HIPAA
Repsher & Associates Physical Therapy
NOTICE OF PRIVACY PRACTICES
Effective Date: September 2013
THIS NOTICE DISCLOSES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW CAREFULLY.
We are required by law to protect the privacy of health information that may reveal your identity, and to provide you with a copy of this notice which describes the health information privacy practices of our office, its medical staff and affiliated medical providers that jointly provide health care services with our office. You will also be able to obtain your own copy by accessing our website at www.repsherphysicaltherapy.com, calling our office at 518-489-2524 or asking for one at the time of your next visit.
If you have any questions about this notice or would like further information, please contact the Privacy Officer at 518-489-2524.
WHO WILL FOLLOW THIS NOTICE?
Repsher & Associates Physical Therapy provides health care to patients jointly with physicians and other health care professionals and organizations. The privacy practices described in this notice will be followed by:
Any health care professional who treats you;
All employees, medical staff, trainees, students or volunteers;
Any business associates of our office (which are described further below)
PERMISSIONS DESCRIBED IN THIS NOTICE
This notice will explain the different types of permission we will obtain from you before we use or disclose your health information for a variety of purposes. The three types of permissions referred to in this notice are:
A “general written consent,” which we must obtain from you in order to use and disclose your health information in order to treat you, obtain payment for that treatment and conduct our business operations. We must obtain this general written consent the first time we provide you with treatment or services. This general written consent is a broad permission that does not have to be repeated each time we provide treatment or services.
An “opportunity to object,” which we must provide to you before we may use or disclose your health information for certain purposes. In these situations, you will have an opportunity to object to the use or disclosure of your health information in person, over the phone or in writing.
A “written authorization,” which will provide you with detailed information about the persons who may receive your health information and the specific purposes for which your health information may be used or disclosed. We are only permitted to use and disclose your health information described on the written authorization in ways that are explain on the written authorization form you have signed. A written authorization will have an expiration date.
IMPORTANT SUMMARY INFORMATION
Requirement For Written Authorization. We will generally obtain your written authorization before using your health information or sharing it with others outside the office. You may also initiate the transfer of your records to another person by completing a written authorization form. If you provide us with a written authorization you may revoke that written authorization at any time, extent that we have already relied upon it. To revoke a written authorization, please write to the Privacy Office.
Exceptions To Written Authorization Requirement. There are some situations when we do not need your written authorization before using your health information or sharing it with others. They are:
Exception For Treatment, Payment, And Business Operations. We only obtain your general written consent one time to use and disclose your health information to treat your condition, collect payment for that treatment, or run our business operations. In some cases, we also may disclose your health information to another health care provider, see “Treatment, Payment and Business Operations.”
Exception For Patient Directory And Disclosure To Family And Friends Involved In Your Care. We will ask you whether you have any objection to including information about you in our Patient Directory or sharing information about your health with your family or friends involved in your care. For more information see “Patient Directory/ Family And Friends.”
Exception In Emergencies Or Public Need. We may use or disclose your health information in a emergency or for important public needs. For example, we may share your information with public health officials at the New York State or County health departments who are authorized to investigate and control the spread of diseases. For more examples see “See Emergencies or Public Need.”
Exception If Information Is Completely Or Partially De-Identified. We may use or disclose your health information if we have removed any information that might identify you so that the health information is “completely de-identified” information, if the person who will receive the information agrees in writing to protect the privacy of the information. For more information , please see “Completely De-Identified or Partially De-Identified Information.”
How To Access Your Health Information. You generally have the right to inspect and copy your health information. For more information please see “Your Rights To Access And Control Your Health Information.”
How To Correct Your Health Information. You have the right to request that we amend your health information if you believe it is inaccurate or incomplete. For more information please see “Right To Amend Records.”
How To Identify Others Who Have Received Your Health Information. You have the right to receive an “accounting of disclosures,” which identifies certain persons or organizations to whom we have disclosed your health information in accordance with the protections described in this Notice of Privacy Practices. Many routine disclosures we make will not be included in this accounting, but the accounting will identify many non-routine disclosures of your information. For more information, please see “Right To An Accounting of Disclosures.”
