What is HIPAA?
Health Information Portability and Accountability Act (HIPAA)
What is HIPAA?
“HIPAA” is the acronym for the federal legislation titled Health Insurance Portability and Accountability Act of 1996.
HIPAA was designed to protect patients from disclosure of protected health information (PHI) that is oral, written, or electronic. Patients must be informed of their rights with their PHI, authorize release of information, have the right to see and amend their medical record, and be informed of what is released. HIPAA has been implemented at the Center since April 14, 2003.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. According to the Centers for Medicare and Medicaid Services (CMS) website, Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. These provisions work to assure confidential patient information and safeguard against inappropriatte disclosure (s).
The Administration Simplification provisions also focuses on the security and privacy of health data. The standards are meant to increase the efficiency and effectiveness of the nation's health care system by encouraging the wide usage of electronic data interchange in the U.S. health care (Wikepedia 2009).
Why does the Center have to comply with HIPAA?
As health care providers it is the Centers duty and due diligence to protect patient’s health information and assure that their health information is only released in appropriate circumstances and to solely authorized (designated) individuals.
What approaches has the Mary M. Gooley Hemophilia Center taken to ensure compliance with HIPAA?
- Designation of a Privacy Officer (Eric Iglewski, LMSW)
- Dispersement and Center display of the Center Privacy Notice.
- Ongoing training of staff/volunteers. Keeping apprised of the latest changes and regulations mandated by the government for HIPAA compliance.
- Ongoing development of policies and procedures to carry out all HIPAA requirements.
Under HIPAA as a patient you have certain rights:
- The right to receive a written and Notice of Privacy Practices
- The right to review and get a copy of health and billing information
- The right to ask that your health and billing information be amended
- The right to request for restrictions in the use of your health and billing information
- The right to request confidential communications
- The right to find out, in instances, who outside of the Center has been privy to your health information since April 14, 2003
- The right to file a complaint with The Mary M. Gooley Hemophilia Center or with the US Department of Health and Human Services Office for Civil Rights if you believe your privacy rights have been violated.
If you have any questions or concerns regarding HIPAA or would like a copy of the Center's Privacy notice.
Please feel to contact:
Eric Iglewski, Privacy Officer
1415 Portland Avenue, Suite 500
Rochester, NY 14621
MARY M. GOOLEY HEMOPHILIA CENTER, INC.
HIPAA PRIVACY NOTICE
THIS NOTICE DESCRIBES HOW YOUR MEDICAL INFORMATION
MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO
PLEASE REVIEW THIS NOTICE CAREFULLY.
The Center is committed to maintaining the privacy of your protected health information ("PHI"), which includes electronic protected health information, and which includes information about your medical condition and the care and treatment you receive from the Center and other health care providers, all in accordance with the provisions of the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act, and their regulations (collectively, the “HIPAA Rules”). This Notice details how your PHI may be used and disclosed to third parties for purposes of your care, payment for your care, health care operations of the Center, and for other purposes permitted or required by law and the HIPAA Rules. This Notice also details your rights regarding your PHI.
ORGANIZED HEALTH CARE ARRANGEMENT
The Mary M. Gooley Hemophilia Center, Inc. ("the Center") includes the physicians and other health care providers who provide health care services to you but are legally independent from the Center. Although these health care providers share medical personnel, office staff, equipment and supplies, they are not legally related,in that they are not partners, owners, or employees with or of each other or of the Center. Although these providers are all independent, as you would expect they cooperate to provide an integrated system of care to you. This type of clinically integrated setting in which you receive health care from more than one health care provider is called an organized health care arrangement (“OHCA”).
We may share your health information with participants in the OHCA for treatment, payment, and health care operations of the OHCA. The participants in the OHCA will also share protected health information in order to carry out treatment (including coverage for each other), payment for treatment, and health care operations. Those participating in the OHCA include, but are not limited to, physicians specializing in hematology, dentists, and physical therapists. This Notice is provided as a joint notice made by each of them; and each of them will abide by the terms of this Notice while providing services to you at the Center.
USE OR DISCLOSURE OF PHI
1. The Center may use and/or disclose your PHI for purposes related to your care, payment for your care, and health care operations of the Center. The following are examples of the types of uses and/or disclosures of your PHI that may occur. These examples are not meant to include all possible types of uses and/or disclosures.
(a) Care - In order to provide, coordinate and manage your care, the Center will provide your PHI to those health care professionals, whether on the Center's staff or not, directly involved in your care so that they may understand your medical condition and needs and provide advice or treatment (e.g., a specialist or laboratory). For example, a physician treating you for a condition such as arthritis may need to know what medications have been prescribed for you by the Center's physicians.
(b) Payment - In order to get paid for some or all of the health care provided by the Center, the Center may provide your PHI, directly or through a billing service, to appropriate third party payors, pursuant to their billing and payment requirements. For example, the Center may need to provide your health insurance carrier with information about health care services that you received from the Center so that the Center can be properly reimbursed. The Center may also need to tell your insurance plan about the need to hospitalize you so that the insurance plan can determine whether or not it will pay for the expense.
(c) Health Care Operations - In order for the Center to operate in accordance with applicable law and insurance requirements and in order for the Center to provide quality and efficient care, it may be necessary for the Center to compile, use and/or disclose your PHI. For example, the Center may use your PHI in order to evaluate the performance of the Center's personnel in providing care to you.
AUTHORIZATION NOT REQUIRED
1. The Center may use and/or disclose your PHI, without a written Authorization from you, in the following instances:
(a) De-identified Information - Your PHI is altered so that it does not identify you and, even without your name, cannot be used to identify you.
(b) Business Associate - To a business associate, which is someone who the Center contracts with to provide a service necessary for your treatment, payment for your treatment and health care operations (e.g., billing service or transcription service). The Center will obtain satisfactory written assurance, in accordance with applicable law and the HIPAA Rules, that the business associate will appropriately safeguard your PHI and that the business associate will ensure its subcontractors, if any, appropriately safeguard your PHI as well.
(c) To You or a Personal Representative - To you, or to a person who, under applicable law, has the authority to represent you in making decisions related to your health care.
(d) Public Health Activities - Such activities include, for example, information collected by a public health authority, as authorized by law, to prevent or control disease, injury or disability. This includes reports of child abuse or neglect.
(e) Food and Drug Administration - If required by the Food and Drug Administration to report adverse events, product defects or problems or biological product deviations, or to track products, or to enable product recalls, repairs or replacements, or to conduct post marketing surveillance.
(f) Abuse, Neglect or Domestic Violence - To a government authority if the Center is required by law to make such disclosure. If the Center is authorized by law to make such a disclosure, it will do so if it believes that the disclosure is necessary to prevent serious harm or if the Center believes that you have been the victim of abuse, neglect or domestic violence. Any such disclosure will be made in accordance with the requirements of law, which may also involve notice to you of the disclosure.
(g) Health Oversight Activities - Such activities, which must be required by law, involve government agencies involved in oversight activities that relate to the health care system, government benefit programs, government regulatory programs and civil rights law. Those activities include, for example, criminal investigations, audits, disciplinary actions, or general oversight activities relating to the community's health care system.
(h) Judicial and Administrative Proceeding - For example, the Center may be required to disclose your PHI in response to a court order or a lawfully issued subpoena.
(i) Law Enforcement Purposes - In certain instances, your PHI may have to be disclosed to a law enforcement official for law enforcement purposes. Law enforcement purposes include: (1) complying with a legal process (i.e., subpoena) or as required by law; (2) information for identification and location purposes (e.g., suspect or missing person); (3) information regarding a person who is or is suspected to be a crime victim; (4) in situations where the death of an individual may have resulted from criminal conduct; (5) in the event of a crime occurring on the premises of the Center; and (6) a medical emergency (not on the Center's premises) has occurred, and it appears that a crime has occurred.
(j) Coroner or Medical Examiner - The Center may disclose your PHI to a coroner or medical examiner for the purpose of identifying you or determining your cause of death, or to a funeral director as permitted by law and as necessary to carry out its duties.
(k) Organ, Eye or Tissue Donation - If you are an organ donor, the Center may disclose your PHI to the entity to whom you have agreed to donate your organs.
