NOTICE OF PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED OR DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
If you have any concerns or questions, if you need more information, or if you feel your privacy has been compromised, please contact our Office Manager immediately.
About This Notice
We are required by law to maintain the privacy of your Protected Health Information (defined below) and to give you this Notice explaining our privacy practices regarding that information. “Privacy practices” refers to the ways we may use and disclose your Protected Health Information. You have certain rights, and we have certain legal obligations, regarding the privacy of your Protected Health Information, which this Notice explains. We are required to provide you with this Notice, and to abide by the terms of the current version of this Notice. In addition, we are required to notify you following a breach of privacy of your Protected Health Information. If you are a minor, or otherwise incapacitated, we will notify your parent/guardian, or other person responsible for you.
What is Protected Health Information?
“Protected Health Information” (“PHI”) is information that individually identifies you and that we create or get from you or from another health care provider, health plan, your employer, or a health care clearinghouse and that relates to (1) your past, present, or future physical or mental health or conditions, (2) the provision of health care to you, or (3) the past, present, or future payment for your health care.
How We May Use and Disclose Your PHI
We may use and disclose your PHI without your authorization in the following circumstances:
- For Treatment. We may use or disclose your PHI to give you medical treatment or services and to manage and coordinate your medical care. For example, your PHI may be provided to a physician or other health care provider (e.g., a specialist or laboratory) to whom you have been referred to ensure that the physician or other health care provider has the necessary information to diagnose or treat you or provide you with a service.
- For Payment. We may use and disclose your PHI so that we can bill for the treatment and services you receive from us and can collect payment from you, a health plan, or a third party. This use and disclosure may include certain activities that your health insurance plan may undertake before it approves or pays for the health care services we recommend for you, such as making a determination of eligibility or coverage for insurance benefits, reviewing services provided to you for medical necessity, and undertaking utilization review activities. For example, we may need to give your health plan information about your treatment in order for your health plan to agree to pay for that treatment. It is your right to restrict disclosure of PHI to your health plan, when the information is not required by law, but then you must pay for the service in full before the restriction must be observed. We are required to provide any information requested by your insurance company if they are paying for your medical claims.
- For Health Care Operations. We may use and disclose PHI for our health care operations, which are activities that are necessary to run our practice and ensure that patients receive quality care. For example, we may use your PHI to internally review the quality of the treatment and services you receive and to evaluate the performance of our team members in caring for you. We also may disclose information to physicians, nurses, medical technicians, medical students, and other authorized personnel for educational and learning purposes.
- Appointment Reminders/Treatment Alternatives/Health-Related Benefits and Services. We may use and disclose PHI to contact you to remind you that you have or are due/overdue for an appointmentfor medical care; to tell you about possible treatment options, alternatives or health related benefits and services that may be of interest to you.
- We may disclose the PHI of minor children to their parents or guardians unless such disclosure is otherwise prohibited by law. Massachusetts law does require that physicians not disclose certain medical information to parents if so requested by some qualifying minors (this includes but is not limited to sexual activity, sexually transmitted diseases, pregnancy). Qualifying minors are mature of emancipated minors who have the legal ability to give informed consent for their own treatment, and are being treated without parental consent as allowed under Massachusetts law. The consent of qualifying minors is not required, however, if a physician reasonably believes a condition to be so serious that life or limb is endangered. Parents or legal guardians of qualifying minors should note that certain portions of that minor’s medical record (or, in certain instances, the entire medical record) may not be accessible to them. Our providers will always advocate with our patients for parent/child communication regarding all health issues.
- Research. We may use and disclose your PHI for research purposes, but we will only do that if the research has been specially approved by an authorized institutional review board or a privacy board that has reviewed the research proposal and has set up protocols to ensure the privacy of your PHI. Even without that special approval, we may permit researchers to look at PHI to help them prepare for research, for example, to allow them to identify patients who may be included in their research project, aslong as they do not remove, or take a copy of, any PHI. We may use and disclose a limited data set that does not contain specific readily identifiable information about you for research. However, we will only disclose the limited data set if we enter intoa data use agreement with the recipient who must agree to (1) use the data set only for the purposes for which it was provided, (2) ensure the confidentiality and security of the data, and (3) not identify the information or use it to contact any individual.
