Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
A. Our Legal Duty to Protect Health Information About You. Healthstat and its contracted clinical staff are required by law to protect the privacy of health information about you and that can be identified with you, which we call “protected health information” or “PHI” for short that we hold, develop or receive from other sources. We are also required to give you this Notice about our privacy practices, our legal duties, and your rights concerning your PHI. We must follow the privacy practices that are described in this Notice. We reserve the right to change the terms of this Notice and to make new provisions effective for all PHI that we maintain by posting the revised Notice in our clinics, making copies of the revised Notice available upon request, and posting the revised Notice on our website.
You may request a copy of our Notices at any time. For more information about our privacy practices, or for additional copies of this Notice, please contact us using the information listed at the end of this Notice.
1. Uses and Disclosures of PHI Without Your Authorization. We may use and disclose PHI about you without your authorization in the following circumstances:
To provide healthcare treatment to you: We may use and disclose PHI about you to provide, coordinate or manage your health care and related services. This may include communicating with other health care providers regarding your treatment and coordinating and managing your health care with others.
For example, we may use and disclose PHI about you when you need a prescription, lab work, an x-ray, or other health care services. In addition, we may use and disclose PHI about you when referring you to another health care provider. We will provide your physician or a subsequent health care provider with copies of various reports that should assist him or her in treating you.
For example: Information obtained by a Healthstat clinician will be recorded in your chart and used to determine the course of treatment that should work best for you. Members of your health care team will then record the actions they took and their observations. In that way, your healthcare providers will know how you are responding to treatment.
To obtain payment for services: Generally, we may use and give your PHI to others to obtain payment for services provided to you by us. Specifically, we may share portions of medical information about you with billing departments and insurance companies, health plans and their agents which provide you coverage. For example, we may need to share information with your health plan(s) about your condition, supplies used, and services you received (such as labs). The information is given to our billing department and your health plan so we can be paid or you can be reimbursed.
For healthcare operations: We may use and disclose PHI in performing business activities, which we call “health care operations”. These “health care operations” allow us to improve the quality of care we provide and reduce health care costs. We may disclose PHI to another company that provides “health care operations” services for us, such as transcription services companies. If so, we will have a written contract to ensure that this company also protects the privacy of your PHI. Examples of the way we may use or disclose PHI about you for “health care operations” include the following:
Reviewing and improving the quality, efficiency and cost of care that we provide to you and our other patients.
Improving health care and lowering costs for groups of people who have similar health problems and to help manage and coordinate the care for these groups of people.
Reviewing and evaluating the skills, qualifications, and performance of health care providers taking care of you.
Providing training programs.
Cooperating with outside organizations that assess the quality of the care we and others provide. These organizations might include government agencies or accrediting bodies.
Cooperating with outside organizations that evaluate, certify or license health care providers, staff or facilities in a particular field or specialty.
Assisting various people who review our activities. For example, PHI may be seen by doctors reviewing the services provided to you, and by accountants, lawyers, and others who assist us in complying with applicable laws.
Planning for our organization’s future operations.
Conducting business management and general administrative activities related to our organization and the services it provides.
Resolving grievances within our organization.
Complying with this Notice and applicable laws.
Under other circumstances: We may use and/or disclose PHI about you for a number of circumstances in which you do not have to consent, give authorization or otherwise have an opportunity to agree or object. Those circumstances include:
When the use and/or disclosure is required by law.
When the use and/or disclosure is necessary for public health activities. For example, we may disclose PHI about you if you have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition.
When the disclosure relates to victims of abuse, neglect or domestic violence.
When the use and/or disclosure is for health oversight activities. For example, we may disclose PHI about you to a state or federal health oversight agency which is authorized by law to oversee our operations.
When the disclosure is for judicial and administrative proceedings. For example, we may disclose PHI about you in response to an order of a court or administrative tribunal.
When the disclosure is for law enforcement purposes. For example, we may disclose PHI about you in order to comply with laws that require the reporting of certain types of wounds or other physical injuries.
When the use and/or disclosure relates to decedents. For example, we may disclose PHI about you to a coroner or medical examiner for the purposes of identifying you should you die.
When the use and/or disclosure relates to organ, eye or tissue donation purposes.
When the use and/or disclosure is to avert a serious threat to health or safety. For example, we may disclose PHI about you to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
When the use and/or disclosure relates to specialized government functions. For example, we may disclose PHI about you if it relates to military and veterans’ activities, national security and intelligence activities, protective services for the President, and medical suitability or determinations of the Department of State.
