THIS NOTICE DESCRIBES HOW YOUR PROTECTED HEALTH INFORMATION MAY BE USED AND DISCLOSED. PLEASE REVIEW IT CAREFULLY.
OUR LEGAL DUTY:
GRIFFEY EYE CARE is required to comply with all applicable federal and state laws to maintain the privacy of your Protected Health Information (‘PHI’). PHI is defined as “any individually identifiable health information that relates to any physical or mental health or that can otherwise be used to identify the individual”.
GRIFFEY EYE CARE is also required to provide you with this notice about our privacy practices, our legal obligations, and your rights concerning your PHI. This notice is effective [DATE, YEAR] and is subject to any amendments enacted by the governing statutes. Periodic amendments may also be made in order to clarify certain language of the applicable laws and statutes. We may tell you about any changes to our notice through a newsletter, patient portal, website or a letter.
You may request a copy of this notice (or any subsequent revision of this notice) at any time, even if you agreed to get this Notice by electronic means, you still have the right to ask for a paper copy. For more information about our privacy practices, or for additional copies of this notice, please contact us using the information listed at the end of this notice.
Uses and Disclosures of Protected Health Information:
GRIFFEY EYE CARE may use and disclose your PHI to (1) facilitate your medical treatment, (2) obtain payment from your health insurance company for medical services, and (3) industry standard health care operations. Such use and disclosure of your PHI is considered under HIPAA as “permissible use”. Any and all “permissible use” of your PHI will be made within “minimum necessary” limitations, and only to facilitate specific activity directly relative to treatment, payment and / or operations.
Following are examples of permissible use of your PHI.
Treatment: GRIFFEY EYE CARE may use and disclose your PHI to provide, coordinate, or manage your health care and any related services as recommended by your medical provider. This includes the coordination or management of your health care with a third party or other physicians who may currently be involved with your medical care or whom it may be determined by your medical condition to be required with your medical care for the purposes of diagnosis and treatment (i.e. specialist, laboratory, hospital, or other facility). If you receive services through Telemedicine, we will also collect information as part of the services or information provided during the audio and/or video teleconference encounter itself, and to the extent applicable, through other telephonic communications. We may also collect information from the electronic medical record system (if applicable) of your selected provider in order to facilitate the provision of services.
Payment: GRIFFEY EYE CARE may use and disclose your PHI to obtain payment for your health care services. This may include providing copies of the pertinent medical record to your health insurance plan in order to determine eligibility and benefits, obtain pre-authorization on your behalf for recommended medical services, review of medical services provided to you to confirm medical necessity, and other health plan utilization review activities. For example, obtaining approval for a hospital admission may require that your relevant PHI be disclosed to the health plan to obtain approval for the hospital admission.
Health Care Operations: GRIFFEY EYE CARE may use and disclose your PHI in order to facilitate industry standard business and operational activities. These activities include, but are not limited to, daily clinic operations relative to scheduling, appointment reminders, assembly and maintenance of your medical record, and inter-departmental coordination of your medical care. For example, we may use a sign-in sheet at the registration desk where you will be asked to sign your name, call you by name in the waiting room when your doctor is ready to see you, or contact you by telephone or mail to ensure necessary continuum of care or other related activities.
Sharing your PHI with you. GRIFFEY EYE CARE must give you access to your own PHI. GRIFFEY EYE CARE, including our affiliates and/or vendors, may call or text you by using an automatic telephone dialing system and/or an artificial voice. The calls/texts may be about appointment reminders, appointment confirmations, treatment options, health-related benefits and services and to gather feedback regarding your experience. If you do not want to be contacted by phone or text, just let the caller know and we will add you to our Do Not Call list. We will then no longer call or text you. However, if you initiate communications using e-mail, we will assume (unless you have explicitly stated otherwise) that e-mail communications are acceptable to you. Communications via email over the internet are not secure. Although it is unlikely, there is a possibility information included in an email can be intercepted and read by other parties besides the person to whom it is addressed. You understand you must take reasonable steps to protect the unauthorized use of electronic communications by others, and the GRIFFEY EYE CARE is not responsible for breaches of confidentiality caused by you or an independent third party.
