The Health Insurance Portability and Accountability Act of 1996 (HIPAA) enacts sweeping changes in how the healthcare professions handle the administrative details of their practices, and contains a broad and stringent framework, for the privacy and confidentiality of personally identifiable health information. This Federal statute was enacted as Public Law 104-191. Further information regarding this act can be found at the Department of Health and Human Services (HHS) website.
I. THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
II. I HAVE A LEGAL DUTY TO SAFEGUARD YOUR PROTECTED HEALTH lNFORMATION (PHI)
I am legally required to protect the privacy of your PHI, which includes information that can be used to identify you that I’ve created or received about your past, present, or future health or condition, the provision of health care to you, or the payment of this health care. I must provide you with this Notice about my privacy practices, and such Notice must explain how, when, and why I will “use” and “disclose” your PHI. A “use” of PHI occurs when I share, examine, utilize, apply, or analyze such information within my practice; PHI is “disclosed” when it is released, transferred, has been given to, or is otherwise divulged to a third party outside of my practice. With some exceptions, I may not use or disclose any more of your PHI than is necessary to accomplish the purpose for which the use or disclosure is made. And, I am legally required to follow the privacy practices described in this Notice.
However, I reserve the right to change the terms of this Notice and my privacy policies at any time. Any changes will apply to PHI on file with me already. Before I make any important changes to my policies, I will promptly change this Notice and post a new copy of it on my website. You can also request a copy of this Notice from me.
III. HOW I MAY USE AND DISCLOSE YOUR PHI.
I will use and disclose your PHI for many different reasons. For some of these uses or disclosures, I will need your prior authorization; for others, however, I do not. Listed below are the different categories of my uses and disclosures along with some examples of each category.
A. Uses and Disclosures Relating to Treatment, Payment, or Health Care Operations Do Not Require Your Prior Written Consent. I can use and disclose your PHI without your consent for the following reasons:
- For treatment. I can disclose your PHI to physicians, psychiatrists, psychologists, and other licensed health care providers who provide you with health care services or are involved in your care. For example, if you’re being treated by a psychiatrist, I can disclose your PHI to your psychiatrist in order to coordinate your care.
- To obtain payment for treatment. I can use and disclose your PHI to bill and collect payment for the treatment and services provided by me to you. For example, I might send your PHI to your insurance company or health plan to get paid for the health care services that I have provided to you. I may also provide your PHI to my business associates, such as billing companies, claims processing companies, and others that process my health care claims.
- For health care operations. I can disclose your PHI to operate my practice. For example, I might use your PHI to evaluate the quality of health care services that you received or to evaluate the performance of the health care professionals who provided such services to you. I may also provide your PHI to our accountants, attorneys, consultants, and others to make sure I’m com-plying with applicable laws.
- Other disclosures. I may also disclose your PHI to others with-out your consent in certain situations. For example, your consent isn’t required if you need emergency treatment, as long as I try to get your consent after treatment is rendered, or if I try to get your consent but you are unable to communicate with me (for example, if you are unconscious or in severe pain) and I think that you would consent to such treatment if you were able to do so.
B. Certain Uses and Disclosures Do Not Require Your Consent. I can use and disclose your PHI without your consent or authorization for the following reasons:
- When disclosure is required by federal, state or Iocal law; judicial or administrative proceedings; or, law enforcement. For example, I may make a disclosure to applicable officials when a law requires me to report information to government agencies and law enforcement personnel about victims of abuse or neglect; or when ordered in a judicial or administrative proceeding.
- For public health activities. For example, I may have to report information about you to the county coroner.
- For health oversight activities. For example, I may have to provide information to assist the government when it conducts an investigation or inspection of a health care provider or organization.
- For research purposes. In certain circumstances, I may provide PHI in order to conduct medical research.
- To avoid harm. In order to avoid a serious threat to the PHI to law enforcement personnel or persons able to prevent or lessen such harm.
- For specific government functions. I may disclose PHI of military personnel and veterans in certain situations. And I may disclose PHI for national security purposes, such as protecting the President of the United States or conducting intelligence operations.
- For workers’ compensation purposes. I may provide PHI in order to comply with workers’ compensation laws.
- Appointment reminders and health related benefits or services. I may use PHI to provide appointment reminders or give you information about treatment alternatives, or other health care services or benefits I offer.
