Privacy Policy
INTEGRATED CARE OF GREATER HICKORY, a div. of Rudisill Family Practice.
THIS NOTICE DESCRIBES HOW MEDICAL AND BEHAVIORAL HEALTH INFORMATION ABOUT YOU MAY BE
USED OR DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW
IT CAREFULLY.
Effective Date: 2006
This Notice was revised on May 30, 2013.
IF YOU HAVE ANY QUESTIONS ABOUT THIS NOTICE OR IF YOU NEED MORE
INFORMATION, PLEASE CONTACT OUR PRIVACY OFFICER:
Privacy Officer: Douglas Blakeman
Mailing Address: 425 7th Ave SW, Hickory, NC 28602
Telephone: 828-322-5915 ext 120
Fax: 828-345-0387
Email: [email protected]
About This Notice
We are required by law to maintain the privacy of Protected
Health Information and to give you this Notice explaining our privacy practices
with regard to that information. You have certain rights – and we have certain
legal obligations – regarding the privacy of your Protected Health Information,
and this Notice also explains your rights and our obligations. We are required
to abide by the terms of the current version of this Notice.
What is Protected Health Information?
“Protected Health Information” is information that individually
identifies you and that we create or get from you or from another health care
provider, health plan, your employer, or a health care clearinghouse and that
relates to (1) your past, present, or future physical or mental health or
conditions, (2) the provision of health care to you, or (3) the past, present,
or future payment for your health care.
How We May Use and Disclose Your Protected Health Information
We may use and disclose your Protected Health Information in the
following circumstances:
·
For Treatment. We may use or disclose your Protected Health Information to
give you medical treatment or services and to manage and coordinate your medical
care. For example, your Protected Health Information may be provided to a
physician or other health care provider (e.g., a specialist or laboratory) to
whom you have been referred to ensure that the physician or other health care
provider has the necessary information to diagnose or treat you or provide you
with a service.
·
For Payment. We may use and disclose your Protected Health Information so
that we can bill for the treatment and services you receive from us and can
collect payment from you, a health plan, or a third party. This use and
disclosure may include certain activities that your health insurance plan may
undertake before it approves or pays for the health care services we recommend
for you, such as making a determination of eligibility or coverage for insurance
benefits, reviewing services provided to you for medical necessity, and
undertaking utilization review activities. For example, we may need to give your
health plan information about your treatment in order for your health plan to
agree to pay for that treatment.
·
For Health Care Operations. We may use and disclose Protected Health Information for our
health care operations. For example, we may use your Protected Health
Information to internally review the quality of the treatment and services you
receive and to evaluate the performance of our team members in caring for you.
We also may disclose information to physicians, nurses, medical technicians,
medical students, and other authorized personnel for educational and learning
purposes.
·
Appointment Reminders/Treatment Alternatives/Health-Related Benefits and
Services. We may use and disclose Protected Health Information to contact
you to remind you that you have an appointment for medical care, or to contact
you to tell you about possible treatment options or alternatives or health
related benefits and services that may be of interest to you.
·
Minors.
We may disclose the Protected Health Information of minor children to their
parents or guardians unless such disclosure is otherwise prohibited by law.
(Optional,
only included if applicable.)
·
Research.
We may use and disclose your Protected Health Information for research purposes,
but we will only do that if the research has been specially approved by an
authorized institutional review board or a privacy board that has reviewed the
research proposal and has set up protocols to ensure the privacy of your
Protected Health Information. Even without that special approval, we may permit
researchers to look at Protected Health Information to help them prepare for
research, for example, to allow them to identify patients who may be included
in their research project, as long as they do not remove, or take a copy of,
any Protected Health Information. We may use and disclose a limited data set
that does not contain specific readily identifiable information about you for
research. However, we will only disclose the limited data set if we enter into
a data use agreement with the recipient who must agree to (1) use the data set
only for the purposes for which it was provided, (2) ensure the confidentiality
and security of the data, and (3) not identify the information or use it to
contact any individual.
·
As Required by Law. We will disclose Protected Health Information about you when
required to do so by international, federal, state, or local law.
·
To Avert a Serious Threat to Health or Safety. We may use and disclose Protected Health Information when
necessary to prevent a serious threat to your health or safety or to the health
or safety of others. But we will only disclose the information to someone who
may be able to help prevent the threat.
·
Business Associates. We may disclose Protected Health Information to our business
associates who perform functions on our behalf or provide us with services if
the Protected Health Information is necessary for those functions or services.
For example, we may use another company to do our billing, or to provide
transcription or consulting services for us. All of our business associates are
obligated, under contract with us, to protect the privacy and ensure the
security of your Protected Health Information.
·
Organ and Tissue Donation. If you are an organ or tissue donor, we may use or disclose
your Protected Health Information to organizations that handle organ procurement
or transplantation – such as an organ donation bank – as necessary to facilitate
organ or tissue donation and transplantation.
·
Military and Veterans. If you are a member of the armed forces, we may disclose
Protected Health Information as required by military command authorities. We
also may disclose Protected Health Information to the appropriate foreign
military authority if you are a member of a foreign military.
·
Workers’ Compensation. We may use or disclose Protected Health Information for workers’
compensation or similar programs that provide benefits for work-related injuries
or illness.
·
Public Health Risks. We may disclose Protected Health Information for public health
activities. This includes disclosures to: (1) a person subject to the
jurisdiction of the Food and Drug Administration (“FDA”) for purposes related to
the quality, safety or effectiveness of an FDA-regulated product or activity;
(2) prevent or control disease, injury or disability; (3) report births and
deaths; (4) report child abuse or neglect; (5) report reactions to medications
or problems with products; (6) notify people of recalls of products they may be
using; and (7) a person who may have been exposed to a disease or may be at risk
for contracting or spreading a disease or condition.
