HIPAA‑Compliant Privacy Policy for Mental Health & Peer Support Services
1. Purpose of This Policy
This Privacy Policy explains how Centipede Peer‑to‑Peer (“we,” “our,” or “the organization”) protects, uses, and discloses Protected Health Information (PHI) in compliance with the Health Insurance Portability and Accountability Act (HIPAA) and enhanced mental‑health privacy protections. HIPAA provides individuals with important privacy rights and strict controls over how their health information is used and shared.
2. What Information We Protect
We protect all PHI, including but not limited to:
Mental‑health history, diagnoses, or treatment information
Notes from peer‑support sessions
Crisis‑intervention records
Medication or care‑coordination information
Contact information and demographic details
Any information that can identify a client
Mental‑health information receives heightened protection under HIPAA due to its sensitivity and potential impact on a person’s life, relationships, and employment.
3. How We Use and Share PHI
We only use or disclose PHI for the following permitted purposes:
A. Treatment
To coordinate care, referrals, crisis support, or safety planning. HIPAA allows sharing information when needed to ensure the patient receives appropriate treatment.
B. Payment
If applicable, to process billing or insurance claims.
C. Healthcare Operations
For quality improvement, supervision, training, or compliance audits.
D. With Written Authorization
We require signed authorization before sharing PHI for:
Communication with family or friends (unless permitted by HIPAA)
Release of records to outside agencies
Legal requests not covered by HIPAA exceptions
Sharing psychotherapy notes (which have special protections)
E. When the Law Requires It
We may disclose PHI without authorization only when legally required, such as:
To prevent or lessen a serious and imminent threat to the client or others
Mandatory reporting (abuse, neglect, or exploitation)
Court orders or law‑enforcement requests that meet HIPAA standards
4. Special Protections for Mental Health Information
HIPAA provides enhanced safeguards for mental‑health and behavioral‑health records, including:
A. Psychotherapy Notes
These require separate written authorization and are not shared for treatment, payment, or operations except in very limited circumstances.
B. Family Involvement
Providers may communicate with family or caregivers only when permitted, such as when:
The client gives permission
The client lacks capacity
There is a safety concern
The client is a minor and the parent is legally authorized
HIPAA outlines specific rules for adult and minor patients regarding family communication.
C. Substance‑Use Information
If applicable, 42 CFR Part 2 may apply, which provides even stricter confidentiality rules for substance‑use treatment.
D. Long‑Term Protection
Mental‑health records remain protected for 50 years after a client’s death, per updated HIPAA rules.
5. Client Rights Under HIPAA
Clients have the right to:
Access their records
Request corrections to inaccurate information
Request limits on how their PHI is used or shared
Request confidential communication methods
Receive a list of disclosures
File a complaint without fear of retaliation
Providers must respond to record‑access requests within 30 days.
6. How We Protect Your Information
We use administrative, physical, and technical safeguards, including:
Secure electronic record systems
Encrypted communication
Staff training on HIPAA and mental‑health confidentiality
Access limited to authorized personnel
Private spaces for sessions and documentation
Incident‑response procedures for breaches
7. Peer Support Confidentiality
Peer‑support specialists follow:
HIPAA Privacy Rule
Ethical standards for peer support
Trauma‑informed, person‑centered practices
Boundaries that protect client privacy and dignity
Peer‑support staff do not share client information unless:
The client gives permission
There is a safety concern
Reporting is legally required
8. Social Media & Public Communication
We never disclose PHI on:
Social media
Public forums
Marketing materials
Websites
Testimonials (unless written authorization is provided)
9. Breach Notification
If a breach of unsecured PHI occurs, we will:
Notify the affected individual(s)
Follow HIPAA breach‑notification requirements
Take corrective action to prevent recurrence
10. Contact for Privacy Questions or Complaints
- Mon – Fri
- 09:00 am – 06:00 pm
- Sat – Sun
- Closed