- As Required by Law. We will disclose PHI about you when required to do so by international, federal, state, or local law.
- To Avert a Serious Threat to Health or Safety. We may use and disclose PHI when necessary to prevent a serious threat to your health or safety or to the health or safety of others. But we will only disclose the information to someone who may be able to help prevent the threat.
- Business Associates. We may disclose PHI to our business associates who perform functions on our behalf or provide us with services if the PHI is necessary for those functions or services. For example, we may use another company to do our billing, or to provide consulting services for us. All of our business associates are obligated, under contract with us, to protect the privacy and ensure the security of your PHI.
- Organ and Tissue Donation. If you are an organ or tissue donor, we may use or disclose your PHI to organizations that handle organ procurement or transplantation – such as an organ donation bank– as necessary to facilitate organ or tissue donation and transplantation.
- Military and Veterans. If you are a member of the armed forces, we may disclose PHI as required by military command authorities. We also may disclose PHI to the appropriate foreign military authority if you are a member of a foreign military.
- Workers’ Compensation. We may use or disclose PHI for workers’ compensation or similar programs that provide benefits for work-related injuries or illness.
- Public Health Risks. We may disclose PHI for public health activities. This includes disclosures to:
(1) a person subject to the jurisdiction of the Food and Drug Administration (“FDA”) for purposes related to the quality, safety or effectiveness of an FDA-regulated product or activity;
(2) prevent or control disease, injury or disability;
(3) report births and deaths;
(4) report child abuse or neglect, elder abuse or neglect, disabled persons abuse or neglect, or rape or sexual assault;
(5) report reactions to medications or problems with products;
(6) notify people of recalls of products they may be using;
(7) a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition, or
(8) report abortions performed after 24 weeks of pregnancy to state government agencies as required by law.
- Abuse, Neglect, or Domestic Violence. We may disclose PHI to the appropriate government authority if we believe a patient has been the victim of abuse, neglect, or domestic violence and the patient agrees or we are required or authorized by law to make that disclosure.
- Health Oversight Activities. We may disclose PHI to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, licensure, and similar activities that are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.
- Data Breach Notification Purposes. We may use or disclose your PHI to provide legally required notices of unauthorized access to or disclosure of your health information.
- Lawsuits and Disputes. If you are involved in a lawsuit or a dispute, we may disclose PHI in response to a court or administrative order. We also may disclose PHI in response to a subpoena, discovery request, or other legal process from someone else involved in the dispute, but only if efforts have been made to tell you about the request or to get an order protecting the information requested. We may also use or disclose your PHI to defend ourselves in the event of a lawsuit.
- Law Enforcement. We may disclose PHI, so long as applicable legal requirements are met, for law enforcement purposes as required by law or in compliance with a court order or a grand jury or administrative subpoena.
- Military Activity and National Security. If you are involved with military, national security or intelligence activities or if you are in law enforcement custody, we may disclose your PHI to authorized officials so they may carry out their legal duties under the law.
- Coroners, Medical Examiners, and Funeral Directors. We may disclose PHI to a coroner, medical examiner, or funeral director so that they can carry out their duties.
- If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may disclose PHI to the correctional institution or law enforcement official if the disclosure is necessary (1) for the institution to provide you with health care; (2) to protect your health and safety or the health and safety of others; or (3) the safety and security of the correctional institution.
- Ordered Examination. We may disclose PHI when required to report findings from an examination ordered by a court or detention facility.
- As required by law. We may use and disclose PHI when required to do by any other law not already referred to in the preceding categories.
Uses and Disclosures that Require Us to Give You an Opportunity to Object and Opt Out
- Individuals Involved in Your Care or Payment for Your Care. Unless you object, we may disclose to a member of your family, a relative, a close friend or any other person you identify, your PHI that directly relates to that person’s involvement in your health care. If you are unable to agree or object to such a disclosure, we may disclose such information as necessary if we determine that it is in your best interest based on our professional judgment.
