2. My responsibilities: I am required by law to protect the privacy of your PHI, to provide this notice about my privacy policies, and to abide by the terms of this notice. If these policies and procedures for protecting PHI change (for example based on these September 2013 HIPAA changes listed below), I will change this notice, keep it posted prominently in my office and on my website. You may request your own copy at any time. Except for the purposes related to your treatment, to collect payment for my services, to perform necessary business functions, or when otherwise permitted or required by law, I will not use or disclose your PHI without your authorization.
3. Understanding your PHI: As part of clinical treatment, personal and clinical information is added to your medical record. The medical record may include a description of your symptoms, recent stressors, historical information, medical problems, a mental status exam, any relevant lab test results, diagnoses, and a treatment plan. Your official medical record is kept in a protected place and it serves as a: (a) Basis for planning your care and treatment; (b) Means of communication among the health professionals who contribute to your care; (c) Legal document of the care you receive; (d) Means by which you or a third-party payer (e.g. health insurance company) can verify that services you received were appropriately billed; (e) Information which I can assess and work with to improve the care I provide to you.
4. Your health information rights - you have the following rights related to your medical record: (a) You can read this notice in the waiting room and take a copy with you if you like; (b) Before I use or disclose your health information, other than as described below, I will obtain your written authorization, which you may revoke at any time to stop future use or disclosure; (c) You may request a copy of your medical record from me at any time; (d) If you believe the information in your record is inaccurate or incomplete, you may request that I correct it; (e) You may request that when I communicate with you about your health information that I do so in a specific way. For example: A certain mail address or phone number. I will make every reasonable effort to comply; (f) You may request a list of any disclosures of your PHI that I have made for reasons other than treatment, payment or healthcare operations; (g) You have the right to not be retaliated against for exercising you HIPAA rights.
Additional HIPAA rights and requirements have been added and are mandated as of September 23rd, 2013. These include: (a) Breach notification requirements – the obligation to notify patients if there is a breach of their PHI is expanded and clarified under these new rules. Breaches are now presumed reportable unless, after completing a risk analysis applying four factors, it is determined, that there is a “low probability of PHI compromise.” The physician must consider all of the following four factors: i. the nature and extent of the PHI involved with issues to be considered including the sensitivity of the information from a financial or clinical perspective and the likelihood the information can be re-identified; ii. the person who obtained the unauthorized access and whether that person has an independent obligation to protect the confidentiality of the information; iii. whether the PHI was actually acquired or accessed, determined after conducting a forensic analysis; and iv. the extent to which the risk has been mitigated, such as by obtaining a signed confidentiality agreement from the recipient. (b) Disclosures to health plans – at the patient’s request, physicians may not disclose information about care the patient has paid for out-of-pocket to health care plans, unless for treatment purposes or in the rare event the disclosure is required by law. This change updates the previous HIPAA Privacy Rule governing patient requests for restrictions on the use or disclosure of their PHI. Previously, while physicians and other health care providers could refuse to abide by any such request, the new rule requires physicians and other health care providers to abide by the patient’s request not to disclose PHI to a health plan for those services for which the patient has paid out-of-pocket and request the restriction. (c) Marketing communications – the new rules further limit the circumstance when physicians may provide marketing communications to their patient in the absence of the patient’s written authorization. Generally speaking, the only time a physician may tell a patient about a third-party’s product or service without the patient’s written authorization is when: i. the physician receives no compensation for the communication; ii. the communication is face-to-face; ii. the communication involves a drug or biologic the patient is currently being prescribed and the payment is limited to reasonable reimbursement of the costs of the communication (no profit); iv. the communication involves government or government–sponsored programs. Physicians are also still permitted to give patients promotional gifts of nominal value (e.g. pamphlets). (d) Sale of PHI – the new rules clarify that the prohibition on the sale of PHI in the absence of the patient’s written authorization extends to licenses or lease agreements, and to the receipt of financial or in-kind benefits. It also includes disclosures in conjunction with research if the remunerations received include any profit margin. On the other hand, the prohibition on PHI sales does not extend to permitted disclosures for payment or treatment or to permitted disclosures to patients or their designees in exchange for a reasonable cost-based fee. (e) Childhood immunizations – under the new rules, physicians may disclose immunizations to schools required to obtain proof of immunizations prior to admitting the student so long as the physicians have and document the patient or patient’s legal representative’s “informal agreement” to disclosure. (f) Descendants – the new rules allow physicians to make relevant disclosures to the deceased’s family and friends under essentially the same circumstance such disclosures were permitted when the patient was alive; that is, when these individuals were involved in providing care or payment for care and the physician is unaware of any expressed preference to the contrary. The new rule also eliminates any HIPAA protection for PHI 50 years after a patient’s death. (g) Copies of e-PHI – physician will now have only 30 days to respond to a patient’s written request for his or her PHI with on 30 days extension, regardless of where the records are kept (eliminating the longer 60 day timeframe for records maintained offsite). They must provide access to Electronic Healthcare Records (EHR) and other electronic records in the electronic form and format requested by the individual if the records are “readily reproducible” in that format. Otherwise, they must provide the records in another mutually agreeable electronic format. Hard copies of ePHI information is permitted only when the individual rejects all readily reproducible e-formats. Texas law states physicians have two weeks to respond to a request for clinical records once proper written consent is provided. I do not keep patient medical records in an EHR. Therefore no clinical records are in electronic format. (h) Emailing PHI – physicians must also consider transmission security, and may send PHI in unencrypted emails only if the requesting individual is advised of the risk and still requests that form of transmission. (i) Charging for copies of e-PHI or PHI – the new rules modify the costs that may be charged to the individual for copies to include labor costs (potentially to include skilled technical labor costs fro extracting electronic PHI and supply costs if the patient requests a paper copy, or if electronic, the cost of any portable media (such as a USB memory stick or a CD), assuming state law does not set a lower reimbursement rate. Texas limits costs to clearly defined copy costs only. (j) Research authorizations – the new rules permit physicians to combine conditioned and unconditioned authorizations for research participation, provided individuals can opt-in to the unconditioned research activity. Moreover, these authorizations may encompass future research. I do not participate in any research activities in my practice. (k) Business associates – the final rule requires that business associates and their subcontractors comply with the HIPAA rules in the same manner as covered entities. Any entity that “creates, receives, or transmits” PHI on behalf of a covered entity may now be held directly liable for impermissible uses/disclosures. Business associates must do the same for their subcontractors.
5. Your treatment is confidential - except in the situations described below - I will not disclose information about you or our work together unless you request that I do so. If you request disclosure, I will ask you to sign a written Release of Information. While the new HIPAA law allows disclosures to family without a patient’s specific written consent (as long as it contributes to your treatment), my office policy is that I will not share your clinical information with your family without permission from you. You have the right to revoke your authorization at any time. If you request that I speak with family I would prefer to speak to them in your presence, unless it is an emergency situation.
6. Some of the exceptions to the rules of confidentiality, where I may disclose your health information without your consent: (a) In order to facilitate your medical treatment. For example: Your primary care physician or your psychotherapist might call me to discuss your treatment, and in that situation I would disclose your health information; (b) In the case of a medical emergency I may provide health information to assist in your evaluation and treatment; (c) If I have reason to believe that suicide or injury to another person is an immediate danger, I am ethically obligated to take action to try and protect my patient or an endangered person; (d) State laws require me to notify authorities in certain situations. For example: if I believe or suspect that a child or elderly person is being abused; (e) In order to facilitate routine office operations. For example: communications with office staff involved in calling pharmacies or transcribing correspondence about your treatment services; (f) I may disclose to the Food and Drug Administration (FDA) your health information relating to adverse events due to medications; (g) Legal Proceedings: I may be required to disclose your medical information in the course of judicial or administrative proceedings in response to an order from the court or some other appropriate legal process. Strong protections are in place but it is possible under certain legal circumstances your information may be disclosed without your consent.; (h) In order to collect payment for health care services that I provide. For example: In order to get paid for my services, significantly overdue unpaid bills may be turned over to a collection agency.
7. I am providing to you clinical treatment, not a forensic evaluation for legal proceedings, and it is my policy not to provide your clinical records or my testimony for any legal proceedings. I ask that you do not voluntarily involve me in any such proceedings. If you are seeking an evaluation for a legal proceeding you must inform me prior to your initial evaluation.
8. Please let me know at any time if you have any questions or concerns about any of these policies. If you feel that your privacy has been violated please discuss your concerns with me. You also have the right to file a compliant with the Secretary of Health and Human Services. Office for Civil Rights, Department of Health and Human Services Attn: Patient Safety Act , 200 Independence Ave., SW, Rm. 509F , Washington, DC 20201 (202) 619-0403 ; TDD 1-800-537-7697; FAX: (202) 619-3818