HIPAA Notice of Privacy Practices
Effective January 2011
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
If you have any questions about this notice, please contact
HIPAA Privacy and Compliance Officer Jana Braden at InShapeMD
This Notice of Privacy Practices (the “Notice”) tells you about the ways we may use and disclose your protected health information (“medical information”) and your rights and our obligations regarding the use and disclosure of your medical information. This Notice applies to InShapeMD, including its providers and employees (the “Practice”).
We are required by law to:
- Maintain the privacy of your medical information, to the extent required by state and federal law;
- Give you this notice of our legal duties and privacy practices regarding health information about you;
- Notify affected individuals following a breach of unsecured medical information under federal law; and
- Follow the terms of our notice that is currently in effect.
HOW WE MAY USE AND DISCLOSE HEALTH INFORMATION
The following describes the ways we may use and disclose health information that identifies you (“Health Information”). These categories are intended to be general descriptions only, and not a list of every instance in which we may use or disclose your Health Information. Please understand that for these categories, the law generally does not require us to get your authorization in order for us to use or disclose your Health Information. Except for the purposes described below, we will use and disclose Health Information only with your written permission. You may revoke such permission at any time by writing to our designated Privacy Officer.
For Treatment – We may use and disclose Health Information for your treatment and to provide you with treatment-related health care services, including coordinating and managing your health care. We may disclose Health Information to doctors, nurses, technicians, medical assistants, office staff, or other personnel, including people outside our office, who are involved in your medical care and need the information to provide you with medical care.
For Payment – We may use and disclose Health Information so that we or others may bill and receive payment from you for the treatment and services you received.
For Health Care Operations – We may use and disclose Health Information for health care operations purposes. These uses and disclosures are necessary to make sure that all of our patients receive quality care and to operate and manage our office.
Quality Assurance – We may need to use or disclose your Health Information for our internal processes to assess and facilitate the provision of quality care to our patients.
Utilization Review – We may need to use or disclose your Health Information to perform a review of the services we provide in order to evaluate whether the appropriate level of services is received, depending on condition and diagnosis.
Credentialing and Peer Review – We may need to use or disclose your Health Information in order for us to review the credentials, qualifications and actions of our health care providers.
Treatment Alternatives – We may need to use or disclose your Health Information to tell you about or recommend possible treatment options or alternatives that we believe may be of interest to you.
Appointment Reminders and Health Related Benefits and Services – We may use and disclose Health Information to contact you to provide appointment reminders and other information. We may use and disclose Health Information to tell you about health-related benefits or services that we believe may be of interest to you.
Business Associates – We may disclose Health Information to our business associates that perform functions on our behalf or provide us with services if the information is necessary for such functions or services. For example, we may use another company to perform billing services on our behalf. All of our business associates are obligated to protect the privacy of your information and are not allowed to use or disclose any information other than as specified in our contract.
Individuals Involved in Your Care or Payment for Your Care – When appropriate, we may share Health Information with a person who is involved in your medical care or payment for your care, such as your family or a close friend. We also may notify your family about your location or general condition or disclose such information to an entity assisting in a disaster relief effort.
As Required by Law – We will disclose Health Information when required to do so by international, federal, state or local law or regulations.
To Avert a Serious Threat to Health or Safety – We may use and disclose Health Information when necessary to prevent a serious or imminent threat of injury to your physical, mental or emotional health or safety or the physical safety of the public or another person. Disclosures, however, will be made only to someone who may be able to help prevent the threat, medical or law enforcement personnel.
Military and Veterans – If you are a member of the armed forces, we may release Health Information as required by military command authorities. We also may release Health Information to the appropriate foreign military authority if you are a member of a foreign military.
Workers’ Compensation – We may release Health Information for workers’ compensation or similar programs. These programs provide benefits for work-related injuries or illness.
Public Health Risks – We may disclose Health Information about you to public health authorities for public health activities. As a general rule, we are required by law to disclose certain types of information to public health authorities, such as the Texas Department of State Health Services. This includes disclosures to prevent or control disease, injury or disability (including the reporting of a particular disease or injury); to report births and deaths; to report suspected child abuse or neglect; to report reactions to medications or problems with medical devices and supplies; to notify people of recalls of products they may be using; to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; to notify the appropriate government authority if we believe a patient has been the victim of abuse, neglect or domestic violence (we will only make this disclosure if you agree or when required or authorized by law); to provide information about certain medical devices; and to assist in public health investigations, surveillance, or interventions.
