HIPAA Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This Notice of Privacy Practices is being provided to you as a requirement of the Health Insurance Portability and Accountability Act (HIPAA). This Notice describes how we may use and disclose your protected health information to carry out treatment, payment, or healthcare operations, and for other purposes that are permitted or required by law. It also describes your rights to access and control your protected health information in some cases. Your “protected health information” means any of your written and oral health information, including demographic data that can be used to identify you. This is health information that is created or received by your healthcare provider, and that relates to your past, present, or future physical or mental health or condition.
I. Uses and Disclosures of Protected Health Information
The Center may use your protected health information for purposes of providing treatment, obtaining payment for treatment, and conducting healthcare operations. Your protected health information may be used or disclosed only for these purposes unless the Center has obtained your authorization or the use or disclosure is otherwise permitted by the HIPAA Privacy Regulations or state law. Disclosures of your protected health information for the purposes described in this Notice may be made in writing, orally or by facsimile.
- Treatment. We will use and disclose your protected health information to provide, coordinate or manage your healthcare and any related services. This includes the coordination or management of your healthcare with a third party for treatment purposes. For example, we may disclose your protected health information to a pharmacy to fulfill a prescription, to a laboratory to order a blood test, or to a home health agency that is providing care in your home. We may also disclose protected health information to other physicians who may be treating you or consulting with the Center with respect to your care. In some cases, we may also disclose your protected health information to an outside treatment provider for purposes of the treatment activities of the other provider.
- Payment. Your protected health information will be used, as needed, to obtain payment for the services that we provide. This may include certain communications to your health insurer to get approval for the surgery that we have scheduled. For example, we may need to disclose information to your health insurer to get prior approval for the surgery. We may also disclose protected health information to your insurance company to determine whether you are eligible for benefits or whether a particular service is covered under your health plan. In order to get payment for your services, we may also need to disclose your protected health information to your insurance company to demonstrate the medical necessity of the services or, as required by your insurance company, for utilization review. We may also disclose patient information to another provider involved in your care for the other provider’s payment activities. This may include disclosure of demographic information to the anesthesiologists for their payment of services.
- Operations. We may use or disclose your protected health information, as necessary, for our own healthcare operations in order to facilitate the function of the practice and to provide quality care to all patients. Healthcare operations include such activities as:
- Quality assessment and improvement activities.
- Employee review activities.
- Training programs, including those in which students, trainees, or practitioners in healthcare learn under supervision.
- Accreditation, certification, licensing, or credentialing activities.
- Review and auditing, including compliance reviews, medical reviews, legal services, and maintaining compliance programs.
- Business management and general administrative activities.
- In certain situations, we may also disclose patient information to another provider or health plan for their healthcare operations.
- Other Uses and Disclosures. As part of treatment, payment, and healthcare operations, we may also use or disclose your protected health information for the following purposes:
- To remind you of your surgery date.
- To inform you of potential treatment alternatives or options.
- To inform you of health-related benefits or services that may be of interest to you.
- To contact you to raise funds for the Center or an institutional foundation related to the Center. If you do not wish to be contacted regarding fundraising, please contact our Privacy Officer.
II. Uses and Disclosures Beyond Treatment, Payment and Healthcare Operations Permitted Without Authorization or Opportunity to Object
- Federal privacy rules allow us to use or disclose your protected health information without your permission or authorization for a number of reasons, including the following:
- When Legally Required. We will disclose your protected health information when we are required to do so by any federal, state, or local law.
- When There Are Risks to Public Health. We may disclose your protected health information for the following public activities and purposes:
- To prevent, control, or report disease, injury, or disability, as permitted by law.
- To report vital events such as birth or death, as permitted or required by law.
- To conduct public health surveillance, investigations, and interventions, as permitted or required by law.
- To collect or report adverse events and product defects, track FDA regulated products, enable product recalls, repairs or replacements to the FDA, and to conduct post marketing surveillance.
- To notify a person who has been exposed to a communicable disease or who may be at risk of contracting or spreading a disease, as authorized by law.
- To report to an employer information about an individual who is a member of the workforce, as legally permitted or required.
- To Report Abuse, Neglect or Domestic Violence. We may notify government authorities if we believe that a patient is the victim of abuse, neglect, or domestic violence. We will make this disclosure only when specifically required or authorized by law, or when the patient agrees to the disclosure.
- To Conduct Health Oversight Activities. We may disclose your protected health information to a health oversight agency for activities including audits; civil, administrative or criminal investigations, proceedings or actions; inspections; licensure or disciplinary actions; or other activities necessary for appropriate oversight as authorized by law. We will not disclose your health information if you are the subject of an investigation and your health information is not directly related to your receipt of healthcare or public benefits.