·
Abuse, Neglect, or Domestic Violence. We may disclose
Protected Health Information to the appropriate government authority if we
believe a patient has been the victim of abuse, neglect, or domestic violence
and the patient agrees or we are required or authorized by law to make that
disclosure.
·
Health Oversight Activities. We may disclose Protected Health Information to a health
oversight agency for activities authorized by law. These oversight activities
include, for example, audits, investigations, inspections, licensure, and
similar activities that are necessary for the government to monitor the health
care system, government programs, and compliance with civil rights laws.
·
Data Breach Notification Purposes. We may use or disclose your Protected Health Information to
provide legally required notices of unauthorized access to or disclosure of your
health information.
·
Lawsuits and Disputes. If you are involved in a lawsuit or a dispute, we may disclose
Protected Health Information in response to a court or administrative order. We
also may disclose Protected Health Information in response to a subpoena,
discovery request, or other legal process from someone else involved in the
dispute, but only if efforts have been made to tell you about the request or to
get an order protecting the information requested. We may also use or disclose
your Protected Health Information to defend ourselves in the event of a lawsuit.
·
Law Enforcement. We may disclose Protected Health Information, so long as
applicable legal requirements are met, for law enforcement purposes.
·
Military Activity and National Security. If you are involved with military, national security or
intelligence activities or if you are in law enforcement custody, we may
disclose your Protected Health Information to authorized officials so they may
carry out their legal duties under the law.
·
Coroners, Medical Examiners, and Funeral Directors. We may disclose Protected Health Information to a coroner,
medical examiner, or funeral director so that they can carry out their duties.
·
Inmates. If you are an inmate of a correctional institution or under the custody of a law enforcement
official, we may disclose Protected Health Information to the correctional
institution or law enforcement official if the disclosure is necessary (1) for
the institution to provide you with health care; (2) to protect your health and
safety or the health and safety of others; or (3) the safety and security of the
correctional institution.
Uses and Disclosures That Require Us to Give You an Opportunity to Object and Opt Out
·
Individuals Involved in Your Care or Payment for Your Care. Unless you object, we may disclose to a member of your family,
a relative, a close friend or any other person you identify, your Protected
Health Information that directly relates to that person’s involvement in your
health care. If you are unable to
agree or object to such a disclosure, we may disclose such information as
necessary if we determine that it is in your best interest based on our
professional judgment.
·
Disaster Relief. We may disclose your Protected Health Information to disaster
relief organizations that seek your Protected Health Information to coordinate
your care, or notify family and friends of your location or condition in a
disaster. We will provide you with an opportunity to agree or object to such a
disclosure whenever we practicably can do so.
·
Fundraising Activities.
We may use or disclose your Protected Health Information, as
necessary, in order to contact you for fundraising activities. You have the
right to opt out of receiving fundraising communications.
If you do not want to receive these materials, please submit a written request to the Privacy
Officer.
Your Written Authorization is Required for Other Uses and Disclosures
The following uses and disclosures of your Protected Health
Information will be made only with your written
authorization:
1. Most uses and disclosures of psychotherapy notes;
2. Uses and disclosures of Protected Health Information for marketing
purposes; and
3. Disclosures that constitute a sale of your Protected Health
Information.
Other uses and disclosures of Protected Health Information not
covered by this Notice or the laws that apply to us will be made only with your
written authorization. If you do give us an authorization, you may revoke it at
any time by submitting a written revocation to our Privacy Officer and we will
no longer disclose Protected Health Information under the authorization. But
disclosure that we made in reliance on your authorization before you revoked it
will not be affected by the revocation.
Special Protections for HIV Information, Alcohol and Substance Abuse Information, Mental Health Information and Genetic Information
In addition, the North Carolina Communicable Disease statute,
NC General Statutes 130A-143, states “All information and records, whether
publicly or privately maintained, that identify a person who has AIDS virus
infection or who has or may have a disease or condition required to be reported
pursuant to the provisions of this Article (communicable disease) shall be
strictly confidential…” with only specific exceptions. Other state statutes
guarantee patient confidentiality for specific program information, such as
medical information associated with birth certificates, birth defects
monitoring, the central cancer registry, data within the State Center
for Health Statistics, and client information in Children’s Developmental
Evaluation Center (CDSA) records.
HIPAA Medical Privacy Rule (45 C.F.R. Parts 160 and 164)
The HIPAA medical privacy rule (hereafter “Privacy Rule”) applies to covered
entities1 and governs the use2 and disclosure3 of protected health information (PHI).4
Under the Privacy Rule, the general rule is that covered entities may use or disclose
PHI for treatment5 purposes without patient permission. 45 C.F.R. § 164.502(a)(1)(ii). A covered entity may
use or disclose PHI without permission for its own treatment purposes, or for the
treatment purposes of another health care provider. 45 C.F.R. § 164.506(c).
There is an exception to this general rule for psychotherapy notes,6
a subset of PHI. A covered entity must have the individual’s written authorization
for most disclosures of psychotherapy notes, including disclosures made for
treatment purposes. 45 C.F.R. § 164.508(a)(2).
