DERMATOLOGIC SURGERY OF CENTRAL VIRGINIA
902 E. Jefferson Street, Suite 201
Charlottesville, Virginia 22902
NOTICE OF PRIVACY PRACTICES
Effective Date: September 1, 2013
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This Notice is being provided to you as a requirement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). It describes how, when and why we may use and/or disclose protected health information (“PHI”) about you. It also describes your rights to access and control of your PHI. “PHI” means any recorded or oral information about you, including demographic data, that may identify you or that can be used to identify you, that is created or received by the DERMATOLOGIC SURGERY OF CENTRAL VIRGINIA(“the Practice”) and that relates to your past, present or future physical or mental health or condition, the provision of health care to you, or the past, present or future payment for the provision of health care to you.
OUR PLEDGE REGARDING MEDICAL INFORMATION:
We understand that PHI about you is personal and confidential. We are committed to protecting the privacy of PHI. This Notice applies to all of the PHI generated or received by the Practice. It also applies to all employees of the Practice who may have access to or are required to use your PHI for any of the purposes described in this Notice, as well as persons having a business associate agreement with the Practice.
WE ARE REQUIRED BY LAW TO:
- make sure that your PHI is kept confidential;
- give you this Notice of our privacy practices with respect to PHI about you;
- abide by the terms of the Notice, as currently in effect; and
- notify you in the event that there is a breach of your unsecured PHI.
I.USES AND DISCLOSURES OF PHI
The following describes ways that we are permitted by HIPAA to use and disclose your PHI. For each category we will explain what we mean and give some examples. Not every use or disclosure is listed and the examples are not exhaustive. This explanation is provided for your general information only. Disclosure of your PHI for the purposes described in this Notice may be made in writing, orally, or electronically, by facsimile or by any other means.
A.TREATMENT, PAYMENT AND HEALTH CARE OPERATIONS
For Treatment. We may use and disclose PHI about you to provide, coordinate, or manage your treatment and related services. This includes the coordination or management of your health care with a third party for treatment purposes. We may disclose PHI about you to doctors, nurses, technicians, counselors, medical students, or other personnel who are involved in taking care of you. For example, we may disclose your PHI to any health care provider who has referred you to us for treatment. We may also disclose PHI about you for treatment activities of other health care providers. For example, if your family doctor has determined that you need to be seen by the Practice, we may send him a report of our diagnostic findings and our plan of treatment to assist him in providing you with care.
For Payment. We may use and disclose PHI about you so that the treatment and services you receive at the Practice may be billed to, and payment may be collected from you, an insurance Center or other third party. For example, we may need to give your health plan information about treatment you received so your health plan will pay us or reimburse you for that treatment. We may also tell your health plan about a treatment you are going to receive in order to obtain prior approval or to determine whether your plan will cover the treatment. We may also disclose PHI to another provider involved in your care for the other provider’s payment activities. This might include disclosures of demographic information to laboratory or x-ray providers for payment of their services.
For Health Care Operations. We may use and disclose PHI about you for our own operations. These uses and disclosures are necessary to run the Practice and provide quality care to patients. For example, we may use PHI to review our treatment and services and to evaluate the performance of our staff in caring for you. We may combine PHI about many of our patients to decide what additional services we should offer, what services are not needed, and whether certain new treatments are effective. We may also disclose information to the Practice personnel for training programs. We may combine the PHI we have with PHI from other providers to compare how we are doing and see where we can make improvements in the care and services we offer. We may sometimes remove information that identifies you from this set of PHI so others may use it to study health care and health care delivery without learning who the specific patients are. We may also provide your PHI to our accountants, attorneys, consultants and others in order to operate the Practice and to make sure we are complying with the laws that affect us.
We may also disclose PHI to another covered entity for certain health care operations of that entity, if the entity either has or had a relationship with you, such as a treatment relationship, and if the PHI pertains to such relationship. Such disclosure is limited to certain activities of the other entity, including quality assessment and related activities, protocol development, care coordination, contacting health care providers and patients with information about treatment alternatives, and reviewing the competency and qualifications of health care professionals.
We may use or disclose your PHI in order for third party “business associates” to perform various activities involving treatment, payment or operations on behalf of our Center. However, whenever our arrangement between the Practice and a business associate involves the use or disclosure of your PHI, we will have a written contract, as and when required by law that contains terms to protect the privacy of your PHI.
