The law requires us to keep our patients' protected health information ("PHI") private in accordance with our Notice of Privacy Practices ("Notice"), as long as the Notice remains in effect. Additionally, our Practice takes our patients' privacy seriously and expects our employees, agents and business associates to do the same. If you ever have any questions regarding privacy or security of a patient's PHI, please contact our Privacy Officer.
OUR LEGAL DUTIES
Minimum Necessary. In all cases in which we use or disclose a patient's PHI, we must only do so to the minimum extent necessary to accomplish the underlying purpose of the use or disclosure. If you are unsure whether a use or disclosure meets this requirement, contact our Privacy Officer for clarification.
Uses and Disclosures. We may use or disclose PHI for treatment, payment, or health care operations. The following are some examples of permitted uses or disclosures:
Treatment. A patient's PHI may be used by or disclosed to any physicians or other health care providers involved with the medical services provided to that patient.
Payment. PHI may be used or disclosed in order to collect payment for the medical services provided to our patients.
Health Care Operations. PHI may be used or disclosed as part of quality of care audits of staff and affiliates, conducting training programs, accreditation, certification, licensing, or credentialing activities.
Authorizations. If we have received written authorization from a patient, we may use or disclose PHI for any purpose consistent with that authorization. We may not require such an authorization as a condition of treatment. A patient may revoke an authorization at any time by writing to the Privacy Officer. However, such revocation will not affect any prior authorized uses or disclosures.
Family Members and Friends. With the patient's permission, or in some emergencies, we may disclose PHI to family members, friends, or other people to aid in treatment or collection of payment. A disclosure of PHI may also be made if we determine it is reasonably necessary or in the patient's best interests for such purposes as allowing a person acting on the patient's behalf to receive filled prescriptions, medical supplies, X-rays, etc.
Facility Directories. [Optional Language for In-patient facilities] Our facility directory may list the following patient information: (1) name, (2) location in our facility, (3) general condition without reference to specific medical information, e.g., stable, serious, fair, etc., and (4) religious affiliation, if any. Our facility directory information may be disclosed to clergymen and, except for religious affiliation, to other people. We must honor a patient's request to restrict or prohibit the release of any of the above information.
Locating Responsible Parties. PHI may be disclosed in order to locate, identify or notify a family member, personal representative, or other person responsible for a patient's care. A patient may prohibit or restrict the extent or recipients of such disclosure, unless we determine in our reasonable professional judgment that a patient is incapable of doing so. If we so determine, we must limit the amount of PHI disclosed to the minimum necessary.
Disasters. We may use or disclose PHI to any public or private entity authorized by law or by its charter to assist in disaster relief efforts.
Required by Law. We must use or disclose medical information when we are required to do so by law. For example, PHI may be released when required by privacy laws, workers' compensation or similar laws, public health laws, court or administrative orders, subpoenas, certain discovery requests, or other laws, regulations or legal processes. Under certain circumstances, we may make limited disclosures of PHI directly to law enforcement officials or correctional institutions regarding an inmate, lawful detainee, suspect, fugitive, material witness, missing person, or a victim or suspected victim of abuse, neglect, domestic violence or other crimes. We may disclose PHI to the extent reasonably necessary to avert a serious threat to a patient's health or safety or the health or safety of others. We may disclose PHI when necessary to assist law enforcement officials to capture a third party who has admitted to committing a crime against the patient or who has escaped from lawful custody. If you are unsure of the lawful authority of the person requesting the PHI, contact the Privacy Officer prior to making any use or disclosure under this section.
Deceased Persons. We may disclose PHI of a deceased patient to a coroner, medical examiner, funeral director, or organ procurement organization in limited circumstances.
Research. PHI may also be used or disclosed for research purposes only in those limited circumstances not requiring a written authorization, such as those which have been approved by an institutional review board that has established procedures for ensuring the privacy of patients' PHI. Prior to conducting any research under this section, please obtain the approval of our Privacy Officer to ensure that all procedural requirements have been met.
Military and National Security. We may disclose to military authorities the medical information of Armed Forces personnel under certain circumstances. When required by law, we may disclose PHI for intelligence, counterintelligence, and other national security activities. Contact the Privacy Officer prior to making any use or disclosure of PHI under this section.
Continuing Care. [May be Unlawful Marketing under Proposed Regulations] We may provide patients with information concerning health issues, benefits and services, or treatment alternatives based upon their PHI. We may disclose PHI to a business associate to assist us in these activities. By notifying our Privacy Officer, a patient may opt out of receiving such information, except that which is contained in a general newsletter, is presented in person or is for nominally valued items.
Fundraising. [May be Unlawful Marketing under Proposed Regulations] We may use demographic information and the dates of a patient's health care to contact them for fundraising purposes. We may disclose this information to a business associate to assist us in fundraising activities. A patient may opt out of receiving such information by notifying our Privacy Officer.
Access and Copies. In most cases, patients have the right to review or to purchase copies of their PHI by requesting access or copies in writing to our Privacy Officer. All such requests should be handled quickly and efficiently but should not interfere with our treatment of other patients. We require that a patient schedule an appointment to review PHI at our office. Our Privacy Officer is responsible for setting copying fees.
