Our Practice is committed to maintaining the privacy of your protected health information know as (PHI), which is information about you, including demographic information, that may identify you and that relates to your past, present or future physical or mental health or condition and the care and treatment you receive from our practice. In addition, this Notice describes your rights to access and control your PHI. This Notice describes how medical information about you may be used and disclosed and how you can obtain access to this information. Please read this Notice carefully and if you should have any questions or concerns about this Privacy Notice please do not hesitate to contact our privacy officer listed above.
This office is required by law to abide by the terms of this Notice of Privacy Practices as well as abiding by any other applicable State laws that may govern privacy practices and/or the scope of the practice of chiropractic. Our office may change and/or modify the terms of this Notice at any time and the new Notice will be effective for all PHI that we obtain at that time. Our office and/or doctor will provide you with a copy of our Notice of Privacy Practices and make a good faith effort to obtain your written acknowledgement of our Notice, no later than the date of your first service delivery. We will also keep you notified of any changes to our Notice of Privacy Practices and if requested by you our office will provide you with an updated copy of same.
Uses and Disclosures of PHI:
Our office may use and disclose of your PHI for health care delivery purposes, which is known as treatment, payment and health care operations (TPO). Your PHI may be used and disclosed by your doctor, our office staff and others outside of our office that are involved in your care and treatment for the purpose of providing health care services to you. Your PHI may also be used and disclosed to pay your health care bills and to support the operation of the doctor’s practice.
It should be noted that even though our list of uses and disclosures of your PHI is fairly comprehensive, it is difficult to take into account each and every single possibility of how your PHI may be used or disclosed. We can assure you that your doctor and his office staff will do everything possible to maintain the confidentiality of your PHI.
If a breach occurs with your PHI our office will notify you. If the breach affects more than 500 individuals the breach will be promptly reported to you as well as Health and Human Services (HHS) Secretary, and the media. If the breach is less than 500 individuals, then the breach will be reported to HHS Secretary on an annual basis.
Listed below are some of the more common types of uses and disclosures of your PHI that our office is allowed to make without your consent and/or authorization. Any other uses and/or disclosures other than those listed below will only be made with your written authorization.
Treatment-Your PHI may be used and disclosed for the coordination or management of your health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding you or the referral of you from one health care provider to another.
Payment-Your PHI may be used and disclosed for payment which encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums to fulfill their coverage responsibilities and provide benefits under the plan and to obtain reimbursement for the provision of healthcare.
Health Care Operations-Your PHI may be used and disclosed for healthcare operations for certain administrative, financial, legal and quality improvement activities that are necessary to run its business and to support the core functions of treatment and payment.
Emergency Situations-Our office and/or doctor may use or disclose your PHI in an emergency treatment situation. If an emergency situation happens to arise we are not required to obtain a written acknowledgement from you of our Notice of Privacy Practices until after the emergency situation has ended.
Minimum Necessary Standard-Our office and/or staff will make reasonable efforts to limit the use and disclosure of and requests for your PHI to the minimum necessary to accomplish the intended purpose.
Employee Limitations-Your doctor will also limit the use and disclosure of your PHI to members of his or her workforce to those who may need access to your PHI for treatment, payment and health care operations. Public Health Purposes and Activities-Your PHI may be disclosed to public health authorities who are legally authorized to receive such reports for the purpose of preventing or controlling disease, injury or disability which would include reporting of disease or injury, reporting vital events like births or deaths and conducting public health surveillance, investigations or interventions. In addition, your PHI may be disclosed for public health activities like child abuse or neglect, quality, safety or effectiveness of a product or activity regulated by the FDA and persons at risk of contracting or spreading disease as well as workplace medical surveillance. Again, this information will be limited to the minimum amount necessary to accomplish the public health purpose.
Business Associate Contract-A business associate is a person or entity who creates, receives, maintains, or transmits PHI on behalf of a covered entity. Business associates may also include subcontractors of an entity as well as any subcontractor of a business associate, if the subcontractor accesses PHI of the covered entity. The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associates that the business associate will safeguard the PHI it receives or creates on behalf of the covered entity from any misuse and will use the information only for the purposes for which it was engaged by the covered entity and not for the business associates independent use or purposes, except as needed for the proper management and administration of the business associate. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.
