our legal duties and privacy practices with respect to records, and to notify affected patients following a breach of unsecured records.

NRVCS is required to abide by the terms of this notice.

NRVCS reserves the right to change the terms of this notice and to make the notice provisions effective for records maintained by NRVCS.

  • Any changes to the terms of this notice will be made in accordance with all federal and state laws and regulations.
  • Upon any changes to the terms of this notice, NRVCS will provide patients with a copy (paper or electronic) of the revised notice at the time of their next appointment.

Complaints

Complaints may be made in writing to the patient’s service provider, the service provider’s supervisor, the NRVCS Client Advocate, or the Secretary or Health and Human Services.

Once a complaint is filed, the patient will be contacted within 24 hours to provide assistance in understanding the complaint and resolution process.

If necessary, an investigation of the complaint will be initiated immediately, but no later than the next business day.

A written report from the Director will be provided with a decision and, if necessary, an action plan for resolving the complaint within 10 working days.

The patient may also file a complaint with the Secretary of Health and Human Services.

  • A complaint to the Secretary of Health and Human Services must be filed in writing, either on paper or electronically.
  • A complaint must name the person that is the subject of the complaint and describe the acts or omissions believed to be in violation of the applicable administrative simplification provision(s).
  • A complaint must be filed within 180 days of when the complainant knew or should have known that the act or omission complained of occurred, unless this time limit is waived by the Secretary for good cause shown.

NRVCS Client Advocate                                                                                                                                        

700 University City Blvd.                                                                                                                              

Blacksburg, VA 24060                                                                                                                                             

540-961-8421

The U.S. Department of Health and Human Services                                                                                   

Hubert H. Humphrey Building                                                                                                                               

200 Independence Avenue, S.W.                                                                                                                

Washington, D.C. 20201                                                                                                                                           

1-877-696-6775

If you believe your privacy rights have been violated and a complaint is filed, you have the right to have your complaint resolved without any retaliation against you for filing a complaint.

This notice is effective as of February 16, 2026.

Copyright 2024 New River Valley Community Services | All Rights Reserved