Estill County Chiropractic, PLLC
John C. Allen, D.C.
PRIVACY NOTICE VERSION 1.2
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THAT INFORMATION.
PLEASE REVIEW THIS NOTICE CAREFULLY.
This Practice is committed to maintaining the privacy of your protected health information (“PHI”), which includes information about your health condition and the care and treatment you receive from the Practice. The creation of a record detailing the care and services you receive helps this office to provide you with quality health care. This Notice details how your PHI may be used and disclosed to third parties. This Notice also details your rights regarding your PHI.
USE AND DISCLOSURE OF INFORMATION
1. The Practice may use and/or disclose your PHI for the purposes of:
A. Treatment- In order to provide you with the health care you require, the Practice will provide your PHI to those health care professionals, whether on the Practice’s staff or not, directly involved in your care so that they may understand your health conditions and needs. For example, a physician treating you for lower back pain may need to know the results of your latest physical examination in this office.
B. Payment- In order to get paid for services provided to you, the Practice will provide your PHI, directly or through a billing service, to appropriate third party payors, pursuant to their billing and payment requirements. For example, the Practice may need to provide the Medicare program with information about health care services that you received from the Practice so that the Practice can be properly reimbursed. The Practice may also need to tell your insurance plan about treatment you are going to receive so that it can determine whether or not it will cover the treatment expense.
C. Health Care Operations- In order for the Practice to operate in accordance with applicable law and insurance requirements and in order for the Practice to continue to provide quality and efficient care, it may be necessary for the Practice to compile, use and/or disclose your PHI. For example, the Practice may use your PHI in order to evaluate the performance of the Practice’s personnel in providing care to you.
2. The Practice may also use and/or disclose your PHI in the following instances:
A. De-identified Information- Information that does not identify you and, even without your name, cannot be used to identify you.
B. Business Associate- To a business associate if the Practice obtains satisfactory written assurance, in accordance with applicable law, that the business associate will appropriately safeguard your PHI. A business associate is an entity that assists the Practice in undertaking some essential function, such as a billing company that assists the office in submitting claims for payment to insurance companies or other payors.
C. Personal Representative- To a person who, under applicable law, has the authority to represent you in making decisions related to your health care.
D. Emergency Situations-
I. for the purpose of obtaining or rendering emergency treatment to you provided that the Practice attempts to obtain your acknowledgement of our Privacy Notice as soon as possible.
II. To a public or private entity authorized by law or by its charter to assist in disaster relief efforts, for the purpose of coordinating your care with such entities in an emergency situation.
E. Communication Barriers- If, due to substantial communication barriers or inability to communicate, the Practice has been unable to obtain your acknowledgement of this Privacy Notice and the Practice determines, in the exercise of its professional judgment, that your consent to receive treatment is clearly inferred from the circumstances.
F. Public Health Activities- Such activities include, for example, information collected by a public health authority, as authorized by law, to prevent or control disease.
G. Abuse, Neglect or Domestic Violence- To a government authority if the Practice is required by law to make such disclosure. If the Practice is authorized by law to make such a disclosure, it will do so if it believes that the disclosure is necessary to prevent serious harm.
H. Health Oversight Activities- Such activities, which must be required by law, involve government agencies and may include, for example, criminal investigations, disciplinary actions, or general oversight activities relating to the community’s health care system.
I. Judicial and Administrative Proceeding- For example, the Practice may be required to disclose your PHI in response to a court order or a lawfully issued subpoena.
J. Law Enforcement Purposes- In certain instances, your PHI may have to be disclosed to a law enforcement official. For example, your PHI may be the subject of a grand jury subpoena. Or, the Practice may disclose your PHI if the practice believes that your death was the result of criminal conduct.
K. Coroner or Medical Examiner- The Practice may disclose your PHI to a coroner or medical examiner for the purpose of identifying you or determining your cause of death.
L. Organ, Eye or Tissue Donation- If you are an organ donor, the Practice may disclose your PHI to the entity to which you have agreed to donate your organs.
M. Research- If the Practice is involved in research activities, your PHI may be used. Such use is subject to numerous governmental requirements intended to protect the privacy of PHI.
N. Avert a Threat to Health or Safety- The Practice may disclose your PHI if it believes that such disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is made to a person reasonably able to prevent or lessen the threat.
O. Specialized Government Functions- This refers to disclosures of PHI that relate primarily to military and veteran activity.
P. Workers’ Compensation- If you are involved in a Workers’ Compensation claim, the Practice may be required to disclose your PHI to an individual or entity that is part of the Workers’ Compensation system.
Q. National Security and Intelligence Activities- The Practice may disclose your PHI in order to provide authorized governmental officials with necessary intelligence information for national security activities and purposes authorized by law.
