Please click "Here" for the printable version of this form.
OMNIBUS
Rule
HIPAA
NOTICE OF PRIVACY PRACTICES
for the Healthcare
Facility of:
Name of Facility
: Aurora Orthodontics & TMJ
Address: 14991 E Hampden Ave. Ste. 300 Aurora, CO 80014
THIS NOTICE
DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW
YOU CAN GET ACCESS TO THIS INFORMATION under the HIPAA Omnibus Rule of 2013.
PLEASE REVIEW IT
CAREFULLY
For purposes of this Notice “us” “we” and “our” refers
to the Name of this Healthcare Facility: Aurora
Orthodontics & TMJ and “you” or “your” refers to our patients (or their
legal representatives as determined by us in accordance with state informed
consent law). When you receive healthcare
services from us, we will obtain access to your medical information (i.e. your
health history). We are committed to
maintaining the privacy of your health information and we have implemented
numerous procedures to ensure that we do so.
The Federal Health Insurance Portability &
Accountability Act of 2013, HIPAA Omnibus Rule, (formally HIPAA 1996 & HI
TECH of 2004) require us to maintain the confidentiality of all your healthcare
records and other identifiable patient health information (PHI) used by or
disclosed to us in any form, whether electronic, on paper, or spoken. HIPAA is a Federal Law that gives you
significant new rights to understand and control how your health information is
used. Federal HIPAA Omnibus Rule and
state law provide penalties for covered entities, business associates, and
their subcontractors and records owners, respectively that misuse or improperly
disclose PHI.
Starting April 14, 2003, HIPAA requires us to provide
you with the Notice of our legal duties and the privacy practices we are
required to follow when you first come into our office for health-care
services. If you have any questions
about this Notice, please ask to speak to our HIPAA Privacy Officer.
Our doctors, clinical staff, employees, Business
Associates (outside contractors we hire), their subcontractors and other
involved parties follow the policies and procedures set forth in this
Notice. If at this facility, your
primary caretaker / doctor is unavailable to assist you (i.e. illness, on-call
coverage, vacation, etc.), we may provide you with the name of another
healthcare provider outside our practice for you to consult with. If we do so, that provider will follow the
policies and procedures set forth in this Notice or those established for his
or her practice, so long as they substantially conform to those for our
practice.
OUR RULES ON HOW
WE MAY USE AND DISCLOSE YOUR PROTECTED HEALTH INFORMATION
Under the law, we must have your signature on a
written, dated Consent Form and/or an Authorization Form of Acknowledgement of
this Notice, before we will use or disclose your PHI for certain purposes as
detailed in the rules below.
Documentation – You will be
asked to sign an Authorization / Acknowledgement form when you receive this
Notice of Privacy Practices. If you did
not sign such a form or need a copy of the one you signed, please contact our
Privacy Officer. You may take back or
revoke your consent or authorization at any time (unless we already have acted
based on it) by submitting our Revocation Form in writing to us at our address
listed above. Your revocation will take
effect when we actually receive it. We
cannot give it retroactive effect, so it will not affect any use or disclosure
that occurred in our reliance on your Consent or Authorization prior to
revocation (i.e. if after we provide services to you, you revoke your
authorization / acknowledgement in order to prevent us billing or collecting
for those services, your revocation will have no effect because we relied on
your authorization/ acknowledgement to provide services before you revoked it).
General Rule
– If you do not sign our authorization/ acknowledgement form or if you revoke
it, as a general rule (subject to exceptions described below under “Healthcare
Treatment, Payment and Operations Rule” and “Special Rules”), we cannot in any
manner use or disclose to anyone (excluding you, but including payers and
Business Associates) your PHI or any other information in your medical
record. By law, we are unable to submit
claims to payers under assignment of benefits without your signature on our
authorization/ acknowledgement form. You
will however be able to restrict disclosures to your insurance carrier for services
for which you wish to pay "out of pocket” under the new Omnibus Rule. We will not condition treatment on you
signing an authorization / acknowledgement, but we may be forced to decline you
as a new patient or discontinue you as an active patient if you choose not to
sign the authorization/ acknowledgement or revoke it.