How To Request Additional Privacy Protections. You have the right to request further restrictions on the way we use your health information or share it with others. We are not required to agree to the restriction, but if we do, we will be bound by our agreement. For more information, please see “Right To Request Additional Privacy Protections.”
How To Request More Confidential Communications. You have the right to request that we contact you in a way that is more confidential for you, such as at home instead of at work. We will try to accommodate all reasonable requests. For more information, please see “Right to Request Confidential Communications.”
How Someone May Act On Your Behalf. You have the right to name a personal representative who may act on your behalf to control the privacy of your health information. Parents and guardians will generally have the right to control the privacy of health information about minors unless the minors are permitted by law to act on their own behalf.
How To Learn About Special Protections For HIV, Alcohol And Substance Abuse, Mental Health And Genetic Information. Special privacy protections apply to HIV-related information, alcohol and substance abuse treatment information, mental health information and genetic information. If you would like more information about these special protections, please contact the Privacy Office.
How To Obtain A Copy Of This Notice. You have the right to a paper copy of this notice. You may request a paper copy at any time, even if you have previously agreed to receive this notice electronically. To do so, please call the Privacy Office at 518-489-2524. You may also obtain a copy of this notice from our website at www.repsherphysicaltherapy.com or by requesting a copy at your next visit.
How To Obtain A Copy Of Revised Notice. We may change our privacy practices from time to time. If we do, we will revise this notice so you will have an accurate summary of our practices. The revised notice will apply to all of your health information. We will post any revised notice in our office reception area. You will also be able to obtain your own copy of the revised notice by accessing our website www.repsherphysicaltherapy.com or calling our office at 518-489-2524, or by asking for one at the time of your next visit. The effective date of the notice will always be noted in the top of the right hand corner of the first page. We are required to abide by the terms of the notice that is currently in effect.
How To File A Complaint. If you believe your privacy rights have been violated, you may file a complaint with us or with the Secretary of the Department of Health and Human Services. To file a complaint with us please contact the Privacy Office at 121 Everett Rd. Albany, NY 12205 or 518-489-2524. No one will retaliate or take action against you for filing a complaint.
WHAT HEALTH INFORMATION IS PROTECTED
We are committed to protecting the privacy of information we gather about you while providing health-related services. Some examples of protected health information are:
Information indicating that you are a patient at our office or receiving treatment or other health-related services from our office;
Information about your health condition (such as a disease you may have);
Information about health care products or services you have received or may receive in the future (such as an operation); or
Information about your health care benefits under an insurance plan (such as whether a prescription is covered);
when combined with:
Demographic information (such as your name, address, or insurance status);
Unique numbers that may identify you (such as your social security number, your phone number, or your driver’s license number); and
Other types of information that may identify who you are.
HOW WE MAY USE AND DISCLOSE YOUR HEALTH INFORMATION
1. Treatment, Payment And Business Operations
With your general written consent, we may use your health information or share it with others in order to treat your condition, obtain payment for that treatment, and run our business operations. In some cases, we may also disclose your health information for payment activities and certain business operations of another health care provider or payor. Below are further examples of how your information may be used and disclosed for these purposes.
Treatment. We may share your health information with doctors or nurses who are involved in taking care of you, and they may in turn use that information to diagnose or treat you. A therapist at our office may share your health information with another therapist inside our office, to determine how to diagnose or treat you. Your doctor may also share your health information with another doctor whom you have been referred for further health care.
Payment. We may use your health information or share it with others so that we may obtain payment for your health care services. For example, we may share information about you with your health insurance company in order to obtain reimbursement after we treated you, or to determine whether it will cover your treatment. We might also need to inform your health insurance company about your health condition in order to obtain pre-approval for your treatment, such as admitting you to the hospital for a particular type of surgery. Finally, we may share your information with other health care providers and payors for their payment activities.
