HIPAA Notice of Privacy Practices
OUR PLEDGE REGARDING PROTECTED HEALTH INFORMATION
This notice outlines your protected health information, how it may be used, and what your rights are. Please review carefully and ask any questions before signing. Questions about this notice can be directed to Marley Nutrition and Fitness Business Owner (email@example.com) or MNF Care Coordinator/Billing Administrator (firstname.lastname@example.org).
We, Marley Nutrition and Fitness, understand that protected health information about you and your health is personal. We are committed to protecting health information about you. This Notice applies to all of the records of your care generated by Marley Nutrition and Fitness, whether made by Marley Nutrition and Fitness personnel or your personal doctor or other health care provider. This Notice will tell you about the ways in which we may use and disclose protected health information about you. We also describe your rights and certain obligations we have regarding the use and disclosure of protected health information.
The law requires us to:
Make sure that protected health information that identifies you is kept private
Notify you about how we protect protected health information about you
Explain how, when, and why we use and disclose protected health information
Follow the terms of the Notice that is currently in effect
We are required to follow the procedures in this Notice. We reserve the right to change the terms of this Notice and to make new notice provisions effective for all protected health information that we maintain by:
Posting the revised Notice in our office
Making copies of the revised Notice available upon request
Posting the revised Notice on our website
HOW WE MAY USE AND DISCLOSE PROTECTED HEALTH INFORMATION ABOUT YOU
The following categories describe different ways that we use and disclose protected health information without your written authorization.
For Treatment: We may use protected health information about you to provide you with, coordinate or manage your medical treatment or services. We may disclose protected health information about you to doctors, nurses, technicians, medical students, or other personnel who are involved in taking care of you. Marley Nutrition and Fitness staff may also share protected health information about you in order to coordinate the different things you need, such as prescriptions, lab work, and x-rays. We also may disclose protected health information about you to people outside Marley Nutrition and Fitness’s office who may be involved in your medical care. We may use and disclose protected health information to contact you as a reminder that you have an appointment for treatment or medical care at Marley Nutrition and Fitness. We may use and disclose protected health information to tell you about or recommend possible treatment options or alternatives or health-related benefits or services.
For Payment for Services: We may use and disclose protected health information about you so that the treatment and services you receive at Marley Nutrition and Fitness may be billed to and payment may be collected from you, an insurance company, or a third party. For example, we may need to give your health plan information about services you received at Marley Nutrition and Fitness so your health plan will pay us or reimburse you for the service. We may also tell your health plan about the services you are going to receive to obtain prior approval or to determine whether your plan will cover the treatment.
For Health Care Operations: We may use and disclose protected health information about you for Marley Nutrition and Fitness health care operations, such as our quality assessment and improvement activities, case management, coordination of care, business planning, customer services, and other activities. These uses and disclosures are necessary to run the facility, reduce healthcare costs, and make sure that all of our patients receive quality care. We may also combine protected health information about many Marley Nutrition and Fitness patients to decide what additional services Marley Nutrition and Fitness should offer, what services are not needed, and whether certain new treatments are effective. We may also disclose information to doctors, nurses, technicians, medical students, and other Marley Nutrition and Fitness personnel for review and learning purposes. We may also combine the protected health information we have with protected health information from other healthcare facilities to compare how we are doing and see where we can make improvements in the care and services we offer. We may remove information that identifies you from this set of protected health information so others may use it to study healthcare and healthcare delivery without learning who the specific patients are. We may also contact you as part of a fundraising effort. Subject to applicable state law, in some limited situations the law allows or requires us to use or disclose your health information for purposes beyond treatment, payment, and operations. However, some of the disclosures set forth below may never occur at our facilities.
As Required By Law: We will disclose protected health information about you when required to do so by federal, state, or local law.
Research: We may disclose your protected health information to researchers when their research has been approved by an institutional review board or privacy board that has reviewed the research proposal and established protocols to ensure the privacy of your information.
Health Risks: We may disclose protected health information about you to a government authority if we reasonably believe you are a victim of abuse, neglect, or domestic violence. We will only disclose this type of information to the extent required by law, if you agree to the disclosure, or if the disclosure is allowed by law and we believe it is necessary to prevent or lessen a serious and imminent threat to you or another person.
Judicial and Administrative Proceedings: If you are involved in a lawsuit or dispute, we may disclose your information in response to a court or administrative order. We may also disclose health information about you in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made, either by us or the requesting party, to tell you about the request or to obtain an order protecting the information requested.
Business Associates: We may disclose information to business associates who perform services on our behalf (such as billing companies); however, we require them to appropriately safeguard your information.
Public Health: As required by law, we may disclose your protected health information to public health or legal authorities charged with preventing or controlling disease, injury, or disability.
To Avert a Serious Threat to Health or Safety: We may use and disclose protected health information about you when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person.
Health Oversight Activities: We may disclose health information to a health oversight agency for activities authorized by law. These activities include audits, investigations, and inspections, which may be necessary for licensure and for the government to monitor the health care system, government programs, and compliance with civil rights laws.
Law Enforcement: We may release protected health information as required by law, or in response to an order or warrant of a court, a subpoena, or an administrative request. We may also disclose protected health information in response to a request related to the identification or location of an individual, victims of crime, decedents, or a crime on the premises.
Organ and Tissue Donation: If you are an organ donor, we may release protected health information to organizations that handle organ procurement or organ, eye, or tissue transplantation or to an organ donation bank to facilitate organ or tissue donation and transplantation.
Special Government Functions: If you are a member of the armed forces, we may release protected health information about you if it relates to military and veterans’ activities. We may also release your protected health information for national security and intelligence purposes, protective services for the President, and medical suitability or determinations of the Department of State.
Coroners, Medical Examiners, and Funeral Directors: We may release protected health information to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also disclose protected health information to funeral directors consistent with applicable law to enable them to carry out their duties.
Correctional Institutions and Other Law Enforcement Custodial Situations: If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release protected health information about you to the correctional institution or law enforcement official as necessary for your or another person’s health and safety.
Worker’s Compensation: We may disclose information as necessary to comply with laws relating to worker’s compensation or other similar programs established by law.
Food and Drug Administration: We may disclose to the FDA, or persons under the jurisdiction of the FDA, protected health information relative to adverse events with respect to drugs, foods, supplements, products, and product defects, or post-marketing surveillance information to enable product recalls, repairs, or replacement.
YOU CAN OBJECT TO CERTAIN USES AND DISCLOSURES. Unless you object, or request that only a limited amount or type of information be shared, we may use or disclose protected health information about you in the following circumstances:
We may share with a family member, relative, friend, or other person identified by you protected health information directly relevant to that person’s involvement in your care or payment for your care. We may also share information to notify these individuals of your location, general condition, or death.
We may share information with a public or private agency (such as the American Red Cross) for disaster relief purposes. Even if you object, we may still share this information if necessary for emergency circumstances.
If you would like to object to the use and disclosure of protected health information in these circumstances, please call or write to our contact person listed at the top of this Notice.
YOUR RIGHTS REGARDING PROTECTED HEALTH INFORMATION ABOUT YOU.
You have the following rights regarding the protected health information we maintain about you:
Right to Inspect and Copy: You have the right to inspect and copy protected health information that may be used to make decisions about your care. Usually, this includes medical and billing records. To inspect and copy protected health information that may be used to make decisions about you, you must submit your request in writing to Marley Nutrition and Fitness. If you request a copy of the information, we may charge a fee for the costs of copying, mailing, or other supplies associated with your request, and we will respond to your request no later than 30 days after receiving it. There are certain situations in which we are not required to comply with your request. In these circumstances, we will respond to you in writing, stating why we will not grant your request and describe any rights you may have to request a review of our denial.
Right to Amend: If you feel that protected health information we have about you is incorrect or incomplete, you may ask us to amend or supplement the information. To request an amendment, your request must be made in writing and submitted to Marley Nutrition and Fitness. In addition, you must provide a reason that supports your request. We will act on your request for an amendment no later than 60 days after receiving the request. We may deny your request for an amendment if it is not in writing or does not include a reason to support the request, and will provide a written denial to you. In addition, we may deny your request if you ask us to amend information that:
Was not created by us, unless the person or entity that created the information is no longer available to make the amendment
Is not part of the protected health information kept by Marley Nutrition and Fitness
Is not part of the information which you would be permitted to inspect and copy, or
We believe is accurate and complete.
Right to an Accounting of Disclosures: You have the right to request an "accounting of disclosures." This is a list of the disclosures we made of protected health information about you. To request this list or accounting of disclosures, you must submit your request in writing to Marley Nutrition and Fitness. You may ask for disclosures made up to six years before your request (not including disclosures made before June 25, 2014). The first list you request within a 12-month period will be free. For additional lists, we may charge you for the costs of providing the list. We are required to provide a listing of all disclosures except the following:
For your treatment
For billing and collection of payment for your treatment
For healthcare operations
Made to or requested by you, or that you authorized
Incidental to a permitted use or disclosure
For national security or intelligence purposes or to correctional institutions or law enforcement regarding inmates
As part of a limited data set of information that does not contain information identifying you
Right to Request Restrictions: You have the right to request a restriction or limitation on the protected health information we use or disclose about you for treatment, payment, or health care operations or to persons involved in your care. We are not required to agree to your request. If we do agree, we will comply with your request unless the information is needed to provide you with emergency treatment, the disclosure is to the Secretary of the Department of Health and Human Services, or the disclosure is for one of the purposes described above (such as disclosures required by law). To request restrictions, you must make your request in writing to Marley Nutrition and Fitness.
Right to Request Confidential Communications: You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we only contact you at work or by mail. To request confidential communications, you must make your request in writing to Marley Nutrition and Fitness. We will accommodate all reasonable requests.
Right to a Paper Copy of This Notice: You have the right to a paper copy of this Notice at any time by contacting Marley Nutrition and Fitness.
OTHER USES AND DISCLOSURES
We will obtain your written authorization before using or disclosing your protected health information for purposes other than those provided for above (or as otherwise permitted or required by law). You may revoke this authorization in writing at any time. Upon receipt of the written revocation, we will stop using or disclosing your information, except to the extent that we have already taken action in reliance on the authorization.
YOU MAY FILE A COMPLAINT ABOUT OUR PRIVACY PRACTICES
If you believe your privacy rights have been violated, you may file a complaint with Marley Nutrition and Fitness, or file a written complaint with the Secretary of the Department of Health and Human Services. A complaint to the Secretary should be filed within 180 days of when you knew or should have known of the violation. If you file a complaint, we will not take any action against you or change our treatment of you in any way.
Texas Medical Privacy Act Adopts and Expands the HIPAA Privacy Regulations*
On June 17, 2001, Texas Governor Rick Perry signed the Texas Medical Privacy Act into law. S.B.11 (2001). The Act is designed to bring Texas into compliance with Federal standards on patient privacy as enumerated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). 65 Fed. Reg. 82,461 (2000). See http://aspe.os.dhhs.gov/admnsimp/Index.htm. The Texas Medical Privacy Act will also expand the protections mandated by HIPAA in three areas. First, the Act applies to a broader range of entities. Second, the Act does not allow a patient’s health information to be marketed, or to be used in marketing, without that patient’s consent or authorization. Third, the Act prohibits the re-identification of information that has been de-identified.
§181.052-181.057 Uses and Disclosures Allowed Without Consent or Authorization: No consent or authorization need be obtained prior to the use and disclosure of PHI for:
Financial institutions for the processing of payment transactions;
Worker’s compensation insurance;
Employee benefit plans;
Red Cross; and
Offenders with mental impairments.
§181.051(b). Psychotherapy Notes: A licensed psychologist or a psychiatrist who is providing psychological or psychiatric services to an individual is not required to permit the individual to inspect or copy a personal diary containing PHI relating to the individual if the information contained in the diary has not been disclosed to a person other than another psychologist or psychiatrist for the specific purpose of clinical supervision conducted in the regular course of treatment.
§181.102(a)(1)-(4). Research: The Texas law includes the same requirements as HIPAA except that consent or authorization is required for research without an IRB waiver.
§181.152(a),(b),&(c). Marketing: PHI may not be used, disclosed, or sold for marketing purposes without first obtaining consent or authorization from the individual. Written communications must explain the recipient’s right to removal from the mailing list, and removal must be accomplished within five days after the receipt of the request. The Texas Medical Privacy Act is much more restrictive of marketing than HIPAA is. HIPAA allows covered entities to market virtually all types of health products, with a few restrictions, without obtaining authorization from the individual. The Texas Medical Privacy Act prohibits any release of PHI for marketing purposes without consent or authorization from the individual.
§181.151. De-identification and Re-identification: A person may not re-identify or attempt to re-identify an individual who is the subject of any protected health information without obtaining the individual’s consent or authorization. HIPAA allows de-identified information to be re-identified under specific guidelines, however, the Texas Medical Privacy Act does not allow re-identification at all.
Breach Notification Rule
The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third-party service providers, pursuant to section 13407 of the HITECH Act.
Definition of Breach: A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
The unauthorized person who used the protected health information or to whom the disclosure was made;
Whether the protected health information was actually acquired or viewed; and
The extent to which the risk to the protected health information has been mitigated.
Covered entities and business associates, where applicable, have the discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the protected health information has been compromised.
There are three exceptions to the definition of “breach.” The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate if such acquisition, access, or use was made in good faith and within the scope of authority. The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.
Unsecured Protected Health Information and Guidance: Covered entities and business associates must only provide the required notifications if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.
This guidance was first issued in April 2009 with a request for public comment. The guidance was reissued after consideration of public comment received and specifies encryption and destruction as the technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Additionally, the guidance also applies to unsecured personal health records and identifiable health information under the FTC regulations. Covered entities and business associates, as well as entities regulated by the FTC regulations, that secure information as specified by the guidance, are relieved from providing notifications following the breach of such information.
Breach Notification Requirements: Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.
Our Business Associate Agreement further provides: Business Associate shall report any Breach of Unsecured PHI to Covered Entity promptly by telephone (503-352-2160) and follow up in writing no later than five (5) calendar days after Business Associate’s knowledge of such Breach. For purposes of this Agreement, Business Associate shall be deemed to have knowledge of such Breach at the time such Breach is known to Business Associate or any of Business Associate’s employees, officers, directors, Subcontractors or other agents or, by exercising reasonable diligence, would have been known to Business Associate or any of Business Associate’s employees, officers, directors, Subcontractors, or other agents (excepting the person committing the Breach, who is an employee, officer or agent of Business Associate). Business Associate shall not contact any Individuals suspected to be affected by the Breach without prior written approval of the Covered Entity. The Business Associate shall provide Covered Entity with the name and contact information for a primary point of contact for the Business Associate regarding the incident.
Individual Notice: Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information. Covered entities must provide this individual notice in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically. If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its website for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside. The covered entity must include a toll-free phone number that remains active for at least 90 days where individuals can learn if their information was involved in the breach. If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written notice, by telephone, or by other means.
These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable).
With respect to a breach at or by a business associate, while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate. Covered entities and business associates should consider which entity is in the best position to provide notice to the individual, which may depend on various circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has a relationship with the individual.
Media Notice: Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.
Notice to the Secretary: In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information. Covered entities will notify the Secretary by visiting the HHS website and filling out and electronically submitting a breach report form. If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following discovery of the breach. If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches are discovered.
Notification by a Business Associate: If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any other available information required to be provided by the covered entity in its notification to affected individuals.
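The notice rules above turn into a small decision procedure that an incident responder can run as soon as the breach risk assessment is complete: which notices are owed, to whom, and by when. The planner below is an added illustration written for this page, not code from Marley Nutrition and Fitness or from HHS. It encodes only the thresholds and deadlines stated in the rule text above (60 days from discovery; substitute notice at 10 or more unreachable individuals; media notice at more than 500 residents of a State; Secretary notice at 500 or more individuals, otherwise the annual log due 60 days after the calendar year ends). The names `BreachFacts`, `Obligation`, `notification_plan` and `plan_from_iso` are this example's own, and the breach figures in the `__main__` block are constructed. State breach laws and the five-day contractual deadline in the Business Associate Agreement above are deliberately not modeled.

```python
"""Breach-notification obligation planner for the thresholds stated on this page
(45 CFR 164.400-414).  Added illustration, not the covered entity's own code."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Deadlines and thresholds exactly as stated in the rule text above.
NOTICE_DEADLINE_DAYS = 60          # individual, media and Secretary notice
SUBSTITUTE_NOTICE_DAYS = 90        # website posting / toll-free number must stay up this long
MEDIA_THRESHOLD = 500              # media notice when MORE than 500 residents of one State
SECRETARY_THRESHOLD = 500          # immediate Secretary notice when 500 OR MORE individuals
SUBSTITUTE_NOTICE_THRESHOLD = 10   # web/media substitute notice when 10 or more are unreachable


@dataclass
class BreachFacts:
    """Facts the responder records once the four-factor risk assessment is done."""
    discovered: date                      # date the breach was, or should have been, discovered
    affected_by_state: dict[str, int]     # affected residents keyed by State/jurisdiction
    unreachable: int = 0                  # individuals with missing or out-of-date contact info
    secured: bool = False                 # PHI encrypted/destroyed per the HHS guidance
    low_probability: bool = False         # documented assessment shows low probability of compromise


@dataclass
class Obligation:
    kind: str
    deadline: date
    detail: str
    states: list[str] = field(default_factory=list)


def total_affected(facts: BreachFacts) -> int:
    return sum(facts.affected_by_state.values())


def annual_log_deadline(discovered: date) -> date:
    """Sub-500 breaches are reported within 60 days after the end of the
    calendar year in which they were discovered."""
    return date(discovered.year, 12, 31) + timedelta(days=NOTICE_DEADLINE_DAYS)


def notification_plan(facts: BreachFacts) -> list[Obligation]:
    """Return the notices the covered entity owes.  An empty list means no
    notice is required, but the burden of proof stays with the covered entity,
    so the risk assessment or exception must still be kept on file."""
    if facts.secured:
        return []  # not "unsecured PHI": the rule does not apply
    if facts.low_probability:
        return []  # presumption of breach rebutted by the documented assessment

    deadline = facts.discovered + timedelta(days=NOTICE_DEADLINE_DAYS)
    plan = [Obligation("individual_notice", deadline,
                       "written notice by first-class mail, or e-mail if the individual agreed")]

    if facts.unreachable >= SUBSTITUTE_NOTICE_THRESHOLD:
        plan.append(Obligation(
            "substitute_notice", deadline,
            f"post on website home page or in major media for {SUBSTITUTE_NOTICE_DAYS} days, "
            f"with a toll-free number active for {SUBSTITUTE_NOTICE_DAYS} days"))
    elif facts.unreachable > 0:
        plan.append(Obligation("substitute_notice", deadline,
                               "alternative written notice, telephone, or other means"))

    # Media notice is per State and uses a strict "more than 500" test.
    media_states = sorted(s for s, n in facts.affected_by_state.items() if n > MEDIA_THRESHOLD)
    if media_states:
        plan.append(Obligation("media_notice", deadline,
                               "press release to prominent media outlets serving each State",
                               states=media_states))

    # Secretary notice uses the aggregate count and a "500 or more" test.
    if total_affected(facts) >= SECRETARY_THRESHOLD:
        plan.append(Obligation("secretary_notice", deadline, "submit the HHS breach report form now"))
    else:
        plan.append(Obligation("secretary_annual_log", annual_log_deadline(facts.discovered),
                               "log the breach and submit it with the annual report"))
    return plan


def plan_from_iso(discovered: str, affected_by_state: dict[str, int], unreachable: int = 0,
                  secured: bool = False, low_probability: bool = False) -> list[Obligation]:
    """Convenience wrapper taking an ISO date string (e.g. from a ticket or JSON)."""
    return notification_plan(BreachFacts(date.fromisoformat(discovered), affected_by_state,
                                         unreachable, secured, low_probability))


if __name__ == "__main__":
    # Constructed example: 640 individuals, 600 of them Texas residents, 12 unreachable.
    for o in plan_from_iso("2023-11-15", {"TX": 600, "OK": 40}, unreachable=12):
        print(f"{o.kind:20} due {o.deadline}  {o.detail} {o.states or ''}")
```

The two 500 thresholds are intentionally kept distinct: a breach of exactly 500 residents of one State triggers Secretary notice within 60 days but not media notice. Run it with the figures from your own risk assessment; the output is a checklist with dates, not a substitute for the written policies and procedures the rule also requires.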
Administrative Requirements and Burden of Proof: Covered entities and business associates, as applicable, have the burden of demonstrating that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach. Thus, with respect to an impermissible use or disclosure, a covered entity (or business associate) should maintain documentation that all required notifications were made, or, alternatively, documentation to demonstrate that notification was not required: (1) its risk assessment demonstrating a low probability that the protected health information has been compromised by the impermissible use or disclosure; or (2) the application of any other exceptions to the definition of “breach.”
Covered entities are also required to comply with certain administrative requirements with respect to breach notification. For example, covered entities must have in place written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures.