HIPAA NOTICE OF PRIVACY PRACTICES
501 W. High St.
Ebensburg, PA 15931
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
PLEASE REVIEW IT CAREFULLY
For purposes of this Notice, “us,” “we” and “our” refer to Servello Orthodontics and “you” or “your” refers to our patients (or their legal representatives as determined by us in accordance with state informed consent law). When you receive services from us, we will obtain access to your medical information (i.e. your history). We are committed to maintaining the privacy of your information and we have implemented numerous procedures to ensure that we do so.
State law and the Health Insurance Portability & Accountability Act of 1996 (HIPAA) require us to maintain the confidentiality of all your records and other individually identifiable information used by or disclosed to us in any form, whether electronically, on paper, or orally (“PHI” or “Protected Information”). HIPAA is a federal law that gives you significant new rights to understand and control how your information is used. HIPAA and state law provide penalties for covered entities and records owners, respectively, that misuse or improperly disclose PHI.
Starting April 14, 2003, HIPAA requires us to provide you with the Notice of our legal duties and the privacy practices we are required to follow when you first come into our office for services. If you have any questions about this Notice, please ask to speak to our privacy officer, (insert name) at (insert telephone number and extension, email address, etc.).
Our doctors, clinical staff, Business Associates (outside contractors we hire), employees and other office personnel follow the policies and procedures set forth in this Notice. If your primary doctor/caretaker is unavailable to assist you (i.e. illness, on-call coverage, vacation, etc.), we may provide you with the name of another provider outside our practice for you to consult with. If we do so, that provider will follow the policies and procedures set forth in this notice or those established for his or her practice, so long as they substantially conform to those for our practice.
OUR RULES ON HOW WE MAY USE AND DISCLOSE YOUR PROTECTED INFORMATION
Under the law, we must have your signature on a written, dated Consent form and/or an Authorization form (not an Acknowledgement form) before we will use and disclose your PHI for certain purposes as detailed in the rules below.
General Rule – If you do not sign our Consent form or if you revoke it, as a general rule (subject to exceptions described below under “Treatment, Payment and Operations Rule” and “Special Rules”), we cannot in any manner use or disclose to anyone (excluding you, but including payers and Business Associates) your PHI or any other information in your medical record. By law, we are unable to submit claims to payers under assignment of benefits without your signature on our Consent form. We will not condition treatment on your signing an Authorization, but we may be forced to decline you as a new patient or discontinue you as an active patient if you choose not to sign the Consent or revoke it.
Documentation – You will be asked to sign a Consent / Authorization form when you receive this Notice of Privacy Practices. If you did not sign such a form or need a copy of the one you signed, please contact our Privacy Officer. You may take back or revoke your consent or authorization at any time (unless we already have acted based on it) by submitting our Revocation form in writing to us at our address listed above. Your revocation will take effect when we actually receive it. We cannot give it retroactive effect, so it will not affect any use or disclosure that occurred in our reliance on your Consent or Authorization prior to revocation (i.e. if after we provide services to you, you revoke your authorization or consent in order to prevent us billing or collecting for those services, your revocation will have no effect because we relied on your authorization or consent to provide services before you revoked it).
Treatment, Payment and Operations Rule
With your signed consent, we may use or disclose your PHI in order:
To provide you with or coordinate treatment and services. For example, we may review your history form to form a diagnosis and treatment plan, consult with other doctors about your care, delegate tasks to ancillary staff, call in prescriptions to your pharmacy, disclose needed information to your family or others so they may assist you with home care, arrange appointments with other providers, schedule lab work for you, etc.
To bill or collect payment from you, an insurance company, a managed-care organization, a benefits plan or another third party. For example, we may need to verify your insurance coverage, submit your PHI on claim forms in order to get reimbursed for our services, obtain pre-treatment estimates or prior authorizations from your plan or provide your x-rays because your plan requires them for payment; or
To run our office, assess the quality of care our patients receive and provide you with customer service. For example, to improve efficiency and reduce costs associated with missed appointments, we may contact you by telephone, mail or otherwise remind you of scheduled appointments, we may leave messages with whoever answers your telephone or email to contact us (but we will not give out detailed PHI), we may call you by name from the waiting room, we may ask you to put your name on a sign-in sheet, we may tell you about or recommend health-related products and complementary or alternative treatments that may interest you, we may review your PHI to evaluate our staff’s performance, or our privacy officer may review your records to assist you with complaints. If you prefer that we not contact you with appointment reminders or information about treatment alternatives or health-related products and services, please notify us in writing at our address listed above and we will not use or disclose your PHI for these purposes.
Notwithstanding anything else contained in this Notice, only in accordance with applicable law, and under strictly limited circumstances, we may use or disclose your PHI without your permission, consent or authorization for the following purposes:
When required under federal, state or local law
When necessary in emergencies to prevent a serious threat to your health and safety or the health and safety of other persons
When necessary for public health reasons (i.e. prevention or control of disease, injury or disability, reporting information such as adverse reactions to anesthesia, ineffective or dangerous medications or products, suspected abuse, neglect or exploitation of children, disabled adults or the elderly, or domestic violence)
For federal or state government oversight activities (i.e. civil rights laws, fraud and abuse investigations, audits, investigations, inspections, licensure or permitting, government programs, etc.)