Disclosure Accounting. We are required by law to maintain a Disclosure Accounting log of the instances, if any, in which PHI is disclosed for purposes other than those described in the following sections above: Uses and Disclosures, Facility Directories, Family Members and Friends, Locating Responsible Parties, and Access and Copies. For each 12-month period, a patient has the right, upon request, to receive one free copy of an accounting of certain details surrounding such disclosures that occurred after April 13, 2003. If a patient requests a disclosure accounting more than once in a 12-month period, we will charge a fee for each additional request. Please contact our Privacy Officer regarding these fees.
Additional Restrictions. A patient may request that we place additional restrictions on our use or disclosure of PHI, but we are not required to honor such a request. We will be bound by such restrictions only if we agree to do so in writing signed by our Privacy Officer.
Alternate Communications. Patients have the right to request that we communicate with them about their PHI by alternative means or in alternative locations. We will accommodate any reasonable request if it specifies in writing the alternative means or location, and provides a satisfactory explanation of how future payments will be handled.
Amendments to PHI. A patient has the right to request that we amend his or her PHI. Any such request must be in writing and contain a detailed explanation for the requested amendment. Under certain circumstances, we may deny the request but must provide the patient a written explanation of the denial. A patient has the right to send us a Statement of Disagreement, which we must file with the disputed PHI entry. We may then prepare and file a rebuttal to the patient's Statement of Disagreement, a copy of which must be provided to the patient at no cost. Please contact our Privacy Officer before changing or amending any medical record or other PHI.
Complaints. A patient is entitled to file a complaint with us or with the Secretary of the U.S. Department of Health and Human Services if he or she believes we have violated any privacy rights with respect to our Notice of Privacy Practices. We shall not retaliate in any way if a patient chooses to file such a complaint. All such complaints must be forwarded to the Privacy Officer.
1. Sign-in Sheets. Public sign-in sheets should request only the patient's name. Any other information collected from the patient should be kept private.
2. Oral Communications. Discussions about PHI should be held behind closed doors and/or out of earshot of those who have no right to access the PHI discussed. Use only the patient's name when calling him or her from the waiting room.
3. Patient Files. All reasonable efforts must be used to prevent unauthorized persons from accessing patient files. Files should be monitored by staff to ensure they are accessed only by authorized personnel. Unattended files should be kept in a locked room or cabinet. Patient files shall not be altered, copied or removed from the premises without first notifying the Privacy Officer.
4. Confidentiality Agreement. Anyone with access to patient records, files or other PHI must sign a confidentiality agreement. Violation of the confidentiality agreement should result in a reprimand, such as removal, demotion, suspension, or termination.
5. Fax Confidentiality. PHI should be faxed only in emergencies. In all other cases, PHI should be sent by mail or hand delivery, marked "confidential." PHI should not be faxed on or to a machine that is accessible to the general public. Indicate the confidential nature of the fax on the cover sheet as well as each sheet of the document. The cover sheet should also request that any erroneous recipient destroy or return the fax. Always notify the recipient of a forthcoming confidential fax and verify the fax number before faxing PHI. Wait to send the confidential fax until you are able to contact the recipient. Verify the fax number once again on the fax confirmation sheet after the fax is sent. If an error occurred, contact the accidental recipient and request the return or destruction of the fax.
6. Remote Consultation Confidentiality. Patient privacy and confidentiality must be maintained whenever PHI is viewed or discussed during a medical consultation session conducted over the telephone, internet or similar remote communication device. The provider who is consulting must confirm that the consultation is attended only by individuals who have a legitimate interest in the patient's care. Additionally, all PHI presented shall remain confidential.
7. Transcription Confidentiality. All employees, independent contractors, agents, or business associates involved in dictation, transcription, maintenance, storage, and retrieval of transcribed data must protect the privacy and confidentiality of any PHI to which they have access. The transcription system and all transcribed data are the property of Practice. Anyone using such equipment shall have no right to privacy in their use of the transcription system or its data. Practice reserves the right to monitor, audit and read transcribed documents as well as the content and usage of the transcription system to support operational, maintenance, auditing, security and investigative services. Dictation and dictation playback must be done in a secure environment that protects the information from being overheard by unauthorized persons. PHI may not be dictated into cellular phones or into public telephones where others can overhear the dictation or into equipment, such as an answering machine. Dictation may be maintained in a recorded voice format only until it has been transcribed and reviewed and must immediately thereafter be erased. Transcription media shall not be reused until it is first erased. After a transcription is completed, it must be authenticated by an identifier assigned by the Privacy Officer.
8. E-mail Confidentiality. PHI should not be sent by e-mail or other electronic transmission unless it conforms to the appropriate encryption standard. The e-mail system and all messages generated or handled by e-mail, including backup copies, are property of Practice. E-mail users have no right to privacy in their use of the computer system, including e-mail. Practice may monitor the content and usage of the computer system, including e-mail, at any time and for any reason. E-mail users should restrict use of the e-mail system to proper business purposes. Any personal e-mail use should be avoided and may result in removal, demotion, suspension, or termination in some circumstances.
9. Electronic Data Confidentiality. Officers, agents, employees, independent contractors, business associates and others using portable data media, including diskettes, tapes, CD-ROMs, portable computers or other electronic data media, may not download, maintain, or transmit confidential patient or other information without the written authorization of the Privacy Officer. Failure to comply with this provision may result in removal, demotion, suspension, or termination in some circumstances.