As of April 14, 2003, the Federal regulation on patient information privacy, known as the Health Insurance Portability and Accountability Act (HIPAA), requires that we provide (in writing) detailed notice regarding our privacy practices. Specifically, this notice describes how medical information about you may be used and disclosed, and how you may obtain access to this information.
ORIGINAL EFFECTIVE DATE: APRIL 14, 2003
LAST REVISED: MAY 10, 2013
I. Our commitment to protecting Health Information about you
In this notice, we describe the ways that we may use and disclose health information about our patients. The HIPAA Privacy Rule requires that we protect the privacy of health information that identifies a patient, or where there is a reasonable basis to believe the information can be used to identify a patient. This information is called “protected health information” or “PHI.” This notice describes your rights as our patient and our obligations regarding the use and disclosure of PHI. We are required by law to:
- Maintain the privacy of PHI about you;
- Give you this notice of our legal duties and privacy practices with respect to PHI, and
- Comply with the terms of our Notice of Privacy Practices that are currently in effect.
As permitted by the HIPAA Privacy Rule, we reserve the right to make changes to this notice and to make such changes effective for all PHI we may already have about you. If and when this notice is changed, we will post a copy in our office in a prominent location. We will also provide you with a copy of the revised notice upon your request made to our Privacy Official.
You will be asked to sign a form to show that you received this notice. Even if you do not sign this form, we will still provide you with treatment.
II. How we may use and disclose Protected Health Information about you
USES AND DISCLOSURES FOR TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS
The following categories describe the different ways we may use and disclose PHI for treatment, payment, or health care operations without your consent or authorization. The examples included in each category do not list every type of use or disclosure that may fall within that category.
A. Treatment
We may use and disclose PHI about you to provide, coordinate, or manage your health care and related services. We may consult with other health care providers regarding your treatment and coordinate and manage your health care with others. For example, we may use and disclose PHI when you need a prescription, lab work, an x-ray, or other health care services. In addition, we may use and disclose PHI about you when referring you to another health care provider. For example, if you are referred to another physician, we may disclose PHI to your new physician regarding whether you are allergic to any medications. In emergencies, we may use and disclose PHI to provide the treatment you need.
We may also disclose PHI about you for the treatment activities of another health care provider. For example, we may send a report about you to a physician that we refer you to so that the other physician may treat you.
B. Payment
We may use and disclose PHI so that we can bill and collect payment for the treatment and services provided to you. Before providing treatment or services, we may share details with your health plan concerning the services you are scheduled to receive. For example, we may ask for payment approval from your health plan before we provide care or services. We may use and disclose PHI to find out if your health plan will cover the cost of care and services we provide. We may use and disclose PHI to confirm you are receiving the appropriate amount of care to obtain payment for services. We may use and disclose PHI for billing, claims management, and collection activities. We may disclose PHI to insurance companies providing you with additional coverage. We may disclose limited PHI to consumer reporting agencies relating to collection of payments owed to us.
We may also disclose PHI to another health care provider, or to a company, or health plan required to comply with the HIPAA Privacy Rule for the payment activities of that health care provider, company, or health plan. For example, we may allow a health insurance company to review PHI for the insurance company’s activities to determine the insurance benefits to be paid for your care.
C. Health Care Operations
We may use and disclose PHI in performing business activities that are called health care operations. Health care operations include doing things that allow us to improve the quality of care we provide and to reduce health care costs. We may use and disclose PHI about you in the following health care operations:
- Reviewing and improving the quality, efficiency, and cost of care that we provide to our patients. For example, we may use PHI about you to develop ways to assist our physicians and staff in deciding how we can improve the medical treatment we provide to others.
- Improving health care and lowering costs for groups or people who have similar health problems and helping to manage and coordinate the care for these groups of people. We may use PHI to identify groups of people with similar health problems to give them information, for instance, about treatment alternatives and educational classes.
- Reviewing and evaluating the skills, qualifications, and performance of health care providers taking care of you and our other patients.
- Providing training programs for students, trainees, health care providers, or non-health care professionals (for example: billing personnel) to help them practice or improve their skills.
- Cooperating with outside organizations that assess the quality of the care that we provide.