Although HIPAA does not require health care providers to obtain consent to disclose PHI
(other than psychotherapy notes) for treatment purposes, some health care
providers are subject to other federal or state laws that do require
consent for disclosure. In addition, HIPAA expressly permits health care
providers to obtain consent to disclose PHI for treatment purposes, 45 C.F.R. §
164.506(b)(1), whether because they choose to or are required by other laws to
do so.
Substance Abuse Confidentiality Regulations (42 C.F.R. Part 2)
The federal substance abuse confidentiality regulations (hereafter Part 2) apply to
federally assisted substance abuse programs7 and restrict the use and disclosure8
of patient records9 and information. The general rule under Part 2 is that patient
consent is required for most disclosures for treatment purposes. 42 C.F.R. §§
2.12 & 2.13.
There are some
exceptions for disclosures occurring between entities who are involved in a
qualified service organization agreement (QSOA), when the information is needed
to provide services. The federal Substance Abuse and Mental Health Services
Administration (SAMHSA) has issued guidance indicating that, while a QSOA may be
used to facilitate communications between a covered program and a health
information organization (HIO), the HIO may not disclose a patient’s
information to a separate covered program without the patient’s written consent,
unless there is a QSOA between both of the involved covered
programs.10
Health care providers who are subject to Part 2 are likely to be
subject to HIPAA as well. When making disclosures for treatment purposes, such
providers may not follow.
1 For purposes of HIPAA, a covered entity is a health plan, a health care
clearinghouse, or a health care provider who transmits individually identifiable
health information electronically in connection with specific transactions, many
associated with claims processing or billing. 45 C.F.R. 160.103.
2 Use means “the sharing, employment, application, utilization, examination, or analysis of
[individually identifiable health] information within an entity that maintains
such information.” Id.
3 Disclosure means
“the release, transfer, provision of, access to, or divulging in any other
manner of information outside the entity holding the information.” Id.
4
Protected health information is
information created or received by a covered entity that: (i) identifies an
individual (or that could be used to identify an individual), and (ii) relates
to any of the following: the past, present, or future physical or mental health
or condition of the individual; the provision of health care to the individual;
or the past, present, or future payment for the provision of health care to the
individual. Id.
5 Treatment means “the provision, coordination, or management of health care and related services
by one or more health care providers, including the coordination or management
of health care by a health care provider with a third party; consultation
between health care providers relating to a patient; or the referral of a
patient from one health care provider to another.” 45 C.F.R. 164.501.
6 Psychotherapy notes are
“notes recorded (in any medium) by a health care provider who is a mental health
professional documenting or analyzing the contents of a conversation during a
private counseling session or a group, joint, or family counseling session and
that are separated from the rest of the individual’s medical record.” There are
some exclusions to this definition; see the rule for details. Id.
Section 264 of HIPAA required the Secretary of Health and
Human Services to implement national standards to protect the privacy of
individually identifiable health information that was transmitted
electronically. The final HIPAA regulation was published in the last minutes of
the Clinton Administration on December 28, 2000. That rule was extensively
amended in August of 2002 (with further amendments in 2003), and appears in
final form at 45 C.F.R. Parts 160 and 164.
Under the final HIPAA rules at 45 C.F.R. § 164.502,
covered entities, including health care providers, can disclose protected health
information for treatment purposes without patient consent; 45 C.F.R. §
164.506(c) (1) and (2) permit both the use and disclosure of information for
treatment purposes. The rules at 45 C.F.R. § 164.501 define treatment to mean:
… the provision, coordination, or management of health
care and related services by one or more health care providers, including the
coordination or management of health care by a health care provider with a third
party; consultation between health care providers relating to a patient; or the
referral of a patient for health care from one health care provider to another.
One exception to this general rule of permitting the
sharing of treatment information without consent is that “psychotherapy notes”
may only be disclosed with authorization (45 C.F.R. § 164.508(a)(2)) except
insofar as they are used by the originator of the notes or for a covered
entity's supervised mental health education and training purposes. Psychotherapy
notes are a special form of treatment information:
Psychotherapy notes means notes recorded (in any medium)
by a health care provider who is a mental health professional documenting or
analyzing the contents of conversation during a private counseling session or a
group, joint, or family counseling session and that are separated from the rest
of the individual's medical record. Psychotherapy notes excludes medication
prescription and monitoring, counseling session start and stop times, the
modalities and frequencies of treatment furnished, results of clinical tests,
and any summary of the following items: diagnosis, functional status, the
treatment plan, symptoms, prognosis, and progress to date (45 C.F.R. § 164.501).
Authorization is a special and rigorous form of consent,
which must include a description of the information to be disclosed, the
identity of the person or class of persons who may disclose the information and
to whom it may be disclosed, a description of the purpose of the disclosure, an
expiration date for the authorization, and the signature of the person
authorizing the disclosure (45 C.F.R. § 164.508(c)). In general, the individual
signing the authorization may revoke it at any time, a provider cannot condition
treatment on the willingness of an individual to sign an authorization for the
release of psychotherapy notes, and an authorization for the release of
psychotherapy notes must be a separate and independent document (45 C.F.R. §
164.508(b) and (c)).
Additionally,
GINA amends the HIPAA privacy regulations. Under these laws, genetic information
is considered confidential medical information.
Your Rights Regarding Your Protected Health Information
You have the following rights, subject to certain limitations,
regarding your Protected Health Information:
·
Right to Inspect and Copy. You have the right to inspect and copy Protected Health
Information that may be used to make decisions about your care or payment for
your care. We have up to 30 days to make your Protected Health Information
available to you and we may charge you a reasonable fee for the costs of
copying, mailing or other supplies associated with your request. We may not
charge you a fee if you need the information for a claim for benefits under the
Social Security Act or any other state or federal needs-based benefit program.