When the use and/or disclosure relates to correctional institutions and in other law enforcement custodial situations. For example, in certain circumstances, we may disclose PHI about you to a correctional institution having lawful custody of you.
When the use and/or disclosure relates to workers’ compensation. For example, we may disclose PHI about you for workers’ compensation or other programs that provide benefits for work-related injuries.
When the information is not personally identifiable.
2. You can object to certain uses and disclosures. Unless you object, we may use or disclose PHI about you in the following circumstances:
We may share with a family member, relative, friend or other person identified by you, PHI directly related to that person’s involvement in your care or payment for your care. We may share with a family member, personal representative or other person responsible for your care PHI necessary to notify such individuals of your location, general condition or death.
We may share with a public or private agency (for example, American Red Cross) PHI about you for disaster relief purposes. Even if you object, we may still share the PHI about you, if necessary for the emergency circumstances.
If you would like to object to our use or disclosure of PHI about you in the above circumstances, please call or write to us at the address listed below.
3. Use of PHI for Appointments. We may use and/or disclose PHI to contact you to provide a message to you about an appointment you have for treatment or medical care. For example, we may leave a message on your answering machine about an upcoming or missed appointment or we may send a postcard if we cannot contact you by phone to notify you that you need to reschedule.
4. ANY OTHER USE OR DISCLOSURE OF PHI ABOUT YOU REQUIRES YOUR WRITTEN AUTHORIZATION. Under any circumstances other than those listed above, we will ask for your written authorization before we use or disclose PHI about you. Any use or disclosure of psychotherapy notes, uses and disclosures of PHI for marketing purposes and disclosures that constitute the sale of PHI require your written authorization. If you sign a written authorization allowing us to disclose PHI about you in a specific situation, you can later cancel your authorization in writing by contacting us at the address below. If you cancel your authorization in writing, we will not disclose PHI about you after we receive your cancellation, except for disclosures which were being processed before we received your cancellation. We may disclose your medical information to a family member, friend or other person to the extent necessary to help with your healthcare or with payment for your healthcare, but only if you agree that we may do so.
Although your health record is the physical property of the health care practitioner or facility that compiled it, the information belongs to you.
B. Your Rights Regarding Health Information about You.
1. Restrictions on Uses and Disclosures. You have the right to request restrictions on disclosures of your PHI to your health plan for health services or items for which you paid out-of-pocket in full, and we must comply with such request. You have the right to request that we restrict other uses and disclosures of PHI about you, and we are not required to agree to those requested restrictions. However, even if we agree to your request, in certain situations your restrictions may not be followed. These situations include emergency treatment, disclosures to the Secretary of the Department of Health and Human Services, and uses and disclosures described above. You may send a written request for a restriction to the address shown below.
2. Method of Communication. You have the right to request how and where we contact you about PHI. For example, you may request that we contact you at your work address or phone number or by email. We must accommodate reasonable requests, but, when appropriate, may condition that accommodation on your providing us with information regarding how payment, if any, will be handled and your specification of an alternative address or other method of contact. You may request alternative communications by submitting a request in writing to the address shown below. If we have all or any portion of your health information in an electronic format, you may request an electronic copy of those records or request that we send an electronic copy to any person or entity you designate in writing.
3. Access. You have the right to request to see and receive a copy of PHI contained in clinical, billing and other records used to make decisions about you. We may charge you related fees depending on materials, shipping costs, and staff time necessary to comply with your request, as allowed under applicable law. Instead of providing you with a full copy of the PHI, we may give you a summary or explanation of the PHI about you, if you agree in advance to the form and cost of the summary or explanation. There are certain situations in which we are not required to comply with your request. Under these circumstances, we will respond to you in writing, stating why we will not grant your request and describing any rights you may have to request a review of our denial. You may request to see and receive a copy of PHI by submitting a request in writing to the address shown below.
4. Amendment of PHI. You have the right to request that we make amendments to clinical, billing and other records used to make decisions about you. Your request must be in writing and must explain your reason(s) for the amendment. We may deny your request if: 1) the information was not created by us (unless you prove the creator of the information is no longer available to amend the record); 2) the information is not part of the records used to make decisions about you; 3) we believe the information is correct and complete; or 4) you would not have the right to see and copy the record as described in paragraph 3 above. We will tell you in writing the reasons for the denial and describe your rights to give us a written statement disagreeing with the denial. If we accept your request to amend the information, we will make reasonable efforts to inform others of the amendment, including persons you name who have received PHI about you and who need the amendment. You may request an amendment of PHI about you by submitting a request in writing to the address shown below.