- Cooperating with outside organizations that evaluate, certify, or license health care providers or staff in a particular field or specialty. For example, we may use or disclose PHI so that one of our nurses may become certified as having expertise in a specific field of nursing.
- Cooperating with various people who review our activities. For example, PHI may be seen by doctors reviewing the services provided to you, and by accountants, lawyers, and others who assist us in complying with the law and managing our business.
- Assisting us in making plans for our practice’s future operations.
- Resolving grievances within our practice.
- Reviewing our activities and using or disclosing PHI in the event that we sell our practice to someone else or combine with another practice.
- Business planning and development, such as cost-management analyses.
- Business management and general administrative activities of our practice, including managing our activities related to complying with the HIPAA Privacy Rule and other legal requirements.
- Creating “de-identified” information that is not identifiable to any individual, and disclosing PHI to a business associate for the purpose of creating de-identified information, regardless of whether we will use the de-identified information.
- Creating a “limited data set” of information that does not contain information directly identifying a patient. (Our ability to disclose this information to others under limited conditions is discussed later in this notice.)
If another health care provider, company, or health plan, that is required to comply with the HIPAA Privacy Rule, also has or once had a relationship with you, we may disclose PHI about you for certain health care operations of that health care provider or company. For example, such health care operations may include: reviewing and improving the quality, efficiency, and cost of care provided to you; reviewing and evaluating the skills, qualifications, and performance of health care providers; providing training programs for students, trainees, health care providers, or non-health care professionals; cooperating with outside organizations that evaluate, certify, or license health care providers or staff in a particular field or specialty; and assisting with legal compliance activities of that health care provider or company.
We may also disclose PHI for the health care operations of any “organized health care arrangement” in which we participate. An example of an organized health care arrangement is the joint care provided by a hospital and the physicians who see patients at the hospital.
D. Communication from our office
We may contact you to remind you of appointments and to provide you with information about treatment alternatives or other health-related benefits and services that may be of interest to you.
OTHER USES AND DISCLOSURES WE CAN MAKE WITHOUT YOUR WRITTEN AUTHORIZATION FOR WHICH YOU HAVE THE OPPORTUNITY TO AGREE OR OBJECT
Individuals involved in your care or payment for your care:
We may use and disclose PHI about you in some situations where you have the opportunity to agree or object to certain uses and disclosures of PHI about you. If you do not object, we may make these types of uses and disclosures of PHI.
- We may disclose PHI about you to your family member, close friend, or any other person identified by you if that information is directly relevant to the person’s involvement in your care or payment for your care.
- If you are present and able to consent or object (or if you are available in advance), then we may only use and disclose PHI if you do not object after you have been informed of your opportunity to object.
- If you are not present or you are unable to consent or object, we may exercise professional judgment in determining whether the use or disclosure of PHI is in your best interest. For example, if you are brought into this office and are unable to communicate normally with your physician for some reason, we may find it is in your best interest to give your prescription and other medical supplies to the friend or relative who brought you in for treatment.
- We may also use and disclose PHI to notify such persons of your location, general condition, or death. We also may coordinate with disaster relief agencies to make this type of notification.
- We may also use professional judgment and our experience with common practice to make reasonable decisions about your best interests in allowing a person to act on your behalf to pick up filled prescriptions, medical supplies, x-rays, or other things that contain PHI about you.
OTHER USES AND DISCLOSURES WE CAN MAKE WITHOUT YOUR WRITTEN AUTHORIZATION OR OPPORTUNITY TO AGREE OR OBJECT
We may use and disclose PHI about you in the following circumstances without your authorization or opportunity to agree or object, provided that we comply with certain conditions that may apply.
A. Required by law
We may use and disclose PHI as required by federal, state, or local law to the extent that the use or disclosure complies with the law and is limited to the requirements of the law.
