NOTICE OF PRIVACY PRACTICE
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Regulations issued under Federal law known as the Health Insurance Portability and Accountability Act of 1996, (“HIPAA”), which became effective on April 14, 2002, require covered entities to provide notice of the uses and disclosures of protected health information, and of the individual’s rights with respect to protected health information. We are required by law to maintain the privacy of Protected Health Information (PHI), to provide individuals with notice of its legal duties and privacy practices with respect to PHI and to notify affected individuals following a breach of unsecured PHI.
- At FOCUS Bariatrics we are committed to treating and using your protected health information responsibly. Each time you visit FOCUS Bariatrics a record, usually referred to as a “medical record” of your visit is made. The medical record is completed to document your evaluation, diagnosis and treatment. The information in the medical record serves many useful purposes. It is a valuable tool to the physician that assists the physician to provide care to the patient.
New York State law requires a physician to maintain a medical record for each patient which accurately reflects the evaluation and treatment of a patient. Unless otherwise provided by law, medical records must be retained for at least six years. Obstetrical records and records of minor patients must be retained at least six years, and until the minor patient reaches the age of nineteen.
“Treatment” means “The provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another”.
As an example of treatment, information obtained by a physician or other member of the health care team at FOCUS Bariatrics will be recorded and used as a tool to help determine the course of medical treatment for the patient. The medical record will document the evaluation, diagnosis and treatment the patient has received, the manner the patient has responded to treatment and the doctor’s medical observations and plan of care. When planning the patient’s course of treatment, we will often review the medical record and use it as a reference to evaluate the patient’s health or condition.
At the patient’s request, we will make copies of your records or various reports contained in the record available to subsequent treating physicians or health care professionals who may use the medical records as a reference in the patient’s treatment.
“Payment” includes activities that must be undertaken by a health care professional to obtain reimbursement for the provision of health care. Payment also includes programs maintained by health payors involving review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges. Payment may also include programs maintained by health payors involving utilization review, including pre-certification and pre-authorization services, concurrent and retrospective review of services.
As an example, prior to providing services to an HMO patient, we may be required by the HMO to provide medical information about the patient to determine whether the HMO will pay for the proposed treatment. If we bill for the services that were provided to the patient, the HMO may require information about the treatment before making payment.
“Health care operations” includes various types of activities, including, but not limited to:
- Quality assessment and quality improvement activities;
- Review of the competence and qualifications of health care professionals;
- Conducting or arranging for medical review, legal services and auditing functions;
- Business planning;
- Business management and administration.
An example of health care operations is quality assessment and improvement activities. We may review information contained in the medical record as part of our ongoing effort to improve the quality and effectiveness of the services that we provide.
Consent As used under the HIPAA Privacy Regulations, the term “consent” refers to obtaining an individual’s consent prior to using or disclosing protected health information for treatment,
payment or health care operations.
The Final HIPAA regulations were modified in August 2002 so that a covered entity is not required to obtain an individual’s consent prior to using or disclosing protected health information for activities involving treatment, payment or health care operations.
Although the HIPAA Privacy Rule does not require consent, state law may require the patient’s general consent to disclose health information to parties outside of (Name of Medical Practice) for treatment, payment or health care operations. For example, even prior to the Federal HIPAA Privacy regulations, we have obtained the patient’s general consent to submit information to health care payors for payment purposes.
Authorization The term “Authorization” under the HIPAA Privacy regulations is used to refer to obtaining an individual’s authorization for uses and disclosures of protected health information not otherwise permitted or required by the HIPAA Privacy regulation. Specifically, except for psychotherapy notes, covered entities are not required to obtain an individual’s authorization to use or disclose protected health information for treatment, payment or health care operations.
As an example, an authorization is required prior to the use or disclosure of protected health information for marketing purposes. “Marketing” means “to make a communication about a product or service that encourages a recipient to purchase or use the product or service”. However, “marketing” does not include communications by a doctor to an individual about treatment. For example, if a doctor sends a reminder to a patient regarding a scheduled test, the doctor is engaging in a “treatment” communication and does not need the patient’s authorization to use the patient’s protected health information to send the patient the reminder.