We may deny your request in certain limited circumstances. If we do deny your
request, you have the right to have the denial reviewed by a licensed healthcare
professional who was not directly involved in the denial of your request, and we
will comply with the outcome of the review.
·
Right to a Summary or Explanation. We can also provide you with a
summary of your Protected Health Information, rather than the entire record, or
we can provide you with an explanation of the Protected Health Information which
has been provided to you, so long as you agree to this alternative form and pay
the associated fees.
·
Right to an Electronic Copy of Electronic Medical Records. If
your Protected Health Information is maintained in an electronic format (known
as an electronic medical record or an electronic health record), you have the
right to request that an electronic copy of your record be given to you or
transmitted to another individual or entity. We will make every effort to provide
access to your Protected Health Information in the form or format you request, if
it is readily producible in such form or format. If the Protected Health
Information is not readily producible in the form or format you request, your
record will be provided in either our standard electronic format or, if you do not
want this form or format, a readable hard copy form.
We may charge you a reasonable, cost-based fee for the labor associated with
transmitting the electronic medical record.
·
Right to Get Notice of a Breach. You have the right to be notified upon a breach of any of your
unsecured Protected Health Information.
·
Right to Request Amendments. If you feel that the Protected Health Information we have is
incorrect or incomplete, you may ask us to amend the information. You have the
right to request an amendment for as long as the information is kept by or for
us. A request for amendment must be made in writing to the Privacy Officer at
the address provided at the beginning of this Notice and it must tell us the
reason for your request. In certain cases, we may deny your request for an
amendment. If we deny your request for an amendment, you have the right to file
a statement of disagreement with us and we may prepare a rebuttal to your
statement and will provide you with a copy of any such rebuttal.
·
Right to an Accounting of Disclosures. You have the right to ask for an “accounting of disclosures,”
which is a list of the disclosures we made of your Protected Health Information.
This right applies to disclosures for purposes other than treatment, payment or
healthcare operations as described in this Notice. It excludes disclosures we
may have made to you, for a resident directory, to family members or friends
involved in your care, or for notification purposes. The right to receive this
information is subject to certain exceptions, restrictions and limitations.
Additionally, limitations are different for electronic health records. The first
accounting of disclosures you request within any 12-month period will be free.
For additional requests within the same period, we may charge you for the
reasonable costs of providing the accounting. We will tell you what the costs are,
and you may choose to withdraw or modify your request before the costs are
incurred.
·
Right to Request Restrictions. You have the right to request a restriction or limitation on
the Protected Health Information we use or disclose for treatment, payment, or
health care operations. You also have the right to request a limit on the
Protected Health Information we disclose about you to someone who is involved in
your care or the payment for your care, like a family member or friend. To
request a restriction on who may have access to your Protected Health
Information, you must submit a written request to the Privacy Officer. Your
request must state the specific restriction requested and to whom you want the
restriction to apply. We are not
required to agree to your request, unless you are asking us to restrict the use
and disclosure of your Protected Health Information to a health plan for payment
or health care operation purposes and such information you wish to restrict
pertains solely to a health care item or service for which you have paid us
“out-of-pocket” in full. If we do agree to the requested restriction, we may not
use or disclose your Protected Health Information in violation of that
restriction unless it is needed to provide emergency treatment.
·
Out-of-Pocket-Payments.
If you paid out-of-pocket (or in other words, you have requested that we not
bill your health plan) in full for a specific item or service, you have the
right to ask that your Protected Health Information with respect to that item or
service not be disclosed to a health plan for purposes of payment or health care
operations, and we will honor that request.
·
Right to Request Confidential Communications. You have the right to request that we communicate with you only
in certain ways to preserve your privacy. For example, you may request that we
contact you by mail at a specific address or call you only at your work number.
You must make any such request in writing and you must specify how or where we
are to contact you. We will accommodate all reasonable requests. We will not ask
you the reason for your request.
·
Right to a Paper Copy of This Notice.
You have the right to a paper copy of this Notice, even if you have agreed to
receive this Notice electronically. You may request a copy of this Notice at
any time.
How to Exercise Your Rights
To exercise your rights described in this Notice, send your
request, in writing, to our Privacy Officer at the address listed at the
beginning of this Notice. We may ask you to fill out a form that we will supply.
To exercise your right to inspect and copy your Protected Health Information,
you may also contact your physician directly. To get a paper copy of this
Notice, contact our Privacy Officer by phone or mail.
Changes To This Notice
We reserve the right to change this Notice. We reserve the right
to make the changed Notice effective for Protected Health Information we already
have as well as for any Protected Health Information we create or receive in the
future. A copy of our current Notice is posted in our office and on our
website.
Complaints
You may file a complaint with us or with the Secretary of the
United States Department of Health and Human Services if you believe your
privacy rights have been violated.
To file a complaint with us, contact our Privacy Officer at the
address listed at the beginning of this Notice. All complaints must be made in
writing and should be submitted within 180 days of when you knew or should have
known of the suspected violation. There will be no retaliation against you for
filing a complaint.
To file a complaint with the Secretary, mail it to: Secretary of
the U.S. Department of Health and Human Services, 200 Independence Ave, S.W.,
Washington, D.C. 20201. Call (202) 619-0257 (or toll
free (877) 696-6775) or go to the website of the Office for Civil Rights,
www.hhs.gov/ocr/hipaa/, for more information. There will be no retaliation
against you for filing a complaint.
