NOTICE REGARDING PRIVACY OF PERSONAL HEALTH INFORMATION FOR CERTIFIED ALLERGY & ASTHMA CONSULTANTS
(referred to as “the practice” throughout this Notice)
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Federal regulations developed under the Health Insurance Portability and Accountability Act (HIPAA) require that the practice provide you with this Notice Regarding Privacy of Personal Health Information. The Notice describes (1) how the practice may use and disclose your protected health information, (2) your rights to access and control your protected health information in certain circumstances, and (3) the practices’ duties and contact information.
I. Protected Health Information
“Protected health information” is health information created or received by your health care provider that contains information that may be used to identify you, such as demographic data. It includes written or oral health information that relates to your past, present or future physical or mental health; the provision of health care to you; and your past, present, or future payment for health care.
II. The Use and Disclosure of Protected Health Information in Treatment, Payment, and Health Care Operations
Your protected health information may be used and disclosed by the practice in the course of providing treatment, obtaining payment for treatment, and conducting health care operations. Any disclosures may be made in writing, electronically, by facsimile, or orally. We will request your consent for the continuous release of such information. You may revoke this consent at any time by advising our Privacy Officer, as identified at the bottom of this notice, in writing. The practice may also use or disclose your protected health information in other circumstances if you authorize the use or disclosure, or if state law or the HIPAA privacy regulations authorize the use or disclosure.
Treatment. The practice may use and disclose your protected health information in the course of providing or managing your health care as well as any related services. For the purpose of treatment, the practice may coordinate your health care with a third party. For example, the practice may disclose your protected health information to a pharmacy to fulfill a prescription for asthma medication, to an X-ray facility to order an X-ray, or to another physician who is administering your allergy shots which we prepared. In addition, the practice may disclose protected health information to other physicians or health care providers for treatment activities of those other providers.
Payment. When needed, the practice will use or disclose your protected health information to obtain payment for its services. Such uses or disclosures may include disclosures to your health insurer to get approval for a recommended treatment or to determine whether you are eligible for benefits or whether a particular service is covered under your health plan. When obtaining payment for your health care, the practice may also disclose your protected health information to your insurance company to demonstrate the medical necessity of the care or for utilization review when required to do so by your insurance company. Finally, the practice may also disclose your protected health information to another provider where that provider is involved in your care and requires the information to obtain payment.
Health Care Operations. The practice may use or disclose your protected health information when needed for the practice’s health care operations for the purposes of management or administration of the practice and of offering quality health care services. Health care operations may include: (1) quality evaluations and improvement activities; (2) employee review activities and training programs; (3) accreditation, certification, licensing, or credentialing activities; (4) reviews and audits such as compliance reviews, medical reviews, legal services, and maintaining compliance programs; and (5) business management and general administrative activities. For instance, the practice may use, as needed, protected health information of patients to review their treatment course when making quality assessments regarding allergy care or treatment. In addition, the practice may disclose your protected health information to another provider or health plan for their health care operations.
Other Uses and Disclosures. As part of treatment, payment, and health care operations, the practice may also use or disclose your protected health information: (1) to remind you of an appointment including sending you an appointment reminder by mail or e-mail and/or leaving appointment reminder information on your telephone answering machine or voice mail; (2) to inform you of potential treatment alternatives or options; (3) to inform you of health-related benefits or services that may be of interest to you;(4) for research purposes. We may use and disclose your protected health information for research purposes, but we will only do that if the research has been specially approved by an authorized institutional review board or a privacy board that has reviewed the research proposal and has set up protocols to ensure the privacy of your protected health information. Even without that special approval, we may permit researchers to look at protected health information to help them prepare for research, for example, to allow them to identify patients who may be included in their research project, as long as they do not remove, or take a copy of, any protected health information. We may use and disclose a limited data set that does not contain specific readily identifiable information about you for research. However, we will only disclose the limited data set if we enter into a data use agreement with the recipient who must agree to (1) use the data set only for the purposes for which it was provided, (2) ensure the confidentiality and security of the data, and (3) not identify the information or use it to contact any individual.
III. Additional Uses and Disclosures Permitted Without Authorization or an Opportunity to Object
In addition to treatment, payment, and health care operations, the practice may use or disclose your protected health information without your permission or authorization in certain circumstances, including:
When Legally Required. The practice will comply with any Federal, state or local law that requires it to disclose your protected health information.
When Necessary to Protect Public Health. The practice may disclose your protected health information for public health purposes, including to, as permitted or required by law: (1) Prevent, control, or report disease, injury, or disability; (2) Report vital events such as birth or death; (3) Conduct public health surveillance, investigations, and interventions; (4) Collect or report adverse events and product defects, track FDA regulated products, enable product recalls, repairs, or replacements, and conduct post marketing surveillance; (5) Notify a person who has been exposed to a communicable disease or who may be at risk of contracting or spreading a disease (but only in accordance with state law); and (6) Report to an employer information about an individual who is a member of the workforce when information is related to a medical surveillance of the workplace or to evaluate whether an illness or injury is work-related. A separate notice will be provided to you in these circumstances.
