The Department of Health and Human Services, Office of Civil Rights, under Public Law 104-191 (the Health Insurance Portability and Accountability Act of 1996) (HIPAA), mandates that we issue this new revised Privacy Notice to our patients. This notice to our patients meets all current requirements as it relates to the Standard for Privacy of Individually Identifiable Health Information (IIHI) affecting our patients. You are urged to read this notice.
As a part of the Privacy Standard, implemented on April 14, 2001, you are required to provide this office with a new, signed and dated, Consent Agreement. Every patient must receive our new Privacy Notice and execute a new Consent Agreement before this office may use your information for treatment, payment, or other health care operations (TPO).
Our Privacy Notice informs you of our use and disclosure of your PROTECTED Health Information (PHI), defined as “any information, whether oral or recorded, in any medium, that is either created or received by a health care provider, health plan, public health authority, employer, life insurance company, school or university or clearing house and that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual”.
Our office will use or disclose your PHI for purposes of treatment, payment and other healthcare purposes as required, providing you the best quality healthcare services that we offer to the extent permitted by your Consent Agreement or in such specific situations, by your signed and dated Authorization. It is our policy to control access to your PHI; and even in cases where access is permitted, we exercise a “minimum necessary information” restriction to that access. We define the minimum necessary information as the minimum necessary to accomplish the intent of the request.
An Authorization differs from a Consent Agreement in that it is very specific with regard to the information allowed to be disclosed or used, the individual or entity to which the information may be disclosed, the intent for which it may be disclosed, and the date that it was initiated, which may include the duration of the authorization. This is a form, separate from the Consent Agreement, and usually used only for one specific request for information. In the event of a non-healthcare related request for personal health information, this office will request you to complete an Authorization form.
You, as our patient, may revoke any Consent Agreement or Authorization at any time, and all use and disclosure and administration of related healthcare services will be revised accordingly, with the exception of matters already in process as a result of prior use of your PHI. To revoke either the Consent Agreement or Authorization, you will have to provide this office with a written request with your signature and date and your specific instructions regarding an existing Authorization or Consent Agreement. Any revocation will not apply to information already used or disclosed.
If you have a “personal representative” initiate an Authorization, you may revoke that authorization at any time.
You, the patient, have access to your health care information. You may request to examine your information, may request copies of your information, and under the law, you may request amendments to your information. The physician or principal will exercise professional judgment with regard to requests for amendments and is not bound by law to make any changes to the information. If the physician or professional agrees with the request to amend the information, we are bound by law to abide by the changes.
In limited circumstances, the Privacy Standard permits, but does not require, covered entities to continue certain existing disclosures of health information without individual consent for specific public responsibilities.
These permitted disclosures include: emergency circumstances, identification of the body of a deceased person, assistance in determining the cause of death, public health needs, research generally limited to when a waiver of authorization is independently approved by a privacy board or Institutional Review Board, oversight of the health care system, judicial and administrative proceedings, limited law enforcement activities, and activities related to national defense and security. There are specific state laws that require the disclosure of health care information related to national defense and security. There are specific state laws that require the disclosure of health care information related to Hepatitis C and AIDS. Where the state laws are more stringent than the HIPAA Privacy Standard, the state laws will prevail.
All of these disclosures could occur previously under former laws and regulations. However, the Privacy Standard establishes new safeguards and limits. If there is no other law requiring that your information be disclosed, we will use our professional judgment to decide whether to disclose any information reflecting our own policies and ethical principles.
On some occasions, we may furnish your PHI to a third party. This could be an insurance company for the purpose of payment or another health care provider for further treatment or additional services. Although we will institute a “chain of trust” contract and monitor our business associates’ contracts with us, we cannot absolutely guarantee that they will not use or disclose your PHI in such a way as to violate the Privacy Standard.
The law requires a signed and dated Privacy Notice. It is the law that your rights are communicated in this manner.
It is our practice to retain information about non-healthcare related requests for your health care information for a period of six years.
In complying with the Privacy Standard, we have appointed a Privacy Officer, trained our Privacy Officer and the staff in the law, and implemented policies to protect your PHI.
We have instituted privacy and security processes to guard and protect your IIHI. This office is taking steps, and continues to monitor and improve them, to protect your information and to remain in compliance with the law.
The obligation to notify patients if there is a breach of their Protected Health Information (PHI) has been clarified under the new rule. The subjective “harm” standard in the interim final rule has been eliminated. Under the “harm” standard, a breach did not occur unless the access, use, or disclosure posed “a significant risk of financial, reputational, or other harm to an individual.” Now, any acquisition, access, use, or disclosure of unsecured PHI not permitted under HIPAA is presumed to be a breach unless it is determined that there is a low probability that the PHI has been compromised based on a four-factor risk assessment:
1. The nature and extent of PHI involved;
2. The unauthorized person who used the PHI or to whom the disclosure was made;
3. Whether PHI was actually acquired or viewed; and
4. The extent to which the risk to PHI has been mitigated (e.g., assurances from trusted third parties that the information was destroyed).
Individuals have a right to access and to obtain a copy of PHI within 30 days of their request. Under the new rule, if an individual requests a copy of PHI that is maintained electronically, the provider must, with limited exception, give the individual access to the PHI in an electronic format.
At an individual’s request, a health care provider may not disclose the individual’s PHI to a health plan, if the disclosure is not required by law, the request relates to payment or health care operations, and the individual has paid for the item or service out of pocket in full. If an individual makes such a request, providers will want to document the request and ensure that the patient understands that no claims will be submitted by the provider to the patient’s insurer. Providers will also need to employ some method to flag medical records with respect to the PHI that has been restricted.
Under the new rule, providers may disclose PHI to family members of a decedent who were involved in the person’s care prior to his or her death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.
The new rule requires providers to obtain an individual authorization for the sale of PHI, with some exceptions, including disclosures for payment or treatment or permitted disclosures to patients in exchange for a reasonable fee.
In any fundraising materials sent by a provider, the provider is required to give individuals the opportunity to opt out of receiving further fundraising communications.
The new rule permits a provider to combine an authorization for the disclosure of PHI for research purposes that requires the signing of that form for the patient to be treated with an authorization for the use of PHI for other purposes that does not include the same conditions, provided that the authorization allows the individual to opt in to the unconditioned activities, and the research does not involve the use or disclosure of psychotherapy notes. These authorizations may also encompass future research, which was not permitted under the existing rules.
The definition of “marketing” has been modified to encompass communications by a provider for purposes of treatment and health care operations about health-related products or services if the provider receives financial remuneration for making the communication from or on behalf of the third party whose product or service is being described. A provider must obtain an individual’s written authorization prior to sending marketing communications to the individual.