B. Public Health Activities
We may use and disclose PHI to public health authorities or other authorized persons to carry out certain activities related to public health, including the following activities:
- To prevent or control disease, injury, or disability;
- To report disease, injury, birth, or death;
- To report child abuse or neglect;
- To report reactions to medications or problems with products or devices regulated by the federal Food and Drug Administration (FDA) or other activities related to quality, safety, or effectiveness of FDA-regulated products or activities;
- To locate and notify persons of product recalls they may be using;
- To notify a person who may have been exposed to a communicable disease in order to control who may be at risk of contracting or spreading the disease; or
- To report to your employer, under limited circumstances, information related primarily to workplace injuries or illnesses, or workplace medical surveillance.
C. Abuse, neglect, or domestic violence
We may disclose PHI in certain cases to proper government authorities if we reasonably believe that a patient has been a victim of domestic violence, abuse, or neglect.
D. Health oversight activities
We may disclose PHI to a health oversight agency for oversight activities including, for example, audits, investigations, inspections, licensure and disciplinary activities, and other activities conducted by health oversight agencies to monitor the health care system, government health care programs, and compliance with certain laws.
E. Lawsuits and other legal proceedings
We may use or disclose PHI when required by a court or administrative tribunal order. We may also disclose PHI in response to subpoenas, discovery requests, or other required legal process when efforts have been made to advise you of the request or to obtain an order protecting the information requested.
F. Law enforcement
Under certain conditions, we may disclose PHI to law enforcement officials for the following purposes where the disclosure is:
- About a suspected crime victim if, under certain limited circumstances, we are unable to obtain a person’s agreement because of incapacity or emergency;
- To alert law enforcement of a death that we suspect was the result of criminal conduct;
- Required by law;
- In response to a court order, warrant, subpoena, summons, administrative agency request, or other authorized process;
- To identify or locate a suspect, fugitive, material witness, or missing person;
- About a crime or suspected crime committed at our office; or
- In response to a medical emergency not occurring at the office, if necessary to report a crime, including the nature of the crime, the location of the crime or the victim, and the identity of the person who committed the crime.
G. Coroners, medical examiners, funeral directors
We may disclose PHI to a coroner or medical examiner to identify a deceased person and determine the cause of death. In addition, we may disclose PHI to funeral directors, as authorized by law, so that they may carry out their jobs.
H. Organ and tissue donation
If you are an organ donor, we may use or disclose PHI to organizations that help procure, locate, and transplant organs in order to facilitate an organ, eye, or tissue donation and transplantation.
I. Research
We may use and disclose PHI about you for research purposes under certain limited circumstances. We must obtain a written authorization to use and disclose PHI about you for research purposes, except in situations where a research project meets specific, detailed criteria established by the HIPAA Privacy Rule to ensure the privacy of PHI.
J. To avert a serious threat to health or safety
We may use and disclose PHI about you in limited circumstances when necessary to prevent a threat to the health or safety of a person or to the public. This disclosure can only be made to a person who is able to help prevent the threat.
K. Specialized government functions
Under certain conditions, we may disclose PHI:
- For certain military and veteran activities, including determination of eligibility for veterans benefits and where deemed necessary by military command authorities;
- For national security and intelligence activities;
- To help provide protective services for the President of the United States and others;
- For the health or safety of inmates and others at correctional institutions or other law enforcement custodial situations or for general safety and health related to correctional facilities.
L. Workers’ Compensation
We may disclose PHI as authorized by workers’ compensation laws or other similar programs that provide benefits for work-related injuries or illnesses.
M. Disclosures required by HIPAA Privacy Rule
We are required to disclose PHI to the Secretary of the United States Department of Health and Human Services when requested by the Secretary to review our compliance with the HIPAA Privacy Rule. We are also required in certain cases to disclose PHI to you upon your request to access PHI or for an accounting of certain disclosures of PHI about you (these requests are described in Section III of this notice).
N. Incidental disclosures
We may use or disclose PHI incident to a use or disclosure permitted by the HIPAA Privacy Rule so long as we have reasonably safeguarded against such incidental uses and disclosures and have limited them to the minimum necessary information.
O. Limited data set disclosures
We may use or disclose a limited data set (PHI that has certain identifying information removed) for the purposes of research, public health, or health care operations. This information may only be disclosed for research, public health, and health care operations purposes. The person receiving the information must sign an agreement to protect the information.