5. Listing of Disclosures. If you ask our contact person in writing, you have the right to receive a written list of certain of our disclosures of PHI about you. You may ask for disclosures made up to six (6) years before your request. We are required to provide a listing of all disclosures except the following:
For your treatment,
For billing and collection of payment for your treatment,
For health care operations,
Made to or requested by you, or that you authorized,
Occurring as a byproduct of permitted uses and disclosures,
Made to individuals involved in your care, for directory or notification purposes, or for other purposes described above,
Allowed by law when the use and/or disclosure relates to certain specialized government functions or relates to correctional institutions and in other law enforcement custodial situations, and
As part of a limited set of information which does not contain certain information which would identify you.
The list will include the date of the disclosure, the name (and address, if available) of the person or organization receiving the information, a brief description of the information disclosed, and the purpose of the disclosure. If, under permitted circumstances, PHI about you has been disclosed for certain types of research projects, the list may include different types of information. If you request a list of disclosures more than once in 12 months, we can charge you a reasonable fee. You may send a written request for disclosures, including the date range, to the address shown below.
6. Patient Rights
Access: With limited exceptions, you have the right to look at a copy of your medical information. We will use the format you request unless we cannot practicably do so. You must make a request in writing to obtain access to your medical information. You may obtain a form to request access by using the contact information listed at the end of this Notice. You may also request access by sending us a letter to the address at the end of this Notice. We may charge you related fees depending on material, shipping costs, and staff time necessary to comply with your request, as allowed under applicable law.
Advance Directives: You have the right to direct all healthcare providers to comply with your “advance directives”. An advance directive is a document by which a person makes provision for healthcare decisions in the event that, in the future, he/she becomes unable to make those decisions.
There are two main types of advance directive – the “Living Will” and the “Durable Power of Attorney for Health Care”.
There are also hybrid documents which combine elements of the Living Will with those of the Durable Power of Attorney.
Disclosure Accounting: You have the right to receive a list of instances in which we disclosed your medical information for purposes other than treatment, payment, healthcare operations and certain other activities, for at least 6 years, but not before April 14, 2003. If you request this accounting more than once in a 12-month period, we may charge you a reasonable, cost-based fee for responding to these additional requests.
Restriction: You have the right to request that we place additional restrictions on our use or disclosure of your medical information. We are not required to agree to these additional restrictions, but if we do, we will abide by our agreement, except in an emergency.
Alternative Communication: You have the right to request that we communicate with you about your medical information by alternative means or to alternative locations. You must make your request in writing. Your request must specify the alternative means or location, and provide a satisfactory explanation on how payments will be handles under the alternative means or location you request.
Amendment: You have the right to request that we amend your medical information. Your request must be in writing, and it must explain why the information should be amended. We may deny your request under certain circumstances.
Electronic Notice: If you receive a Notice of Privacy Practices by our website or by electronic mail or email, you are entitled to receive one in written form.
Notification of a Breach of Your Unsecured Medical Information. You have the right to be notified in the event that we discover an unauthorized disclosure of your medical information.
Questions and Complaints
If you want more information about privacy practices or have questions or concerns, please contact your clinic or the office as indicated in the Notice of Privacy Practices.
If you feel that we may have violated your privacy rights, or you disagree with a decision we made about access to your medical information or in response to a request you made to amend or restrict the use or disclosure of your medical information or want us to communicate with you by alternative means or alternative locations, you may complain to us at the office that provided you with this notice. You also may submit a written compliant to the U.S. Department of Health and Human Services. We will provide you with the address to file your complaint with the U.S. Department of Health and Human Services upon request.
8. Notification of a Breach of Your Unsecured PHI. You have the right to be notified in the event that we discover a breach of unsecured PHI involving your medical information.