R. Military and Veterans- If you are a member of the armed forces, the Practice may disclose your PHI as required by the military command authorities.
S. Marketing Purposes- Uses and disclosures of your PHI by the Practice for marketing purposes, as prescribed by federal law, will be allowed only with your written authorization.
T. Sale of your PHI- Uses or disclosure by the Practice that constitute sale of your PHI can be completed only after written authorization of the patient is obtained.
U. Fundraising Uses- Your PHI may be used by the Practice for fundraising conducted by this office. If such use occurs, you must be given the option to opt out of receiving future fundraising communications, together with instructions on how to opt out. If you opt out in writing, delivered to our Privacy Officer, the office will make no further fundraising communications to you.
The authorization form for marketing or fundraising is included as Form G.
V. Disclosure Following Death- The Practice may make relevant disclosures of your PHI after your death to family members and friends, but only to the extent such disclosures were permitted prior to your death, that is, when these individuals were involved in providing care or payment for care and the Practice is unaware of any expressed preference to the contrary. HIPAA protection of your PHI ends 50 years after your death.
The Practice may, from time to time, contact you to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to you. The following appointment reminders are used by the Practice: a) a postcard mailed to you at the address provided by you; b) telephoning your home and leaving a message on your answering machine or with the individual answering the phone; c) sending a text message to the cell phone number provided by you; and d) sending an email to the email address provided by you.
The Practice may, from time to time, send out a letter or newsletter for the purpose of providing health-related information, information on office activities, changes in office procedure, or such other information as it may find necessary to convey to patients of the Practice. This will be done in newsletter form or as a letter enclosed within an envelope and mailed directly to the patient, or by email.
The Practice may, from time to time, transmit information about you to insurers, other health care professionals and providers, and appropriate government agencies utilizing facsimile transmissions.
DIRECTORY/ SIGN-IN LOG
The Practice may in the future maintain a Directory or sign-in log for individuals seeking care and treatment in the office. The Directory and sign-in log are located in a position where staff can readily see who is seeking care in the office, as well as the individual’s location within the Practice’s office. This information may be seen by, and is accessible to, others who are seeking care or services in the Practice’s offices.
The Practice may disclose to your family member, other relative, a close personal friend, or any other person identified by you, your PHI directly relevant to such person’s involvement with your care or the payment for your care. The Practice may also use or disclose your PHI to notify, or assist in the notification of (including identifying or locating), a family member, your personal representative, or another person responsible for your care, of your location, general condition or death. However, in both cases, the following conditions will apply:
1) If you are present at or prior to the use or disclosure of your PHI, the Practice may use or disclose your PHI if you agree or if the Practice can reasonably infer from the circumstance, based on the exercise of its professional judgment, that you do not object to the use or disclosure.
2) If you are not present, the Practice will, in the exercise of professional judgment, determine whether the use or disclosure is in your best interests and, if so, disclose only the PHI that is directly relevant to the person’s involvement with your care.
Uses and/or disclosures, other than those described above, will be made only with your written Authorization.
1. You have the right to:
A) Revoke any Authorization, in writing, at any time. To request a revocation, you must submit a written request to the Practice’s Privacy Officer.
B) Request restrictions on certain uses and/or disclosures of your PHI as provided by law. However, the Practice is not obligated to agree to any requested restrictions. To request restrictions, you must submit a written request to the Practice’s Privacy Officer. In your written request, you must inform the Practice of what information you want to limit, whether you want to limit the Practice’s use or disclosure, or both, and to whom you want the limits to apply. If the Practice agrees with your request, the Practice will comply with your request unless the information is needed in order to provide you with emergency treatment. (Forms H, I & J)
C) Receive confidential communications of PHI by alternative means or at alternative locations. You must make your request in writing to the Practice’s Privacy Officer. The Practice will accommodate all reasonable requests.
D) Restrict disclosure of your PHI by the Practice to insurance and health plans for any item or service you have paid for completely out of pocket. Such a request must be made in writing to the Practice’s Privacy Officer.
E) Inspect and copy your PHI as provided by law. To inspect and copy your PHI, or to have a copy transmitted to another person, you must submit a written request to the Practice’s Privacy Officer. You may request a digital or paper copy of your information. The Practice may charge you a reasonable, cost-based fee for copying, mailing and other supplies associated with your request; the fee will not exceed the Practice’s cost to produce the material, including the cost of copies and the employee time involved. The Practice has 30 days following the written request to produce the requested information in the format requested or to negotiate an alternative format. In certain situations defined by law, the Practice may deny your request, but you will have the right to have the denial reviewed as set forth more fully in the written denial notice. (Forms K, L, M & N)
F) Amend your PHI as provided by law. To request an amendment, you must submit a written request to the Practice’s Privacy Officer. You must provide a reason that supports your request. The Practice may deny your request if it is not in writing, if you do not provide a reason in support of your request, if the information to be amended was not created by the Practice (unless the individual or entity that created the information is no longer available), if the information is not part of your PHI maintained by the Practice, if the information is not part of the information you would be permitted to inspect and copy, or if the information is accurate and complete. If you disagree with the Practice’s denial, you will have the right to submit a written statement of disagreement. (Forms O & P)
G) Receive an accounting of disclosures of your PHI as provided by law. To request an accounting, you must submit a written request to the Practice’s Privacy Officer. The request must state a time period, which may not be longer than six (6) years and may not include dates before April 14, 2003. The request should indicate in what form you want the list (such as paper or electronic copy). The first list you request within a twelve (12) month period will be free, but the Practice may charge you for the cost of providing additional lists. The Practice will notify you of the costs involved and you can decide to withdraw or modify your request before any costs are incurred. (Forms Q, R & S)
H) Receive a paper copy of the Privacy Notice from the Practice upon request to the Practice’s Privacy Officer.
I) Complain to the Practice or to the Secretary of HHS if you believe your privacy rights have been violated. To file a complaint with the Practice, you must contact the Practice’s Privacy Officer. All complaints must be in writing. (Forms T, U, V & Document 3)
1. The Practice
A) Is required by federal law to maintain the privacy of your PHI and to provide you with this Privacy Notice detailing the Practice’s legal duties and privacy practices with respect to your PHI.
B) Under the Privacy Rule, may be required by state law to grant greater access to, or maintain greater restrictions on the use or release of, your PHI than that which is provided for under federal law.
C) Is required to abide by the terms of this Privacy Notice.
D) Reserves the right to change the terms of this Privacy Notice and to make the new Privacy Notice provisions effective for all PHI that it maintains.
E) Will distribute any revised Privacy Notice to you prior to implementation.
F) Will not retaliate against you for filing a complaint.
G) Is required to notify you, in writing or by email, of a breach of your unsecured PHI where the breach has compromised, or may have compromised, your PHI.
HIPAA OMNIBUS RULE:
NEW CHANGES TO HIPAA PRIVACY PRACTICES AND SECURITY RULES
There are four areas that providers need to focus on to comply with the HIPAA Omnibus Rule:
• Breach notification policies and procedures;
• Notice of privacy practices (“NPP”);
• Business associate agreements; and
• HIPAA privacy policies and procedures.
The following summary provides an overview of the steps providers will need to take in each of these areas to meet the new requirements under the HIPAA Omnibus Rule.
Breach Notification Policies and Procedures
The HIPAA Omnibus Rule lowers the standard for breach notification. Under the previous rule, breaches were not required to be reported to the Department of Health and Human Services (“HHS”) unless they posed a “significant risk of reputational, financial or other harm” to individuals. The new standard presumes that a reportable breach has occurred unless the covered entity or business associate, through the use of a multi-factor risk assessment, determines that there is a low probability that the protected health information (“PHI”) has been compromised by the unauthorized use or disclosure.
To demonstrate that there is a low probability that a breach compromised PHI, a provider must perform a risk assessment that considers at least the following factors:
• The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
• The unauthorized person who used the PHI or to whom the disclosure was made;
• Whether the PHI was actually acquired or viewed; and
• The extent to which the risk to the PHI has been mitigated.
A provider must be able to quickly perform a risk assessment that will: (1) review a potential breach; (2) identify whether it is reportable and how to mitigate the harm; and (3) remediate the problem. Providers should revise their breach notification policies and procedures prior to September 23, 2013 to reflect this new breach analysis process.
Notice of Privacy Practices
As a result of the changes in the HIPAA Omnibus Rule, providers will be required to revise their Notice of Privacy Practices and post their NPP in a clear and prominent location. If the provider maintains a website, the NPP also must be posted there. NPPs now must include the following provisions:
• Authorizations: A statement that the following uses and disclosures will be made only with authorization from the individual:
o uses and disclosures for marketing purposes; and
o uses and disclosures that constitute the sale of PHI.
• Breach notification statement: A statement that the provider must notify an affected individual of a breach of unsecured PHI;
• Fundraising disclosures: A statement that the recipient of fundraising materials may opt out of future fundraising communications (if the provider conducts fundraising); and
• Restrict disclosure to health plans: A description of an individual’s right to restrict disclosures of protected health information to health plans if an individual has paid for services completely out of pocket.