B.USES AND DISCLOSURES BEYOND TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS PERMITTED WITHOUT AUTHORIZATION OR OPPORTUNITY TO OBJECT
Federal privacy rules allow us to use or disclosure your PHI without your permission or authorization for a number of reasons including the following:
Treatment Alternatives. We may use and disclose PHI about you to tell you about or recommend possible treatment options or alternatives that may be of interest to you.
Health-Related Benefits and Services. We may use and disclose PHI about you to tell you about health-related benefits or services that may be of interest to you.
Appointment and Patient Recall Reminders. We may use and disclose PHI about you to contact you as a reminder you have an appointment or that you are due to receive periodic care. This contact may be by phone, in writing, automated appointment system, e-mail, or otherwise and may involve leaving an email, message over an answering machine or which could (potentially) be received or intercepted by others.
As Required by Law. We may disclose PHI about you when required to do so by, and if we limit the disclosure as required by, federal, state or local law.
To Avert a Serious Threat to Health or Safety. We may use and disclose limited PHI about you when we believe it is necessary to prevent a serious threat to your health or safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.
Eye, Organ and Tissue Donation. If you are an organ donor, we may disclose PHI about you to organizations that handle eye organ or tissue transplantation or to an organ donation bank, as necessary to facilitate organ or tissue donation and transplantation.
Military and Veterans. If you are a member of the armed forces, we may disclose PHI about you as required by military command authorities in certain situations. We may also disclose PHI about foreign military personnel to the appropriate foreign military authority.
Worker’s Compensation. We may disclose PHI about you for workers’ compensation or similar programs as required by law. These programs provide benefits for work-related injuries or illness without regard to fault.
Public Health Activities. We may disclose PHI about you to a public health authority for public health activities. These activities generally include the following:
- to prevent, control, or report disease, injury or disability;
- to report vital events such as births and deaths;
- to report child abuse or neglect;
- to report reactions to medications or problems with products, track FDA regulated products, enable product recalls, repairs or replacements and to conduct post marketing surveillance;
- to notify people of recalls of products they may be using;
- to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition.
Schools. We may disclose PHI about you (or your child) to a school if you (or your child) are a student or a prospective student, and:
(i) the PHI is limited to proof of immunization;
(ii) the school is required by law to have proof of such immunization prior to admission; and
(iii) we obtain and document your agreement to the disclosure.
Emergency Situations. We may disclose PHI about you to an organization assisting in a disaster relief effort or in an emergency situation so that your family or others can be notified about your general condition and location or death.
Victims of Abuse, Neglect and Domestic Violence. We may use and disclose PHI about you to notify the appropriate government authorities if we believe you have been a victim of abuse, neglect or domestic violence, but we will only make this disclosure; (i) if you agree; (ii) when required by law; or (iii) when authorized by law and certain other conditions are met.
Health Oversight Activities. We may disclose PHI to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections and licensure. These activities are necessary for the government to monitor the health care system, government programs and compliance with civil rights laws and other activities necessary for oversight of the health care system, government benefit payments and entities subject to government regulation. This does not include disclosure for investigations or other activities in which you are a subject of the investigation and which do not arise out of the receipt of health care, a claim for public health benefits or the qualification for receipt of public health benefits or services.
Lawsuits and Administrative Proceedings. We may disclose PHI about you in response to a court or administrative order. We may also disclose PHI pursuant to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made by the party requesting the information to tell you about the request or to obtain an order protecting the information requested. We may also use such information to defend ourselves or any personnel of the Practice in any actual or threatened action.
Law Enforcement Purposes. We may disclose PHI if asked to do so by a law enforcement official:
- In response to a court order, subpoena, warrant, summons, grand jury subpoenas or similar process;
- To identify or locate a suspect, fugitive, material witness, or a missing person;
- About the victim of a crime if the individual agrees and, under certain limited circumstances, where we are unable obtain the person’s agreement;
- About a death we believe may be the result of criminal conduct;
- About criminal conduct at the Practice;
- In emergency circumstances to report a crime, the location of the crime or victims, or the identity, description or location of the person who committed the crime; or
- About certain types of wound or physical injuries as required by law.
