Notice
of Privacy Practices
Dr.
Shelly Senders and Associates
This
notice describes how medical information about you may be used and
disclosed and how you can get access to this information. Please
review it carefully.
i.
A
provider may not use or disclose protected health information except
as permitted by the privacy regulations
ii.
A
provider may use or disclose protected health information for
treatment, payment or health care operations without
consent
iii.
A
provider may disclose health information for the treatment
activities of a health care provider
iv.
A
provider may disclose health information to another covered entity
or health care provider for the payment activities of the entity
that receives that information
v.
A
provider may disclose protected health information to another
covered entity for health care operation activities of the entity
that receives the information, if each entity either
has, or had, a relationship with the individual who is the subject
of the protected health information being requested, the protected
health information pertains to such relationship and the disclosure
is:
1.
For
certain health care operations as stated in the privacy rule;
or,
2.
For
the purpose of health care fraud and abuse detection or
compliance
vi.
A
provider that participates in an organized health care arrangement
may disclose private health information about an individual to
another covered entity that participates in the organized health
care arrangement for any health care operations of the organized
heath care arrangement
vii.
“Health
Care Operations†is defined in detail in the privacy regulations. In
general it includes the following activities (This is not a
comprehensive list):
1.
Conducting
quality assessment and improvement activities
2.
Reviewing
the competence of qualifications of health care professionals, evaluating
practitioner and provider performance, conducting training
operations, accreditation, certification licensing or credentialing
activities
3.
Underwriting
premium ratings, and other activities relating to the creation,
renewal or replacement of a contract of health insurance or health
benefits
4.
Conducting
or arranging for medical review, legal services and auditing
functions
5.
Business
planning and development
6.
Business
management and general administrative activities of the provider,
including sale, transfer, merger or consolidation of all or part of
the covered entity and fundraising for the benefit of the covered
entity.
i.
Except
as otherwise permitted or required by the privacy regulations, a
provider may not use or disclose private health information without
valid authorization
ii.
A
provider may not condition the provision of treatment, payment, or
participation in health plan on the giving of an authorization. Some
exceptions apply to research, health plans, and solely for creating
information for disclosure to a third party.
iii.
Authorization
must be obtained for any use or disclosure of psychotherapy notes,
EXCEPT:
1.
For
use by the originator of the notes for treatment
2.
For
use or disclosure by the provider in certain training
programs
3.
For
use or disclosure to defend legal actions brought by the individual
4.
For
oversight of the originator of the notes
iv.
Marketing
1.
Defined
as
a.
“To
make a communication about a product or service that encourages
recipients of the communication to purchase or use the product or
service,†unless the communication is
made:
i.
To
describe a health related product or service that is provided by the
covered entity making the communication
ii.
For
treatment of the individual
iii.
For
case management or care coordination for the individual, or to
direct or recommend alternative treatments, therapies, health care
providers, or settings of care to the
individual
b.
An
arrangement between a covered entity and any other entity whereby
the covered entity discloses protected health information to the
other entity, in exchange for direct or indirect remuneration, for
the other entity or its affiliate to make a communication about its
own product or service that encourages recipients of the
communication to purchase that product or service (i.e. A pharmacy
cannot sell names of medication users to drug
representatives)
2.
Rule:
A covered entity must obtain an authorization for any use or
disclosure of protected health information for marketing unless the
communication is in the form of
a.
Face
to face communication made by a covered entity to an individual;
or,
b.
A
promotional gift of nominal value provided by the covered
entity
i.
General
Rule: A provider may use or disclose protected health information
without a consent or authorization provided the individual is
informed in advance of the use or disclosure and has the opportunity
to agree, prohibit or restrict the disclosure in accordance with the
privacy regulations. Orally informing and oral agreement
or objection is permitted.
ii.
Facility
Directory:
Except when an objection is
expressed, a provider may:
1.
Use
the following protected health information to maintain a directory
of individual’s in it’s facility:
a.
The
individual’s name.
b.
The
individual’s location in the provider’s
facility.
c.