The HIPAA Omnibus Rule also eliminates requirements to include information in NPPs concerning appointment reminders, treatment alternatives, and health-related benefits or services, but the rule does not require that such information be removed either.
Business Associate Agreements
The definition of the term “business associate” has been expanded to include: health information organizations, personal health record vendors, subcontractors of the business associate, and individuals or entities that create, receive, maintain, or transmit PHI for a covered entity. It is significant that this definition now includes subcontractors of business associates and entities that maintain PHI. By adding this language, HHS clarified that you can have a “business associate of a business associate” and that business associates who use subcontractors for functions involving PHI will need to enter into business associate agreements with those subcontractors. Further, based on the addition of the word “maintain” to the definition, covered entities should require off-site records storage facilities or cloud storage providers that maintain PHI to sign business associate agreements.
The OCR has published a form business associate agreement on its website, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html, incorporating the new HIPAA Omnibus Rule. A sample business associate agreement is also attached to this memo. Providers should compare their existing templates to these new forms, or adopt one of the forms as their new agreement. Business associates should require applicable subcontractors to sign business associate agreements that track the new form, in addition to addressing the terms of the business associate agreement with the covered entity.
Liability for Business Associates
One of the important clarifications under the HIPAA Omnibus Rule relates to covered entities’ liability for the conduct of their business associates. Prior to the promulgation of the HIPAA Omnibus Rule, it was unclear whether covered entities could be held liable for their business associates’ HIPAA violations if the covered entity had an appropriate business associate agreement in place and took reasonable steps to address breaches. The HIPAA Omnibus Rule clarified that a covered entity can indeed be held liable for the acts or omissions of its business associates that are acting as the covered entity’s “agent,” as determined under the federal common law of agency. This agent liability also extends to a business associate for the actions or omissions of its subcontractors.
Whether an agency relationship exists under federal common law is a fact-specific inquiry. While there are many factors to consider, HHS has indicated that the essential factor in determining whether an agency relationship exists is the right or authority of a covered entity to control the business associate’s conduct in the course of performing a service on behalf of the covered entity. Ultimately, the more discretion and independence the business associate has in performing functions for the covered entity, the less likely it is that an agency relationship exists.
HIPAA Privacy Policies and Procedures
Providers must update privacy policies and procedures to address changes made by the HIPAA Omnibus Rule in the following areas:
• Individual rights: If an individual requests a digital copy of certain electronic PHI or directs a provider in writing to transmit a copy to another person, the provider generally must produce the information in the format requested if readily producible within 30 days or negotiate an alternative format. Further, if an individual requests that a copy of his or her PHI be sent via unencrypted email, then a provider is permitted to do so, as long as the covered entity has advised the individual of the risks and the individual still prefers the unencrypted email.
• Patient’s Right to Request Restrictions: A provider must comply with an individual’s request for restrictions on disclosures made to health plans for payment or health care operations purposes if the PHI pertains to an item or service for which the individual paid completely out-of-pocket.
• Marketing: A provider must obtain written authorization to use and disclose PHI for marketing purposes, including most non-face-to-face communications for which the provider receives payment to make the communication. If payment is involved, the marketing authorization must disclose that fact. However, a provider may inform a patient about a third party’s product or service without the patient’s written authorization when the provider receives no compensation for the communication; when the communication is face-to-face; when the communication involves a drug or biologic the patient is currently being prescribed and any payment is limited to reasonable reimbursement of the costs of the communication; or when the communication involves general health promotion. A provider is also still permitted to give patients promotional gifts of nominal value (e.g., a pamphlet).
• Fundraising: A provider now may disclose more information to institutionally related foundations for fundraising, but it must explain how the recipient may opt out of receiving future fundraising communications. If an individual opts out, the provider must not make any further fundraising communications to that individual.
• Research: If a provider engages in research, the provider should review the new standards applicable to research.
• Sale of PHI: A provider must obtain authorization if the provider receives direct or indirect remuneration (including nonfinancial) in exchange for the disclosure of or access to PHI. The authorization must state the provider is receiving remuneration in exchange for the PHI. There are several exceptions that apply (e.g., public health activities, treatment, and payment).
• Deceased Persons: A provider may make relevant disclosures to the deceased’s family and friends under essentially the same circumstances that such disclosures were permitted when the patient was alive; that is, when these individuals were involved in providing care or payment for care and the provider is unaware of any expressed preference to the contrary. The HIPAA Omnibus Rule also eliminates any HIPAA protection for PHI 50 years after a patient’s death.
This Notice is in effect as of Jan 1, 2016.
Estill County Chiropractic, PLLC
John C. Allen, D.C.
Notice of Nondiscrimination