Policies & Procedures


The following privacy policy is adopted to ensure that SBNC complies fully with all federal
and state privacy protection laws and regulations. Protection of patient privacy is of
paramount importance to this organization. Violations of any of these provisions will
result in severe disciplinary action including termination of employment and possible
referral for criminal prosecution,

Effective Date: This policy is in effect as of April 1, 2003.
It is the policy of SBNC that we will adopt, maintain and comply with our Notice of
Privacy Practices, which shall be consistent with HIPAA and California law.

Notice of Privacy Practices
It is the policy of SBNC that a notice of privacy practices must be available to all patients
and that this notice be provided to all subject individuals upon request, and that all uses
and disclosures of protected health information be done in accord with this organization’s
notice of privacy practices. It is the policy of SBNC to post the most current notice of
privacy practices in our “waiting room” area, and to have copies available for distribution
at our reception desk.


Assigning Privacy and Security Responsibilities
It is the policy of SBNC that clinic managers of each clinic facility are assigned the
responsibility of implementing and maintaining the HIPAA Privacy and Security Rule’s
requirements. Furthermore, it is the policy of SBNC that these individuals will be provided
sufficient resources and authority to fulfill their responsibilities.


Deceased Individuals
It is the policy of SBNC that privacy protections extend to information concerning
deceased individuals.


Minimum Necessary Use and Disclosure of Protected Health Information
It is the policy of SBNC that for all routine and recurring uses and disclosures of PHI
(except for uses or disclosures made 1) for treatment purposes, 2) to or as authorized by
the patient or 3) as required by law for HIPAA compliance such uses and disclosures of
protected health information must be limited to the minimum amount of information
needed to accomplish the purpose of the use or disclosure. It is also the policy of SBNC
that non-routine uses and disclosures will be handled pursuant to established criteria. All
requests for protected health information (except as specified above) must be limited to
the minimum amount of information needed to accomplish the purpose of the request.


Marketing Activities
It is the policy of SBNC that any uses or disclosures of protected health information for
marketing activities will be done only after a valid authorization is in effect. “Marketing”
means any communication to encourage purchase or use a product or service where an arrangement exists in exchange for direct or indirect remuneration, or where this organization encourages purchase or use of a product or service. This organization does not consider the communication of alternate forms of treatment, or the use of products and services in treatment to be marketing. A face to face communication made by us to the patient, or a promotional gift of nominal value given to the patient does not require an Authorization.

Psychotherapy Notes
An authorization for any use or disclosure of psychotherapy notes, as defined in the
HIPAA regulations, except for treatment, payment or health care operations, is required as

  1. Use by originator for treatment
  2. Use for training physicians or other mental health professionals as
    authorized by the regulations
  3. Use or disclosure in defense of a legal action brought by the individual
    whose records are in issue
  4. Use or disclosures as required by law, or as authorized by law to enable
    health oversight agencies to oversee the originator of the psychotherapy

Confidentiality of Alcohol and Drug Abuse Patient Records, HIV-Related Information
District and/ or federal law and regulations specifically protects the confidentiality of
alcohol and drug abuse patient records, and HIV related information. Generally SBNC
may not disclose such information held unless the individual consents in writing,
disclosure is allowed by a court order, or is required by law.

It is the policy of SBNC that all complaints relating to the protection of health information
be investigated and resolved in a timely fashion. Furthermore, it is the policy of SBNC
that all complaints will be addressed to the appropriate clinic manager who is duly
authorized to investigate complaints and implement resolutions if the complaint stems
from a valid area of non-compliance with the HIPAA Privacy and Security Rule.


Prohibited Activities-No Retaliation or Intimidation
It is the policy of SBNC that no employee or contractor may engage in any intimidating or
retaliatory acts against persons who file complaints or otherwise exercise their rights
under HIPAA regulations. No employee or contractor may condition treatment, payment,
enrollment or eligibility for benefits on the provision of an authorization to disclose
protected health information except as expressly authorized under the regulations.

It is the policy of SBNC that the responsibility for designing and implementing procedures
to implement this policy lies with the appropriate clinic manger.

Verification of Identity
It is the policy of SBNC that the identity of all persons who request access to protected
health information be verified before such access is granted.


It is the policy of SBNC that the effects of any unauthorized use or disclosure of protected
health information be mitigated to the extent possible.


Appropriate physical safeguards will be in place to reasonably safeguard protected health
information from any intentional or unintentional use or disclosure that is in violation of the


HIPAA Privacy Rule
These safeguards will include physical protection of premises and
PHI, technical protection of PHI maintained electronically and administrative protection.
These safeguards will extend to the oral communication of PHI. These safeguards will
extend to PHI that is removed from this organization.


Business Associates
Business associates as defined by HIPAA must be contractually bound to protect health
information to the same degree as set forth in this policy. It is also the policy of this
organization that business associates who violate their agreement will be dealt with first
by an attempt to correct the problem, and if that fails by termination of the agreement and
discontinuation of services by the business associate.


Training and Awareness
Members of the SBNC workforce will be trained on the policies and procedures governing
protected health information and how SBNC complies with the HIPAA Privacy and
Security Rules. New members of our workforce receive training on these matters within a
reasonable time after they have joined the workforce. It is the policy of SBNC to provide
training should any policy or procedure related to the HIPAA Privacy and Security Rule
materially change. This training will be provided within a reasonable time after the policy
or procedure materially changes. Furthermore, it is the policy of SBNC that training will
be documented indicating participants, date and subject matter.


Material Change
It is the policy of SBNC that the term “material change” for the purposes of these policies
is any change in our HIPAA compliance activities.

It is the policy of SBNC that sanctions will be in effect for any member of the workforce
who intentionally or unintentionally violates any of these policies or any procedures
related to the fulfillment of these policies. Such sanctions will be recorded in the
individual’s personnel file.