The
individual’s condition described in general terms that do not
communicated specific medical information about the
individual.
d.
The
individual’s religious affiliation (only to be released to
clergy
2.
Disclose
for directory purposes such information:
a.
To
members of the clergy; or
b.
Except
for religious affiliation, to other persons who ask for the
individual by name.
3.
A
provider must provide an individual with an opportunity to restrict
or prohibit some or all of the permitted uses and
disclosures.
4.
If
the opportunity to object cannot practicably be provided because of
the individual’s incapacity, or emergency treatment circumstances,
the provider may use or disclose some or all of the protected health
information if such disclosure is;
a.
Consistent
with a prior expressed preference of the individual that is known to
the provider
b.
In
the individual’s best interest as determined by the provider in the
exercise of professional judgment.
iii.
Disclosures
to family members and others involved in the individuals
care.
1.
Subject
to the requirements stated in (2) and (3), below a provider may
disclose to a family member, other relative, or a close personal
friend of the individual, the protected health information directly
relevant to such person’s involvement with the individual’s care or
payment related to the individual’s health care.
2.
Subject
to the requirements stated in (3), (4), and (5), below, a provider
may use or disclose protected health information to notify or assist
in the notification of (including identifying or locating), a family
member, a personal representative of the individual, or another
person responsible for the care of the individual, of the
individual’s location, general condition or
death.
3.
If
the individual is present for, or otherwise available prior to, a
use or disclosure permitted by (1) above, and has the capacity to
make health care decisions, the provider may use or disclose the
health information if it;
a.
Obtains
the individual’s agreement
b.
Provides
the individual with the opportunity to object to the disclosure, and
the individual does not express objection; or
c.
Reasonably
infers from the circumstances, based on the exercise of professional
judgment that the individual does not object to the
disclosure.
4.
If
the individual is not present for, or the opportunity to agree or
object to the use or disclosure cannot practicably be provided
because of the individual’s incapacity or emergency circumstances,
the provider may, in the exercise of professional judgment,
determine whether the disclosure is in the best interest of the
individual and, if so, disclose only the protected health
information that is directly relevant to the person’s involvement
with the individual’s health care. A provider may use professional
judgment and it’s experience with common practice to make reasonable
inferences of the individual’s best interest in allowing a person to
act on behalf of the individual to pick up filled prescriptions,
medical supplies, x-rays, or other similar forms of protected health
information.
5.
A
provider may use or disclose protected health information to a
public or private entity authorized by law or by its charter to
assist with disaster relief efforts, for the purpose of coordinating
with such entities the use or disclosures permitted by (1) and (2),
above. The requirements of (3) and (4), above, apply to such uses
and disclosures to the extent the provider, in the exercise of
professional judgment, determines that those requirements do not
interfere with the ability to respond to the emergency
circumstances.
i.
General
Rule: A provider may use or disclose protected health information
without the authorization of the individual, or the opportunity for
the individual to agree or object, in various situations stated in
the privacy regulation.
ii.
The
situations permitted: Uses and Disclosures for which consent
authorization or opportunity to agree or object is not required
are:
1.
Uses
and disclosures required by law.
a.
A
provider may use or disclose protected health information to the
extent required by law and the use or disclosure complies with and
is limited to the relevant requirements of such law. In doing so,
the provider must meet the requirements of (3), (5), or (6)
below
2.
Use
and disclosure for public health activities
a.
A
provider may disclose protected health information for the public
health activities and purposes stated in the privacy regulation.
Those purposes include:
i.
A
public health authority that is authorized by law to collect or
receive such information for the purpose of preventing, controlling
disease, injury, or disability, including but not limited to, the
reporting of disease, injury, vital events such as birth or death,
and the conduct of public health surveillance, public health
investigations, and public health
interventions.
b.
A
public health authority or another appropriate government authority
authorized by law to receive reports of child abuse or neglect.
c.
A
person who may have been exposed to communicable disease or may
otherwise be at risk for contracting or spreading a disease or
condition, if the provider or public health authority is authorized
by law to notify such persons as necessary in the conduct of a
public health intervention or investigation.
d.
An
employer, about an individual who is a member of the workforce of
the employer for certain purposes and if certain conditions are met.
e.
A
person subject to the jurisdiction of the Food and Drug
Administration (FDA)
3.
Disclosures
about victims of abuse, neglect or domestic violence.
Except
for reports of child abuse or neglect permitted under (2)(b), above.
A provider may disclose protected health information about an
individual Whom the provider reasonably believes to be a victim of
abuse, neglect, or Domestic violence to a government authority,
including a social service or Protective services agency, authorized
by law to receive reports of such Abuse, neglect or domestic
violence
a.
To
the extent the disclosure is required by law and the disclose
complies with and is limited to the relevant requirements of such
law;
b.
If
the individual agrees to the disclosure; or,
c.
To
the extent the disclosure is expressly authorized by statute or
regulation and:
i.
The
provider, in the exercise of professional judgment, believes the
disclosure is necessary to prevent serious harm to the individual of
other potential victims; or,
ii.
If
the individual is unable to agree because of incapacity, a law
enforcement or other public official authorized to receive the
reports represents that the protected health information for which
disclose is sought is not intended to be used against the individual
and that an immediate enforcement activity that depends upon the
disclosure would be materially and adversely affected by waiting
until the individual is able to agree to the
disclosure.
d.
A
provider that makes a disclosure in these circumstances must
promptly inform the individual that such a report has been or will
be made, except:
i.
If
the provider, in the exercise of professional judgment, believes
that informing the individual would place the individual at risk of
serious harm; or,
ii.
The
provider would be informing a personal representative, and the
provider reasonably believes the personal representative is
responsible for the abuse, neglect, or other injury, and informing
such person would not be in the best interest of the individual as
determined by the provider, in the exercise of professional
judgment.
4.
Use
and disclosures for health oversight
activities
a.
A
provider may disclose protected health information to a health
oversight agency for oversight activities authorized by law,
including audits; civil, administrative, or criminal investigations,
inspections, licensure or disciplinary actions; civil,
administrative, or criminal proceedings or actions; or other
activities necessary for appropriate oversight of
b.
The
health care system
c.
Government
benefit programs for which health information is relevant to
eligibility;
d.
Entities
subject to government regulatory programs for which health
information is necessary for determining compliance with program
standards; or,
e.
Entities
subject to civil rights laws for which health information is
necessary for determining compliance
f.
For
purposes of such disclosures, a health oversight activity does not
include an investigation or other activity in which the individual
is the subject of the investigation or activity and such
investigation or other activity does not arise out of and is not
directly related to:
i.
The
receipt of health care;
ii.
A
claim for public benefits related to health,
or,
iii.
Qualification
for, or receipt of, public benefits or service when a patient’s
health is integral to the claim for public benefits of
services.
5.
Disclosures
for judicial and administrative proceedings
a.
A
provider may disclose protected health information in the course of
any judicial or administrative proceeding
b.
In
response to an order of a court or administrative tribunal, provided
that the provider discloses only the protected health information
authorized by such order; or,
c.
In
response to a subpoena, discovery request, or other lawful process
that is not accompanied by an order of a court or administrative
tribunal, if:
i.
The
provider receives satisfactory assurance for the party seeking the
information that reasonable efforts have been made by such party to
ensure that the individual who is the subject of the protected
health information that had been requested has been given notice of
the request; or,
ii.
The
provider receives satisfactory assurance from the party seeking the
information that reasonable efforts have been made by such part to
secure a “qualified protective order†that meets the requirements of
the privacy regulation.
d.
Not
withstanding (2), above, a provider may disclose protected health
information in response to such lawful process without receiving the
satisfactory assurances, if the provider makes reasonable efforts to
provide notice to the individual sufficient to meet the requirement
s of (2)(a) or (2)(b), above.
6.
Disclosures
for law enforcement purposes.
A
provider may disclose protected health information for a law
enforcement purpose to a law enforcement official if conditions
stated in the privacy regulations are met. Specific conditions are
stated for each of the following situations:
a.