- In Connection With Judicial and Administrative Proceedings. We may disclose your protected health information in the course of any judicial or administrative proceeding in response to an order of a court or administrative tribunal as expressly authorized by such order. In certain circumstances, we may disclose your protected health information in response to a subpoena, to the extent authorized by state law, if we receive satisfactory assurances that you have been notified of the request or that an effort was made to secure a protective order.
- For Law Enforcement Purposes. We may disclose your protected health information to a law enforcement official for law enforcement purposes as follows:
- As required by law for reporting of certain types of wounds or other physical injuries.
- Pursuant to court order, court ordered warrant, subpoena, summons, or similar process.
- For the purpose of identifying or locating a suspect, fugitive, material witness, or missing person.
- Under certain limited circumstances, when you are the victim of a crime.
- To a law enforcement official, if the Center has a suspicion that your death was the result of criminal conduct.
- In an emergency, in order to report a crime.
- To Coroners, Funeral Directors and for Organ Donation. We may disclose protected health information to a coroner or medical examiner for identification purposes, to determine cause of death, or for the coroner or medical examiner to perform other duties authorized by law. We may also disclose protected health information to a funeral director, as authorized by law, in order to permit the funeral director to carry out his/her duties. We may disclose such information in reasonable anticipation of death. Protected health information may be used and disclosed for cadaveric organ, eye or tissue donation purposes.
- For Research Purposes. We may use or disclose your protected health information for research when the use or disclosure for research has been approved by an institutional review board or privacy board that has reviewed the research proposal and research protocols to address the privacy of your protected health information.
- In the Event of a Serious Threat to Health or Safety. We may, consistent with applicable law and ethical standards of conduct, use or disclose your protected health information if we believe, in good faith, that such use or disclosure is necessary to prevent or lessen a serious and imminent threat to your health or safety or to the health and safety of the public.
- For Specified Government Functions. In certain circumstances, the federal regulations authorize the Center to use or disclose your protected health information to facilitate specified government functions relating to military and veterans activities, national security and intelligence activities, protective services for the president and others, medical suitability determinations, correctional institutions, and law enforcement custodial situations.
- For Workers’ Compensation. The Center may release your health information to comply with workers’ compensation laws or similar programs.
III. Uses and Disclosures Permitted Without Authorization, but with Opportunity to Object
- We may disclose your protected health information to your family member or a close personal friend if it is directly relevant to the person’s involvement in your surgery or payment related to your surgery. We can also disclose your information in connection with trying to locate or notify family members or others involved in your care concerning your location, condition or death.
- You may object to these disclosures. If you do not object to these disclosures, or we can infer from the circumstances that you do not object, or we determine, in the exercise of our professional judgment, that it is in your best interests for us to make disclosure of information that is directly relevant to the person’s involvement with your care, we may disclose your protected health information as described.
IV. Uses and Disclosures Which You Authorize
Other than as stated above, we will not disclose your health information other than with your written authorization. You may revoke your authorization in writing at any time except to the extent that we have taken action in reliance upon the authorization.
V. Your Rights
You have the following rights regarding your health information:
- The right to inspect and copy your protected health information. You may inspect and obtain a copy of your protected health information that is contained in a designated record set for as long as we maintain the protected health information. A “designated record set” contains medical and billing records, and any other records that your physician and the Center uses for making decisions about you. These records must be given to you in paper format or electronic, as per your request.
- Under federal law, however, you may not inspect or copy the following records: psychotherapy notes; information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and protected health information that is subject to a law that prohibits access to protected health information. Depending on the circumstances, you may have the right to have a decision to deny access reviewed.
- We may deny your request to inspect or copy your protected health information if, in our professional judgment, we determine that the access requested is likely to endanger your life or safety, or that of another person, or that it is likely to cause substantial harm to another person referenced within the information. You have the right to request a review of this decision.
- To inspect and copy of your medical information, you must submit a written request to the Privacy Officer, whose contact information is listed on the last pages of this Notice. If you request a copy of your information, we may charge you a fee for the costs of copying, mailing, or other costs incurred by us in complying with your request.
Please contact our Privacy Officer if you have questions about access to your medical record.
- The right to request a restriction on uses and disclosures of your protected health information. You may ask us not to use or disclose certain parts of your protected health information for the purposes of treatment, payment or healthcare operations. You may also request that we not disclose your health information to family members or friends who may be involved in your care or for notification purposes as described in this Notice of Privacy Practices. Your request must state the specific restriction requested and to whom you want the restriction to apply. We are not required to agree to a requested restriction, except for requests to limit disclosures to your health plan for purposes of payment or healthcare operations when you have paid in full, out-of-pocket for the item or service covered by the request and when the uses or disclosures are not required by law.