Business Operations. We may use your health information or share it with others in order to conduct our business operations. For example, we may use your health information to evaluate the performance of our staff in caring for you or to educate staff on how to improve the care they provide you. Finally, we may share your information with other health care providers and payors for certain of their business operations if the information is related to a relationship the provider or payor currently has or previously had with you, and if the provider or payor is required by federal law to protect the privacy of your health information.
Appointment Reminders, Treatment Alternatives, Benefits And Services. In the course of providing treatment to you, we may use your health information to contact you with a reminder that you have an appointment for treatment or services at our facility. We may also use your health information in order to recommend possible treatment alternatives or health-related benefits and services that may be of interest to you.
Fundraising. To support our business operations, we may use demographic information about you, including information about your age and gender, where you live or work, and the dates that you received treatment, in order to contact you to raise money to help us operate. We may also share this information with a charitable foundation that will contact you to raise money on our behalf.
Business Associates. We may disclose your health information to contractors, subcontractors, agents and other business associates who need the information in order to assist us with obtaining payment or carrying out our business operations. (i.e. patient safety organizations, health information organizations, e-prescribing gateways, and document storage entities that have PHI [Protected Health Information]; and entities that offer personal health records to patients on behalf of a covered entity as “business associates”). For example, we may share your health information with a billing company that helps us to obtain payment from your insurance company. Another example is that we may share your health information with an accounting firm or law firm that provides professional advice to us about how to improve our health care services and comply with the law. If we do disclose your health information to a business associate, we will have a written contract to ensure that our business associate also protects the privacy of your health information.
We can do all of these things if you have signed a general written consent form. Once you sign this general written consent form, it will be in effect indefinitely until you revoke your general written consent. You may revoke your general written consent at any time, except to the extent that we have already relied upon it. For example, if we provide you with treatment before you revoke your general written consent, we may still share your health information with your insurance company in order to obtain payment for that treatment. To revoke your general written consent please write to the Privacy Office at 518-489-2524.
1. Patient Directory/Family And Friends
We may use your health information in, and disclose it from, our Patient Directory, or share it with family and friends involved in your care, without your written authorization. We will always give you an opportunity to object unless there is insufficient time because of medical emergency (in which case we will discuss your preferences with you as the emergency is over). We will follow your wishes unless we are required by law to do otherwise.
Patient Directory. If you do not object, we will include your name, your location in our facility, your general condition (e.g., fair, stable, critical, etc.) and your religious affiliation in our Patient Directory while you are a patient in the office listed at the beginning of this notice. This directory information, except for your religious affiliation, may be released to people who ask for you by name. Your religious affiliation may be given to a member of the clergy, such as a priest or rabbi, even if he or she doesn’t ask for you by name.
Family And Friends Involved In Your Care. If you do not object, we may share your health information with a family member, relative, or close personal friend who is involved in your care or payment for that care. We may also notify a family member, personal representative or another person responsible for your care about your location and general condition here at the office, or about the unfortunate event of your death. In some cases, we may need to share your information with a disaster relief organization that will help us notify these persons.
1. Emergency Or Public Need
We may use your health information and share it with others in order to treat you in an emergency or to meet important public needs. We will not be required to obtain your general written consent before using or disclosing your information for these reasons. We will, however, obtain your written authorization in these situations when state law specifically requires that we do so.
Emergencies. We may use or disclose your health information if you need emergency treatment or if we are required by law to treat you but are unable to obtain your general written consent. If this happens, we will try to obtain your general written consent as soon as we reasonably can, after we treat you.
Communication Barriers. We may use and disclose your health information if we are unable to obtain your general written consent because of substantial communication barriers, and we believe you would want us to treat you if we could communicate with you.
As Required By Law. We may use or disclose your health information if we are required by law to do so. We also will notify you of these uses and disclosures if notice is required by law.