Foreign Language Version
If you have difficulty reading or understanding English, you may
request a copy of this Notice in the language of your choice.
THIS NOTICE DESCRIBES HOW MEDICAL AND BEHAVIORAL HEALTH INFORMATION ABOUT YOU MAY BE
USED OR DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW
IT CAREFULLY.
Effective Date: 2006
This Notice was revised on May 30, 2013.
IF YOU HAVE ANY QUESTIONS ABOUT THIS NOTICE OR IF YOU NEED MORE
INFORMATION, PLEASE CONTACT OUR PRIVACY OFFICER:
Privacy Officer: Douglas Blakeman
Mailing Address: 425 7th Ave SW, Hickory, NC 28602
Telephone: 828-322-5915 ext 120
Fax: 828-345-0387
Email: [email protected]
About This Notice
We are required by law to maintain the privacy of Protected
Health Information and to give you this Notice explaining our privacy practices
with regard to that information. You have certain rights – and we have certain
legal obligations – regarding the privacy of your Protected Health Information,
and this Notice also explains your rights and our obligations. We are required
to abide by the terms of the current version of this Notice.
What is Protected Health Information?
“Protected Health Information” is information that individually
identifies you and that we create or get from you or from another health care
provider, health plan, your employer, or a health care clearinghouse and that
relates to (1) your past, present, or future physical or mental health or
conditions, (2) the provision of health care to you, or (3) the past, present,
or future payment for your health care.
How We May Use and Disclose Your Protected Health Information
We may use and disclose your Protected Health Information in the
following circumstances:
·
For Treatment. We may use or disclose your Protected Health Information to
give you medical treatment or services and to manage and coordinate your medical
care. For example, your Protected Health Information may be provided to a
physician or other health care provider (e.g., a specialist or laboratory) to
whom you have been referred to ensure that the physician or other health care
provider has the necessary information to diagnose or treat you or provide you
with a service.
·
For Payment. We may use and disclose your Protected Health Information so
that we can bill for the treatment and services you receive from us and can
collect payment from you, a health plan, or a third party. This use and
disclosure may include certain activities that your health insurance plan may
undertake before it approves or pays for the health care services we recommend
for you, such as making a determination of eligibility or coverage for insurance
benefits, reviewing services provided to you for medical necessity, and
undertaking utilization review activities. For example, we may need to give your
health plan information about your treatment in order for your health plan to
agree to pay for that treatment.
·
For Health Care Operations. We may use and disclose Protected Health Information for our
health care operations. For example, we may use your Protected Health
Information to internally review the quality of the treatment and services you
receive and to evaluate the performance of our team members in caring for you.
We also may disclose information to physicians, nurses, medical technicians,
medical students, and other authorized personnel for educational and learning
purposes.
·
Appointment Reminders/Treatment Alternatives/Health-Related Benefits and
Services. We may use and disclose Protected Health Information to contact
you to remind you that you have an appointment for medical care, or to contact
you to tell you about possible treatment options or alternatives or health
related benefits and services that may be of interest to you.
·
Minors.
We may disclose the Protected Health Information of minor children to their
parents or guardians unless such disclosure is otherwise prohibited by law.
(Optional, only included if applicable.)
·
Research.
We may use and disclose your Protected Health Information for research purposes,
but we will only do that if the research has been specially approved by an
authorized institutional review board or a privacy board that has reviewed the
research proposal and has set up protocols to ensure the privacy of your
Protected Health Information. Even without that special approval, we may permit
researchers to look at Protected Health Information to help them prepare for
research, for example, to allow them to identify patients who may be included
in their research project, as long as they do not remove, or take a copy of,
any Protected Health Information. We may use and disclose a limited data set
that does not contain specific readily identifiable information about you for
research. However, we will only disclose the limited data set if we enter into
a data use agreement with the recipient who must agree to (1) use the data set
only for the purposes for which it was provided, (2) ensure the confidentiality
and security of the data, and (3) not identify the information or use it to
contact any individual.
·
As Required by Law. We will disclose Protected Health Information about you when
required to do so by international, federal, state, or local law.
·
To Avert a Serious Threat to Health or Safety. We may use and disclose Protected Health Information when
necessary to prevent a serious threat to your health or safety or to the health
or safety of others. But we will only disclose the information to someone who
may be able to help prevent the threat.
·
Business Associates. We may disclose Protected Health Information to our business
associates who perform functions on our behalf or provide us with services if
the Protected Health Information is necessary for those functions or services.
For example, we may use another company to do our billing, or to provide
transcription or consulting services for us. All of our business associates are
obligated, under contract with us, to protect the privacy and ensure the
security of your Protected Health Information.
·
Organ and Tissue Donation. If you are an organ or tissue donor, we may use or disclose
your Protected Health Information to organizations that handle organ procurement
or transplantation – such as an organ donation bank – as necessary to facilitate
organ or tissue donation and transplantation.
·
Military and Veterans. If you are a member of the armed forces, we may disclose
Protected Health Information as required by military command authorities. We
also may disclose Protected Health Information to the appropriate foreign
military authority if you are a member of a foreign military.
·
Workers’ Compensation. We may use or disclose Protected Health Information for workers’
compensation or similar programs that provide benefits for work-related injuries
or illness.
·
Public Health Risks. We may disclose Protected Health Information for public health
activities. This includes disclosures to: (1) a person subject to the
jurisdiction of the Food and Drug Administration (“FDA”) for purposes related to
the quality, safety or effectiveness of an FDA-regulated product or activity;
(2) prevent or control disease, injury or disability; (3) report births and
deaths; (4) report child abuse or neglect; (5) report reactions to medications
or problems with products; (6) notify people of recalls of products they may be
using; and (7) a person who may have been exposed to a disease or may be at risk
for contracting or spreading a disease or condition.