Retention of Records
It is the policy of SBNC that the HIPAA Privacy Rule records retention requirement of six
years will be strictly adhered to. All records designated by HIPAA in this retention
requirement will be maintained in a manner that allows for access within a reasonable
period of time. This records retention time requirement may be extended at this
organization’s discretion to meet with other governmental regulations or those
requirements imposed by our professional liability carrier.

Regulatory Currency
It is the policy of SBNC to remain current in our compliance program with HIPAA

Cooperation with Privacy Oversight Authorities
It is the policy of SBNC that oversight agencies such as the Office for Civil Rights of the
Department of Health and Human Services be given full support and cooperation in their
efforts to ensure the protection of health information within this organization. It is also the
policy of this organization that all personnel must cooperate fully with all privacy
compliance reviews and investigations.

^Back to top


Santa Barbara Neighborhood Clinics (SBNC) recognizes that the efficient operation of the development office requires the maintenance and management of extensive donor and prospect records. These records often contain sensitive information that has been shared with or developed by the SBNC staff on a confidential basis.

The purpose of this policy is to codify the position of SBNC on anonymity and donor/prospect records. “Records” is construed to mean all files, including electronic data, containing information on donors or prospective donors to SBNC.

I. Confidentiality of Records: The Director of Development shall be responsible for maintaining the confidentiality of donor and prospect records. She may, in her discretion, make all or part of any record available to staff members or SBNC volunteers to assist them in executing their responsibility. SBNC will not sell, trade or share a donor's personal information with external sources nor send donor mailings on behalf of other organizations unless expressly granted specific permission to do so. SBNC's auditors are authorized to review donor and prospect records as required for the purposes for which they are engaged. The Board of Directors may, by a majority vote, appoint a committee to review the donor/prospect records and report back to the Board. Any such committee shall respect SBNC's significant interest in protecting the sensitive nature of those records.

II. Publication Of Donor Names: Unless otherwise requested by the donor, the names of all individual donors will be listed in SBNC's annual report and/or in other appropriate vehicles. SBNC will not publish the amount of any donor's gift without the permission of the donor. Donors making gifts to SBNC by bequest or other testamentary device are deemed to have granted such permission. Donors should be aware that it is SBNC's policy to, from time to time, publish the current market value of its funds, from which a reader may be able to determine the approximate size of a donor’s gift.

III. Honor/ Memorial Gifts: The names of donors of memorial or honor gifts may be released to the honoree, next of kin, or appropriate member of the immediate family, unless otherwise specified by the donor. Gift amounts are not to be released without the express consent of the donor.

IV. Anonymous Gifts: The Director of Development is authorized to accept anonymous gifts to the Foundation. In the event the Director of Development is uncertain about the desirability of accepting an anonymous gift, she shall consult with the Chief Executive Officer. The Chief Executive Officer shall disclose to the Board Executive Committee, upon a request by a majority of the Executive Committee, the names of any anonymous donors.

V. Disclosure of Pending Gifts: In the event that the Director of Development concludes that SBNC is likely to receive, in the immediate future, a gift equal to or greater than five percent of its then existing assets, the Chief Executive Officer shall notify the Chair of the Board. The Chair and the Chief Executive Officer shall determine the appropriate course for notifying the Board of Directors.

I affirm that I have read and agree to abide by this Policy on Confidentiality of Donor Records and Donor Anonymity.

^Back to top

SBNC Donor Bill of Rights:

I. To be informed of SBNC’s mission, of the way SBNC intends to use donated resources and of our capacity to use donations effectively for their intended purposes.

II. To be informed of the identity of those serving on SBNC’s governing board and to expect the board to exercise prudent judgment in its stewardship responsibilities.

III. To have access to SBNC’s most recent financial statements.

IV. To be assured donors gifts will be used for the purposes for which they were given.

V. To receive appropriate acknowledgement and recognition.

VI. To be assured that information about private donations is handled with respect and with confidentiality to the extent provided by law.

VII. To expect that all relationships with individuals representing organizations of interest to the donor will be professional in nature.

VIII. To be informed whether those seeking donations are volunteers, employees of SBNC or hired solicitors.

IX. To have the opportunity for donors names to be deleted from mailing lists that SBNC may intend to share.

X. To feel free to ask questions when making a donation and to receive prompt, truthful and forthright answers.

^Back to top

Record Retention and Destruction Policy:

To ensure proper record retention and destruction processes, Santa Barbara Neighborhood Clinics (SBNC) policy is to ensure that necessary records and documents are protected and maintained, and to ensure that records that are no longer needed by SBNC are destroyed — including email records, web files, text files, sound and movie files, PDF documents and all Microsoft Office or other formatted files. Records include personnel files, customer, patient and donor information, financial records and general correspondence. See Record Retention Schedule for a complete list and retention requirement.

Employees with responsibilities requiring them to create, revise, handle, or maintain financial, personnel, patient and donor data, are responsible to perform these functions confidentially, safely, diligently and with respect for these records’ importance and confidentiality.

In the event SBNC is served with any subpoena or request for documents; any employee becomes aware of a governmental investigation or audit concerning SBNC, or the commencement of any litigation against or concerning our organization, they are required to inform the CEO immediately. Any further disposal of documents shall be suspended until such time as the CEO, with the advice of counsel, determines otherwise. The CEO shall take such steps as is necessary to promptly inform all staff of any suspension in the further disposal of documents.

Only the CEO may decide and direct employees about when, how and what financial, personnel, patient and donor records will be destroyed. This direction will be in writing. Employees are subject to immediate discipline, up to and including termination of employment, for destroying or failing to preserve and maintain any SBNC records without prior written notice from the CEO. See the Record Retention Schedule here (PDF)

^Back to top