Public Health Activities. We may disclose your health information to authorized public health officials (or a foreign government agency collaborating with such officials) so they may carry out their public health activities. For example, we may share your health information with government officials that are responsible for controlling disease, injury or disability. We may also disclose your health information about you to your employer if your employer hires us to provide you with a physical exam and we discover that you have a work-related injury or disease that your employer must know about in order to comply with employment laws.
Victims Of Abuse, Neglect, Or Domestic Violence. We may release your health information to a public health authority that is authorized to receive reports of abuse, neglect or domestic violence. For example, we may report your information to government officials if we reasonably believe that you have been a victim of such abuse, neglect or domestic violence. We will make every effort to obtain your permission before releasing this information, but in some cases we may be required or authorized to act without your permission.
Health Oversight Activities. We may release your health information to government agencies authorized to conduct audits, investigations, and inspections of our facility. These government agencies monitor the operation of the health care system, government benefit programs such as Medicare and Medicaid, and compliance with government regulatory programs and civil rights laws.
Product Monitoring, Repair And Recall. We may disclose your health information to a person or company that is regulated by the Food and Drug Administration for the purpose of: (1) reporting or tracking product defects or problems; (2) repairing, replacing or recalling defective or dangerous products; or (3) monitoring the performance of a product after it has been approved for use by the general public.
Lawsuits And Disputes. We may disclose your health information if we are ordered to do so by a court or administrative tribunal that is handling a lawsuit or other dispute.
Law Enforcement. We may disclose your health information to law enforcement officials for the following reasons:
To comply with court orders or laws that we are required to follow;
To assist law enforcement officers with identifying or locating a suspect, fugitive, witness or missing persons;
If you have been the victim of a crime and we determine that: (1) we have been unable to obtain your general written consent because
of an emergency or your incapacity; (2) enforcement officials need this information immediately to carry out their law enforcement
duties; and (3) in our professional judgment disclosure to these officers is in your best interest;
If we suspect that your death resulted from criminal conduct;
If necessary to report a crime that occurred on our property; or
If necessary to report a crime discovered during an offsite medical emergency (for example, by emergency medical technicians at the scene of a crime).
To Avert A Serious And Imminent Threat To Health Or Safety. We may use your health information or share it with others when necessary to prevent a serious and imminent threat you your health or safety, or the health or safety of another person or the public. In such cases, we will only share information with someone able to help prevent the threat. We may also disclose your health information to law enforcement officers if you tell us that you participated in a violent crime that may have caused serious physical harm to another person (unless you admitted that fact while counseling), or if we determine that you escaped from a lawful custody (such as a prison or mental institution).
National Security And Intelligence Activities Or Protective Services. We may disclose your health information to authorized federal officials who are conducting national security and intelligence activities or providing protective services to the President or important officials.
Military And Veterans. If you are in the Armed Forces, we may disclose health information about you to appropriate military command authorities for activities they deem necessary to carry out their military mission. We may also release health information about foreign military personnel to the appropriate foreign military authority.
Inmates And Correctional Institutions. If you are an inmate or you are detained by a law enforcement officer, we may disclose your health information to the prison officers or law enforcement officers if necessary to provide you with health care, or to maintain safety, security and good order at the place where you are confined. This includes sharing information that is necessary to protect the health and safety of other inmates or persons involved in supervising or transporting inmates.
Workers’ Compensation. We may disclose your health information for workers’ compensation or similar programs that provide benefits for work-related injuries.
Coroners, Medical Examiners and Funeral Directors. In the unfortunate event of your death, we may disclose your health information to a coroner or medical examiner. This may be necessary, for example, to determine the cause of death. We may also release this information to funeral directors as necessary to carry out their duties.
Organ And Tissue Donation. In the unfortunate event of your death, we may disclose your health information to organizations that procure or store organs, eyes or other tissues so that these organizations may investigate whether donation or transplantation is possible under applicable laws.
Research. In most cases, we will ask for your written authorization before using your health information or sharing it with other in order to conduct research. However, under some circumstances, we may use and disclose your health information without your written authorization if we obtain approval through a special process to ensure that research without your written authorization poses a minimal risk to your privacy. Under no circumstances, however, would we allow researchers to use your name or identity publicly. We may also release your health information without your written authorization to people who are preparing a future research project, so long as any information identifying you does not leave our facility. In the unfortunate event of death, we may share your health information of deceased persons as long as they agree not to remove from our facility any information that identifies you.
1. Completely De-identified Or Partially De-identified Information.
We may use and disclose your health information if we have removed any information that has the potential to identify you so that the health information is “completely de-identified.” We may also use and disclose “partially de-identified” health information about you if the person who will receive the information signs an agreement to protect the privacy of the information as required by federal and state law. Partially de-identified health information will not contain any information that would directly identify you (such as your name, street address, social security number, phone number, fax number, electronic mailing address, website address, or license number).
1. Incidental Disclosures.
While we will take reasonable steps to safeguard the privacy of your health information, certain disclosures of your health information may occur during or as an unavoidable result of our otherwise permissible uses or disclosures of your health information. For example, during the course of your treatment session, other patients in the treatment area may see, or overhear discussion of, your health information.
YOUR RIGHTS TO ACCESS AND CONTROL YOUR HEALTH INFORMATION
We want you to know that you have the following rights to access and control your health information. These rights are important because they will help you make sure that the health information we have about you is accurate. They may also help you control the way we use your medical information and share it with others, or the way we communicate with you about you medical matters.
1. Right To Inspect And Copy Records
You have the right to inspect and obtain a copy of any health information that may be used to make decisions about you and your treatment for as long as we maintain this information in our records. This includes medical and billing records. To inspect or obtain a copy of your health information, please submit your request in writing to Clinical Information Center. If you request a copy of the information, we may charge a fee for the cost of copying, mailing, or other supplies we use to fulfill your request. The standard fee is $0.75 per page and must generally be paid before or at the time we give copies to you. Providers complying with a patient’s request for an electronic copy of his or her PHI are required to provide access to such records in the electronic format requested by the patient if the records are maintained by the provider in an electronic designated record set and are readily producible in the requested format. There has been no change to the rules regarding whether a provider is required to grant access to a patient’s medical records.
We will respond to your request for inspection within 10 days. We ordinarily will respond to requests for copies within 30 days if the information is located in our facility and within 60 days if it is located off-site at another facility. If we need additional time to respond to a request for copies, we will notify you in writing within the time frame above to explain the reason for the delay and when you can expect to have a final answer to your request.
Under certain very limited circumstances, we may deny your request to inspect or obtain a copy of your information. If we do, we will provide you with a summary of the information instead. We will also provide a written notice that explains our reasons for providing only a summary, and a complete description of your rights. The notice will also include information on how to file a complaint about these issues with us or with the Secretary of the Department of Health and Human Services. If we have reason to deny only part of your request, we will provide complete access to the remaining parts after excluding the information we cannot let you inspect or copy.
1. Right To Amend Records
If you believe that the health information we have about you is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept in our records. To request an amendment, please write to the Clinical Information Center. Your request should include the reasons why you think we should make the amendment. Ordinarily we will respond to your request within 60 days. If we need additional time to respond, we will notify you in writing within 60 days to explain the reason for the delay and when you can expect to have a final answer to your request.
If we deny part or all of you request, we will provide a written notice that explains our reasons for doing so. You will have the right to have certain information related to your requested amendment included in you records. For example, if you disagree with our decision, you will have an opportunity to submit a statement explaining your disagreement which we will include in your records. We will also include information on how to file a complaint with us or with the Secretary of the Department of Health and Human Services. These procedures will be explained in more detail in any written denial notice we send you.
1. Right To Limit Disclosures
A provider must comply with a patient’s request that PHI regarding a specific health care item or service not be disclosed to a health plan for purposes of payment or health care operations if the patient paid out-of-pocket, in full for that item or service.