·
Abuse, Neglect, or Domestic Violence. We may disclose
Protected Health Information to the appropriate government authority if we
believe a patient has been the victim of abuse, neglect, or domestic violence
and the patient agrees or we are required or authorized by law to make that
disclosure.
·
Health Oversight Activities. We may disclose Protected Health Information to a health
oversight agency for activities authorized by law. These oversight activities
include, for example, audits, investigations, inspections, licensure, and
similar activities that are necessary for the government to monitor the health
care system, government programs, and compliance with civil rights laws.
·
Data Breach Notification Purposes. We may use or disclose your Protected Health Information to
provide legally required notices of unauthorized access to or disclosure of your
health information.
·
Lawsuits and Disputes. If you are involved in a lawsuit or a dispute, we may disclose
Protected Health Information in response to a court or administrative order. We
also may disclose Protected Health Information in response to a subpoena,
discovery request, or other legal process from someone else involved in the
dispute, but only if efforts have been made to tell you about the request or to
get an order protecting the information requested. We may also use or disclose
your Protected Health Information to defend ourselves in the event of a lawsuit.
·
Law Enforcement. We may disclose Protected Health Information, so long as
applicable legal requirements are met, for law enforcement purposes.
·
Military Activity and National Security. If you are involved with military, national security or
intelligence activities or if you are in law enforcement custody, we may
disclose your Protected Health Information to authorized officials so they may
carry out their legal duties under the law.
·
Coroners, Medical Examiners, and Funeral Directors. We may disclose Protected Health Information to a coroner,
medical examiner, or funeral director so that they can carry out their duties.
·
Inmates. If you are an inmate of a correctional institution or under the custody of a law enforcement
official, we may disclose Protected Health Information to the correctional
institution or law enforcement official if the disclosure is necessary (1) for
the institution to provide you with health care; (2) to protect your health and
safety or the health and safety of others; or (3) for the safety and security of the
correctional institution.
Uses and Disclosures That Require Us to Give You an Opportunity to Object and Opt Out
·
Individuals Involved in Your Care or Payment for Your Care. Unless you object, we may disclose to a member of your family,
a relative, a close friend or any other person you identify, your Protected
Health Information that directly relates to that person’s involvement in your
health care. If you are unable to
agree or object to such a disclosure, we may disclose such information as
necessary if we determine that it is in your best interest based on our
professional judgment.
·
Disaster Relief. We may disclose your Protected Health Information to disaster
relief organizations that seek your Protected Health Information to coordinate
your care, or notify family and friends of your location or condition in a
disaster. We will provide you with an opportunity to agree or object to such a
disclosure whenever we practicably can do so.
·
Fundraising Activities.
We may use or disclose your Protected Health Information, as
necessary, in order to contact you for fundraising activities. You have the
right to opt out of receiving fundraising communications.
If you do not want to receive these materials, please submit a written request to the Privacy
Officer.
Your Written Authorization is Required for Other Uses and Disclosures
The following uses and disclosures of your Protected Health
Information will be made only with your written
authorization:
1. Most uses and disclosures of psychotherapy notes;
2. Uses and disclosures of Protected Health Information for marketing
purposes; and
3. Disclosures that constitute a sale of your Protected Health
Information.
Other uses and disclosures of Protected Health Information not
covered by this Notice or the laws that apply to us will be made only with your
written authorization. If you do give us an authorization, you may revoke it at
any time by submitting a written revocation to our Privacy Officer and we will
no longer disclose Protected Health Information under the authorization. But
disclosure that we made in reliance on your authorization before you revoked it
will not be affected by the revocation.
Special Protections for HIV Information, Alcohol and Substance Abuse Information, Mental Health Information and Genetic Information
In addition, the North Carolina Communicable Disease statute,
NC General Statutes 130A-143, states “All information and records, whether
publicly or privately maintained, that identify a person who has AIDS virus
infection or who has or may have a disease or condition required to be reported
pursuant to the provisions of this Article (communicable disease) shall be
strictly confidential…” with only specific exceptions. Other state statutes
guarantee patient confidentiality for specific program information, such as
medical information associated with birth certificates, birth defects
monitoring, the central cancer registry, data within the State Center
for Health Statistics, and client information in Children’s Developmental
Evaluation Center (CDSA) records.
HIPAA Medical Privacy Rule (45 C.F.R. Parts 160 and 164)
The HIPAA medical privacy rule (hereafter “Privacy Rule”) applies to covered
entities1 and governs the use2 and disclosure3 of protected health information (PHI).4
Under the Privacy Rule, the general rule is that covered entities may use or disclose
PHI for treatment5 purposes without patient permission. 45 C.F.R. § 164.502(a)(1)(ii). A covered entity may
use or disclose PHI without permission for its own treatment purposes, or for the
treatment purposes of another health care provider. 45 C.F.R. § 164.506(c).
There is an exception to this general rule for psychotherapy notes,6
a subset of PHI. A covered entity must have the individual’s written authorization
for most disclosures of psychotherapy notes, including disclosures made for
treatment purposes. 45 C.F.R. § 164.508(a)(2).
Although HIPAA does not require health care providers to obtain consent to disclose PHI
(other than psychotherapy notes) for treatment purposes, some health care
providers are subject to other federal or state laws that do require
consent for disclosure. In addition, HIPAA expressly permits health care
providers to obtain consent to disclose PHI for treatment purposes, 45 C.F.R. §
164.506(b)(1), whether because they choose to or are required by other laws to
do so.
