This notice is required by law.
Notice of Policies and Practices to Protect the Privacy of Your Health Information
THIS NOTICE DESCRIBES HOW YOUR PROTECTED HEALTH INFORMATION MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
I. Uses and Disclosures for Treatment, Payment, and Health Care Operations
We may use or disclose your protected health information (PHI), for treatment, payment, and health care operations purposes with your written authorization. We may also disclose PHI for payment purposes with your general consent. To help clarify these terms, here are some definitions:
•“PHI” refers to information in your health record that could identify you.
•“Treatment, Payment, and Health Care Operations”
– Treatment is when we provide, coordinate, or manage your health care and other services related to your health care. An example of treatment would be when we consult with another health care provider, such as your family physician or another therapist.
– Payment is when we obtain reimbursement for your healthcare. Examples of payment are when we disclose your PHI to your health insurer to obtain reimbursement for your health care or to determine eligibility or coverage.
– Health Care Operations are activities that relate to the performance and operation of our practice. Examples of health care operations are quality assessment and improvement activities, business-related matters such as audits and administrative services, and case management and care coordination.
•“Use” applies only to activities within our office such as sharing, employing, applying, utilizing, examining, and analyzing information that identifies you.
•“Disclosure” applies to activities outside of our office, such as releasing, transferring, or providing access to information about you to other parties.
•“Authorization” is your written permission to disclose confidential mental health information. All authorizations to disclose must be on a specific legally required form.
II. Other Uses and Disclosures Requiring Authorization
We may use or disclose PHI for purposes outside of treatment, payment, or health care operations when your appropriate authorization is obtained. In those instances when we are asked for information for purposes outside of treatment, payment, or health care operations, we will obtain an authorization from you before releasing this information. We will also need to obtain an authorization before releasing your Psychotherapy Notes. “Psychotherapy Notes” are notes we have made about our conversation during a private, group, joint, or family counseling session, which we have kept separate from the rest of your record. These notes are given a greater degree of protection than PHI.
You may revoke all such authorizations (of PHI or Psychotherapy Notes) at any time, provided each revocation is in writing. You may not revoke an authorization to the extent that (1) we have relied on that authorization; or (2) if the authorization was obtained as a condition of obtaining insurance coverage, law provides the insurer the right to contest the claim under the policy.
We will also obtain an authorization from you before using or disclosing PHI in a way that is not described in this Notice.
III. Uses and Disclosures without Authorization
We may use or disclose PHI without your consent or authorization in the following circumstances:
•Child Abuse – If we have reasonable cause to believe a child known to us in our professional capacity may be an abused child or a neglected child, we must report this belief to the appropriate authorities.
•Adult and Domestic Abuse – If we have reason to believe that an individual (who is protected by state law) has been abused, neglected, or financially exploited, we must report this belief to the appropriate authorities.
•Health Oversight Activities – We may disclose protected health information regarding you, to a health oversight agency for oversight activities authorized by law, including licensure or disciplinary actions.
•Judicial and Administrative Proceedings- If you are involved in a court proceeding and a request is made for information by any party about your evaluation, diagnosis and treatment and the records thereof, such information is privileged under state law, and we must not release such information without a court order. We can release the information directly to you on your request. Information about all other psychological services is also privileged and cannot be released without your authorization or a court order. The privilege does not apply when you are being evaluated for a third party or where the evaluation is court ordered. You must be informed in advance if this is the case.
•Serious Threat to Health or Safety – If you communicate to us a specific threat of imminent harm against another individual or if we believe that there is clear, imminent risk of physical or mental injury being inflicted against another individual, we may make disclosures that we believe are necessary to protect that individual from harm. If we believe that you present an imminent, serious risk of physical or mental injury or death to yourself, we may make disclosures we consider necessary to protect you from harm.
•Worker’s Compensation – We may disclose protected health information regarding you, as authorized by and to the extent necessary to comply with laws relating to worker’s compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.
•When the use and disclosure without your consent or authorization is allowed under other sections of Section 164.512 of the Privacy Rule and the state’s confidentiality law. This includes certain narrowly-defined disclosures to law enforcement agencies, to a health oversight agency (such as HHS or a state department of health), to a coroner or medical examiner, for public health purposes relating to disease or FDA-regulated products, or for specialized government functions such as fitness for military duties, eligibility for VA benefits, and national security and intelligence.
