I. THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
In April 2003 a federal law was passed that changed the way all health care providers store, maintain, use and disclose client/patient information. The notice that you are about to read is required under the new law, and explains the impact of that law on your records. Please be aware that the ethical standards of psychology are often a HIGHER standard of confidentiality than the new law dictates. However, it is important to understand the law before you begin treatment.
II. IT IS MY LEGAL DUTY TO SAFEGUARD YOUR PROTECTED HEALTH INFORMATION (PHI) and ELECTRONIC forms of PHI (EPHI):
By law I am required to ensure that your PHI is kept private in both written and electronic (EPHI) form. The PHI constitutes information created or noted by me that can be used to identify you. It contains data about your past, present, or future health or condition; provision of health care services to you; and the payment for such health care. I am required to provide you with this Notice about my privacy procedures for both written and electronic forms of your PHI. This Notice must explain when, why, and how I would use and/or disclose your PHI. PHI is used when I share, apply, utilize, examine, or analyze information within my practice; PHI is disclosed when I release, transfer, give, or otherwise reveal it to a third party outside my practice. With some exceptions, I will not use or disclose more of your PHI than is necessary to accomplish the purpose for which the use or disclosure is made; however, I am always legally required to follow the privacy practices described in this Notice.
Please note that I reserve the right to change the terms of this Notice and my privacy policies at any time. Any changes will apply to PHI already on file with me. Before I make any important changes to my policies, I will immediately change this Notice and inform my patients. You may also request a copy of this Notice from me.
III. HOW MAY I USE AND DISCLOSE YOUR PHI
I may use and disclose your PHI for many different reasons. Some of the uses or disclosures will require your prior written authorization; others, however, will not. Below you will find the different categories of my uses and disclosures, with some examples.
Although the law allows these disclosures, I will attempt to gain your verbal and written consent for any release of PHI or EPHI, as dictated by my ethical code of conduct. Your confidentiality and sense of safety in treatment are of utmost importance to me.
A. Uses and Disclosures Related to Treatment, Payment, or Health Care Operations That Do Not Require Your Prior Written Consent.
According to HIPAA law, I may use and disclose your PHI without your consent, unless otherwise required by law, for the following reasons:
- For treatment. I may disclose your PHI to physicians, psychiatrists, psychologists, and other licensed health care providers who provide you with health care services or are otherwise involved in your care. Example: If a psychiatrist is treating you, I may disclose your PHI to her/him in order to coordinate your care.
- For health care operations. I may disclose your PHI to facilitate the efficient and correct operation of my practice. For example: Quality control: I might use your PHI in the evaluation of the quality of health care services that you have received or to evaluate the performance of the health care professionals who provided you with these services. I may also provide your PHI to my attorneys, accountants, consultants, and others to make sure that I am in compliance with applicable laws.
- To obtain payment for treatment. I may use and disclose your PHI to bill and collect payment for the treatment and services I provided you. This disclosure may involve electronic transmission of your PHI or EPHI. Example: I might send your PHI to your insurance company or health plan in order to get payment for the health care services that I have provided to you. I could also provide your PHI to business associates, such as billing companies, claims processing companies, and others that process health care claims for my office.
- Other disclosures. For Example: Your consent isn’t required if you need emergency treatment, provided that I attempt to get your consent after treatment is rendered. In the event that I try to get your consent but you are unable to communicate with me (for example, if you are unconscious or in severe pain), but I believe that you would consent to such treatment otherwise, then I may disclose your PHI.
B. Certain Other Uses and Disclosures That Do Not Require Your Consent. I may use and/or disclose your PHI without your consent or authorization for the following reasons:
- When disclosure is required by federal, state, or local law; judicial, board, or administrative proceedings; or law enforcement. For Example: I may make a disclosure to the appropriate officials when a law requires me to report information to government agencies, law enforcement personnel, and/or in an administrative proceeding.
- If disclosure is compelled by a party to a proceeding before a court of administrative agency pursuant to its lawful authority.
- If disclosure is required by a search warrant lawfully issued to a governmental law enforcement agency.