GRIFFEY EYE CARE may share your PHI with third party “business associates” that perform certain activities (i.e. billing, transcription services) for the company. Whenever an arrangement between our office and a business associates involves “permissible use” of your PHI, your PHI is protected by a Business Associate Agreement that contains terms that will protect your PHI.
Uses and Disclosures Based On Your Written Authorization: Any other uses and disclosures of your PHI will be made only with your written authorization, unless otherwise permitted or required by law as described below.
You may give us written authorization to use your PHI or to disclose it to anyone for any purpose. Your written authorization may be revoked in writing at any time. Your revocation will not affect any use or disclosure permitted by your authorization while it was in effect. Without your written authorization, we will not disclose your health care information except as described in this notice.
Health information that has been properly de-identified is not protected by the HIPAA Privacy Rule and may be used for research and other statistical purposes.
Others Involved in Your Health Care: Unless you object, we may disclose to a member of your family, a relative, a close friend, or any other person you identify as an emergency contact, your PHI that directly relates to that person’s involvement in your health care. If you are unable to agree or object to such a disclosure, we may disclose such information as necessary if we determine that it is in your best interest based on our professional judgment. We may use or disclose PHI to notify or assist in notifying a family member, personal representative, or any other person that is responsible for your care of your location, general condition, or death.
Uses and Disclosures Required by Law:
Research; Death; Organ Donation: Your (de-identified) PHI may be used or disclosed for research purposes in limited circumstances. Your PHI may be disclosed to a coroner, protected health examiner, funeral director, or organ procurement organization under specific circumstances.
Public Health and Safety: Your PHI may be disclosed to the extent necessary to avert a serious and imminent threat to your personal health or safety, or the public health or safety of others. Your PHI may be disclosed to a government health agency authorized to oversee the health care system or government programs or its contractors, and to public health authorities for public health purposes.
Health Oversight: Your PHI may be disclosed to a health oversight agency for activities authorized by law, such as audits, investigations, and inspections. Oversight agencies seeking this information include government agencies that oversee the health care system, government benefit programs, other government regulatory programs and civil rights laws.
Abuse or Neglect: Your PHI may be disclosed to a public health authority that is authorized by law to receive reports of abuse, neglect, or domestic violence to the governmental entity or agency authorized to receive such information. In this case, the disclosure will be made consistent with the requirements of applicable federal and state laws.
Food and Drug Administration: Your PHI may be disclosed to a person or company required by the Food and Drug Administration to report adverse events, product defects or problems, biologic product deviations; to track products to enable product recalls; to make repairs or replacements; or to conduct post marketing surveillance, as required.
Criminal Activity: Consistent with applicable state and federal laws, your PHI may be disclosed, if we believe that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. We may also disclose PHI if it is necessary for law enforcement authorities to identify or apprehend an individual.
Required by Law: Your PHI may be disclosed when we are required to do so by law. For example, we must disclose your PHI to the U.S Department of Health and Human Services upon request for purposes of determining whether we are in compliance with privacy laws. We may disclose your PHI when authorized by Workers’ Compensation or other similar laws.
Process and Proceedings: Your PHI may be disclosed to legally authorized law enforcement officials in response to a court or administrative order, subpoena, discovery request or other lawful process, under certain circumstances. GRIFFEY EYE CARE may disclose PHI of an inmate or other person in lawful custody to a law enforcement official or correctional institution under certain circumstances. We may disclose PHI where necessary to assist law enforcement officials to capture an individual who has admitted to participation in a crime or who has escaped from lawful custody.
Accreditation Organizations: Disclosure to accreditation organizations for quality purposes. Any accreditation organizations would be considered a Business Associate and would enter into an agreement with us to maintain confidentiality and protect the privacy of your PHI.
Disaster Relief: To respond to a disaster relief organization inquiry that seeks your PHI to coordinate your care or notify family or friends of your location or condition in a disaster.
USES AND DISCLOSURES OF PHI THAT REQUIRE YOUR AUTHORIZATION
The following uses and disclosures of your PHI will be made only with your written authorization:
• Uses and disclosures of PHI for marketing purposes; and
• Use and disclose genetic information of you or your dependents for underwriting purposes.
For certain kinds of PHI, federal and state law may require enhanced privacy protection and we can only disclose such information with your written permission except when specifically permitted or required by law. This includes PHI that is:
• Maintained in psychotherapy notes and mental health notes.