Healthcare
Treatment, Payment and Operations Rule
With your signed consent, we may use or disclose your
PHI in order:
· To provide you with or coordinate healthcare treatment
and services. For example, we may review
your health history form to form a diagnosis and treatment plan, consult with
other doctors about your care, delegate tasks to ancillary staff, call in prescriptions
to your pharmacy, disclose needed information to your family or others so they
may assist you with home care, arrange appointments with other healthcare
providers, schedule lab work for you, etc.
· To bill or collect payment from you, an insurance
company, a managed-care organization, a health benefits plan or another third
party. For example, we may need to
verify your insurance coverage, submit your PHI on claim forms in order to get
reimbursed for our services, obtain pre-treatment estimates or prior
authorizations from your health plan or provide your x-rays because your health
plan requires them for payment; Remember, you will be able to restrict
disclosures to your insurance carrier for services for which you wish to pay
"out of pocket” under this new Omnibus Rule.
· To run our office, assess the quality of care our
patients receive and provide you with customer service. For example, to improve efficiency and reduce
costs associated with missed appointments, we may contact you by telephone,
mail or otherwise remind you of scheduled appointments, we may leave messages
with whomever answers your telephone or email to contact us (but we will not
give out detailed PHI), we may call you by name from the waiting room, we may
ask you to put your name on a sign-in sheet, (we will cover your name just
after checking you in), we may tell you about or recommend health-related
products and complementary or alternative treatments that may interest you, we
may review your PHI to evaluate our staff’s performance, or our Privacy Officer
may review your records to assist you with complaints. If you prefer that we not contact you with
appointment reminders or information about treatment alternatives or
health-related products and services, please notify us in writing at our
address listed above and we will not use or disclose your PHI for these
purposes.
· New HIPAA Omnibus Rule does not require that we
provide the above notice regarding Appointment Reminders, Treatment Information
or Health Benefits, but we are including these as a courtesy so you understand
our business practices with regards to your (PHI) protected health information.
Additionally, you should be made aware of these protection
laws on your behalf, under the new HIPAA Omnibus Rule:
· That Health Insurance plans that underwrite
cannot use or disclose genetic information for underwriting purposes (this
excludes certain long-term care plans). Health plans that post their NOPPs on
their web sites must post these Omnibus Rule changes on their sites by the
effective date of the Omnibus Rule, as well as notify you by US Mail by the
Omnibus Rules effective date. Plans
that do not post their NOPPs on their Web sites must provide you information
about Omnibus Rule changes within 60 days of these federal revisions.
· Psychotherapy Notes maintained by a
healthcare provider, must state in their NOPPs that they can allow “use and disclosure” of such notes only with your
written authorization.
Special Rules
Notwithstanding anything else contained in this
Notice, only in accordance with applicable HIPAA Omnibus Rule, and under
strictly limited circumstances, we may use or disclose your PHI without your
permission, consent or authorization for the following purposes:
· When required under federal, state or local law
· When necessary in emergencies to prevent a serious
threat to your health and safety or the health and safety of other persons
· When necessary for public health reasons (i.e.
prevention or control of disease, injury or disability, reporting information
such as adverse reactions to anesthesia, ineffective or dangerous medications
or products, suspected abuse, neglect or exploitation of children, disabled
adults or the elderly, or domestic violence)
· For federal or state government health-care oversight
activities (i.e. civil rights laws, fraud and abuse investigations, audits,
investigations, inspections, licensure or permitting, government programs, etc.)
