NOTICE OF PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOUR PATIENTS MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This Notice serves as a notice for Medical Practice Automation Associates, LLC (MPAA). We will follow the terms of this Notice and may share health information with each other for purposes of treatment, payment and health care operations as described in this Notice and as required under the Health Insurance Portability and Accountability Act of 1996.
OUR DUTIES REGARDING YOUR PATIENTS' HEALTH INFORMATION
We respect the confidentiality of your patients’ health information and recognize that information about your patients’ health is personal. We are committed to protecting your patients’ health information and to informing you of their rights regarding such information. We are also required by law to protect the privacy of your patients’ protected health information and to provide you with notice of these legal duties.
This Notice explains how, when and why we typically use and disclose health information and our privacy rights regarding your patients’ health information. In our Notice, we refer to our uses and disclosures of health information as our "Privacy Practices." Protected health information generally includes information that we create or receive that identifies your patients and their past, present or future health status or care or the provision of or payment for that health care. We are obligated to abide by these Privacy Practices as of the effective date listed above.
We may, however, change our Privacy Practices in the future and specifically reserve our right to change the terms of this Notice and our Privacy Practices. We will communicate any change in our Notice and Privacy Practices as described at the end of this Notice. Any changes that we make in our Privacy Practices will affect any protected health information that we maintain.
Generally, our Privacy Practices strive:
- To make sure that health information that identifies your patients is kept private;
- To give you this Notice of our Privacy Practices and legal duties with respect to protected health information;
- To follow the terms of the Notice that is currently in effect; and
- To make a good faith effort to obtain from you acknowledgement that you have received or been given an opportunity to receive this Notice.
MPAA is including HITECH Act provisions to its Notice as follows:
HITECH Notification Requirements
Under HITECH, MPAA is required to notify users whose patients’ PHI has been breached. Notification must occur by first class mail within 60 days of the event. A breach occurs when an unauthorized use or disclosure that compromises the privacy or security of PHI poses a significant risk for financial, reputational, or other harm to the individual. This notice must:
- Contain a brief description of what happened, including the date of the breach and the date of discovery;
- The steps the individual should take to protect themselves from potential harm resulting from the breach;
- A brief description of what MPAA is doing to investigate the breach, mitigate losses, and to protect against further breaches.
MPAA’s Business Associate Agreements have been amended to provide that all HIPAA security administrative safeguards, physical safeguards, technical safeguards and security policies, procedures, and documentation requirements apply directly to the business associate.
Access to E-Health Records
HITECH expands this right, giving individuals the right to access their own e-health record in an electronic format and to direct MPAA to send the e-health record directly to a third party. MPAA may only charge for labor costs under the new rules.
Accounting of E-Health Records for Treatment, Payment, and Health
MPAA does not currently have to provide an accounting of disclosures of PHI to carry out treatment, payment, and health care operations. However, starting January 1, 2014, the Act will require MPAA to provide an accounting of disclosures through an e-health record to carry out treatment, payment, and health care operations. This new accounting requirement is limited to disclosures within the three-year period prior to the individual’s request.
MPAA must either: (1) provide an individual with an accounting of such disclosures it made and all of its business associates disclosures; or (2) provide an individual with an accounting of the disclosures made by MPAA and a list of business associates, including their contact information, who will be responsible for providing an accounting of such disclosures upon request.
HOW WE MAY USE AND DISCLOSE HEALTH INFORMATION ABOUT YOUR PATIENTS
The MPAA technology is designed to facilitate referrals from one Healthcare Provider (and/or their staff) to another Healthcare Provider (and/or their staff). Under no circumstances will health information about your patients be shared with another Healthcare Provider (and/or their staff), unless it is in support of a referral that you have made and in that case, health information will only be shared with the healthcare providers that you designate. Those healthcare providers, in accordance with the HIPAA guidelines have the ability to share that information with their various staff members and/or designees. In addition, there are situations where the law permits or requires us to use and disclose your patients’ health information without your authorization. Such situations are described in this section of the Notice. Specifically, we may use and disclose your patients’ protected health information as follows:
For Permitted or Required by Law Activities.
There are situations where we may use and/or disclose your patients’ health information without first obtaining your written authorization for purposes other than for treatment or health care operations. Except for the specific situations where the law requires us to use and disclose information (such as reports of births to the health department or reports of abuse or neglect to social services), we have listed all these permitted uses and disclosures in this section.
- For Public Health Activities.We may use or disclose health information to a public health authority that is authorized by law to collect or receive information in order to report, among other things, communicable diseases and child abuse, or to the F.D.A. to report medical device or product related events. In certain limited situations, we may also disclose health information to notify a person exposed to a communicable disease.
- For Health Oversight Activities.We may disclose health information to a health oversight agency that includes, among others, an agency of the federal or state government that is authorized by law to monitor the health care system.
- For Law Enforcement Activities.We may disclose limited health information in response to law enforcement official’s request for information to identify or locate a victim, a suspect, a fugitive, a material witness or a missing person (including individuals who have died) or for reporting a crime that has occurred on our premises or that may have caused a need for emergency services.
- For Judicial and Administrative Proceedings.We may disclose health information in response to a subpoena or order of a court or administrative tribunal.
- To Coroners, Medical Examiners, and Funeral Directors.We may release health information to a coroner or medical examiner to identify a deceased person or to determine the cause of death.
- For Purposes of Organ Donation.We may disclose health information to an organ procurement organization or other facility that participates in the procurement, banking or transplantation of organs or tissues.
- For Purposes of Research.We may conduct and/or participate in medical, social, psychological and other types of research. Most research projects are subject to a special approval process to evaluate the proposed research project and its use of health information before we use or disclose health information. In certain circumstances, however, we may disclose health information to people preparing to conduct a research project to help them determine whether a research project can be carried out or will be useful, so long as the health information they review does not leave our premises.
- To Avoid Harm to a Person or for Public Safety.We may use and disclose health information if we believe that the disclosure is necessary to prevent or lessen a serious threat or harm to the public or the health or safety of another person.
- For Specialized Government Functions.We may use and disclose health information of certain military individuals, for specific governmental security needs, or as needed by correctional institutions.
- For Workers' Compensation Purposes.We may disclose your health information to comply with the workers’ compensation laws or other similar programs.
- For Appointment Reminders and to Inform You of Health Related Products or Services.We may use or disclose your health information to contact you for medical appointments or other scheduled services, or to provide you with information about treatment alternatives or other health-related products and services.
All Other Uses and Disclosures Require Your Prior Written Authorization.
For situations not generally described in our Notice, we will ask for your written authorization before we use or disclose your patients’ health information. You may revoke that authorization, in writing, at any time to stop future disclosures of your patients’ information. Information previously disclosed, however, will not be requested to be returned nor will your revocation affect any action that we have already taken. In addition, if we collected the information in connection with a research study, we are permitted to use and disclose that information to the extent it is necessary to protect the integrity of the research study.
YOUR PATIENTS' RIGHTS REGARDING THEIR HEALTH INFORMATION
This portion of our Notice describes your patients' individual privacy rights regarding their health information and how they may exercise those rights.
Requesting Restrictions of Certain Uses and Disclosures of Health Information.
You may request, in writing, a restriction on how we use or disclose your patients’ protected health information for treatment or for activities related to our health care operations. You may also request a restriction on what health information we may disclose to someone who is involved in your patients’ care, such as a family member or friend. To make a request to MPAA please contact us at email@example.com
We are not required to agree to your request. Additionally, any restriction that we may approve will not affect any use or disclosure that we are legally required or permitted to make under the law.
Requesting Confidential Communications.
You may request and receive reasonable changes in the manner or the location where we may contact your patients for appointment reminders, lab results or other related information. You must make your request in writing and specify the alternate method or location where your patients wish to be contacted. To make a request to MPAA please contact us at firstname.lastname@example.org
We will accommodate your reasonable request, but in determining whether your request is reasonable, we may consider the administrative difficulty it may impose on us.
Inspecting and Obtaining Copies of Your Patients’ Health Information.
You may ask to look at and obtain a copy of your patients’ health information. You must make your request in writing. To make a request to MPAA please contact us at email@example.com
We may charge a fee for copying or preparing a summary of requested health information. We will respond to your request for health information within 30 days of receiving your request unless your patients’ health information is not readily accessible.
As stated previously, HITECH expands this right, giving individuals the right to access their own e-health record in an electronic format and to direct MPAA to send the e-health record directly to a third party. MPAA may only charge for labor costs under electronic transfers of e-health records.
Requesting a Change in Your Health Information.
You may request, in writing, a change or addition to your patients’ health information. To make a request to MPAA please contact us at firstname.lastname@example.org. The law limits your ability to change or add to your patients’ health information. These limitations include whether we created or include the health information within our medical records or if we believe that the health information is accurate and complete without any changes. Under no circumstances will we erase or otherwise delete original documentation in your patients’ health information.
Requesting an Accounting of Disclosures of Your Patients’ Health Information.
You may ask, in writing, for an accounting of certain types of disclosures of your patients’ health information. The law excludes from an accounting many of the typical disclosures, such as those made to care for your patients or where you provided your written authorization to the disclosure.
To make a request for an accounting: for MPAA, please submit your request to the individual listed in the Contact Section of this Notice. Generally, we will respond to your request within 60 days of receiving your request unless we need additional time.
Obtaining a Notice of Our Privacy Practices.
We provide you with our Notice to explain and inform you of our Privacy Practices, and this Notice is available on the MPAA website. Even if you have requested this Notice electronically, you may request a paper copy at any time.
CHANGES TO THIS NOTICE
We reserve the right to change this Notice concerning our Privacy Practices affecting all the health information that we now maintain, as well as information that we may receive in the future. We will provide you with the revised Notice by making it available to you upon request and by posting it at our service sites. We will also post the revised Notice on our website.
We welcome an opportunity to address any concerns that you may have regarding the privacy of your patients’ health information. If you believe that the privacy of your patients’ health information has been violated, you may file a complaint with the individual(s) listed in this Notice. You also may file a complaint with the Secretary of the U.S. Department of Health and Human Services.
YOU WILL NOT BE PENALIZED OR RETALIATED AGAINST FOR FILING A COMPLAINT