Effective Date: 04/08/2026
Patient Privacy Policy: Marula Rehab Telehealth Program
Scope:
Applies to all Marula Rehab staff, contractors, clinicians, vendors, and business associates who collect, access, store, transmit, or otherwise handle protected health information (PHI) for patients receiving telehealth substance use disorder and alcohol treatment while physically located in Utah.
Purpose
To protect patient privacy and confidentiality, ensure secure handling of PHI in telehealth encounters, comply with federal and Utah law, and define patient rights and organizational responsibilities for telehealth services.
Definitions
PHI:
Protected health information as defined by HIPAA.
Telehealth Platform:
The software and hardware used to deliver synchronous or asynchronous telehealth services.
Business Associate:
Any vendor or contractor that creates, receives, maintains, or transmits PHI on behalf of Marula Rehab.
Privacy Principles
Lawful, Minimal, Purposeful Use:
Collect only PHI necessary to provide safe, effective care and to meet legal, billing, and quality requirements.
Patient Control:
Patients have rights to access, amend, and obtain an accounting of disclosures of their PHI consistent with HIPAA and Utah law.
Transparency:
Patients will be informed about how their PHI is used, who may access it, and the risks and limits of telehealth privacy.
Data Collection and Use
What We Collect:
Identifying information; medical and behavioral health history; medication lists; treatment plans; session notes; diagnostic results; communications (messages, emails, and video/audio recordings only if authorized).
How We Use PHI:
For clinical care, care coordination, billing, quality improvement, legal compliance, and as otherwise authorized by the patient or required by law.
Minimum Necessary:
Staff will access only the minimum PHI needed to perform their job duties. All requests for PHI must be justified and documented.
Consent and Notice
Telehealth Privacy Notice:
Before the first telehealth visit, provide and document a written or electronic Telehealth Privacy Notice that explains: the telehealth platform used; privacy and security measures; limits to confidentiality (e.g., mandatory reporting, court orders); how recordings are handled; and how to request records. Utah requires informed consent for telehealth and that telehealth meet industry security and privacy standards.
Recording:
No audio or video recording of telehealth sessions will occur without explicit, documented patient consent. If recordings are made, the purpose, storage, retention period, and access rights must be disclosed and documented.
Patient Rights
Access:
Patients may request access to their medical records and receive copies in the format requested when feasible.
Amendment:
Patients may request amendments to their records; Marula Rehab will review and respond per HIPAA and Utah procedures.
Accounting of Disclosures:
Patients may request an accounting of disclosures of their PHI as allowed by law.
Restrictions and Confidential Communications:
Patients may request restrictions on disclosures and request alternative means or locations for communications; Marula Rehab will evaluate and document responses consistent with law.
Use and Disclosure Without Patient Authorization
Permitted Disclosures:
Treatment, payment, and health care operations; public health reporting; mandatory reporting (abuse, threats to safety); court orders and subpoenas; law enforcement requests as allowed by law. All such disclosures will be documented.
Business Associates and Third Parties
Due Diligence:
All vendors and business associates (telehealth platform vendors, cloud storage, billing companies) must sign a HIPAA Business Associate Agreement (BAA) and demonstrate appropriate security controls.
Vendor Security Review:
Prior to engagement, vendors must pass a security and privacy assessment covering encryption, access controls, logging, incident response, and data location.
Security Safeguards
Technical Controls:
Use HIPAA‑compliant platforms with end‑to‑end encryption for video and messaging; enforce strong authentication; role‑based access controls; automatic session timeouts; and secure e‑prescribing systems when applicable.
Administrative Controls:
Written policies and procedures; workforce training on privacy and telehealth security; background checks for staff with PHI access; least privilege access.
Physical Controls:
Secure workspaces for staff; locked storage for any physical PHI; controls for portable devices.
Logging and Monitoring:
Maintain access logs for PHI and telehealth sessions; review logs regularly for unauthorized access.
Data Retention and Disposal
Retention Periods:
Retain telehealth medical records in accordance with Utah record retention laws and Marula Rehab retention schedule. When PHI is no longer required, dispose of it securely (secure deletion for electronic records; shredding or secure destruction for paper).
Breach Notification and Incident Response
Incident Response Plan:
Maintain a written incident response plan that includes containment, assessment, mitigation, notification, and remediation steps.
Breach Notification:
In the event of an unauthorized disclosure of unsecured PHI, Marula Rehab will follow HIPAA and Utah breach notification requirements, notify affected individuals and regulators as required, and document the incident and corrective actions.
Special Considerations for Substance Use Disorder Records
42 CFR Part 2 and SUD Records:
Substance use disorder treatment records may have additional federal protections (e.g., 42 CFR Part 2). Marula Rehab will identify SUD records and apply the stricter confidentiality rules where applicable; disclosures will occur only with proper patient consent or as permitted by law. Document any special consents and disclosures.
Patient Responsibilities
Secure Environment:
Patients should attend telehealth sessions from a private location and use secure networks when possible. Avoid public Wi‑Fi for sessions involving PHI.
Device Security:
Patients are encouraged to use updated devices and software and to protect access with passwords.
Accurate Information:
Provide accurate contact and location information at each encounter.
Staff Training and Compliance
Mandatory Training:
All staff must complete initial and annual training on HIPAA, Utah telehealth privacy requirements, SUD confidentiality rules, secure use of telehealth platforms, and incident reporting procedures.
Audits:
Conduct periodic privacy and security audits, including vendor reviews and chart audits, and remediate findings promptly.
Complaints and Enforcement
How to File a Complaint:
Patients may file privacy complaints with Marula Rehab’s Privacy Officer; complaints will be investigated and resolved without retaliation. Provide contact details in the Telehealth Privacy Notice.
External Remedies:
Patients retain the right to file complaints with the HHS Office for Civil Rights or Utah regulatory authorities if they believe their rights were violated.
Implementation Checklist
Before First Telehealth Visit:
Provide Telehealth Privacy Notice; obtain and document informed consent; confirm patient identity and location; ensure platform and vendor BAAs are in place.
Ongoing:
Log and monitor access; perform PDMP and prescribing checks when applicable; update local emergency resource list; maintain training records.
Telehealth Privacy Notice Language
Marula Rehab Telehealth Privacy Notice
Marula Rehab uses secure, HIPAA‑compliant telehealth technology to provide behavioral health and substance use disorder services. Telehealth involves electronic transmission of health information and carries privacy risks despite safeguards. We will not record sessions without your written consent. We will share your health information only for treatment, payment, health care operations, or as required by law. You have rights to access, amend, and receive an accounting of disclosures of your health information. For questions or to file a privacy complaint, contact our Privacy Officer at 385-376-8950.
Review Cycle
This policy will be reviewed annually and updated sooner if federal or Utah law, payer rules, or best practices change. Maintain version control and staff notification for updates.