To Report Abuse, Neglect or Domestic Violence. As required or authorized by law or with the patient’s agreement, the practice may inform government authorities if it is believed that a patient is the victim of abuse, neglect or domestic violence.
To Conduct Health Oversight Activities. The practice may disclose your protected health information to a health oversight agency for use in (1) audits; (2) civil, administrative, or criminal investigations, proceedings or actions; (3) inspections; (4) licensure or disciplinary actions; or (5) other necessary oversight activities as permitted by law. However, if you are the subject of an investigation, the practice will not disclose protected health information that is not directly related to your receipt of health care or public benefits.
For Judicial and Administrative Proceedings. The practice may disclose your protected health information for any judicial or administrative proceeding if the disclosure is expressly authorized by an order of a court or administrative tribunal as expressly authorized by such order or a signed authorization is provided.
For Law Enforcement Purposes. The practice may disclose your protected health information to a law enforcement official for law enforcement purposes when: (1) Required by law to report of certain types of physical injuries; (2) Required by court order, court-ordered warrant, subpoena, summons or similar process; (3) Needed to identify or locate a suspect, fugitive, material witness or missing person; (4) Needed to report a crime in an emergency situation; (5) You are the victim of a crime in specific limited instances; (6) Your death is suspected by the practice to be the result of criminal conduct; or (7) The practice believes your protected health information is evidence of a crime committed on the premises of the practice.
To Coroners, Funeral Directors, and for Organ Donation. The practice may disclose protected health information to a coroner or medical examiner for the purpose of (1) identification, (2) determination of cause of death, or (3) performance of the coroner or medical examiner’s other duties as authorized by law. In addition, as permitted by law, the practice may disclose protected health information, including when death is reasonably anticipated, to a funeral director to enable the funeral director to carry out his or her duties. Protected health information may also be used and disclosed for the purpose of cadaveric organ, eye or tissue donation.
To Prevent or Diminish a Serious and Imminent Threat to Health or Safety. If in good faith the practice believes that use or disclosure of your protected health information is necessary to prevent or diminish a serious and imminent threat to the health and safety of a person or of the public, the practice may use or disclose your protected health information as permitted under law and consistent with ethical standards of conduct.
For Specified Government Functions. As authorized by the HIPAA privacy regulations or state law, the practice may use or disclose your protected health information to facilitate specified government functions relating to military and veterans activities, national security and intelligence activities, protective services for the President and others, medical suitability determinations, correctional institutions, and law enforcement custodial situations.
For Worker’s Compensation. The practice may disclose your protected health information to comply with worker’s compensation laws or similar programs.
For Use by Business Associates. We may disclose protected health information to our business associates who perform functions on our behalf or provide us with services if the protected health information is necessary for those functions or services. For example, we use another company to provide electronic health record software to us which contains your protected health information. All of our business associates are obligated, under contract with us, to protect the privacy and ensure the security of your protected health information.
For Data Breach Notification Purposes. We may use or disclose your protected health information to provide legally required notices of unauthorized access to or disclosure of your health information.
IV. Uses and Disclosures Permitted With An Opportunity to Object
Subject to your objection, the practice may disclose your protected health information (1) to a family member or close personal friend if the disclosure is directly relevant to the person’s involvement in your care or payment related to your care; or (2) when attempting to locate or notify family members or others involved in your care to inform them of your location, condition or death. The practice will inform you orally or in writing of such uses and disclosures of your protected health information as well as provide you with an opportunity to object in advance. Your agreement or objection to the uses and disclosures can be oral or in writing. The practice may disclose your health information to a friend or family member as described at (1) and (2) if: (a) you are present and do not object to these disclosures; (b) the practice is able to infer from the circumstances that you do not object; or (c) the practice determines, in its professional judgment, that it is in your best interests for the practice to disclose information that is directly relevant to the person’s involvement with your care. If you are incapacitated or in an emergency situation, the practice may exercise its professional judgment to determine if the disclosure is in your best interests and, if such a determination is made, may only disclose information directly relevant to your health care.
We may also use or disclose your protected health information, as necessary, in order to contact you for fundraising activities. You have the right to opt out of receiving fundraising communications.
V. Uses and Disclosures Authorized by You
Other than the circumstances described above, the practice will not disclose your health information unless you provide written authorization. Your written authorization is also required for the use and disclosure of your protected health information for marketing purposes and for disclosures that constitute a sale of such information. Your authorization is also required for use and disclosure of psychotherapy notes. You may revoke your authorization in writing at any time except to the extent that the practice has taken action in reliance upon the authorization.