· For judicial and administrative proceedings and law
enforcement purposes (i.e. in response to a warrant, subpoena or court order,
by providing PHI to coroners, medical examiners and funeral directors to locate
missing persons, identify deceased persons or determine cause of death)
· For Worker’s Compensation purposes (i.e. we may
disclose your PHI if you have claimed health benefits for a work-related injury
or illness)
· For intelligence, counterintelligence or other
national security purposes (i.e. Veterans Affairs, U.S. military command, other
government authorities or foreign military authorities may require us to
release PHI about you)
· For organ and tissue donation (i.e. if you are an
organ donor, we may release your PHI to organizations that handle organ, eye or
tissue procurement, donation and transplantation)
· For research projects approved by an Institutional
Review Board or a privacy board to ensure confidentiality (i.e. if the
researcher will have access to your PHI because involved in your clinical care,
we will ask you to sign an authorization)
· To create a collection of information that is “de-identified”
(i.e. it does not personally identify you by name, distinguishing marks or
otherwise and no longer can be connected to you)
· To family members, friends and others, but only if you
are present and verbally give permission.
We give you an opportunity to object and if you do not, we reasonably
assume, based on our professional judgment and the surrounding circumstances,
that you do not object (i.e. you bring someone with you into the operatory or
exam room during treatment or into the conference area when we are discussing
your PHI); we reasonably infer that it is in your best interest (i.e. to allow
someone to pick up your records because they knew you were our patient and you
asked them in writing with your signature to do so); or it is an emergency
situation involving you or another person (i.e. your minor child or ward) and,
respectively, you cannot consent to your care because you are incapable of
doing so or you cannot consent to the other person’s care because, after a
reasonable attempt, we have been unable to locate you. In these emergency situations we may, based
on our professional judgment and the surrounding circumstances, determine that
disclosure is in the best interests of you or the other person, in which case
we will disclose PHI, but only as it pertains to the care being provided and we
will notify you of the disclosure as soon as possible after the care is
completed. As per HIPAA law 164.512(j) (i)… (A) Is necessary to prevent or lessen a serious or
imminent threat to the health and safety of a person or the public and (B) Is
to person or persons reasonably able to prevent or lessen that threat.
Minimum
Necessary Rule
Our staff will not use or access your PHI unless it is
necessary to do their jobs (i.e. doctors uninvolved in your care will not
access your PHI; ancillary clinical staff caring for you will not access your
billing information; billing staff will not access your PHI except as needed to
complete the claim form for the latest visit; janitorial staff will not access
your PHI). All of our team members are
trained in HIPAA Privacy rules and sign strict Confidentiality Contracts with
regards to protecting and keeping private your PHI. So are our Business Associates and their
Subcontractors.
Know that your PHI is protected several layers deep with regards to our
business relations. Also, we disclose to
others outside our staff, only as much of your PHI as is necessary to
accomplish the recipient’s lawful purposes.
Still in certain cases, we may use and disclose the entire contents of
your medical record:
· To you (and your legal representatives as stated
above) and anyone else you list on a Consent or Authorization to receive a copy
of your records
· To healthcare providers for treatment purposes (i.e.
making diagnosis and treatment decisions or agreeing with prior recommendations
in the medical record)
· To the U.S. Department of Health and Human Services
(i.e. in connection with a HIPAA complaint)
· To others as required under federal or state law
· To our privacy officer and others as necessary to
resolve your complaint or accomplish your request under HIPAA (i.e. clerks who
copy records need access to your entire medical record)
In accordance with HIPAA law, we presume that requests
for disclosure of PHI from another Covered Entity (as defined in HIPAA) are for
the minimum necessary amount of PHI to accomplish the requestor’s
purpose. Our Privacy Officer will
individually review unusual or non-recurring requests for PHI to determine the minimum
necessary amount of PHI and disclose only that. For non-routine requests or disclosures, our
Privacy Officer will make a minimum necessary determination based on,
but not limited to, the following factors:
· The amount of information being disclosed
· The number of individuals or entities to whom the
information is being disclosed
· The importance of the use or disclosure
· The likelihood of further disclosure
· Whether the same result could be achieved with
de-identified information
· The technology available to protect confidentiality of
the information
· The cost to implement administrative, technical and
security procedures to protect confidentiality
If we believe that a request from others for
disclosure of your entire medical record is unnecessary, we will ask the
requestor to document why this is needed, retain that documentation and make it
available to you upon request.
Incidental
Disclosure Rule
We will take reasonable administrative, technical and
security safeguards to ensure the privacy of your PHI when we use or disclose
it (i.e. we shred all paper containing PHI, require employees to speak with
privacy precautions when discussing PHI with you, we use computer passwords and
change them periodically (i.e. when an employee leaves us), we use firewall and
router protection to the federal standard, we back up our PHI data off-site and
encrypted to federal standard, we do not allow unauthorized access to areas
where PHI is stored or filed and/or we
have any unsupervised business associates sign Business Associate
Confidentiality Agreements).
However, in the event that there is a breach in
protecting your PHI, we will follow Federal Guide Lines to HIPAA Omnibus Rule
Standard to first evaluate the breach situation using the Omnibus Rule, 4-Factor
Formula for Breach Assessment. Then we
will document the situation, retain copies of the situation on file, and report
all breaches (other than low probability as prescribed by the Omnibus Rule) to
the US Department of Health and Human Services at:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
We will also make proper notification to you and any
other parties of significance as required by HIPAA Law.
Business
Associate Rule
Business Associates are defined as: an entity, (non-employee) that in the course
of their work will directly / indirectly use, transmit, view, transport, hear,
interpret, process or offer PHI for this Facility.
Business Associates and other third parties (if any)
that receive your PHI from us will be prohibited from re-disclosing it unless
required to do so by law or you give prior express written consent to the
re-disclosure. Nothing in our Business
Associate agreement will allow our Business Associate to violate this
re-disclosure prohibition. Under Omnibus
Rule, Business Associates will sign a strict confidentiality agreement binding
them to keep your PHI protected and report any compromise of such information
to us, you and the United States Department of Health and Human Services, as
well as other required entities. Our
Business Associates will also follow Omnibus Rule and have any of their
Subcontractors that may directly or indirectly have contact with your PHI, sign
Confidentiality Agreements to Federal Omnibus Standard.
Super-confidential
Information Rule
If we have PHI about you regarding communicable
diseases, disease testing, alcohol or substance abuse diagnosis and treatment,
or psychotherapy and mental health records (super-confidential information
under the law), we will not disclose it under the General or Healthcare
Treatment, Payment and Operations Rules (see above) without your first signing
and properly completing our Consent form (i.e. you specifically must initial
the type of super-confidential information we are allowed to disclose). If you do not specifically authorize
disclosure by initialing the super-confidential information, we will not
disclose it unless authorized under the Special Rules (see above) (i.e. we are
required by law to disclose it). If we
disclose super-confidential information (either because you have initialed the
consent form or the Special Rules authorizing us to do so), we will comply with
state and federal law that requires us to warn the recipient in writing that
re-disclosure is prohibited.
Changes to
Privacy Policies Rule
We reserve the right to change our privacy practices
(by changing the terms of this Notice) at any time as authorized by law. The changes will be effective immediately
upon us making them. They will apply to
all PHI we create or receive in the future, as well as to all PHI created or
received by us in the past (i.e. to PHI about you that we had before the
changes took effect). If we make
changes, we will post the changed Notice, along with its effective date, in our
office and on our website. Also, upon
request, you will be given a copy of our current Notice.
Authorization
Rule
We will not use or disclose your PHI for any purpose
or to any person other than as stated in the rules above without your signature
on our specifically worded, written Authorization / Acknowledgement Form (not a
Consent or an Acknowledgement). If we
need your Authorization, we must obtain it via a specific Authorization Form,
which may be separate from any Authorization / Acknowledgement we may have
obtained from you. We will not condition
your treatment here on whether you sign the Authorization (or not).