Uses and disclosures for which consent or authorization is not required
HIPAA provides exceptions where protected health information may be used or disclosed without consent or authorization. Generally;
- We may use or disclose protected health information to the extent that the use or disclosure is required by law;
- We may use or disclose protected health information to a legally authorized public health authority involving activities such as:
- to prevent or control disease;
- to report births or deaths;
- to report suspected child abuse or neglect;
- to report with respect to food or product defects or problems;
- to track products if required by the Food and Drug Administration;
- to enable product recalls, repairs or replacement;
- to notify a person who may have been exposed to a communicable disease or who
may have been exposed or may otherwise be at risk of contracting or spreading a disease;
- to report abuse, neglect or domestic violence to a government entity if required by law or the individual agrees with the disclosure.
- Health Oversight Activities – We may report information to a health oversight agency for health oversight activities authorized by law, including audits, administrative or licensure. Health oversight activities include oversight of (i) the health care system; (ii) Government benefit programs for which health information is relevant to determine beneficiary eligibility; (iii) Government regulatory programs for which health information is necessary for determining compliance with standards; or (iv) entities subject to civil rights laws for which health information is necessary for determining compliance.
- Judicial and Administrative Proceedings - We may use or disclose protected health information:
- in response to a court order or order of an administrative tribunal;
- in response to a subpoena that is not accompanied by an order of a court or administrative tribunal, but only of the party seeking the information has provided satisfactory assurance that reasonable efforts have been made to ensure that the individual who is the subject of the protected health information has been given notice or that reasonable efforts have been made to secure a protective order.
- Law Enforcement – We may use or disclose protected health information:
- As may be required by law such as laws requiring the reporting of every gun shot wound and wounds by knives or other sharp or pointed objects which may result in death;
- A court ordered warrant, subpoena or warrant issued by a judicial officer;
- A grand jury subpoena;
- In response to a law enforcement official’s request we may disclose certain information for the purpose of identifying or locating a suspect, fugitive, material witness or missing person;
- In response to a law enforcement official’s request we may disclose information regarding an individual who is believed to be a victim of a crime. Generally, disclosure will not be made without the individual’s agreement. A disclosure may be made without the individual’s agreement if the information will not be used against the victim and the law enforcement official represents that immediate disclosure would be materially and adversely affected by waiting for the individual’s agreement;
- We may disclose information about an individual who has died in order to alert law enforcement of the death if it is believed criminal conduct was involved;
- We may disclose protected health information if we in good faith believe that the protected health information is evidence of criminal conduct that occurred on our premises.
- Coroners and Medical Examiners. We may use or disclose protected health information to a coroner or medical examiner for the purpose of identifying a deceased person, determining cause of death, or other duties authorized by law.
- Funeral Directors. We may use or disclose protected health information to funeral directors, consistent with law, as necessary to carry out their duties with respect to the decedent.
- Cadaveric organ, eye or tissue donation. We may use or disclose protected health information to organ procurement organizations to facilitate organ, eye or tissue donation and transplantation.
- Serious and Imminent Threat to Health or Safety. We may consistent with the applicable law and medical ethics, use or disclose protected health information if we in good faith believe the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public and the person(s) receiving the information is (are) reasonably able to prevent or lessen the threat.
- National Security and Intelligence Activities. We may use or disclose protected health information to authorized federal officials for intelligence, counter intelligence and other national security activities authorized by Federal law.
- We may use or disclose protected health information to authorized federal officials for the provision of protective services for the President or other officials or to foreign heads of state, as authorized under Federal law.
- Inmates. We may use or disclose protected health information to a correctional
institution or a law enforcement official having lawful custody of an inmate if the institution or official represents that the information is necessary for: (A) the provision of health care to the inmate; (B) the health and safety of the inmate or others; (C) the health and safety of the officers, employees or others at the institution; (D) the health and safety of persons responsible for transporting inmates; (E) Law enforcement on the premises of the correctional institution and (F) purposes of safety, security and good order of the correctional institution.