For judicial and administrative proceedings and law enforcement purposes (i.e. in response to a warrant, subpoena or court order, by providing PHI to coroners, medical examiners and funeral directors to locate missing persons, identify deceased persons or determine cause of death)
For workers’ compensation purposes (i.e. we may disclose your PHI if you have claimed benefits for a work-related injury or illness)
For intelligence, counterintelligence or other national security purposes (i.e. Veterans Affairs, U.S. military command, other government authorities or foreign military authorities may require us to release PHI about you)
For organ and tissue donation (i.e. if you are an organ donor, we may release your PHI to organizations that handle organ, eye or tissue procurement, donation and transplantation)
For research projects approved by an Institutional Review Board or a privacy board to ensure confidentiality (i.e. if the researcher will have access to your PHI because he or she is involved in your clinical care, we will ask you to sign an authorization)
To create a collection of information that is “de-identified” (i.e. it does not personally identify you by name, distinguishing marks or otherwise and no longer can be connected to you)
To family members, friends and others, but only if you verbally give permission. We give you an opportunity to object and if you do not, we reasonably assume, based on our professional judgment and the surrounding circumstances, that you do not object (i.e. you bring someone with you into the operatory or exam room during treatment or into the conference area when we are discussing your PHI); we reasonably infer that it is in your best interest (i.e. to allow someone to pick up your records because they knew you were our patient and you asked them in writing with your signature to do so); or it is an emergency situation involving you or another person (i.e. your minor child or ward) and, respectively, you cannot consent to your care because you are incapable of doing so or you cannot consent to the other person’s care because, after a reasonable attempt, we have been unable to locate you. In these emergency situations we may, based on our professional judgment and the surrounding circumstances, determine that disclosure is in the best interests of you or the other person, in which case we will disclose PHI, but only as it pertains to the care being provided and we will notify you of the disclosure as soon as possible after the care is completed.
Minimum Necessary Rule
Our staff will not use or access your PHI unless it is necessary to do their jobs (i.e. doctors uninvolved in your care will not access your PHI; ancillary clinical staff caring for you will not access your billing information; billing staff will not access your PHI except as needed to complete the claim form for the latest visit; janitorial staff will not access your PHI). Also, we disclose to others outside our staff only as much of your PHI as is necessary to accomplish the recipient’s lawful purposes. For example, we may use and disclose the entire contents of your medical record:
To you (and your legal representatives as stated above) and anyone else you list on a Consent or Authorization to receive a copy of your records
To providers for treatment purposes (i.e. making diagnosis and treatment decisions or agreeing with prior recommendations in the medical record)
To the U.S. Department of Health and Human Services (i.e. in connection with a HIPAA complaint)
To others as required under federal or state law
To our privacy officer and others as necessary to resolve your complaint or accomplish your request under HIPAA (i.e. clerks who copy records need access to your entire medical record)
In accordance with the law, we presume that requests for disclosure of PHI from another Covered Entity (as defined in HIPAA) are for the minimum necessary amount of PHI to accomplish the requestor’s purpose. Our Privacy Officer will individually review unusual or non-recurring requests for PHI to determine the minimum necessary amount of PHI and disclose only that. For non-routine requests or disclosures, the Plan’s Privacy Officer will make a minimum necessary determination based on, but not limited to, the following factors:
The amount of information being disclosed
The number of individuals or entities to whom the information is being disclosed
The importance of the use or disclosure
The likelihood of further disclosure
Whether the same result could be achieved with de-identified information
The technology available to protect confidentiality of the information
The cost to implement administrative, technical and security procedures to protect confidentiality
If we believe that a request from others for disclosure of your entire medical record is unnecessary, we will ask the requestor to document why this is needed, retain that documentation and make it available to you upon request.
Incidental Disclosure Rule
We will take reasonable administrative, technical and security safeguards to ensure the privacy of your PHI when we use or disclose it (i.e. we require employees to talk softly when discussing PHI with you, we use computer passwords and change them periodically (i.e. when an employee leaves us), we allow access to areas where PHI is stored or filed only when we are present to supervise and prevent unauthorized access).
Business Associate Rule
Business Associates and other third parties (if any) that receive your PHI from us will be prohibited from re-disclosing it unless required to do so by law or you give prior express written consent to the re-disclosure. Nothing in our Business Associate agreement will allow our Business Associate to violate this re-disclosure prohibition.
Super-confidential Information Rule
If we have PHI about you regarding HIV testing, alcohol or substance abuse diagnosis and treatment, or psychotherapy and mental health records (super-confidential information under the law), we will not disclose it under the General or Treatment, Payment and Operations Rules (see above) without your first signing and properly completing our Consent form (i.e. you specifically must initial the type of super-confidential information we are allowed to disclose). If you do not specifically authorize disclosure by initialing the super-confidential information, we will not disclose it unless authorized under the Special Rules (see above) (i.e. we are required by law to disclose it). If we disclose super-confidential information (either because you have initialed the consent form or the Special Rules authorize us to do so), we will comply with state and federal law that requires us to warn the recipient in writing that re-disclosure is prohibited.
Changes to Privacy Policies Rule
We reserve the right to change our privacy practices (by changing the terms of this Notice) at any time as authorized by law. The changes will be effective immediately upon us making them. They will apply to all PHI we create or receive in the future, as well as to all PHI created or received by us in the past (i.e. to PHI about you that we had before the changes took effect). If we make changes, we will post the changed Notice, along with its effective date, in our office. Also, upon request, you will be given a copy of our current Notice.
We will not use or disclose your PHI for any purpose or to any person other than as stated in the rules above without your signature on a specifically worded, written Authorization form (not a Consent or an Acknowledgement). If we need your Authorization, we must obtain it on a specific Authorization form, which may be separate from any Consent or Acknowledgement we may have obtained from you. We will not condition treatment on whether you sign the Authorization (or not).