Marketing and
Fund Raising Rules
Limitations on
the disclosure of PHI regarding Remuneration
The disclosure or sale of your PHI without
authorization is prohibited. Under the
new HIPAA Omnibus Rule, this would exclude disclosures for public health
purposes, for treatment / payment for healthcare, for the sale, transfer,
merger, or consolidation of all or part of this facility and for related due
diligence, to any of our Business Associates, in connection with the business
associate's performance of activities for this facility, to a patient or
beneficiary upon request, and as required by law. In addition, the disclosure
of your PHI for research purposes or for any other purpose permitted by HIPAA
will not be considered a prohibited disclosure if the only reimbursement
received is “a reasonable, cost-based fee” to cover the cost to prepare and
transmit your PHI which would be expressly permitted by law. Notably, under the Omnibus Rule, an
authorization to disclose PHI must state that the disclosure will
result in remuneration to the Covered Entity. Notwithstanding the changes in
the Omnibus Rule, the disclosure of limited data sets (a form of PHI with a
number of identifiers removed in accordance with specific HIPAA requirements)
for remuneration pursuant to existing agreements is permissible until September
22, 2014, so long as the agreement is not modified within one year before that
date.
Limitation on
the Use of PHI for Paid Marketing
We will, in accordance with Federal and State Laws,
obtain your written authorization to use or disclose your PHI for marketing
purposes, (i.e.: to use your photo in ads) but not for activities that
constitute treatment or healthcare operations.
To clarify, Marketing is defined by HIPAA’s Omnibus Rule,
as "a communication about a product or service that encourages recipients
. . . to purchase or use the product or service." Under the Omnibus Rule, we will obtain a
written authorization from you prior to recommending you to an alternative
therapist, or non-associated Healthcare Covered Entity.
Under Omnibus Rule we will obtain your written
authorization prior to using your PHI or
making any treatment or healthcare recommendations, should financial
remuneration for making the communication be involved from a third party whose
product or service we might promote (i.e.: businesses offering this facility
incentives to promote their products or services to you). This will also apply to our Business
Associate who may receive such remuneration for making a treatment or healthcare
recommendations to you. All such
recommendations will be limited without your expressed written permission.
We must clarify to you that financial remuneration
does not include “as in-kind payments” and payments for a purpose to implement
a disease management program. Any
promotional gifts of nominal value are not subject to the authorization
requirement, and we will abide by the set terms of the law to accept or reject
these.
The only exclusion to this would include: "refill reminders", so long as the
remuneration for making such a communication is "reasonably related to our
cost" for making such a communication. In accordance with law, this
facility and our Business Associates will only ever seek reimbursement from you
for permissible costs that include:
labor, supplies, and postage. Please note that “generic equivalents” ,
“adherence to take medication as directed” and “self-administered drug or
delivery system communications” are all
considered to be "refill reminders."
Face-to-face marketing communications, such as sharing
with you, a written product brochure or pamphlet, is permissible under current
HIPAA Law.
Flexibility on
the Use of PHI for Fundraising
Under the HIPAA Omnibus Rule use of PHI is more
flexible and does not require your authorization should we choose to include
you in any fund raising efforts attempted at this facility? However, we will offer the opportunity for
you to “opt out” of receiving future fundraising communications. Simply let us
know that you want to “opt out” of such situations. There will be a statement on your HIPAA
Patient Acknowledgement Form where you can choose to “opt out”. Our commitment to care and treat you will in
no way effect your decision to participate or not participate in our fund
raising efforts.
Improvements to
Requirements for Authorizations Related to Research
Under HIPAA Omnibus Rule, we may seek authorizations
from you for the use of your PHI for future research. However, we would have to make clear what
those uses are in detail.
Also, if we request of you a compound authorization
with regards to research, this facility would clarify that when a compound
authorization is used, and research-related treatment is conditioned upon your
authorization, the compound authorization will differentiate between the
conditioned and unconditioned components.
YOUR RIGHTS
REGARDING YOUR PROTECTED HEALTH INFORMATION
If you got this Notice via email or website, you have
the right to get, at any time, a paper copy by asking our Privacy Officer. Also, you have the following additional
rights regarding PHI we maintain about you:
To Inspect and
Copy
You have the right to see and get a copy of your PHI
including, but not limited to, medical and billing records by submitting a
written request to our Privacy Officer.