- Workers’ Compensation. We may use or disclose protected health information as authorized by and to the extent necessary to comply with laws relating to Workers Compensation;
- Military and Veteran Activities. We may use or disclose protected health information of individuals who are Armed Forces personnel for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission.
- To an employer – We may use or disclose protected health information to your employer if we provide health care to you at the request of your employer for the purpose of disclosing protected health information to your employer concerning work related injuries or illness, or workplace medical surveillance in situations where the employer has a duty to keep records on or act on such information under the Occupational Safety and Health Act (OSHA) and similar laws. In such case we will give you written notice at the time health care is provided that the protected health information relating to the medical surveillance or work related injury or illness will be disclosed to your employer.
Other uses and disclosures that do not involve treatment, payment or health care operations, and which do not involve any of the exceptions listed above in which HIPAA does not require consent or authorization, will be made only with your written authorization. You may revoke the authorization at any time provided the authorization is in writing, except to the extent that we have already taken action in reliance of your authorization.
HIV Related Information – New York law, Article 27-F of the Public Health law and regulations of the New York State Department of Health provide protection to the confidentiality of HIV Related Information. A summary of HIV/AIDS Testing, Reporting and Confidentiality of HIV Related Information is found on the website of the New York State Department of Health at http://www.health.state.ny.us/nysdoh/rfa/hiv/full63.htm.
We may contact you to provide appointment reminders or information about treatment alternatives or other health related benefits and services that may be of interest to you.
We may disclose to your family members, other relatives, close personal friends, or any other person that you identify the protected health information directly related to such person’s involvement with your health care or payment related to your care. We may use or disclose protected health information to notify, or assist in the notification of (including identifying or locating) a family member, a person responsible for your care concerning your location, general condition, or death.
If you are present and have the capacity to make your own decision, we may disclose protected health information only (1) if we have your agreement to disclose to the third parties involved in your care, (2) we have provided you an opportunity to object and there is no objection; or (3) we reasonably infer under the circumstances, based on the exercise of reasonable judgment, that there is no objection to disclosure.
If you are not present or when the opportunity to agree or object to the use or disclosure cannot practicably be provided due to your incapacity or an emergency circumstance, we may, in the exercise of professional judgment, determine whether the disclosure is in your best interests and if so disclose only the protected health information that is directly relevant to the person’s involvement with your care.
1) Right to request restriction of uses and disclosures.
- You may request that we restrict uses or disclosures of protected health information of protected health information to carry out treatment, payment and health care operations;
- The right to request restrictions to disclosures extends to the right to request restrictions to disclosures to persons involved in the patient’s care, such as next of kin other family
members or friends;
- We are not required to agree to the requested restriction; except in case of a disclosure restricted under 164.522 (a) (1) (VII) which provides that a covered entity must agree to the restriction of an individual to restrict disclosure of PHI about the individual to a health plan if: (a) the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law and (b) the PHI pertain solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the covered entity in full.
2) Right to request access to protected health information.
- You have a right of access to inspect and obtain a copy of patient information;
- The right of access is not absolute. The HIPAA Privacy Regulations provide numerous exceptions to your right of access. Among these exceptions include the following which HIPAA states are unreviewable grounds for denial:
- Psychotherapy notes – “psychotherapy notes” means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the medical record;
- Information complied in reasonable anticipation of, or for use in a civil, criminal or administrative action or proceeding;
- Information held by a clinical laboratory subject to the Clinical Laboratory Improvement Amendment of 1988 (CLIA) if CLIA prohibits such access. CLIA states that clinical laboratories may provide clinical laboratory test records and reports only to “authorized persons” as defined primarily by state law.
- Protected health information regarding a prison inmate if the inmate’s obtaining a copy of the information would jeopardize the health, safety, security, custody, or rehabilitation of the individual or of other inmates, or the safety of any officer, employee, or other person at the correctional institution or responsible for transporting the inmate;
- Research – A covered entity may deny an individual access to protected health information obtained by a provider in the course of research that includes treatment of research participants while the research is in progress, provided that the individual had agreed to the denial of access when the individual consented to participate in the research;
- Privacy Act – Protected health information contained in records covered under the Federal Privacy Act if denial is permitted under the Privacy Act. [This exception applies only to certain federal agencies and health care practices that are contractors to federal agencies covered under the Privacy Act.].