- Disaster Relief. We may disclose your PHI to disaster relief organizations that seek your PHI to coordinate your care, or notify family and friends of your location or condition in a disaster. We will provide youwith an opportunity to agree or object to such a disclosure whenever we practicably can do so.
- Fundraising Activities. We may use or disclose your PHI, as necessary, in order to contact you for fundraising activities. You have the right to opt out of receiving fundraising communications.
Your Written Authorization is Required for Other Uses and Disclosures
The following uses and disclosures of your PHI will be made only with your written authorization:
- Highly Confidential Information: Federal and state law require special privacy protections for disclosure of certain highly confidential information about you for any purpose, including treatment, payment, or health care operations purposes. We must obtain your separate and specific consent for the release of this information, unless we are otherwise permitted by law to make the disclosure. Your highly confidential information includes:
- Your HIV/AIDS status
- Mental/behavioral documentation and genetic testing information
- Confidential communications with a psychotherapist, psychologist, social worker, allied mental health professional, or human services professional
- Substance abuse (alcohol or drug) treatment or rehabilitation information
- Venereal disease information
- Abortion consent form(s)
- Mammography records
- Family planning services
- Treatment or diagnosis of emancipated minors
- Mental health community program records
- Research involving controlled substances.
- Uses and disclosures of PHI for marketing purposes. We must obtain your written authorization prior to using PHI to send you marketing materials. However, we can provide you with marketing materials in a face-to-face encounter without authorization. Wecan also give you a promotional gift of nominal value without your authorization. In addition, we may communicate with you about products or services relating to your treatment, case management or care coordination, or alternative treatments, therapies,providers or care settings without your Marketing Authorization and we may use PHI to identify health-related services and products that may be beneficial to your health and then contact you about the services and products.
- Disclosures that constitute a sale of your PHI.
- Other uses and disclosures of PHI not covered by this Notice or the laws that apply to us will be made only with your written authorization. If you do give us an authorization, you may revoke it at any time by submitting a written revocation to our Privacy Officer and we will no longer disclose PHI under the authorization. But disclosure that we made in reliance on your authorization before you revoked it will not be affected by the revocation.
Your Rights Regarding Your PHI
You have the following rights, subject to certain limitations, regarding your PHI:
- Right to Inspect and Copy. You have the right to inspect and copy PHI that may be used to make decisions about your care or payment for your care. We have up to 30 days to make your PHI available to you and we may charge you a reasonable fee for the costs of copying, mailing or other supplies associated with your request. We may not charge you a fee if you need the information for a claim for benefits under the Social Security Act or any other state or federal needs-based benefit program. We may deny your request in certain limited circumstances. If we do deny your request, you have the right to have the denial reviewed by a licensed healthcare professional who was not directly involved in the denial of your request, and we will comply with the outcome of the review. All requests must be made in writing. Certain information (for example, psychotherapy notes) may be withheld from you in certain circumstances.
- Right to a Summary or Explanation. We can also provide you with a summary of your PHI, rather than the entire record, or we can provide you with an explanation of the PHI which has been provided to you, so long as you agrees to this alternative form and pay the associated fees. All requests must be made in writing.Right to an Electronic Copy of Electronic Medical Records. If your PHI is maintained in an electronic format (known as an electronic medical record or an electronic health record), you have the right to request that an electronic copy of your record be given to you or transmitted to another individual or entity. We will make every effort to provide access to your PHI in the form or format you request, if it is readily producible in such form or format. If the PHI is not readily producible in the form or format you request your record will be provided in either our standard electronic format or if you do not want this form or format, a readable hard copy form. We may charge you a reasonable, cost-based fee for the labor associated with transmitting the electronic medical record. All requests must be made in writing.
- Right to Get Notice of a Breach. You have the right to be notified upon a breach of any of your unsecured PHI.
- Right to Request Amendments. If you feel that the PHI we have is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept by or for us. A request for amendment must be made in writing to the Office Manager at the address provided at the beginning of this Notice and it must tell us the reason for your request. In certain cases, we may deny your request for an amendment, if for example we believe that the information that would be amended is accurate and complete or other special circumstances apply. If we deny your request for an amendment, you have the right to file a statement of disagreement with us and we may prepare a rebuttal to your statement and will provide you with a copy of any such rebuttal.