C. Certain Uses and Disclosures Require You to Have the Opportunity to Object.
- Disclosures to family, friends, or others. I may provide your PHI to a family member, friend, or other person that you indicate is involved in your care or the payment for your health care, unless you object in whole or in part. The opportunity to consent may be obtained retroactively in emergency situations.
D. Other Uses and Disclosures Require Your Prior Written Authorization. In any other situation not described in sections III A, B, and C above, I will ask for your written authorization before using or disclosing any of your PHI. If you choose to sign an authorization to disclose your PHI, you can later revoke such authorization in writing to stop any future uses and disclosures (to the extent that I haven’t taken any action in reliance on such authorization) of your PHI by me.
IV. WHAT RIGHTS YOU HAVE REGARDING YOUR PHI
You have the following rights with respect to your PHI:
A. The Right to Request Limits on Uses and Disclosures of Your PHI. You have the right to ask that I limit how I use and disclose your PHI. I will consider your request, but I am not legally required to accept it. If I accept your request, I will put any limits in writing and abide by them except in emergency situations. You may not limit the uses and disclosures that I am legally required or allowed to make.
B. The Right to Choose How I Send PHI to You. You have the right to ask that I send information to you to at an alternate address (for example, sending information to your work address rather than your home address) or by alternate means (for example, e-mail instead of regular mail) I must agree to your request so long as I can easily provide the PHI to you in the format you requested.
C. The Right to See and Get Copies of Your PHI. In most cases, you have the right to look at or get copies of your PHI that I have, but you must make the request in writing. If I don’t have your PHI but I know who does, I will tell you how to get it. I will respond to you within 30 days of receiving your written request. In certain situations, I may deny your request. If I do, I will tell you, in writing, my reasons for the denial and explain your right to have my denial reviewed. If you request copies of your PHI, I will charge you not more than $.25 for each page. Instead of providing the PHI you requested, I may provide you with a summary or explanation of the PHI as long as you agree to that and to the cost in advance.
D. The Right to Get a List of the Disclosures I Have Made.
You have the right to get a list of instances in which I have disclosed your PHI. The list will not include uses or disclosures that you have already consented to, such as those made for treatment, payment, or health care operations, directly to you, or to your family. The list also won’t include uses and disclosures made for national security purposes, to corrections or law enforcement personnel, or disclosures made before April 15, 2003.
I will respond to your request for an accounting of disclosures within 60 days of receiving your request. The list I will give you will include disclosures made in the last six years unless you request a shorter time. The list will include the date of the disclosure, to whom PHI was disclosed (including their address, if known), a description of the information disclosed, and the reason for the disclosure. I will provide the list to you at no charge, but if you make more than one request in the same year, I will charge you a reasonable cost based fee for each additional request.
E. The Right to Correct or Update Your PHI. If you believe that there is a mistake in your PHI or that a piece of important information is missing, you have the right to request that I correct the existing information or add the missing information. You must provide the request and your reason for the request in writing. I will respond within 60 days of receiving your request to correct or update your PHI. I may deny your request in writing if the PHI is (i) correct and complete, (ii) not created by me, (iii) not allowed to be disclosed, or (iv) not part of my records. My written denial will state the reasons for the denial and explain your right to file a written statement of disagreement with the denial. If you don’t file one, you have the right to request that your request and my denial be attached to all future disclosures of your PHI. If I approve your request, I will make the change to your PHI, tell you that I have done it, and tell others that need to know about the change to your PHI.
F. The Right to Get This Notice by E-Mail. You have the right to get a copy of this notice by e-mail. Even if you have agreed to receive notice via e-mail, you also have the right to request a paper copy of it.
V. HOW TO COMPLAIN ABOUT MY PRIVACY PRACTICES
If you think that I may have violated your privacy rights, or you disagree with a decision I made about access to your PHI, you may file a complaint with the person listed in Section VI below. You also may send a written complaint to the Secretary of the Department of Health and Human Services at 200 Independence Avenue S.W., Washington, D.C. 20201. I will take no retaliatory action against you if you file a complaint about my privacy practices.
VI. PERSON TO CONTACT FOR INFORMATION ABOUT THIS NOTICE OR TO COMPLAIN ABOUT MY PRIVACY PRACTICES
If you have any questions about this notice or any com-plaints about my privacy practices, or would like to know how to file a complaint with the Secretary of the Department of Health and Human Services, please contact me at: Lisa Wenninger, PO Box 1604, Mill Valley CA 94942 or by email to firstname.lastname@example.org
VII. EFFECTIVE DATE OF THIS NOTICE
This notice went into effect on June 30, 2021.