Privacy Practices

Notice of Privacy Practices

Because we are an alcohol and substance abuse treatment program, your records and personal information are protected at a higher level of confidentiality. You are protected by Federal law and regulations.


We are committed to protecting the privacy of protected health information we gather about you while providing services.  Some examples of protected health information are:

  • the fact that you are a participant at, or receiving services from, our agency;
  • information about your condition;
  • information about health care products or services you have received or may receive in the future (such as a medication or equipment);
  • information about your health care benefits under an insurance plan (such as whether a prescription is covered);
  • geographic information (such as where you live or work);
  • demographic information (such as your race, gender, or ethnicity); and
  • unique numbers that may identify you (such as your social security number, your phone number).



We will not use or disclose your protected health information for any purpose not specified in this Notice without your written authorization.  The written authorization we obtain will specifically identify the particular purpose of the use or disclosure, the information being used or disclosed, the person(s) receiving the information, and the time frame that the authorization is valid.  If you give us your written authorization you may revoke it at any time, in which case we will no longer use or disclose your protected health information for this purpose, except to the extent we have already relied on your authorization.  You are not required to sign an authorization form and we will not deny you treatment if you refuse to do so.


The only exceptions where your information may be disclosed without consent are:

  1. Treatment, Payment and Health Care Operations

Protected health information about you may be used by our agency in connection with our duties to provide you with treatment, to obtain payment for that treatment, or to conduct our agency’s business operations.

  • “Treatment” means that we may use protected health information about you inside our agency to plan for and provide services to you.  For example, two of our clinicians who are both treating you may discuss your case to coordinate treatment.
  • “Payment” means that we may use protected health information about you, or share it with others, so that we obtain payment for the services we provide to you.
  • “Business operations” means that we may use protected health information about you in order to conduct our normal business operations.  For example, we may use protected health information about you to evaluate the performance of our staff in providing services to you, or to educate our staff on how to improve the care they provide for you.
  2. Qualified Service Organization Agreements

Kolmac staff members may in some cases disclose information to a “qualified service organization” without the patient’s consent.  A “service organization” is a person or agency that provides services – such as claims processing, laboratory analyses, legal, medical accounting, or other professional services – to Kolmac.  Confidentiality agreements will be signed with all such organizations.

We have chosen to participate in the Chesapeake Regional Information System for our Patients (CRISP), a regional health information exchange serving Maryland and D.C. which assists providers and public health officials in making more informed decisions.  You may “opt-out” and disable access to your health information available through CRISP by calling 1-877-952-7477 or completing and submitting an Opt-Out form to CRISP by mail, fax or through their website.  Public health reporting and Controlled Dangerous Substances information, as part of the Maryland Prescription Drug Monitoring Program (PDMP), will still be available to providers.

  3. Medical Emergencies – See 42 CFR §2.51

Patient-identifying information may be disclosed to medical personnel who have a need for the information about a patient for the purpose of treating a condition which poses an immediate threat to the health of any individual and which requires immediate medical intervention.  A program can disclose information only to medical personnel and must limit the amount of information to that which is necessary to treat the emergency medical condition. 

  4. Court Ordered

The Privacy Rule permits a program to disclose PHI pursuant to a subpoena without a prior written authorization.  See 45 CFR §164.512(e)(1)(ii).

  5. Child abuse reporting – See 42 CFR §2.12(c)(6); See 45 CFR §164.512(b)(1)(ii)

This exception covers State laws that require the reporting of child abuse and neglect. The Privacy Rule also permits such reporting.

  6. Crimes on program premises or against program personnel – See 45 CFR §164.512(f)(5); 45 CFR §164.502(j)(2).

We are permitted to disclose limited information to law enforcement officers. Such disclosures must be directly related to crimes and threats to commit crimes on program premises or against program personnel and must be limited to the circumstances of the incident and the patient’s status, name, address and last known whereabouts. The Privacy Rule permits programs to disclose to law enforcement officials PHI that the program believes in good faith constitutes evidence of a crime that occurred on the program’s premises. It also permits any member of the program’s staff who is the victim of a crime to report certain information about the suspected perpetrator to law enforcement officials.

In those exceptions listed above, the disclosure will be limited to the information necessary to carry out the purpose of the disclosure.



While we will take reasonable steps to safeguard the privacy of your information, certain disclosures of your information may occur during or as an unavoidable result of our otherwise permissible uses or disclosures of your protected health information.



We will notify you if there is a breach of your unsecured protected health information.  A breach is an improper use or disclosure of your information that compromises the security of the information.  Information is considered unsecured if it is not encrypted in accordance with standards adopted by the federal government.  If there is a breach, we will notify you as soon as reasonably possible after we discover the breach.  Kolmac’s Privacy Officer will also be notified.

We reserve the right to change our policy and practices and the terms of this Notice of Privacy Practices, consistent with applicable law and under current business processes, at any time.  Any new Notice of Privacy Practices will be effective for all PHI that we maintain at that time.  Notification of revisions of this Notice of Privacy Practices will be provided.