Pursuant
to process and as otherwise required by law.
b.
Limited
information for identification and location
purposes.
c.
Victim
of a crime.
d.
Decedents.
e.
Crime
on premises.
f.
Reporting
crime in emergencies.
7.
Use
and disclosures about decedents
A
provider may disclose protected health
information:
a.
To
a coroner or medical examiner for the purpose of identifying a
deceased person, determining a cause of death, or other duties as
authorized by law. A provider that also performs the duties of a
coroner or medical examiner may use the protected heath information
for those same purposes.
b.
To
a funeral director consistent with applicable law, as necessary to
carry out their duties with respect to the decedent. If necessary
for funeral directors to carry out their duties, this disclosure may
occur prior to, and in reasonable anticipation of, the individual
death.
8.
Use
and disclosures for cadaver organ, eye and tissue donation
purposes
a.
A
provider may use or disclose protected health information to the
organ procurement organization or to her entities engaged in the
procurement, banding or transplantation of cadaver organs, eyes, or
tissues for the purpose of facilitating organ, eye, or tissue
donation and transplantation.
9.
Uses
and Disclosures for Research Purposes
a.
A
provider may use or disclose protected health information for
research provided various conditions stated in the privacy
regulations are met. These include that an Institutional Review
board or a Privacy Board has waived specific
authorization.
10. Uses
and Disclosures to Avert a Serious Threat to Health or
Safety
a.
A
provider may, consistent with applicable laws and standards of
ethical conduct, use or disclose protected health information, if
the provider, in good faith believes the use or
disclosure:
b.
Is
necessary to prevent or lessen a serious and imminent threat to the
safety of a person or the public and is to a person or persons
reasonably able to prevent or lessen the threat, including the
target of the threat; or,
c.
Is
necessary for law enforcement authorities to identify or apprehend
an individual
i.
With
certain expectations stated in the privacy regulation, because of a
statement by an individual admitting participation in a violent
crime that the provider reasonably believes may have caused serious
harm to the victim; or,
ii.
Where
it appears from all the circumstances that the individual has
escaped from a correctional institution or from lawful custody.
11. Uses
and Disclosures for Specialized government functions
a.
The
privacy regulations permit use and disclosure of protected health
information for certain military and veteran activities, national
security and intelligence activities, and protective services for
the President and others.
12. Disclosures
for worker’s compensation
a.
A
provider may disclose protected health information as authorized by
and to the extent necessary to comply with the laws relating to
workers compensation or other similar programs, established by law,
the provided benefits for work related injuries or illnesses without
regard to fault.
i.
De-identification
of Protected Health Information.
The
regulations address what is required to de-identify protected health
information so that is it is no longer individually identifiable
health information
ii.
Limited
Data Set
1.
A
covered entity may use or disclose a limited data set that meets the
requirements of the regulations if it enters into a “data use
agreement†with the recipient of the
information
2.
Limited
data set is protected health information that excludes the following
direct identifiers of the individual or of relatives, employers, or
household members of the individual:
a.
Names
b.
Postal
address information other than town or city, state and zip
code
c.
Telephone
numbers
d.
Fax
numbers
e.
E-mail
addresses
f.
Social
security numbers
g.
Medical
record numbers
h.
Health
plan beneficiary numbers
i.
Account
numbers
j.
Certificate/license
numbers
k.
Vehicle
identifiers and serial numbers, including license plate
numbers
l.
Device
identifiers and serial numbers
m.
URLs
n.
Internet
protocol (IP) address numbers
o.
Biometric
identifiers, including finger and voice prints
p.
Full
face photographic images and any comparable
images
3.
Permitted
purpose. A limited data set may be used or disclosed only for the
purposes of research, public health, or health care operations.
4.
Data
Use Agreement. The required data use agreement must contain all of
the provisions required for such an agreement by the privacy
regulations. Those provisions are similar, but not identical, to
what is required for a business associate
contract
iii.
Minimum
Necessary Requirements
1.
General
rule. With the exception of disclosures by a provider to another