Original records will not leave the premises, will be available for
inspection only during our regular business hours, and only if our Privacy
Officer is present at all times. You may
ask us to give you the copies in a format other than photocopies (and we will do
so unless we determine that it is impractical) or ask us to prepare a summary
in lieu of the copies. We may charge you
a fee not to exceed state law to recover our costs (including postage,
supplies, and staff time as applicable, but excluding staff time for search and
retrieval) to duplicate or summarize your PHI.
We will not condition release of the copies on summary of payment of
your outstanding balance for professional services if you have one). We will comply with Federal Law to provide
your PHI in an electronic format within the 30 days, to Federal specification,
when you provide us with proper written request. Paper copy will also be made available. We will respond to requests in a timely
manner, without delay for legal review, or, in less than thirty days if
submitted in writing, and in ten business days or less if malpractice
litigation or pre-suit production is involved.
We may deny your request in certain limited circumstances (i.e. we do
not have the PHI, it came from a confidential source, etc.). If we deny your request, you may ask for a
review of that decision. If required by
law, we will select a licensed health-care professional (other than the person
who denied your request initially) to review the denial and we will follow his
or her decision. If we select a licensed
healthcare professional who is not affiliated with us, we will ensure a
Business Associate Agreement is executed that prevents re-disclosure of your PHI
without your consent by that outside professional.
To Request
Amendment / Correction
If another doctor involved in your care tells us in
writing to change your PHI, we will do so as expeditiously as possible upon
receipt of the changes and will send you written confirmation that we have made
the changes. If you think PHI we have
about you is incorrect, or that something important is missing from your
records, you may ask us to amend or correct it (so long as we have it) by
submitting a “Request for Amendment / Correction” form to our Privacy
Officer. We will act on your request
within 30 days from receipt, but we may extend
our response time (within the 30-day period) no more than once and by no more
than 30 days, or as per Federal Law allowances, in which case we will notify
you in writing why and when we will be able to respond. If we grant your request, we will let you
know within five business days, make the changes by noting (not deleting) what
is incorrect or incomplete and adding to it the changed language, and send the
changes within 5 business days to persons you ask us to and persons we know may
rely on incorrect or incomplete PHI to your detriment (or already have). We may deny your request under certain
circumstances (i.e. it is not in writing, it does not give a reason why you
want the change, we did not create the PHI you want changed (and the entity
that did can be contacted), it was compiled for use in litigation, or we
determine it is accurate and complete).
If we deny your request, we will (in writing within 5 business days)
tell you why and how to file a complaint with us if you disagree, that you may
submit a written disagreement with our denial (and we may submit a written
rebuttal and give you a copy of it), that you may ask us to disclose your
initial request and our denial when we make future disclosure of PHI pertaining
to your request, and that you may complain to us and the U.S. Department of
Health and Human Services.
To an Accounting
of Disclosures
You may ask us for a list of those who got your PHI
from us by submitting a “Request for Accounting of Disclosures” form to
us. The list will not cover some
disclosures (i.e. PHI given to you, given to your legal representative, given
to others for treatment, payment or health-care-operations purposes). Your request must state in what form you want
the list (i.e. paper or electronically) and the time period you want us to
cover, which may be up to but not more than the last six years (excluding dates
before April 14, 2003). If you ask us
for this list more than once in a 12-month period, we may charge you a
reasonable, cost-based fee to respond, in which case we will tell you the cost
before we incur it and let you choose if you want to withdraw or modify your
request to avoid the cost.
To Request
Restrictions
You may ask us to limit how your PHI is used and
disclosed (i.e. in addition to our rules as set forth in this Notice) by
submitting a written “Request for Restrictions on Use, Disclosure” form
to us (i.e. you may not want us to disclose your surgery to family members or
friends involved in paying for our services or providing your home care). If we agree to these additional limitations,
we will follow them except in an emergency where we will not have time to check
for limitations. Also, in some
circumstances we may be unable to grant your request (i.e. we are required by
law to use or disclose your PHI in a manner that you want restricted, you
signed an Authorization Form, which you may revoke, that allows us to use or
disclose your PHI in the manner you want restricted; in an emergency).