Health Oversight Activities – We may disclose Health Information to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, civil, administrative, or criminal investigations and proceedings, inspections, licensure and disciplinary actions, and other activities necessary for the government to monitor the health care system, certain governmental benefit programs, certain entities subject to government regulations which relate to health information with civil rights laws.
Data Breach Notification Purposes – We may use or disclose your Protected Health Information to provide legally required notices of unauthorized access to or disclosure of your health information.
Legal Matters – If you are involved in a lawsuit or a dispute, we may disclose Health Information in response to a court or administrative order, a subpoena, discovery request, or other lawful process. In addition to lawsuits, there may be other legal proceedings for which we may be required or authorized to use or disclose your Health Information, such as investigations of health care providers, competency hearings on individuals, or claims over the payment of fees for medical services.
Law Enforcement, National Security and Intelligence Activities – We may release Health Information if asked by law enforcement officials, or if we are required by law to do so, if the information is: (1) in response to a court order, subpoena, warrant, summons or similar process; (2) limited information to identify or locate a suspect, fugitive, material witness, or missing person; (3) about the victim of a crime even if, under certain very limited circumstances, we are unable to obtain the person’s agreement; (4) about a death we believe may be the result of criminal conduct; (5) about criminal conduct on our premises; and (6) in an emergency to report a crime, the location of the crime or victims, or the identity, description or location of the person who committed the crime. We may release Health Information to authorized federal officials for intelligence, counter-intelligence, and other national security activities authorized by law.
Marketing of Related Health Services – We may use or disclose your Health Information to send you treatment or healthcare operations communications concerning treatment alternatives or other health-related products or services. We may provide such communications to you in instances where we receive financial remuneration from a third party in exchange for making the communication only with your specific authorization unless the communication (i) is made face-to-face by the Practice to you, (ii) consists of a promotional gift of nominal value provided by the Practice, or (iii) is otherwise permitted by law. If the marketing communication involves financial remuneration and an authorization is required, the authorization must state that such remuneration is involved. Additionally, if we use or disclose information to send a written marketing communication (as defined by Texas law) through the mail, the communication must be sent in an envelope showing only the name and addresses of sender and recipient and must (i) state the name and toll-free number of the entity sending the marketing communication; and (ii) explain the recipient’s right to have the recipient’s name removed from the sender’s mailing list.
Electronic Disclosures of Medical Information – Under Texas law, we are required to provide notice to you if your Health Information is subject to electronic disclosure. This Notice serves as general notice that we may disclose your Health Information electronically for treatment, payment, or health care operations or as otherwise authorized by state or federal law.
OTHER USES OF MEDICAL INFORMATION
Authorizations – There are times we may need or want to use or disclose your Health Information for reasons other than those listed above, but to do so we will need your prior authorization. Other than expressly provided herein, any other uses or disclosure of your Health Information will require your specific written authorization.
Right to Revoke Authorization – Other uses and disclosures of Protected Health Information not covered by this Notice or the laws that apply to us will be made only with your written authorization. If you do give us an authorization, you may revoke it at any time by submitting a written revocation to our Privacy Officer and we will no longer use or disclose Protected Health Information for the reasons covered by your written authorization. You understand that we are unable to take back any uses or disclosures we have already made in reliance upon your authorization; uses or disclosures made before you revoked it will not be affected by the revocation. We are required to retain our records of the care that we provided to you.
YOUR RIGHTS REGARDING HEALTH INFORMATION ABOUT YOU
Federal and state laws provide you with certain rights regarding the Health Information we have about you. The following is a summary of those rights.
Right to Inspect and Copy – Under most circumstances, you have the right to inspect and/or copy Health Information, that we have in our possession, that may be used to make decisions about your care or payment for your care. This includes medical and billing records, other than psychotherapy notes. To inspect and copy this Health Information, you must make your request, in writing, to the HIPAA Privacy Officer, InShapeMD. We have up to 30 days to make your Protected Health Information available to you and we may charge you a reasonable fee for the costs of copying, mailing or other supplies associated with your request. We may deny your request in certain limited circumstances. If we do deny your request, you have the right to have the denial reviewed by a licensed healthcare professional who was not directly involved in the denial of your request, and we will comply with the outcome of the review.
Right to an Electronic Copy of Electronic Medical Records – If your Protected Health Information is maintained in an electronic format (known as an electronic medical record or an electronic health record), you have the right to request that an electronic copy of your record be given to you or transmitted to another individual or entity. We will make every effort to provide access to your Protected Health Information in the form or format you request, if it is readily producible in such form or format. If the Protected Health Information is not readily producible in the form or format you request, your record will be provided in either our standard electronic format or, if you do not want this form or format, a readable hard copy form. We may charge you a reasonable, cost-based fee for the labor associated with transmitting the electronic medical record.