- We will notify you if we deny your request to a restriction. If the Center does agree to the requested restriction, we may not use or disclose your protected health information in violation of that restriction unless it is needed to provide emergency treatment. Under certain circumstances, we may terminate our agreement to a restriction. You may request a restriction by contacting the Privacy Officer.
- The right to request to receive alternative means of confidential communications from us. You have the right to request that we communicate with you in certain ways. We will accommodate reasonable requests. We may condition this accommodation by asking you for information as to how payment will be handled or specification of an alternative address or other method of contact. We will not require you to provide an explanation for your request. Requests must be made in writing to our Privacy Officer.
- The right to have your physician amend your protected health information. You may request an amendment to protected health information about you in a designated record set for as long as we maintain this information. In certain cases, we may deny your request for an amendment. If we deny your request for amendment, you have the right to file a statement of disagreement with us and we may prepare a rebuttal to your statement and will provide you with a copy of any such rebuttal. Requests for amendment must be in writing and must be directed to our Privacy Officer. In this written request, you must also provide a reason to support the requested amendment.
- The right to receive an accounting. You have the right to request an accounting of certain disclosures of your protected health information made by the Center. This right applies to disclosures for purposes other than treatment, payment, or healthcare operations as described in this Notice of Privacy Practices. We are also not required to account for disclosures that you requested, disclosures that you agreed to by signing an authorization form, disclosures for a Center directory, to friends or family members involved in your care, or certain other disclosures we are permitted to make without your authorization. The request for an accounting must be made in writing to our Privacy Officer. The request should specify the time period sought for the accounting. We are not required to provide an accounting for disclosures that took place prior to April 14, 2003. Accounting requests may not be made for periods of time in excess of six years. We will provide the first accounting you request during any 12-month period without charge. Subsequent accounting requests may be subject to a reasonable cost-based fee.
- The right to opt out of Marketing or Advertising for the center. You have the right to request that your PHI not be used for purposes of Marketing that would result in financial remuneration from a third party. If the center was interested in using your PHI for Marketing, we would require your Authorization.
- The right to obtain a paper copy of this Notice. Upon request, we will provide a separate paper copy of this notice, even if you have already received a copy of the Notice or have agreed to accept this Notice electronically.
VI. Our Duties
The Center is required by law to maintain the privacy of your health information and to provide you with this Notice of our duties and privacy practices. We are required to abide by terms of this Notice as may be amended from time to time. We reserve the right to change the terms of this Notice and to make the new Notice provisions effective for all protected health information that we maintain. If the Center changes its Notice, we will provide a copy of the revised Notice by sending a copy of the Revised Notice via regular mail or through in-person contact.
Notification of a Breach
In order to explain our duties to our patients regarding breaches in your protected health information, it is important to understand what a breach is:
Definition of Breach
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.
There are three exceptions to the definition of “breach.” The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member acting under the authority of a covered entity or business associate. The second exception applies to the inadvertent disclosure of protected health information from a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. The final exception to breach applies if the covered entity or business associate has a good faith belief that the unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information. It is our duty, following a breach of unsecured protected health information to provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities that a breach has occurred.
Notification Requirements for a Breach
Following a breach of unsecured protected health information covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities that a breach has occurred.
We must notify the affected individuals following the discovery of a breach of unsecured protected health information. This individual notice will be in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically. If we have insufficient or out-of-date contact information for 10 or more individuals, we must provide substitute individual notice by either posting the notice on the home page of its web site or by providing the notice in major print or broadcast media where the affected individuals likely reside. If we have insufficient or out-of-date contact information for fewer than 10 individuals, the we may provide you substitute notice by an alternative form of written, telephone, or other means.
These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity. Additionally, for substitute notice provided via web posting or major print or broadcast media, the notification must include a toll-free number for individuals to contact the covered entity to determine if their protected health information was involved in the breach.
If we experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. We will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.
You have the right to express complaints to the Center and to the Secretary of Health and Human Services if you believe that your privacy rights have been violated. You may complain to the Center by contacting the Center’s Privacy Officer verbally or in writing, using the contact information below. We encourage you to express any concerns you may have regarding the privacy of your information. You will not be retaliated against in any way for filing a complaint.
The Center’s contact person for all issues regarding patient privacy and your rights under the federal privacy standards is the Privacy Officer. Information regarding matters covered by this Notice can be requested by contacting the Privacy Officer. Complaints against the Center can be mailed to the Privacy Officer at the following address:
Waterbury Surgery Center
1312 West Main Street, Suite 101
Waterbury, CT 06708
ATTN: Privacy Officer
The Privacy Officer can be contacted by telephone at (203) 346-2202.
This Notice is effective February 2017.