- Right to an Accounting of Disclosures. You have the right to ask for an “accounting of disclosures,” which is a list of the disclosures we made of your PHI. This right applies to disclosures for purposes other than treatment, payment or healthcare operations as described in this Notice. It excludes disclosures we may have made to you, to family members involved in your care, or for notification purposes. The right to receive this information is subject to certain exceptions, restrictions and limitations. Additionally, limitations are different for electronic health records. The first accounting of disclosures you request within any 12-month period will be free. For additional requests within the same period, we may charge you for the reasonable costs of providing the accounting. We will tell what the costs are, and you may choose to withdraw or modify your request before the costs are incurred. Time periods for information requested cannot exceed six years and cannot include dates before April 14,2003.
- Right to Request Restrictions. You have the right to request a restriction or limitation on the PHI we use or disclose for treatment, payment, or health care operations. You also have the right to request a limit on the PHI we disclose about you to someone who is involved in your care or the payment for your care, like a family member. You may also request restrictions on our use or disclosure of PHI for purposes of notifying or assisting in the notification of such individuals regarding your location or general condition. To request a restriction on who may have access to your PHI, you must submit a written request to the Privacy Officer (Office Manager). Your request must state the specific restriction requested and to whom you want the restriction to apply. We are not required to agree to your request, unless you are asking us to restrict the use and disclosure of your PHI to a health plan for payment or health care operation purposes and such information you wish to restrict pertains solelyto a health care item or service for which you have paid us “out-of-pocket” in full. If you request a limitation on certain family members, we may not be able to bill your family’s health plan and you will have to be financially responsible to pay us for the care we provided to you. You may not ask us to restrict disclosures that we are legally required to make. If we do agree to the requested restriction, we may not use or disclose your PHI in violation of that restriction unless it is needed to provideemergency treatment.
- Out-of-Pocket-Payments. If you paid out-of-pocket (or in other words, you have requested that we not bill your health plan) in full for a specific item or service, you have the right to ask that your PHI with respect to that item orservice not be disclosed to a health plan for purposes of payment or health care operations, and we will honor that request.
- Right to Request Confidential Communications. You have the right to request that we communicate with you only in certain ways to preserve your privacy. For example, you may request that we contact you by mail at a specific address or call you only at your work number. You must make any such requestin writing and you must specify how or where we are to contact you. We will accommodate all reasonable requests. We will not ask you the reason for your request.
- Right to a Paper Copy of This Notice. You have the right to a paper copy of this Notice, even if you have agreed to receive this Notice electronically. You may request a copy of this Notice at any time.
- Right to Revoke Your Authorization. You may revoke any authorization you have provided by providing a written revocation statement to the Office Manager. However, such revocation does not apply to uses or disclosures made in reliance on authorization given prior to revocation.
How to Exercise Your Rights
To exercise your rights described in this Notice, send your request, in writing, to our Privacy Officer at the address listed at the beginning of this Notice. We may ask you to fill out a form that we will supply. To exercise your right to inspect and copy your PHI, you may also contact your physician directly. To get a paper copy of this Notice, contact our Privacy Officer by phone or mail.
Changes To This Notice
We reserve the right to change this Notice. We reserve the right to make the changed Notice effective for PHI we already have as well as for any PHI we create or receive in the future. A copy of our current Notice is posted in our office and on our website.
You may file a complaint with us or with the Secretary of the United States Department of Health and Human Services if you believe your privacy rights have been violated.
To file a complaint with us, contact our Privacy Officer (Officer Manager) at the address listed at the beginning of this Notice. All complaints must be made in writing and should be submitted within 180 days of when you knew or should have known of the suspected violation.
To file a complaint with the Secretary, mail it to: Secretary of the U.S. Department of Health and Human Services, 200Independence Ave, S.W., Washington, D.C. 20201. Call (202) 619-0257 (or toll free (877) 696-6775) or go to the website of the Office for Civil Rights, www.hhs.gov/ocr/hipaa/, for more information.
There will be no retaliation against you for filing a complaint.
This Notice of Privacy Practices is effective as of May 21, 2018