1. Right To An Accounting Of Disclosures
After April 14, 2003, you have the right to request an “accounting of disclosures” which identifies certain other persons or organizations to whom we have disclosed your health information in accordance with applicable law and other protections afforded in the Notice of Privacy Practices. An accounting of disclosures does not describe the ways that your health information has been shared within and between the office and the facilities listed at the beginning of this notice, as long as all other protections described in this Notice of Privacy Practices have been followed (such as obtaining the required approvals before sharing your health information with our therapists for research purposes).
An accounting of disclosures also does not include information about the following disclosures:
Disclosures we made to you or your personal representative;
Disclosures we made pursuant to your written authorization;
Disclosures we made for treatment, payment, or business operations;
Disclosures made from the Patient Directory;
Disclosures made to your family and friends involved in your care or payment for your care;
Disclosures that were made incidental to permissible uses and disclosures of your health information (for example, when information is overheard by another patient passing by);
Disclosures for purposes of research public health or our business operations of limited portions of your health information that do not directly identify you;
Disclosures made to federal officials for national security and intelligence activities;
Disclosures about inmates to correctional institutions or law enforcement officers;
Disclosures made before April 14, 2003.
To request an accounting of disclosures, please write to the Privacy Office. Your request must state a time period within the past six years (but after April 14, 2003) for the disclosures you want us to include. For example, you may request a list of the disclosures that we made between January 1, 2004 and January 1, 2005. You have the right to receive one accounting within every 12 month period for free. However, we may charge you for the cost of providing any additional accounting in that same 12 month period. We will always notify you of any cost involved so that you may choose to withdraw or modify your request before any costs are incurred.
Ordinarily we will respond to your request for accounting within 60 days. If we need additional time to prepare the accounting you have requested, we will notify you in writing about the reason for the delay and the date when you can expect to receive the accounting. In rare cases, we may have to delay providing you with the accounting without notifying you because a law enforcement official or government agency has asked us to do so.
1. Right To Request Additional Privacy Protections
You have the right to request that we further restrict the way we use and disclose your health information to treat your condition, collect payment for that treatment, or run our business operations. You may also request that we limit how we disclose information about you to family or friends involved in your care. For example, you could request that we not disclose information about a surgery you had. To request restrictions, please write to the Privacy Office. Your request should include: (1) what information you want to limit; (2) whether you want to limit how we use the information, how we share it with others, or both; and (3) to whom you want the limits to apply.
We are not required to agree to your request for a restriction, and in some cases the restriction you request may not be permitted under law. However, if we do agree, we will be bound by our agreement unless the information is needed to provide you with emergency treatment or comply with the law. Once we have agreed to a restriction, you have the right to revoke the restriction at any time. Under some circumstances, we will also have the right to revoke the restriction as long as we notify you before doing so; in other cases, we need your permission before we can revoke the restriction.
1. Right To Request Confidential Communications
You have the right to request that we communicate with you about your medical matters in a more confidential way by requesting that we communicate with you by alternative means or at alternative locations. For example, you may ask that we contact you at home instead of at work. To request more confidential communications, please write to the Privacy Office. We will not ask you the reason for your request, and we will try to accommodate all reasonable requests. Please specify in your request how or where you wish to be contacted, and how payment for your health care will be handled if we communicate with you though this alternative method or location.
1. Breach Notifications Requirements
The obligation to notify patients if there is a breach of their PHI is expanded and clarified under the new rules. Breaches are now presumed reportable unless, after completing a risk analysis applying four factors, it is determined, that there is a “low probability of PHI compromise.” The physicians must consider all of the following four factors:
The nature and extent of the HPI involved-issues to be considered include the sensitivity of the information from a financial or clinical
perspective and the likelihood the information can be re-identified;
The person who obtained the unauthorized access and whether that person has an independent obligation to protect the
confidentiality of the information;
Whether the PHI was actually acquired or accessed, determined after conducting a forensic analysis; and
The extent to which the risk has been mitigated, such as by obtaining a signed confidentiality agreement from the recipient.