VI. Your Rights
You have certain rights regarding your protected health information under the HIPAA privacy regulations. These rights include:
The right to request a restriction on uses and disclosures of your protected health information. You may request that the practice not use or disclose specific sections of your protected health information for the purposes of treatment, payment, or health care operations. Additionally, you may request that the practice not disclose your health information to family members or friends who may be involved in your care or for purposes of notifying friends and family of your location, condition, or death. In your request, you must specify the scope of restriction requested as well as the individuals for which you want the restriction to apply. Your request should be directed to the practice’s Privacy Officer. The practice may choose to deny your request for a restriction unless you are asking us to restrict the use and disclosure of your protected health information to a health plan for payment or health care operation purposes and such information you wish to restrict pertains solely to a health care item or service for which you have paid us “out-of-pocket” in full. “Out-of-pocket” payments are those payments for health care services you have made in full for which you have requested we not bill your insurance company. If your request for a different restriction is denied, the practice will notify you of its decision. Once the practice agrees to a requested restriction, the practice may not violate that restriction unless use or disclosure of the relevant information is needed to provide emergency treatment. The practice may terminate the agreement to a restriction in some instances.
The right to request to receive confidential communications from the practice by alternative means or at an alternative location. You have the right to request that the practice communicates with you through alternative means or at an alternative location. The practice will make every effort to comply with reasonable requests. However, the practice may condition its compliance by asking you for information regarding the procurement of payment or specific information regarding an alternative address or other method of contact. You are not required to provide an explanation for your request. Requests should be made in writing to the practice’s Privacy Officer.
The right to inspect and copy your protected health information. You have the right to inspect and copy your protected health information for as long as we maintain it, subject to certain limitations. If we deny your request to inspect and copy your protected health information we will provide you with a written notice of the reason for the denial including an explanation of any appeal rights you may have. We may impose a fee for copies as permitted by state or Federal law. Requests for review and copying of your protected health information should be directed to the Privacy Officer.
The right to an electronic copy of electronic medical records. If your protected health information is maintained in an electronic format (known as an electronic medical record or an electronic health record), you have the right to request that an electronic copy of your record be given to you or transmitted to another individual or entity. We will make every effort to provide access to your protected health information in the form or format you request, if it is readily producible in such form or format. If the protected health information is not readily producible in the form or format you request your record will be provided in either our standard electronic format or if you do not want this form or format, a readable hard copy form. We may charge you a reasonable, cost-based fee for the labor associated with transmitting the electronic medical record.
The right to request an amendment of your protected health information. During the time that the practice holds your protected health information, you may request an amendment of your information in a designated record set. The practice may deny your request in some instances. However, should the practice deny your request for amendment, you have the right to file a statement of disagreement with the practice. In turn, the practice may develop a rebuttal to your statement. If it does so, the practice will provide you with a copy of the rebuttal. Requests for amendment must be submitted in writing to the practice’s Privacy Officer. Your written request must supply a reason to support the requested amendments.
The right to request an accounting of certain disclosures. You have the right to request an accounting of the practice’s disclosures of your protected health information made for purposes other than treatment, payment or health care operations as described in this Notice. The practice is not required to account for disclosures (1) which you requested, (2) which you authorized by signing an authorization form, (3) for a facility directory, (4) to friends or family members involved in your care, and (5) certain other disclosures the practice is permitted to make without your authorization. The request for an accounting must be made in writing to our Privacy Officer and should state the time period for which you wish the accounting to include up to a six year period. The practice is not required to provide an accounting for disclosures that take place prior to April 14, 2003. The practice will not charge you for the first accounting you request of any 12-month period. Subsequent accountings may require a fee based on the practice’s reasonable costs for compliance with the request.
The right to receive a notice of breach. You have the right to be notified upon a breach of any of your unsecured protected health information.
The right to obtain a paper copy of this Notice. The practice will provide a separate paper copy of this Notice upon request even if you have already been given a copy of it or have agreed to review it electronically.
VII. The Practice’s Duties
The practice is required to ensure the privacy of your health information and to provide you with this Notice of your rights and the practice’s duties and procedures regarding your privacy. The practice must abide by the terms of this Notice, as may be amended periodically. The practice reserves the right to change the terms of this Notice and to make the new Notice provisions effective for all protected health information that the practice collects and maintains. The current Notice is available in our office and on our website.
If you believe that your privacy rights have been violated, you have the right to relate complaints to the practice and to the Secretary of the Department of Health and Human Services. You may provide complaints to the practice verbally or in writing. Such complaints should be directed to the practice’s Privacy Officer. The practice encourages you to relate any concerns you may have regarding the privacy of your information and you will not be retaliated against in any way for filing a complaint.
IX. Contact Person/Exercising Your Rights
The practice’s contact person regarding the practice’s duties and your rights under the HIPAA privacy regulations is the Privacy Officer. To exercise your rights described in the Notice, send your request, in writing, to the Privacy Officer. The Privacy Officer can provide information regarding issues related to this Notice by request. Complaints or requests should be directed to the Privacy Officer at the following address:
CERTIFIED ALLERGY & ASTHMA CONSULTANTS
8 Southwoods Blvd.
Albany, NY 12211
ATTN: Thomas J. Derrico, Privacy Officer
The Privacy Officer can be contacted by telephone at (518) 434-1446.
X. Effective Date
This Notice is effective on September 23, 2013.