- If disclosure is compelled by the patient or the patient’s representative pursuant to California Health and Safety Codes or to corresponding federal statutes of regulations, such as the Privacy Rule that requires this Notice.
- To avoid harm. I may provide PHI to law enforcement personnel or persons able to prevent or mitigate a serious threat to the health or safety of a person or the public.
- If disclosure is compelled or permitted by the fact that you are in such mental or emotional condition as to be dangerous to yourself or the person or property of others, and if I determine that disclosure is necessary to prevent the threatened danger.
- If disclosure is mandated by the California Child Abuse and Neglect Reporting law. For example, if I have a reasonable suspicion of child abuse or neglect.
- If disclosure is mandated by the California Elder/Dependent Adult Abuse Reporting law. For example, if I have a reasonable suspicion of elder abuse or dependent adult abuse.
- If disclosure is compelled or permitted by the fact that you tell me of a serious/imminent threat of physical violence by you against a reasonably identifiable victim or victims.
- For public health activities. For Example: In the event of your death, if a disclosure is permitted or compelled, I may need to give the county coroner information about you.
- For health oversight activities. For Example: I may be required to provide information to assist the government in the course of an investigation or inspection of a health care organization or provider.
- For specific government functions. For Example: I may disclose PHI of military personnel and veterans under certain circumstances. Also, I may disclose PHI in the interests of national security, such as protecting the President of the United States or assisting with intelligence operations.
- For research purposes. In certain circumstances, I may provide PHI in order to conduct medical research.
- For Workers’ Compensation purposes. I may provide PHI in order to comply with Workers’ Compensation laws.
- Appointment reminders and health related benefits or services. For Example: I may use PHI to provide appointment reminders. I may also use PHI to give you information about alternative treatment options, or other health-related benefits/services that may be of interest to you.
- If an arbitrator or arbitration panel compels disclosure, when arbitration is lawfully requested by either party, pursuant to subpoena duces tecum (e.g., a subpoena for mental health records) or any other provision authorizing disclosure in a proceeding before an arbitrator or arbitration panel.
- If disclosure is required or permitted to a health oversight agency for oversight activities authorized by law. For example: When compelled by U.S. Secretary of Health and Human Services to investigate or assess my compliance with HIPAA regulations.
- If disclosure is otherwise specifically required by law.
C. Certain Uses and Disclosures Require You to Have the Opportunity to Object:
Disclosures to family, friends, or others. I may provide your PHI to a family member, friend, or other individual who you indicate is involved in your care or responsible for the payment for your health care, unless you object in whole.
D. Other Uses and Disclosures Require Your Prior Written Authorization.
In any other situation not described in Sections IIIA, IIIB, and IIIC above, I will request your written authorization before using or disclosing any of your PHI. Even if you have signed an authorization to disclose your PHI, you may later revoke that authorization, in writing, to stop any future uses and disclosures (assuming that I haven’t taken any action subsequent to the original authorization) of your PHI by me.
IV. WHAT RIGHTS YOU HAVE REGARDING YOUR PHI
- The Right to See and Get Copies of Your PHI/EPHI. In general, you have the right to see your PHI that is in my possession, or to get copies of it; however, you must request it in writing. If I do not have your PHI, but I know who does, I will advise you how you can get it. You will receive a response from me within 30 days of my receiving your written request. Under certain circumstances, I may feel I must deny your request, but if I do, I will give you, in writing, the reasons for the denial. I will also explain your right to have my denial reviewed. If you ask for copies of your PHI, I will charge you not more than $.25 per page. I may see fit to provide you with a summary or explanation of the PHI, but only if you agree to it, as well as to the cost, in advance.
- The Right to Request Limits on Uses and Disclosures of Your PHI. You have the right to ask that I limit how I use and disclose your PHI. While I will consider your request, I am not legally bound to agree. If I do agree to your request, I will put those limits in writing and abide by them except in emergency situations. You do not have the right to limit the uses and disclosures that I am legally required or permitted to make.
- The Right to Choose How I Send Your PHI to You. It is your right to ask that your PHI be sent to you at an alternate address (for example, sending information to your work address rather than your home address) or by an alternate method (for example, via email instead of by regular mail). I am obliged to agree to your request providing that I can give you the PHI/EPHI, in the format you requested, without undue inconvenience.