Victims of a Crime: We may disclose your PHI if asked by a law enforcement official, if (i) you are suspected to be a victim of a crime, (ii) you agree to the disclosure or (iii) we are unable to obtain your agreement because of incapacity or other emergency circumstances. However, the law enforcement official must represent that the information is needed to determine whether a violation of law by a person other than you has occurred, and the information is not intended to be used against you, that immediate law enforcement activity depends on the disclosure and would be materially and adversely affected by waiting until you are able to agree, and we determine that the disclosure is in your best interest in the exercise of professional judgment.
Coroners, Medical Examiners and Funeral Directors. We may disclose PHI to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death or for the coroner or medical examiner to perform other duties authorized by law. We may also disclose PHI about patients of the Practice to funeral directors as necessary to carry out their duties.
National Security and Intelligence Activities. We may disclose PHI about you to authorized federal officials so they may conduct intelligence, counter-intelligence and other activities authorized by the National Security Act.
Protective Services for the President and Others. We may disclosure PHI about you to authorized federal officials so they may provide protection to the President, other authorized persons or foreign heads of state or conduct special investigations.
Inmates. If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may disclose PHI about you to the correctional institution or law enforcement official. This disclosure may be necessary (i) for the institution to provide you with health care; (ii) to protect your health and safety or the health and safety of others; or (iii) for the safety and security of the correctional institution.
Research. Under certain circumstances, we may use and disclose PHI about you for research purposes regarding medications, efficiency of treatment protocols and the like. All research projects are subject to an approval process, which evaluates a proposed research project and its use of PHI. Before we use or disclose PHI for research, the project will have been approved through this research approval process by an Institutional Review Board (“IRB”) or a Privacy Board. We will obtain an Authorization from you before using or disclosing your individually PHI unless the authorization requirement has been altered or waived by the IRB or Privacy Board. If reasonably possible, we may make the information non-identifiable to a specific patient. If the information has been sufficiently de-identified, an Authorization for the use or disclosure is not required. If we obtain certain representations from the researcher, we may use and disclose PHI about you for the researcher to prepare protocols preparatory to research.
Incidental Disclosures. We may use and disclose PHI about you incident to otherwise permitted or required uses and disclosures. For example, we may ask you to sign a sign-in sheet when you arrive for an appointment at the Practice as an incident to the treatment process.
To the Secretary of the Department of Health and Human Services. We are required to disclose PHI about you when requested by the Secretary of the Department of Health and Human Services in order to investigate or determine our compliance with HIPAA.
C.USES AND DISCLOSURES PERMITTED WITHOUT AUTHORIZATION BUT WITH YOUR OPPORTUNITY TO OBJECT.
Disclosures to Family, Friends or Others Involved in Your Case. We may disclose your PHI to your family members, to a close personal friend or other person that you identify if it is directly relevant to the person’s involvement in your care or payment related to your care. We may also disclose PHI concerning your location, condition or death in connection with trying to locate or notify family members or others involved in your care. Generally, we will obtain your verbal agreement before using or disclosing PHI in this way. However, under certain circumstances, such as in an emergency situation, we may make these uses and disclosures without your express agreement if we feel, in the exercise of professional judgment, that it is in your best interest.
Objection to Disclosures. You may object to these disclosures by indicating the names and relationship of individuals that you do not want to receive your medical information on the “Acknowledgement of Receipt of Notice of Privacy Practices” form. If you are present and do not object to these disclosures, or if you are present and we can infer from the circumstances that you do not object, or if you are not present or able to object and we determine, in the exercise of our professional judgment, that it is in your best interests for us to make disclosure of information that is directly relevant to the person’s involvement with your care, we may disclose your PHI for such purpose.
D.USES AND DISCLOSURES WHICH YOU MAY AUTHORIZE
1.Psychotherapy Notes. We must obtain a valid authorization from you for any use or disclosure of psychotherapy notes, unless such use or disclosure is: (i) necessary to carry out treatment, payment or health care operations; or (ii) otherwise required by law.
2.Marketing. We must obtain a valid authorization from you for any use or disclosure of your PHI for marketing purposes unless the marketing communication is in the form of a face-to-face communication; is a promotional gift of nominal value; or is a refill reminder or other communication regarding a drug or biological currently being prescribed.
3.Sale of PHI. We must obtain a valid authorization from you for any use or disclosure of your PHI which results in a sale of your PHI for which the Practice receives financial remuneration.
Other uses and disclosures of PHI not described in this Notice or in the laws that apply to us will be made only with your written authorization. If you provide us with a written authorization to use or disclose PHI about you, you may revoke that authorization, in writing, at any time to the extent that we haven’t already taken any action relying on the authorization. If you revoke your authorization, we will no longer disclose PHI about you pursuant to that revoked authorization. You understand that we are unable to take back any disclosures we have already made with your authorization, and that we are required to retain our records of the care that we provided you.
This Section Describes Your Rights And The Obligations Of The Practice Regarding The Use And Disclosure Of Your PHI.
You have the following rights regarding PHI we maintain about you:
Right to Inspect and Copy. You have the right to inspect and copy your PHI that is contained in a “designated record set.” A “designated record set” contains medical and billing records and any other records that the Practice uses for making decisions about your care. This does not include information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and PHI that is subject to a law that prohibits access to PHI or information which your doctor identifies as potentially harmful to you or others if it is released.
To inspect and copy PHI in your designated record set, you must submit your request in writing to our Privacy Officer, as identified on the last page of this Notice. If you request a copy of the information, we may charge a cost-based fee for the costs of copying, mailing or other supplies (tapes, diskettes, etc.) associated with your request. We will respond to you within 15 days after receiving your written request.
We may deny your request to inspect or copy, in certain limited circumstances. If you are denied access to your PHI because a physician has determined it may be dangerous to you or another person, you may request that the denial be reviewed. Another licensed health care professional chosen by the Practice will review your request and the denial. The person conducting the review will not have participated in the first decision to deny your request. In the alternative, you may choose another provider to review the material at your expense. We will comply with the outcome of that review.
Right to Amend. If you feel that the PHI in your designated record set is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept by the Practice.
To request an amendment, your request must be made in writing and submitted to the Practice’s Privacy and Security Officer, as identified on the last page of this Notice. In addition, you must provide:
- the reasons for the request;
- a description of the problem – how the information is incorrect or incomplete;
- a description of the administrative information to be corrected; and/or medical information to be amended including the source if known, date and provider of service;
- the specific wording to make the entry correct/complete;
- identification of person(s) who need to be advised of the amendment, including contact information and authorization to advise them if necessary.
The request must be dated and signed by you. We will act on your request within 60 days of receiving your request. If we are unable to act on the request within the 60-day period, we may extend the time for action by no more than 30 days by providing you, within the initial 60 days, with a written statement of the reasons for the delay and the date by which we will complete our action on your request.
We may deny your request for an amendment if it is not made in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend information that:
- Was not created by us, unless the person or entity that created the information is no longer available to make the amendment;
- Is not part of the designated record set kept by or for the Practice;
- Is not part of the information which you would be permitted to inspect or copy; or
- Is accurate and complete.
Our written denial will state the reasons for the denial and explain your right to file a written statement of disagreement with the denial. If you don’t file one, you have the right to ask that your request and our denial be attached to all future disclosures of your PHI. If we approve your request, we will make the change to your PHI, tell you we have done it, and tell others whom you identify and authorize us to tell that need to know about the change to your PHI.
Right to an Accounting of Disclosures. You have the right to request an accounting of certain disclosures of your PHI. This right applies to disclosures for purposes other than treatment, payment or health care operations as described in this Notice. We are also not required to account for disclosures made to you, disclosures that you agreed to by signing an authorization, disclosures for a facility directory, to friends or family members involved in your care, incidental disclosures, or certain other disclosures we are permitted to make without your authorization.
To request this accounting of disclosures, you must submit your request in writing to our Privacy Officer, as identified on the last page of this Notice. Your request must state a time period, which may not be longer than six years and may not include dates before April 14, 2003. Your request should indicate in what form you want the list (for example, on paper or electronically). The first list you request within a 12-month period will be free. For additional lists, we may charge you for the costs involved and you may choose to withdraw or modify your request at that time, before any costs are incurred. We will respond within 60 days of receiving your request. If we are unable to respond within the 60 day period, we may extend the period for up to an additional 30 days if we send you a written statement of the reasons for the delay within the initial 60 day period. In certain situations we are required by HIPAA to temporarily suspend your right to receive an accounting of disclosures.
Right to Request Restrictions. You have the right to request a restriction or limitation on the PHI we use or disclose about you for treatment, payment or health care operations. You also have the right to request a limit on the PHI we disclose about you to someone who is involved in your care, like a family member or friend or for notification purposes. For example, you could ask that we not use or disclose information about a particular treatment that you had.
We are not required to agree to your request, except for disclosures to a health plan which would have been made in the course of carrying out the Practice’s payment or healthcare operations, and pertain solely to a healthcare item or service for which the Practice has been paid out-of-pocket in full. If we do agree, we will comply with your request unless the information is needed to provide you emergency treatment or unless the information is required to be disclosed by law. It is your obligation and not the Practice’s, to notify downstream health care providers of this restriction on the disclosure of PHI.
To request such restrictions, you must make your request in writing to our Privacy Officer, as identified on the last page of this Notice. In your request, you must tell us (i) what information you want to limit; (ii) whether you want to limit our use, disclosure or both; and (iii) to whom you want the limits to apply, for example, disclosures to your spouse or children.
We may terminate our agreement to a restriction, except for a restriction relating to disclosures to a health plan which would have been made in the course of carrying out the Practice’s payment or healthcare operations, and pertain solely to a healthcare item or service for which the Practice has been paid out-of-pocket in full, if:
- you agree to or request the termination in writing;
- you orally agree to the termination and the oral agreement is documented; or
- we inform you that we are terminating the agreement, except that such termination is only effective with respect to protected health information created or received after we have so informed you.
Right to Request Alternative Communications. You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we only contact you at work or by mail, that we not leave voice mail or email, or the like.
To request confidential communications, you must make your request in writing to our Privacy Officer, as identified on the last page of this Notice. We will not ask you the reason for your request. We will accommodate all reasonable requests as long as we can easily provide it in the format you requested. Your request must specify how or where you wish to be contacted.
Right to a Paper Copy of this Notice. You have the right to a paper copy of this Notice. You may ask us to give you a copy of this Notice at any time. Even if you have agreed to receive this Notice electronically, you are still entitled to a paper copy of this Notice. You may also view a copy of this Notice on our web site.
The Right To Get This Notice by E-mail. You have the right to get a copy of this Notice by e-mail. Even if you have agreed to receive this Notice via e-mail, you also have the right to request a paper copy of this Notice. To obtain a paper copy of this Notice contact our Privacy and Security Officer, as identified on the last page of this Notice.
III.CHANGES TO THIS NOTICE
We reserve the right to change this Notice at any time. We reserve the right to make the revised or changed Notice effective for protected health information that we already have about you as well as any such information we receive in the future. We will post a copy of the current Notice in the administrative area at the Practice. The Notice will contain on the first page, in the top right-hand corner, and at the end of the Notice, the effective date. In addition, each time you register at, or are admitted to, the Practice for treatment or health care services, you may request a copy of the current Notice in effect. You may also receive a copy of the current Notice by emailing us at https://dermsurgcv.com/
If you believe your privacy rights have been violated, you may file a complaint with the Practice or the Office for Civil Rights, U.S. Department of Health and Human Services. There will be no retaliation for filing a complaint with either our Privacy and Security Officer or the Office for Civil Rights. The address for the OCR is below:
Office for Civil Rights
U.S. Department of Health and Human Services
200 Independence Avenue, SW
Room 509F, HHH Building
Washington, DC 20201
To file a complaint with us, please contact our HIPAA Privacy and Security Officer at the address and telephone number noted below. All complaints must be submitted in writing.
NOTICE: You will not be retaliated against or penalized by us for filing a complaint.
V.PRIVACY AND SECURITY OFFICER
The Practice’s Privacy and Security Officer for all issues regarding your rights under HIPAA is the Practice’s Privacy and Security Officer. Information regarding matters covered by this Notice can be requested by contacting our Privacy and Security Officer, Brandy Martin, at:
Privacy and Security Officer
Dermatologic Surgery Of Central Virginia
902 E. Jefferson Street, Suite 201
Charlottesville, Virginia 22902
The Privacy and Security Officer may be contacted by telephone at 434-979-7700.