• About alcohol and drug abuse prevention, treatment and referral.
• About HIV/AIDS testing, diagnosis or treatment.
• About venereal and/or communicable diseases(s).
• About genetic testing.
You may revoke your authorization at any time by submitting a written revocation to our Privacy Officer and we will no longer disclose PHI under the authorization. But disclosure that we made in reliance on your authorization before you revoked it will not be affected by the revocation.
Your Rights Regarding Your PHI
You have the following rights, subject to certain limitations, regarding your PHI:
• Inspect and obtain a copy of your PHI that is included in paper or electronic records we maintain. If the PHI is not readily producible in the form or format you request your record will be provided in a readable hard copy form.
• Request restrictions in how the PHI we use or disclose about you for treatment, payment, or health care operations. We are not required by law to agree to your request. If we do agree with your request, we will comply unless the information is needed to provide emergency treatment. To request restrictions, you must make your request in writing to the Privacy Officer. Your request must state the specific restriction requested, whether you want to limit our use and/or disclosure; and to whom you want the restriction to apply. Further, we will honor your request, to the extent permitted by law, not to disclose information to us, an insurer or a third party about a medical visit, service or prescription for which you pay the full amount out of your pocket at the time of service.
• Request an accounting of disclosures we have made of your PHI. To request this list or accounting of disclosures, you must submit your request in writing to the Privacy Officer. We will provide you with the date on which we made the disclosure, the name of the person or entity to which we disclosed your PHI, a description of the PHI we disclosed, the reason for the disclosure, and certain other information. If you request this list more than once in a 12-month period, we may charge you a reasonable, cost-based fee for responding to these additional requests.
• Request confidential communications whereby we communicate with you only in certain ways to preserve your privacy. For example, you may request that we contact you by mail at a specific address or call you only at your work number. You must make any such request in writing and you must specify how or where we are to contact you.
• Receive notice of a breach in the event of a breach of any of your PHI.
• Request an amendment of your PHI that you believe is incorrect or incomplete. You have the right to request an amendment for as long as the information is kept by or for us. A request for amendment must be made in writing to the Privacy Officer at the address provided below and it must tell us the reason for your request. In certain cases, we may deny your request for an amendment and will inform you of the reason for the decision within 60 days.
Website Privacy: Any personal information you provide us with via our website, including your e-mail address, will never be sold or shared with any third party without your express permission. If you provide us with any personal contact information in order to receive anything from us, we may collect and store that personal data. We do not automatically collect your personal e-mail address simply because you visit our site. In some instances, we may partner with a third party to provide services such as newsletters, surveys to improve our services, health or company updates, and in such case, we may need to provide your contact information to said third parties. This information, however, will only be provided to these third-party partners specifically for these communications, and the third party will not use your information for any other reason. While we may track the volume of visitors on specific pages of our website and download information from specific pages, these numbers are used in aggregate and without any personal information. This demographic information may be shared with our partners, but it is not linked to any personal information that can identify you or any visitor to our site.
Questions and Complaints:
If you want more information about our privacy practices or if you have questions or concerns, please contact GRIFFEY EYE CARE’s HIPAA Privacy Officer indicated below.
If you believe that we may have violated your privacy rights, or you disagree with a decision we made about access to your PHI or in response to a request you made, please submit your concerns in writing to the GRIFFEY EYE CARE HIPAA Privacy Officer indicated below. You also may submit your concerns to the U.S Department of Health and Human Services upon request.
We support your right to protect the privacy of your PHI. We will not retaliate in any way if you choose to file a complaint with us or with the U.S Department of Health and Human Services.
HIPAA Privacy Officer:
Attention: Privacy Officer
Office: 1360 East Venice Avenue, Venice, FL 34285
Email: [email protected]
You may also contact the Secretary of the U.S. Department of Health and Human Services if you believe your privacy rights have been violated. Your complaint can be sent by email, fax, or mail to the Office of Civil Rights. U.S. Dept. of Health, OCR, 200 Independence Avenue SW, Washington, D.C., 20201. For more information, see their website at: http: www.hhs.gov/ocr/privacy/hipaa/complaints/.
No action will be taken against you for filing a complaint.