Right to Amend – If you feel that Health Information we have is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept by or for our office. To request an amendment, you must make your request, in writing, to the Compliance Officer. In your request, you must provide a reason as to why you want this amendment. If we accept your request, we will notify you of that in writing.
We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend information that (i) was not created by us (unless you provide a reasonable basis for asserting that the person or organization that created the information is no longer available to act on the requested amendment), (ii) is not part of the information kept by the Practice, (iii) is not part of the information which you would be permitted to inspect and copy, or (iv) is accurate and complete. If we deny your request, we will notify you of that denial in writing.
Right to an Accounting of Disclosures – You have the right to request an “accounting of disclosures” of your Health Information. This is a list of certain disclosures we made of Health Information for purposes other than treatment, payment and health care operations or for which you provided written authorization. To request an accounting of disclosures, you must make your request, in writing, to the Compliance Officer.
If we make disclosures through an electronic health records (EHR) system, you may have an additional right to an accounting of disclosures for Treatment, Payment, and Health Care Operations. Contact the Compliance Officer for more information regarding an accounting of disclosures made through an EHR for the purposes of Treatment, Payment, or Health Care Operations.
Right to Request Restrictions – You have the right to request a restriction or limitation on the Health Information we use or disclose for treatment, payment, or health care operations. You also have the right to request a limit on the Health Information we disclose to someone involved in your care or the payment for your care, like a family member or friend. For example, you could ask that we not share information about a particular diagnosis or treatment with your spouse.
We are not required to agree to your request or limitation. If we do agree, we will comply with your request unless the information is needed to provide emergency treatment. In addition, there are certain situations where we won’t be able to agree to your request, such as when we are required by law to use or disclose your Health Information. To request a restriction, you must make your request, in writing, to the Compliance Officer. In your request, you must specifically tell us what information you want to limit, whether you want us to limit our use, disclosure, or both, and to whom you want the limits to apply.
In most instances we do not have to agree to your request for restrictions on disclosures that are otherwise allowed. However, if you ask us to restrict the use and disclosure of your Protected Health Information to a health plan for payment or health care operation purposes, and the information you wish to restrict pertains solely to a health care item or service for which you or another person (other than a health plan) pays on your behalf in full, out-of-pocket, then we will be obligated to abide by that request for restriction unless the disclosure is otherwise required by law. Such restrictions may have unintended consequences, particularly if other providers need to know that information (such as a pharmacy filling a prescription). It will be your obligation to notify any such other providers of this restriction. Such a restriction may impact your health plan’s decision to pay for related care that you may not want to pay for out of pocket (and which would not be subject to the restriction). If we agree, we will comply with your request unless the information is needed to provide you with emergency treatment.
Right to Request Confidential Communications – You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we only contact you by mail or at work. To request confidential communications, you must make your request, in writing, to the Compliance Officer. We will use our best efforts to accommodate reasonable requests, but there are some requests with which we will not be able to comply. Your request must specify how or where you wish to be contacted.
Right to a Paper Copy of This Notice – You have the right to a paper copy of this notice. You may ask us to give you a copy of this notice at any time. Even if you have agreed to receive this notice electronically, you are still entitled to a paper copy of this notice. To obtain a paper copy of this notice, contact our Compliance Officer.
Right to Breach Notification – In certain instances, we may be obligated to notify you (and potentially other parties) if we become aware that your Health Information has been improperly disclosed or otherwise subject to a “breach” as defined in and/or required by HIPAA and applicable state law.
CHANGES TO THIS NOTICE:
We reserve the right to change this notice, along with our privacy policies and practices. We reserve the right to make the revised or changed Notice effective for Health Information we already have about you as well as any information we receive in the future. We will post a copy of our current notice at our office. The notice will contain the effective date on the first page, in the top right-hand corner.
If you believe your privacy rights have been violated, you may file a complaint with our office or with the Secretary of the Department of Health and Human Services.
Office of Civil Rights
U.S. Department of Health & Human Services
1301 Young Street, Suite 1124, Dallas, TX 75202
To file a complaint with our office, contact our Compliance Officer. All complaints must be made in writing. You will not be penalized for filing a complaint.
PHI use and disclosure by the Plan is regulated by federal law under HIPAA. You may find these rules under 45 C.F.R. 160 & 164. This Notice attempts to summarize the Privacy Standards. The Privacy Standards will supersede any discrepancy between the information in this Notice and the Privacy Standards.