(l) Research - If the Center is involved in research activities, your PHI may be used, but such use is subject to numerous governmental requirements intended to protect the privacy of your PHI such as approval of the research by an institutional review board and the requirement that protocols must be followed.
(m) Avert a Threat to Health or Safety - The Center may disclose your PHI if it believes that such disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public and the disclosure is to an individual who is reasonably able to prevent or lessen the threat.
(n) Specialized Government Functions - When the appropriate conditions apply, the Center may use PHI of individuals who are Armed Forces personnel: (1) for activities deemed necessary by appropriate military command authorities; (2) for the purpose of a determination by the Department of Veteran Affairs of eligibility for benefits; or (3) to a foreign military authority if you are a member of that foreign military service. The Center may also disclose your PHI to authorized federal officials for conducting national security and intelligence activities including the provision of protective services to the President or others legally authorized.
(o) Inmates - The Center may disclose your PHI to a correctional institution or a law enforcement official if you are an inmate of that correctional facility and your PHI is necessary to provide care and treatment to you or is necessary for the health and safety of other individuals or inmates.
(p) Workers' Compensation - If you are involved in a Workers' Compensation claim, the Center may be required to disclose your PHI to an individual or entity that is part of the Workers' Compensation system.
(q) Disaster Relief Efforts - The Center may use or disclose your PHI to a public or private entity authorized to assist in disaster relief efforts.
(r) Required by Law - If otherwise required by law, but such use or disclosure will be made in compliance with the law and limited to the requirements of the law.
As detailed in the HIPAA Rules, certain uses and disclosures of psychotherapy notes, uses and disclosures of PHI for marketing purposes (as described in the “Marketing” section of this Privacy Notice), and disclosures that constitute a sale of PHI require a written authorization from you, and other uses and disclosures not otherwise permitted as described in this Privacy Notice will only be made with your written authorization, which you may revoke at any time as detailed in the “Your Rights” section of this Privacy Notice.
The Center may use a sign-in sheet at the registration desk. The Center may also call your name in the waiting room when your physician or other provider is ready to see you.
The Center may, from time to time, contact you to provide appointment reminders. The reminder may be in the form of a letter or postcard. The Center will try to minimize the amount of information contained in the reminder. The Center may also contact you by phone and, if you are not available, the Center will leave a message for you.
The Center may, from time to time, contact you about treatment alternatives, or other health benefits or services that may be of interest to you.
The Center may only use and/or disclose your PHI for marketing activities if we obtain from you a prior written Authorization. "Marketing" activities include communications to you that encourage you to purchase or use a product or service, and the communication is not made for your care or treatment. However, marketing does not include, for example, sending you a newsletter about this Center. Marketing also includes the receipt by the Center of financial remuneration, directly or indirectly, from a third party whose product or service is being marketed to you. The Center will inform you if it engages in marketing and will obtain your prior Authorization.
The Center may use and/or disclose some of your PHI in order to contact you for fundraising activities supportive of the Center and you have a right to opt out of receiving such communications. Any fundraising materials sent to you will describe how you may opt out of receiving any further communications.
In order to provide on-call coverage for you, it is necessary that the Center establish relationships with other physicians who will take your call if a physician from the Center is not available. Those on-call physicians will provide the Center with whatever PHI they create and will, by law, keep your PHI confidential.
The Center may disclose to your family member, other relative, a close personal friend, or any other person identified by you, your PHI directly relevant to such person's involvement with your care or the payment for your care. The Center may also use or disclose your PHI to notify or assist in the notification (including identifying or locating) of a family member, a personal representative, or another person responsible for your care, of your location, general condition or death. However, in both cases, the following conditions will apply:
(a) The Center may use or disclose your PHI if you agree, or if the Center provides you with opportunity to object and you do not object, or if the Center can reasonably infer from the circumstances, based on the exercise of its judgment, that you do not object to the use or disclosure.
(b) If you are not present, the Center will, in the exercise of its judgment, determine whether the use or disclosure is in your best interests and, if so, disclose only the PHI that is directly relevant to the person's involvement with your care.