Substance Abuse Confidentiality Regulations (42 C.F.R. Part 2)
The federal substance abuse confidentiality regulations (hereafter Part 2) apply to
federally assisted substance abuse programs7 and restrict the use and disclosure8
of patient records9 and information. The general rule under Part 2 is that patient
consent is required for most disclosures for treatment purposes. 42 C.F.R. §§
2.12 & 2.13.
There are some exceptions for disclosures occurring between entities who are involved in a
qualified service organization agreement (QSOA), when the information is needed
to provide services. The federal Substance Abuse and Mental Health Services
Administration (SAMHSA) has issued guidance indicating that, while a QSOA may be
used to facilitate communications between a covered program and a health
information organization (HIO), the HIO may not disclose a patient’s
information to a separate covered program without the patient’s written consent,
unless there is a QSOA between both of the involved covered
programs.10
Health care providers who are subject to Part 2 are likely to be
subject to HIPAA as well. When making disclosures for treatment purposes, such
providers may not follow.
1 For purposes of HIPAA, a covered entity is a health plan, a health care
clearinghouse, or a health care provider who transmits individually identifiable
health information electronically in connection with specific transactions, many
associated with claims processing or billing. 45 C.F.R. 160.103.
2 Use means “the sharing, employment, application, utilization, examination, or analysis of
[individually identifiable health] information within an entity that maintains
such information.” Id.
3 Disclosure means
“the release, transfer, provision of, access to, or divulging in any other
manner of information outside the entity holding the information.” Id.
4 Protected health information is
information created or received by a covered entity that: (i) identifies an
individual (or that could be used to identify an individual), and (ii) relates
to any of the following: the past, present, or future physical or mental health
or condition of the individual; the provision of health care to the individual;
or the past, present, or future payment for the provision of health care to the
individual. Id.
5 Treatment means “the provision, coordination, or management of health care and related services
by one or more health care providers, including the coordination or management
of health care by a health care provider with a third party; consultation
between health care providers relating to a patient; or the referral of a
patient from one health care provider to another.” 45 C.F.R. 164.501.
6 Psychotherapy notes are
“notes recorded (in any medium) by a health care provider who is a mental health
professional documenting or analyzing the contents of a conversation during a
private counseling session or a group, joint, or family counseling session and
that are separated from the rest of the individual’s medical record.” There are
some exclusions to this definition; see the rule for details. Id.
Section 264 of HIPAA required the Secretary of Health and
Human Services to implement national standards to protect the privacy of
individually identifiable health information that was transmitted
electronically. The final HIPAA regulation was published in the last minutes of
the Clinton Administration on December 28, 2000. That rule was extensively
amended in August of 2002 (with further amendments in 2003), and appears in
final form at 45 C.F.R. Parts 160 and 164.
Under the final HIPAA rules at 45 C.F.R. § 164.502,
covered entities, including health care providers, can disclose protected health
information for treatment purposes without patient consent; 45 C.F.R. §
164.506(c) (1) and (2) permit both the use and disclosure of information for
treatment purposes. The rules at 45 C.F.R. § 164.501 define treatment to mean:
… the provision, coordination, or management of health
care and related services by one or more health care providers, including the
coordination or management of health care by a health care provider with a third
party; consultation between health care providers relating to a patient; or the
referral of a patient for health care from one health care provider to another.
One exception to this general rule of permitting the
sharing of treatment information without consent is that “psychotherapy notes”
may only be disclosed with authorization (45 C.F.R. § 164.508(a)(2)) except
insofar as they are used by the originator of the notes or for a covered
entity's supervised mental health education and training purposes. Psychotherapy
notes are a special form of treatment information:
Psychotherapy notes means notes recorded (in any medium)
by a health care provider who is a mental health professional documenting or
analyzing the contents of conversation during a private counseling session or a
group, joint, or family counseling session and that are separated from the rest
of the individual's medical record. Psychotherapy notes excludes medication
prescription and monitoring, counseling session start and stop times, the
modalities and frequencies of treatment furnished, results of clinical tests,
and any summary of the following items: diagnosis, functional status, the
treatment plan, symptoms, prognosis, and progress to date (45 C.F.R. § 164.501).
Authorization is a special and rigorous form of consent,
which must include a description of the information to be disclosed, the
identity of the person or class of persons who may disclose the information and
to whom it may be disclosed, a description of the purpose of the disclosure, an
expiration date for the authorization, and the signature of the person
authorizing the disclosure (45 C.F.R. § 164.508(c)). In general, the individual
signing the authorization may revoke it at any time, a provider cannot condition
treatment on the willingness of an individual to sign an authorization for the
release of psychotherapy notes, and an authorization for the release of
psychotherapy notes must be a separate and independent document (45 C.F.R. §
164.508(b) and (c)).
Additionally, GINA amends the HIPAA privacy regulations. Under these laws, genetic information
is considered confidential medical information.
Your Rights Regarding Your Protected Health Information
You have the following rights, subject to certain limitations,
regarding your Protected Health Information:
·
Right to Inspect and Copy. You have the right to inspect and copy Protected Health
Information that may be used to make decisions about your care or payment for
your care. We have up to 30 days to make your Protected Health Information
available to you and we may charge you a reasonable fee for the costs of
copying, mailing or other supplies associated with your request. We may not
charge you a fee if you need the information for a claim for benefits under the
Social Security Act or any other state or federal needs-based benefit program.