Research Purposes-Your PHI may be used or disclosed for research purposes which has been de-identified and/or you have authorized the use and disclosure of your PHI.
Workers’ Compensation Purposes-Due to the variability among State laws the Privacy Rule permits disclosure of your PHI for purposes as authorized by and to the extent necessary to comply with workers’ compensation laws without your authorization and no minimum necessary determination is required.
Marketing Purposes-Your PHI may be used and disclosed for marketing purposes if it is in the form of a face-to-face communication or a communication involving a promotional gift of nominal value by the covered entity i.e.: health care provider, health care plan or clearinghouse. Marketing is defined as “making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” This type of marketing has certain exceptions, which do not require authorization for the use and disclosure of your PHI and are listed as follows.
1. A communication is not marketing if it is made to describe a health-related product or service that is provided by or included in a plan of benefits of the covered entity making the communication.
2. A communication is not marketing if it is made for treatment of the individual.
3. A communication is not marketing if it is made for case management or care coordination for an individual or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.
Note: Besides the above exceptions any other form of marketing would require your authorization to use and disclose your PHI.
Fundraising Purposes-Individuals have the right to opt out of receiving any types of communications related to fundraising.
Personal Representative-Your PHI may be used and disclosed, under State law, to a person who is authorized to act on your behalf in making your health care related decisions.
Legal Proceedings-Your PHI may be disclosed if requested by any judicial or administrative proceedings, court order, a subpoena, law enforcement purposes etc.
Miscellaneous uses and disclosures of PHI-We may use a sign-in-sheet at our front desk so our staff can easily see who is seeking care. We are allowed to use and disclose your name in the waiting room when your doctor is ready to see you. We may use and disclose your PHI to contact you to remind you of your appointment. We are also allowed to use and disclose your name and address to send you a newsletter about our practice and services we offer. In addition, we may send you information about products or services that we feel may benefit you.
Patient’s Rights to Access and Control their PHI:
The Privacy Rule allows you certain rights with regards to your records, which are as follows:
You have the right to review and receive copies of your records as it relates to your own care. Your request would have to be put in writing and the law requires that your doctor respond within 30 days of your request. The law does allow for a onetime 30-day extension for your doctor to respond. Your doctor will also provide you with electronic copies of your records if requested, or hard copies if you reject all readily reproducible e-formats. In addition, your doctor is allowed to deny you access to your records, but only if it is going to cause you harm or someone else harm. If your doctor denies you access to your records the denial has to be referred to a healthcare review professional, which would be the privacy officer who was designated. Your doctor is allowed to charge a copy fee, which should not exceed State law allowance.
You have the right to request that the use and disclosure of your PHI be restricted. This means you have the right to request restrictions on how your doctor will use or disclose your PHI about treatment, payment and health care operations. Your doctor is not required to agree to your request for restriction, but would be bound by any restrictions to which you and your doctor agree on.
You have the right to request to receive confidential communications from your doctor by alternative means or at an alternative location. Your doctor must accommodate your request, provided it is reasonable, and you clearly state that not doing so could endanger you.
You have the right to request amendments (changes) to your records. If changes are made to your record it does not mean that your doctor will destroy his or her records or your doctor will rewrite their records, it means that your doctor will add an addendum to your current records to reflect your changes. Your doctor has the right to deny or reject your request to change your records, but you have the right to submit a statement in the medical record that you disagree. Your doctor also has the right to add to the record a rebuttal statement.
The rules also restrict your doctor from disclosing any electronic health records (PHI) to health plans for treatment that individuals pay for in full (out-of-pocket).
You have the right to receive your doctor’s Notice of Privacy Practices. The law requires that your doctor provide you in writing their policy on how they are protecting and using your PHI.
You have the right to revoke an authorization. The revocation can be done at any time provided it is in writing. There is an exception to revocation that is if your doctor has taken any action in reliance on the use or disclosure indicated in the doctor’s Authorization Notice.
Patient’s Right to File a Complaint:
If you believe, that any of your Privacy Rights have been violated by us you can file a written complaint with our Privacy Officer (please see our privacy officer to obtain a complaint form). Your complaint must be filed within 180 days of when you knew or should have known that the act had occurred. In addition, you can also file a written complaint either on paper or electronically with the Office of Civil Rights (OCR). Please note that the Privacy law prohibits our office from taking any retaliatory actions against you.