PATIENT RECORDS PRIVACY POLICIES
I value your privacy in our work together. As such, in connection with the Health Insurance Portability and Accountability Act, I have implemented the following privacy policies:
Use and Disclosure of PHI
Protected Health Information (“PHI”) may not be used or disclosed in violation of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule (45 C.F.R. parts 160 and 164) (hereinafter, the “Privacy Rule”) or in violation of state law.
I am permitted, but not mandated, under the Privacy Rule to use and disclose PHI without patient consent or authorization in limited circumstances. However, state or federal law may supercede, limit, or prohibit these uses and disclosures.
Under the Privacy Rule, these permitted uses and disclosures include those made:
- To the patient
- For treatment, payment, or health care operations purposes, or
- As authorized by the patient.
Additional permitted uses and disclosures include those related to or made pursuant to:
- Reporting on victims of domestic violence or abuse, as required by law
- Court orders
- Workers’ compensation laws
- Serious threats to health or safety
- Government oversight (including disclosures to a public health authority, coroner or medical examiner, military or veterans’ affairs agencies, an agency for national security purposes, law enforcement)
- Health research
- Marketing or fundraising.
I do not use or disclose PHI in ways that would be in violation of the Privacy Rule or state law. I use and disclose PHI as permitted by the Privacy Rule and in accordance with state or other law. In using or disclosing PHI, I meet the Privacy Rule’s “minimum necessary requirement,” as appropriate.
Use and Disclosure of PHI—Minimum Necessary Requirement
When using, disclosing or requesting PHI, I make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. I recognize that the requirement also applies to covered entities that request my patients’ records and require that such entities meet the standard, as required by law.
The minimum necessary requirement does not apply to disclosures for treatment purposes or when I share information with a patient. The requirement does not apply for uses and disclosures when patient authorization is given. It does not apply for uses and disclosures as required by law or to uses and disclosures that are required for compliance with the Privacy Rule.
Use and Disclosure of PHI—Psychotherapy Notes Authorization
I abide by the Psychotherapy Notes authorization requirement of the Privacy Rule, unless otherwise required by law. In addition, authorization is not required in the following circumstances--
- For my use for treatment
- For use or disclosure in supervised training programs where trainees learn to practice counseling
- To defend myself in a legal action brought by the patient, who is the subject of the PHI
- For purposes of HHS in determining my compliance with the Privacy Rule
- By a health oversight agency for a lawful purpose related to oversight of my practice
- ·To a coroner or medical examiner
- In instances of permissible disclosure related to a serious or imminent threat to the health or safety of a person or the public.
I recognize that a patient may revoke an authorization at any time in writing, except to the extent that I have, or another entity has, taken action in reliance on the authorization.
As required under the Privacy Rule, and in accordance with state law, I provide notice to patients of the uses and disclosures that may be made regarding their PHI and my duties and patient rights with respect to notice. I make a good faith effort to obtain written acknowledgment that my patient receives this notice.
Patient Rights—Restrictions and Confidential Communications
The Privacy Rule permits patients to request restrictions on the use and disclosure of PHI for treatment, payment, and health care operations, or to family members. While I am not required to agree to such restrictions, I will attempt to accommodate a reasonable request. Once I have agreed to a restriction, I may not violate the restriction; however, restricted PHI may be provided to another health care provider in an emergency treatment situation.
A restriction is not effective to prevent uses and disclosures when a patient requests access to his or her records or requests an accounting of disclosures. A restriction is not effective for any uses and disclosures authorized by the patient, or for any required or permitted uses recognized by law.
The Privacy Rule also permits patients to request receiving communications from me through alternative means or at alternative locations. As required by the Privacy Rule, I will accommodate all reasonable requests.
Patient Rights—Access to and Amendment of Records
In accordance with state law, the Privacy Rule, and other federal law, patients have access to and may obtain a copy of the medical and billing records that I maintain. Patients are also permitted to amend their records in accordance with such law.
Patient Rights—Accounting of Disclosures
I provide my patients with an accounting of disclosures upon request, for disclosures made up to six years prior to the date of the request. While I may, I do not have to provide an accounting for disclosures made for treatment, payment, or health care operations purposes, or pursuant to patient authorization. I also do not have to provide an accounting for disclosures made for national security purposes, to correctional institutions or law enforcement officers, or that occurred prior to April 14, 2003.
I rely on certain persons or other entities, who or which are not my employees, to provide services on my behalf. These persons or entities may include accountants, lawyers, billing services, and collection agencies. Where these persons or entities perform services, which require the disclosure of individually identifiable health information, they are considered under the Privacy Rule to be my business associates.
I enter into a written agreement with each of my business associates to obtain satisfactory assurance that the business associate will safeguard the privacy of the PHI of my patients. I rely on my business associate to abide by the contract but will take reasonable steps to remedy any breaches of the agreement that I become aware of.
Administrative Requirement—Privacy Officer
I am the designated Privacy Officer, who is responsible for the development and implementation of the policies and procedures to protect PHI, in accordance with the requirements of the Privacy Rule. As the contact person for my practice, the privacy officer receives complaints and fulfills obligations as set out in notice to patients.
As required by the Privacy Rule, I am trained on policies and procedures to protect PHI.
To protect the privacy of the PHI of my patients, I have in place appropriate administrative, technical, and physical safeguards, in accordance with the Privacy Rule.
The privacy of my patients’ PHI is critically important for my relationship with my patients and for my practice. If you believe your privacy rights have been violated, you may contact me in writing at Roy Jerome, Living Wellness Center, 201 Eastern Parkway, Suite 1A, Brooklyn, NY, 11238. You also have the right to file a complaint with the Department of Health and Human Services at 200 Independence Avenue, S.W., 20201. You will not be penalized for filing a complaint.
I mitigate, to the extent possible, any harmful effect that I become knowledgeable of regarding my use or disclosure, or my business associate’s use or disclosure, of PHI in violation of policies and procedures or the requirements of the Privacy Rule.
Administrative Requirement—Retaliatory Action and Waiver of Rights
I believe that patients should have the right to exercise their rights under the Privacy Rule. I do not take retaliatory action against a patient for exercising his or her rights or for bringing a complaint. Of course, I will take legal action to protect myself, if I believe that a patient undertakes an activity in bad faith.
I will not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against a patient for exercising a right, filing a complaint or participating in any other allowable process under the Privacy Rule.
I will not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against a patient or other person for filing an HHS compliance complaint, testifying, assisting, or participating in a compliance review, proceeding, or hearing, under the Administrative Simplification provisions of HIPAA.
I will not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against a patient or other person for opposing any act or practice made unlawful under the Privacy Rule, provided that the patient or other person has a “good faith belief” that the practice is unlawful and the manner of opposition is reasonable and does not involve disclosure of PHI.
I will not require a patient to waive his or her rights provided by the Privacy Rule or his or her right to file an HHS compliance complaint as a condition of receiving treatment.
Administrative Requirement—Policies and Procedures
To ensure that I am in compliance with the Privacy Rule, I have implemented policies and procedures to ensure compliance with the privacy rule.
I meet applicable state laws and the Privacy Rule’s requirements regarding documentation.