- The Right to Get a List of the Disclosures I Have Made. You are entitled to a list of disclosures of your PHI that I have made. The list will not include uses or disclosures to which you have already consented, i.e., those for treatment, payment, or health care operations, sent directly to you, or to your family; neither will the list include disclosures made for national security purposes, to corrections or law enforcement personnel, or disclosures made before April 15, 2003. After April 15, 2003, disclosure records will be held for six years. I will respond to your request for an accounting of disclosures within 60 days of receiving your request. The list I give you will include disclosures made in the previous six years (the first six year period being 2003-2009) unless you indicate a shorter period. The list will include the date of the disclosure, to whom PHI was disclosed (including their address, if known), a description of the information disclosed, and the reason for the disclosure. I will provide the list to you at no cost, unless you make more than one request in the same year, in which case I will charge you a reasonable sum based on a set fee for each additional request.
- The Right to Amend Your PHI. If you believe that there is some error in your PHI or that important information has been omitted, it is your right to request that I correct the existing information or add the missing information. Your request and the reason for the request must be made in writing. You will receive a response within 60 days of my receipt of your request. I may deny your request, in writing, if I find that: the PHI is (a) correct and complete, (b) forbidden to be disclosed, (c) not part of my records, or (d) written by someone other than me. My denial must be in writing and must state the reasons for the denial. It must also explain your right to file a written statement objecting to the denial. If you do not file a written objection, you still have the right to ask that your request and my denial be attached to any future disclosures of your PHI. If I approve your request, I will make the change(s) to your PHI. Additionally, I will tell you that the changes have been made, and I will advise all others who need to know of change(s) to your PHI.
- The Right to Get This Notice by Email. You have the right to get this notice by email. You have the right to request a paper copy of it, as well.
V. KNOW THE SECURITY STANDARDS OF YOUR PHI AND EPHI:
- Risk Analysis: As a sole practitioner, I do not have employees, but I do have a billing service handling your private health information (PHI). They handle all health care claims (Worker compensation claims), health care payments from insurance carriers, and insurance authorizations for psychological services in a confidential manner. There is little risk that your PHI will be erroneously provided to non-essential parties. In the case of an accidental disclosure, I would request that the recipient shred any confidential information upon receipt.
- Administrative Standards: As a sole practitioner, I have ensured that no one is allowed to access my file cabinet of patient records without my explicit request (in case of emergency), without a key to my office doors (e.g., one exterior and one interior lock). The only persons allowed into the office cabinet areas are other professional practitioners, who are bound by the same ethical and legal standards as I am.
- Physical Standards: As a sole practitioner, I share an office suite with other psychologists and licensed therapists, who are held to the same ethical/legal standards. The only personnel who have been given the security code to enter the building and who have a key to enter the building are the cleaning service. There are two locks between the front door and my office, where a file cabinet contains all patient PHI/EPHI.
- Technical Standards: As a sole practitioner, I have hand-written all my intake and assessment information on patients. My computer is only accessible with a password known by me. My computer is also protected by anti-virus software with a firewall to ensure that information cannot be extracted without my knowledge. As of 01/01/12, HIPAA law requires electronic billing for insurance claims. My billing service is mandated to safely transmit your EPHI. Additionally, patients are identified by patient’s first name and last initial only. I only utilize fax machines with a paper-to-paper transmission or utilize an encrypted email program (SEND INC). On my cover page I have an explicit statement about confidentiality and I follow up with a telephone call to ensure receipt of faxed information. If a fax was erroneously made, I have requested that the recipient shred the information immediately.
VI. HOW TO COMPLAIN ABOUT MY PRIVACY PRACTICE
If, in your opinion, I may have violated your privacy rights, or if you object to a decision I made about access to your PHI, you are entitled to file a complaint. You may also send a written complaint to the Secretary of the Department of Health and Human Services at 1200 Independence Avenue, Washington, D.C. 20201.
If you file a complaint about my privacy practices, I will take no retaliatory action against you.
I acknowledge receipt of this HIPAA notice about Privacy and Security conditions.