OTHER USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION THAT REQUIRE YOUR AUTHORIZATION
All other uses and disclosures of PHI about you will only be made with your written authorization. If you have authorized us to use or disclose PHI about you, you may later revoke your authorization at any time, except to the extent we have taken action based on the authorization.
III. Your rights regarding Protected Health Information about you
Under Federal law, you have the following rights regarding PHI about you:
A. Right to request restrictions:
You have the right to request additional restrictions on the PHI that we may use or disclose for treatment, payment, and health care operations. You may also request additional restrictions on our disclosure of PHI to certain individuals involved in your care that otherwise are permitted by the Privacy Rule. Please be informed that we are not required to agree to your request. If we do agree to your request, we are required to comply with our agreement except in certain cases, including where the information is needed to treat you in the case of an emergency. To request restrictions, you must make your request in writing to our Privacy Official. In your request, please include (1) the information that you want to restrict; (2) how you want to restrict the information (for example, restricting use to this office, only restricting disclosure to persons outside this office, or restricting both); and (3) to whom you want those restrictions to apply.
B. Right to receive confidential communications:
You have the right to request that you receive communications regarding PHI in a certain manner or at a certain location. For example, you may request that we contact you at home, rather than at work. You must make your request in writing. You must specify how you would like to be contacted (for example, by regular mail to your post office box and not your home). We are required to accommodate only reasonable requests.
C. Right to inspect and copy
You have the right to request the opportunity to inspect and receive a copy of PHI about you in certain records that we maintain. This includes your medical and billing records, but does not include psychotherapy notes or information gathered or prepared for a civil, criminal, or administrative proceeding. We may deny your request to inspect and copy PHI only in limited circumstances. To inspect and copy PHI, please contact our Privacy Official. If you request a copy of PHI about you, we may charge you a reasonable fee for the copying, postage, labor, and supplies used in meeting your request.
D. Right to amend
You have the right to request that we amend PHI about you as long as such information is kept by or for our office. To make this type of request, you must submit your request in writing to our Privacy Official. You must also give us a reason for your request. We may deny your request in certain cases, including if it is not in writing or if you do not give us a reason for the request.
E. Right to receive an Accounting of Disclosures
You have the right to request an “accounting” of certain disclosures that we have made of PHI about you. This is a list of disclosures made by us during a specified period of up to 6 years, other than disclosures made: for treatment, payment, and health care operations; for use in or related to a facility directory; to family members or friends involved in your care; to you directly; pursuant to an authorization of you or your personal representative; for certain notification purposes (including national security, intelligence, correctional, and law enforcement purposes); as incidental disclosures that occur as a result of otherwise permitted disclosures; as part of a limited data set of information that does not directly identify you; and before April 14, 2003. If you wish to make such a request, please contact our Privacy Official identified on the last page of this notice. The first list that you request in a 12-month period will be free, but we may charge you for our reasonable costs of providing additional lists in the same 12-month period. We will tell you about these costs, and you may choose to cancel your request at any time before costs are incurred.
F. Right to a paper copy of this notice
You have the right to receive a paper copy of this notice at any time. You are entitled to a paper copy of this notice even if you have previously agreed to receive this notice electronically. To obtain a paper copy of this notice, please contact our Privacy Official listed in this notice.
IV. E-mail Communication of your Protected Health Information
Please be informed that our office may communicate your PHI, via electronic mail (e-mail), to Physicians and/or other Healthcare entities directly and/or indirectly involved in your medical care. In addition, we may communicate your PHI to you directly, via e-mail, at your discretion and request. The purpose of our participation in e-mail communication is to expedite the sharing of PHI that may (or may not) be necessary to expedite the delivery optimization of your medical care and services.
Please be aware that our Patient Registration Form and Release of Information Authorization Form acknowledge e-mail use by requesting an e-mail address from you and by informing you that, unless objected by you (in writing), you are formally providing our office with the necessary consent to communicate your PHI via e-mail.