There may be additional disclosures of PHI that we are required or permitted by law to make without your consent or authorization, however the disclosures listed above are the most common.
IV. Patient’s Rights and Psychologist’s Duties
•Right to Request Restrictions – You have the right to request restrictions on certain uses and disclosures of protected health information. However, we are not required to agree to a restriction you request.
•Right to Receive Confidential Communications by Alternative Means and at Alternative Locations – You have the right to request and receive confidential communications of PHI by alternative means and at alternative locations. (For example, you may not want a family member to know that you are seeing us. On your request, we will send your bills to another address.) It is our normal practice to communicate with you at your home address, daytime phone number, and email address you provided us with when you scheduled your appointment. We may contact you about health matters, appointment reminders, and other pertinent reasons. Sometimes we may leave you a voicemail or message. You have the right to request that our office communicate with you in a different way.
•Right to Inspect and Copy – You have the right to inspect or obtain a copy (or both) of PHI in our mental health and billing records used to make decisions about you for as long as the PHI is maintained in the record and Psychotherapy Notes. On your request, we will discuss with you the details of the request for access process. Please note that we have 30 days to respond to your request and we may charge a reasonable fee for the cost of copying, mailing, and supplies.
•Right to Amend – You have the right to request an amendment of PHI for as long as the PHI is maintained in the record. We may deny your request. On your request, we will discuss with you the details of the amendment process. We will make a decision on your request within 60 days or in some cases within 90 days.
•Right to an Accounting – You generally have the right to receive an accounting of disclosures of PHI. On your request, we will discuss with you the details of the accounting process.
•Right to a Paper Copy – You have the right to obtain a paper copy of the notice from us upon request, even if you have agreed to receive the notice electronically.
•Right to Restrict Disclosures When You Have Paid for Your Care Out-of-Pocket - You have the right to restrict certain disclosures of PHI to a health plan when you pay out-of-pocket in full for my services.
•Right to Be Notified if There is a Breach of Your Unsecured PHI - You have a right to be notified if: (a) there is a breach (a use or disclosure of your PHI in violation of the HIPAA Privacy Rule) involving your PHI; (b) that PHI has not been encrypted to government standards; and (c) my risk assessment fails to determine that there is a low probability that your PHI has been compromised.
•We are required by law to maintain the privacy of PHI and to provide you with a notice of our legal duties and privacy practices with respect to PHI.
•We reserve the right to change the privacy policies and practices described in this notice. Unless we notify you of such changes, however, we are required to abide by the terms currently in effect.
•If we revise our policies and procedures, we will offer a paper copy of the revised notice.
V. Breach Notification
A “breach” is defined as the acquisition, access, use or disclosure of PHI in violation of the HIPAA Privacy Rule. Examples of a breach include: stolen or improperly accessed PHI; PHI inadvertently sent tothe wrong provider; and unauthorized viewing of PHI by an employee in your practice. PHI is “unsecured” if it is not encrypted to government standards.
When we become aware of or suspect a breach we will conduct a Risk Assessment. The risk assessment considers the following four factors to determine if PHI has been compromised: 1) the nature and extent of PHI involved, 2) to whom the PHI may have been disclosed, 3) whether the PHI was actually acquired or viewed, 4) the extent to which the risk to the PHI has been mitigated. We will keep a written record of that Risk Assessment.
The risk assessment can be done by a business associate if the business associate was involved in the breach. While the business associate will conduct a risk assessment of a breach of PHI in its control, we will provide any required notice to patients and HHS.
Unless we determine that there is a low probability that PHI has been compromised, we will give notice of the breach including: a brief description of the breach, including dates; a description of types of unsecured PHI involved; the steps you should take to protect against potential harm; a brief description of steps we have taken to investigate the incident, mitigate harm, and protect against further breaches; and our contact information. After any breach, particularly one that requires notice, the Practice will re-assess its privacy and security practices to determine what changes should be made to prevent the re-occurrence of such breaches.
If you are concerned that we have violated your privacy rights, or you disagree with a decision we made about access to your records, you may contact the office manager at (224)723-5772.
You may also send a written complaint to the Secretary of the U.S. Department of Health and Human Services. The person listed above can provide you with the appropriate address upon request.
This notice will go into effect on June 10th, 2015. We reserve the right to change the terms of this notice and to make the new notice provisions effective for all PHI that we maintain. We will provide you with a revised notice by offering a paper copy of the revised notice.