To Request
Alternative Communications
You may ask us to communicate with you in a different
way or at a different place by submitting a written “Request for Alternative
Communication” Form to us. We will
not ask you why and we will accommodate all reasonable requests (which may
include: to send appointment reminders in closed envelopes rather than by
postcards, to send your PHI to a post office box instead of your home address,
to communicate with you at a telephone number other than your home
number). You must tell us the
alternative means or location you want us to use and explain to our
satisfaction how payment to us will be made if we communicate with you as you
request.
To Complain or
Get More Information
We will follow our rules as set forth in this
Notice. If you want more information or
if you believe your privacy rights have been violated (i.e. you disagree with a
decision of ours about inspection / copying, amendment / correction, accounting
of disclosures, restrictions or alternative communications), we want to make it
right. We never will penalize you for
filing a complaint. To do so, please
file a formal, written complaint within 180 days with:
The U.S. Department of Health & Human Services
Office of Civil Rights
200 Independence Ave., S.W.
Washington, DC
20201
877.696.6775
Or, submit a written Complaint form to us at the
following address:
Our
Privacy Officer: Trish Westin
Office
Name: Aurora Orthodontics & TMJ
Office
Address: 14991 E Hampden Ave. Ste. 300
Aurora, CO 80014
Office
Phone: 303-690-0100
Office
Fax: 720-881-7406
Email
Address: [email protected]
You may get your “HIPAA Complaint” form by
calling our privacy officer.
These privacy practices are in accordance with the
original HIPAA enforcement effective April 14, 2003, and undated to Omnibus
Rule effective March 26, 2013 and will remain in effect until we replace them
as specified by Federal and/or State Law.
OPTIONAL RULES
FOR NOPP
Faxing and
Emailing Rule
When you request us to fax or email your PHI as an
alternative communication, we may agree to do so, but only after having our
Privacy Officer or treating doctor review that request. For this communication, our Privacy Officer
will confirm that the fax number or email address is correct before sending the
message and ensure that the intended recipient has sole access to the fax
machine or computer before sending the message; confirm receipt, locate our fax
machine or computer in a secure location so unauthorized access and viewing is
prevented; use a fax cover sheet so the PHI is not the first page to print out
(because unauthorized persons may view the top page); and attach an appropriate
notice to the message. Our emails are
all encrypted per Federal Standard for your protection.
Practice
Transition Rule
If we sell our practice, our patient records
(including but not limited to your PHI) may be disclosed and physical custody
may be transferred to the purchasing healthcare provider, but only in
accordance with the law. The healthcare
provider who is the new records owner will be solely responsible for ensuring
privacy of your PHI after the transfer and you agree that we will have no
responsibility for (or duty associated with) transferred records. If all the owners of our practice die, our
patient records (including but not limited to your PHI) must be transferred to
another healthcare provider within 90 days to comply with State & Federal
Laws. Before we transfer records in
either of these two situations, our Privacy Officer will obtain a Business
Associate Agreement from the purchaser
and review your PHI for super-confidential information (i.e. communicable
disease records), which will not be
transferred without your express written authorization (indicated by your
initials on our Consent form).
Inactive Patient
Records
We will retain your records for seven years from your
last treatment or examination, at which point you will become an inactive
patient in our practice and we may destroy your records at that time (but
records of inactive minor patients will not be destroyed before the child’s eighteenth
birthday). We will do so only in
accordance with the law (i.e. in a confidential manner, with a Business
Associate Agreement prohibiting re-disclosure if necessary).
Collections
If we use or disclose your PHI for collections
purposes, we will do so only in accordance with the law.
HIPAA
made EASY™
©All Rights Reserved
|
|
|