In accordance with California law, which supersedes federal HIPAA law (when applicable), PHI information containing disclosure of any of the following cannot be e-mailed: Sexually Transmitted Diseases (STDs), Human Immunodeficiency Virus (HIV), Acquired Immune Deficiency (Immunodeficiency) Syndrome (AIDS), mental health, alcohol abuse, drug abuse, and any test results relating to routinely processed tissues, which include skin biopsies, Papanicolaou tests (Pap Smears), products of conception and/or confirmation of pregnancy, bone marrow aspirations for morphological evaluation, and/or any test result which reveals a malignancy. For further information pertaining to California HIPAA law, please visit the State of California Office of Health Information Integrity (CalOHii) website: http://www.ohii.ca.gov/calohi/ .
Please be further informed that the use of e-mail in our office, as it pertains to communicating your PHI, is considered to be as secure (and unsecure) as sharing medical information (about you) via traditional U.S. Postal mail correspondence and facsimile methods. If you elect to provide our office with an e-mail address, you are responsible for informing us of the accuracy of that e-mail address, just as is expected of you when providing our office with a personal physical address, telephone and/or facsimile number.
In regard to electronic record storage, our office proactively takes the necessary measures to protect all electronic medical information on computer servers that are extensively monitored and secured (from external penetration) via a network of firewalls and other shields. Our systems are monitored twenty-four hours per day, seven days per week.
In regard to sharing PHI with others electronically, please know that our office has taken extra steps to inform Community Physicians and other applicable Healthcare entities of our intent to share PHI via e-mail, with their ultimate option to participate, or not participate. Those entities that have informed us of their option to participate in e-mail exchange of your PHI have provided our office with secure and accurate e-mail addresses for communication purposes. We entrust that all participating entities that will receive your PHI will use and protect your PHI as we would in our office. However, please be specifically informed that further dissemination (or misuse) of your PHI, on behalf of the receiving entity, is no longer under our direct control, and therefore, our office is not liable for any damages resulting from such further dissemination and/or misuse.
Last, please be informed that encryption of e-mail is not a federal or state requirement at this time – rather it is currently considered an “addressable implementation specification” (Source: U.S. Department of Health & Human Services, Is the use of encryption mandatory in the Security Rule?, http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2001.html, Does the Security Rule allow for sending electronic PHI (e-PHI) in an email or over the Internet? If so, what protections must be applied?, http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2006.html , date reconfirmed: May 10, 2013). Please be informed that our office takes safeguarding your e-PHI just as seriously as regular PHI. For this reason, we have implemented additional, necessary and reasonable measures to continuously train our employees on how to properly handle your PHI electronically. These safeguards include, but are not limited to, verifying the accuracy of e-mail addresses to minimize the probability of “sending error.” Additionally, our Electronic Medical Record (EMR) system utilizes an integrated encryption software component when we transmit your PHI to you via email. And our Patient Portal website (which provides you with limited, online access to your PHI) is also safeguarded with a Secure Sockets Layer (SSL) certificate (which serves as an online-connection encryption platform). In the future, our policy regarding e-PHI safeguards will be modified to accommodate changes in federal and state requirements.
You have the right to elect that our office not communicate your PHI via e-mail (to you or any other entity) by informing our office in writing at any time. Please note that objections to the sharing of PHI via e-mail are not retroactive to periods when prior authorization to share PHI was present.
If you would like additional information regarding our e-PHI practices, please contact our Privacy Official.
V. Complaints
If you believe your privacy rights have been violated, you may file a complaint with our office, or with the Secretary of the U.S. Department of Health and Human Services. To file a complaint with our office, please contact our Privacy Official. We will not retaliate or take action against you for filing a complaint.
VI. Questions
If you have any questions regarding any of the policies disclosed in this notice, please contact our Privacy Official.
Additional (federal) information may be obtained directly at the U.S. Department of Health & Human Services website: http://www.hhs.gov/ocr/privacy/ .
Additional (state) information may be obtained directly at the State of California Office of Health Information Integrity (CalOHii) website: http://www.ohii.ca.gov/calohi/ .
VII. Privacy Official Contact Information
Privacy Official: ROSS NATHAN, M.D., MEDICAL DIRECTOR
Address: 3633 LONG BEACH BOULEVARD SUITE 100, LONG BEACH CA 90807
Telephone: (562) 424-9000
Facsimile: (562) 424-9030 OR (562) 424-9067
E-mail: [email protected]
Revisions by: A. Merino, 05-10-13