The Center is subject to various rules and regulations of New York State and the federal government. As a result of those rules and regulations, periodically representatives from federal or state agencies will audit the operations of the Center and, in the process of that audit, will review medical records, some of which may contain your PHI. In addition you, as a recipient of Medicare or other benefits, may have agreed to allow representatives from the federal or state governments to review your medical records as a result of an audit being conducted of the Center. Access by a federal or state agency to your PHI for audit purposes does not require your prior authorization.
1. You have the right to:
(a) Revoke any Authorization, in writing, at any time. To request a revocation, you must submit a written request to the Center's Privacy Officer.
(b) Request restrictions on certain uses and/or disclosures of your PHI as provided by law and the HIPAA Rules. However, the Center is not obligated to agree to every requested restriction, except to the extent required by the HIPAA Rules or by law. To request restrictions, you must submit a written request to the Center's Privacy Officer. In your written request, you must inform the Center of what information you want to limit, whether you want to limit the Center's use or disclosure, or both, and to whom you want the limits to apply. If the Center agrees to your request, the Center will comply with your request unless the information is needed in order to provide you with emergency treatment.
(c) Restrict certain disclosures of PHI about you to a health plan where you pay out of pocket in full for the health care item or service.
(d) Receive confidential communications of PHI by alternative means or at alternative locations. You must make your request in writing to the Center's Privacy Officer. The Center will accommodate all reasonable requests.
(e) Inspect and copy your PHI as provided by law. To inspect and copy your PHI, you must submit a written request to the Center's Privacy Officer. In certain situations that are defined by law, the Center may deny your request, but you will have the right to have the denial reviewed. The Center can charge you a fee for the cost of copying, mailing or other supplies associated with your request, all in accordance with applicable law.
(f) Amend your PHI as provided by law. To request an amendment, you must submit a written request to the Center's Privacy Officer. You must provide a reason that supports your request. The Center may deny your request if it is not in writing, if you do not provide a reason and support of your request, if the information to be amended was not created by the Center (unless the individual or entity that created the information is no longer available), if the information is not part of your PHI maintained by the Center, if the information is not part of the information you would be permitted to inspect and copy, and/or if the information is accurate and complete. If you disagree with the Center's denial, you have the right to submit a written statement of disagreement.
(g) Receive an accounting of disclosures of your PHI as provided by law. To request an accounting, you must submit a written request to the Center's Privacy Officer which must comply with the applicable HIPAA Rules. The request should indicate in what form you want the list (such as a paper or electronic copy). The first list you request within a 12 month period will be free, but the Center may charge you for the cost of providing additional lists in that same 12 month period. The Center will notify you of the costs involved and you can decide to withdraw or modify your request before any costs are incurred.
(h) Receive a paper copy of this Privacy Notice from the Center upon request to the Center's Privacy Officer.
(i) Be notified following a breach of your Unsecured PHI (as such term is defined by the HIPAA Rules).
(j) Complain to the Center, or to the Region II--Office for Civil Rights, U.S. Department of Health and Human Services, Jacob Javits Federal Building, 26 Federal Plaza-Suite 3312, New York, New York 10278. A list of the regional offices of the Office for Civil Rights can be found at www.hhs.gov/ocr/office/about/rgn-hqaddresses.html. To file a complaint with the Center, you must contact the Center's Privacy Officer. All complaints must be in writing.
(k) To obtain more information on, or have your questions about your rights answered, you may contact the Center's Privacy Officer, Eric Iglewski, at 585-922-5700 or via e-mail at email@example.com.
1. The Center:
(a) Is required by law to maintain the privacy of your PHI and to provide you with this Privacy Notice of the Center's legal duties and privacy practices with respect to your PHI.
(b) Is required to abide by the terms of this Privacy Notice, which is currently in effect.
(c) Reserves the right to change the terms of this Privacy Notice and to make the new Privacy Notice provisions effective for all of your PHI that it maintains.
(d) Will not retaliate against you for making a complaint.
(e) Must make a good faith effort to obtain from you an acknowledgement of receipt of this Notice.
(f) Will post this Privacy Notice on the Center's web site, if the Center maintains a web site.
(g) Will provide this Privacy Notice to you by e-mail if you so request. However, you also have the right to obtain a paper copy of this Privacy Notice.
The Original Notice was originally in effect as of April 14, 2003 and was revised on May 18, 2009. This Revised Notice is in effect as of September 23, 2013.