C. Wellness Program Notice. To the extent your employer maintains a wellness program which involves a voluntary health risk assessment, biometric screening, or other medical examination, the following provisions apply to such wellness program(s) and the PHI gathered through such wellness program(s):
1. Voluntary Program. Healthstat may have been engaged by your employer to help administer a voluntary wellness program your employer sponsors, which program is available to all employees. The program is administered according to federal rules permitting employer-sponsored wellness programs that seek to improve employee health or prevent disease, including the Americans with Disabilities Act of 1990, the Genetic Information Nondiscrimination Act of 2008, and the Health Insurance Portability and Accountability Act, as applicable, among others. If you choose to participate in the wellness program you may be asked to complete a voluntary health risk assessment or “HRA” that asks a series of questions about your health-related activities and behaviors and whether you have or had certain medical conditions (e.g., cancer, diabetes, or heart disease) and/or will also be asked to complete a biometric screening, which may include a blood test for systolic BP, diastolic BP, blood glucose, triglycerides, total cholesterol, HDL, LDL, and other standard measurements of health. These tests may also determine your body mass index, susceptibility to or identification of chronic disease(s) (such as diabetes), tobacco use, and whether you have had a physical examination within the last year.
You are not required to complete the HRA or to participate in the biometric screening or other medical examinations. However, employees who choose to participate in the wellness program will receive an incentive for completing the required conditions, which conditions may include reaching certain health goals, engaging in certain activities, and/or periodic visits to the on-site clinic. Although you are not required to complete the HRA or participate in the biometric screening, only employees who do so will receive the incentive determined by your employer.
To the extent the wellness program requires you to (a) engage in activities that you may not be able to complete because of a health condition or (b) achieve certain health outcomes, such as reducing health risk factors, if you are unable to participate in any of the health-related activities or achieve any of the health outcomes required to earn an incentive, you may be entitled to a reasonable accommodation or an alternative standard. You may request a reasonable accommodation or an alternative standard by contacting your human resources department.
The information from your HRA and the results from your biometric screening will be used to provide you with information to help you understand your current health and potential risks, and may also be used to offer you services through the wellness program, such as counseling regarding health risks or tobacco cessation. You also are encouraged to share your results or concerns with your own doctor.
2. Protections from Disclosure of Medical Information. As explained in this Notice of Privacy Practices, we are required by law to maintain the privacy and security of your PHI. Although the wellness program and your employer may use aggregate information it collects to design a program based on identified health risks in the workplace, Healthstat will never disclose any of your personal information either publicly or to the employer, except as necessary to respond to a request from you for a reasonable accommodation needed to participate in the wellness program, as described in this Notice of Privacy Practices, or as otherwise expressly permitted by law or this Notice. Medical information that personally identifies you that is provided in connection with the wellness program will not be provided to your supervisors or managers and may never be used to make decisions regarding your employment.
Your health information will not be sold, exchanged, transferred, or otherwise disclosed except to the extent permitted by law to carry out specific activities related to the wellness program, and you will not be asked or required to waive the confidentiality of your health information as a condition of participating in the wellness program or receiving an incentive. Anyone who receives your information for purposes of providing you services as part of the wellness program will abide by the same confidentiality requirements. The only individual(s) who will receive your PHI are the healthcare providers at your employer’s on-site clinic or other individuals allowed to have such information under this Notice or as allowed by law, in order to provide you with services under the wellness program or administer the wellness program and any group health plan of which it is a part.
In addition, all medical information obtained through the wellness program will be maintained separate from your personnel records, information stored electronically will be encrypted, and no information you provide as part of the wellness program will be used in making any employment decision. Appropriate precautions will be taken to avoid any data breach, and in the event a data breach occurs involving information you provide in connection with the wellness program, we will notify you in accordance with the law.
You may not be discriminated against in employment because of the medical information you provide as part of participating in the wellness program, nor may you be subjected to retaliation if you choose not to participate (though you will not receive any incentives is you fail to participate and/or meet program conditions or, when appropriate, a reasonable alternative standard). If you have questions or concerns regarding this Notice, or about protections against discrimination and retaliation, please contact your human resources department. You acknowledge and agree, however, that Healthstat is not responsible for the actions of your employer and you agree to hold Healthstat harmless for and covenant not to sue Healthstat regarding any damages arising from illegal or negligent actions of your employer related to or arising from the wellness program.
D. Complaints about Our Privacy Practices. If you think we have violated your privacy rights, or you want to complain to us about our privacy practices, you may contact our Privacy Office at the address shown below. You may also send a written complaint to the United States Secretary of the Department of Health and Human Services. If you file a complaint, we will not take any action against you or change our treatment of you in any way.
E. Effective Date of this Notice. This Notice of Privacy Practices is effective on 01/01/2017.