- An individual’s access may be denied if the protected health information was obtained from someone other than a health care provider under a promise of
confidentiality and the access requested would be reasonably likely to reveal the source of the information.
- HIPAA also provides the following reviewable grounds for denial:
- In our professional judgment, we believe that the access requested is reasonably
likely to endanger the life or physical safety of the requesting individual or another person;
- The protected health information makes reference to another person (unless such other person is a health care provider) and in our professional judgment we believe that the access requested is likely to cause substantial harm to the individual or another person;
- The request for access is made by the individual’s personal representative and in the exercise of professional judgment we believe that the provision of access to the personal representative is reasonably likely to cause substantial harm to the individual or another person.
- If we deny access on the basis of a reviewable ground, you have the right to have the denial reviewed by a licensed health professional that we designate as a reviewing official and who did not participate in the original decision to deny.
- HIPAA provides that we may charge a cost based fee for copies of your protected health information.
- New York Public Health law section 17 and 18 also provide patients and certain representatives of patients access to medical records. Summaries of section 17 and 18 are available by contacting the New York State Department of Health or a medical society. In some respects Public Health Law section 18 provides the individual greater rights of access than the HIPAA regulations and in other respects it provides more restricted rights than HIPAA. Generally, Public Health Law section 17 and 18 is more restrictive regarding the fees that a health car professional may charge for copies of medical records. Generally, section 17 and 18 permit the health care professional to charge a reasonable fee not to exceed 75 cents per page. A reasonable fee not exceeding the costs of copying may be imposed for x-rays and other records that cannot be photocopied. You are entitled to an original mammogram. We may retain a copy of the mammogram for our records but we may not charge you for the costs of copying the mammogram. Public Health Law section 18 further provides that the health care professional may not deny access to records if you cannot afford to pay the copying charge.
3) Amendment of Protected Health Information
- You may request an amendment to the protected health information;
- We may deny your request for an amendment if we determine that the protected health information:
- was not create by this medical practice, unless you provide reasonable basis to believe that the originator of the protected health information is no longer available to act on the requested amendment;
is not part of your medical records or billing records;
- is not available for inspection as set forth above under exceptions to the right of access;
- is accurate and complete.
- If we agree to make the amendment we will add or append information to the medical record. We are not required to delete any information in the original records;
- If we deny a request for an amendment, you will be permitted to submit a written statement disagreeing with the denial. We may reasonably limit the length of a statement of disagreement, and we may prepare a written rebuttal to the statement of disagreement.
4) Accounting of Disclosures of Protected Health Information.
- You have a right to receive an accounting of disclosures of protected health information made by this medical practice for the six years prior to the date of the request, except you do not have the right to an accounting of disclosures:
- to carry out treatment, payment or health care operations;
- made to you;
- to persons involved in your care or other notification purposes (see General Practices);
- pursuant to your authorization;
- for national security or intelligence purposes as provided by law;
- to correctional institutions or law enforcement officials as provided by law;
- that occurred prior to April 14, 2003.
Duties of FOCUS Bariatrics:
FOCUS Bariatrics is required by law to maintain the privacy of protected health information and to provide individuals with notice of its legal duties and privacy practices with respect to protected health information.
We are required to abide by the terms of the notice currently in effect.
FOCUS Bariatrics maintains a web site and is therefore required by law to make this Notice of Privacy Practice available through its web site which is located at http://www.FOCUSbariatrics.com/
We reserve the right to change the terms of this notice and to make new notice provisions effective for all protected health information. If the notice is revised, the revised notice will be available upon request at this office and will be available on FOCUS Bariatrics’ website.
QUESTIONS AND COMPLAINTS
You also may submit a written complaint to the Department of Health and Human Services (HHS). We will provide you with the HHS address upon request.
We support your right to the privacy of your health information. We will not retaliate in any way if you choose to file a complaint with us or with the HHS.