We may deny your request in certain limited circumstances. If we do deny your
request, you have the right to have the denial reviewed by a licensed healthcare
professional who was not directly involved in the denial of your request, and we
will comply with the outcome of the review.
·
Right to a Summary or Explanation. We can also provide you with a
summary of your Protected Health Information, rather than the entire record, or
we can provide you with an explanation of the Protected Health Information which
has been provided to you, so long as you agree to this alternative form and pay
the associated fees.
·
Right to an Electronic Copy of Electronic Medical Records. If
your Protected Health Information is maintained in an electronic format (known
as an electronic medical record or an electronic health record), you have the
right to request that an electronic copy of your record be given to you or
transmitted to another individual or entity. We will make every effort to
provide access to your Protected Health Information in the form or format you
request, if it is readily producible in such form or format. If the Protected
Health Information is not readily producible in the form or format you request,
your record will be provided in either our standard electronic format or, if
you do not want this form or format, a readable hard copy form.
We may charge you a reasonable, cost-based fee for the labor associated with
transmitting the electronic medical record.
·
Right to Get Notice of a Breach. You have the right to be notified upon a breach of any of your
unsecured Protected Health Information.
·
Right to Request Amendments. If you feel that the Protected Health Information we have is
incorrect or incomplete, you may ask us to amend the information. You have the
right to request an amendment for as long as the information is kept by or for
us. A request for amendment must be made in writing to the Privacy Officer at
the address provided at the beginning of this Notice and it must tell us the
reason for your request. In certain cases, we may deny your request for an
amendment. If we deny your request for an amendment, you have the right to file
a statement of disagreement with us and we may prepare a rebuttal to your
statement and will provide you with a copy of any such rebuttal.
·
Right to an Accounting of Disclosures. You have the right to ask for an “accounting of disclosures,”
which is a list of the disclosures we made of your Protected Health Information.
This right applies to disclosures for purposes other than treatment, payment or
healthcare operations as described in this Notice. It excludes disclosures we
may have made to you, for a resident directory, to family members or friends
involved in your care, or for notification purposes. The right to receive this
information is subject to certain exceptions, restrictions and limitations.
Additionally, limitations are different for electronic health records. The first
accounting of disclosures you request within any 12-month period will be free.
For additional requests within the same period, we may charge you for the
reasonable costs of providing the accounting. We will tell you what the costs are,
and you may choose to withdraw or modify your request before the costs are
incurred.
·
Right to Request Restrictions. You have the right to request a restriction or limitation on
the Protected Health Information we use or disclose for treatment, payment, or
health care operations. You also have the right to request a limit on the
Protected Health Information we disclose about you to someone who is involved in
your care or the payment for your care, like a family member or friend. To
request a restriction on who may have access to your Protected Health
Information, you must submit a written request to the Privacy Officer. Your
request must state the specific restriction requested and to whom you want the
restriction to apply. We are not
required to agree to your request, unless you are asking us to restrict the use
and disclosure of your Protected Health Information to a health plan for payment
or health care operation purposes and such information you wish to restrict
pertains solely to a health care item or service for which you have paid us
“out-of-pocket” in full. If we do agree to the requested restriction, we may not
use or disclose your Protected Health Information in violation of that
restriction unless it is needed to provide emergency treatment.
·
Out-of-Pocket-Payments.
If you paid out-of-pocket (or in other words, you have requested that we not
bill your health plan) in full for a specific item or service, you have the
right to ask that your Protected Health Information with respect to that item or
service not be disclosed to a health plan for purposes of payment or health care
operations, and we will honor that request.
·
Right to Request Confidential Communications. You have the right to request that we communicate with you only
in certain ways to preserve your privacy. For example, you may request that we
contact you by mail at a specific address or call you only at your work number.
You must make any such request in writing and you must specify how or where we
are to contact you. We will accommodate all reasonable requests. We will not ask
you the reason for your request.
·
Right to a Paper Copy of This Notice.
You have the right to a paper copy of this Notice, even if you have agreed to
receive this Notice electronically. You may request a copy of this Notice at
any time.
How to Exercise Your Rights
To exercise your rights described in this Notice, send your
request, in writing, to our Privacy Officer at the address listed at the
beginning of this Notice. We may ask you to fill out a form that we will supply.
To exercise your right to inspect and copy your Protected Health Information,
you may also contact your physician directly. To get a paper copy of this
Notice, contact our Privacy Officer by phone or mail.
Changes To This Notice
We reserve the right to change this Notice. We reserve the right
to make the changed Notice effective for Protected Health Information we already
have as well as for any Protected Health Information we create or receive in the
future. A copy of our current Notice is posted in our office and on our
website.
Complaints
You may file a complaint with us or with the Secretary of the
United States Department of Health and Human Services if you believe your
privacy rights have been violated.
To file a complaint with us, contact our Privacy Officer at the
address listed at the beginning of this Notice. All complaints must be made in
writing and should be submitted within 180 days of when you knew or should have
known of the suspected violation. There will be no retaliation against you for
filing a complaint.
To file a complaint with the Secretary, mail it to: Secretary of
the U.S. Department of Health and Human Services, 200 Independence Ave, S.W.,
Washington, D.C. 20201. Call (202) 619-0257 (or toll
free (877) 696-6775) or go to the website of the Office for Civil Rights,
www.hhs.gov/ocr/hipaa/, for more information. There will be no retaliation
against you for filing a complaint.
Foreign Language Version
If you have difficulty reading or understanding English, you may
request a copy of this Notice in the language of your choice.