April 27th, 2016
DALLAS NEPHROLOGY ASSOCIATES
NOTICE OF PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This Notice is being provided to you in accordance with the requirements of the Standards for Privacy of Individually Identifiable Health Information of the Health Insurance Portability and Accountability Act (the “HIPAA Privacy Rules”) and by the amendments to the HIPAA Privacy Rules made by the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”) and by the final HIPAA OMNIBUS Rule effective on September 23, 2013.
I. WE HAVE A LEGAL DUTY TO SAFEGUARD YOUR PROTECTED HEALTH INFORMATION (PHI):
We are legally required to protect the privacy of your health information. We call this information “protected health information,” or “PHI” for an abbreviation and it includes information that can be used to identify you that we’ve created or received about your past, present, or future health or condition, the provision of health care to you, or the payment of this health care. PHI also includes “genetic information” as that term is defined in the HIPAA Privacy Rules.
We must provide you with this Notice about our privacy practices that explains how, when, and why we use and disclose your PHI. With some exceptions, we may not use or disclose any more of your PHI than is necessary to accomplish the purpose of the use or disclosure. We are legally required to follow the privacy practices that are described in this Notice.
We prohibit our medical staff and patients from the use of cell phone cameras, video equipment, or recording devices in connection with any patient encounters or anywhere within our office premises without express permission from both the patient and our senior management.
However, we reserve the right to change the terms of this Notice and our privacy policies at any time. Any changes will apply to the PHI we already have. Before we make an important change to our policies, we will promptly change this Notice and post a new Notice in the waiting area. You can also request a copy of this Notice from the office receptionist in the office where your appointment is scheduled and can view a copy of the Notice on our Web site at www.dneph.com.
II. HOW WE MAY USE AND DISCLOSE YOUR PHI:
We use and disclose health information for many different reasons. We are not required to obtain your consent or authorization to make uses or disclosures of your PHI for the Primary Purposes and other possible uses described in Subsections A and B below, and in certain other very limited situations. In some cases as described in Subsection C and D, you may be given an opportunity to agree or object before the use or disclosure is made. However, as described in Subsection E below, your prior written authorization is required before we can use or disclose your PHI for most other purposes. Below, we describe the different categories of our uses and disclosures and give you some examples of each category.
A. PRIMARY USES AND DISCLOSURES OF PHI:
- For treatment: We may disclose your PHI to physicians, nurses, medical students, and other health care personnel who provide you with health care services or are involved in your care. For example, if you’re being treated for a knee injury, we may disclose your PHI to the physical rehabilitation department in order to coordinate your care.
- To obtain payment for treatment: We may use and disclose your PHI in order to bill and collect payment for the treatment and services provided to you. For example, we may provide portions of your PHI to our billing department and your health plan to get paid for the health care services we provided to you. We may also provide your PHI to our business associates, such as billing companies, claims processing companies, and others that process our health care claims.
- For health care operations: We may disclose your PHI in order to operate our clinical facilities. For example, we may use your PHI in order to evaluate the quality of health care services that you received or to evaluate the performance of the health care professionals who provided health care services to you. We may also provide your PHI to our accountants, attorneys, consultants, and others in order to make sure we’re complying with the laws that affect us. It may be necessary to provide PHI for purposes of obtaining malpractice insurance.
- Appointment reminders and health-related benefits or services: We may use PHI to provide appointment reminders or give you information about treatment alternatives, or other health care services or benefits we offer.
- Fundraising activities: We may use PHI to raise funds for our organization. The money raised through these activities is used to expand and support the health care services and educational programs we provide to the community. If you do not wish to be contacted as part of our fundraising efforts, please notify us in writing and we will not use or disclose your information for these purposes.
B. OTHER POSSIBLE USES AND DISCLOSURES OF PHI:
- When a disclosure is required by federal, state or local law, judicial or administrative proceedings, or law enforcement: For example, we make disclosures when a law requires that we report information to government agencies and law enforcement personnel about victims of abuse, neglect, or domestic violence; when dealing with gunshot and other wounds; or when ordered in a judicial or administrative proceeding.
- For public health activities: For example, we report information about births, deaths, and various diseases, to government officials in charge of collecting that information, and we provide coroners, medical examiners, and funeral directors necessary information relating to an individual’s death.
- For health oversight activities: For example, we will provide information to assist the government when it conducts an investigation or inspection of a health care provider or organization.
- To coroners, medical examiners, funeral directors or for purposes of organ donation: We may disclose PHI to a coroner or medical examiner for purposes of identifying a deceased person, determining cause of death, or for the coroner or medical examiner to perform other duties authorized by law. We may also disclose information to funeral directors, as authorized by law, so that they may carry out their duties. Further, we may notify organ procurement organizations to assist them in organ, eye, or tissue donation and transplants.
- For research purposes: In certain circumstances, we may provide PHI in order to conduct medical research.
- To avoid harm: In order to avoid a serious threat to the health or safety of a person or the public, we may provide PHI to law enforcement personnel or persons able to prevent or lessen such harm.
- For specific government functions: We may disclose PHI of military personnel and veterans in certain situations. And we may disclose PHI for national security purposes, such as protecting the president of the United States or conducting intelligence operations.
- For workers’ compensation purposes: We may provide PHI in order to comply with workers’ compensation laws.
- Lawsuits and disputes: If you are involved in a lawsuit or a dispute, we may disclose health information about you in response to a court or administrative order. Subject to all applicable legal requirements, we may also disclose health information about you in response to a subpoena.
- Family and Friends: We may disclose your health information to your family members or close friends if we obtain verbal agreement to do so or if we give you the opportunity to object to such disclosure and you do not raise an objection. We may also disclose health information to your family or friends if we can infer from the circumstances, based on our professional judgment that you would not object. For example, we may assume that you agree to our disclosure of your personal health information to your spouse when you bring your spouse with you into the exam room during treatment or when treatment is discussed.
In situations where you are not capable of giving consent, (because you are not present or due to you incapacity or medical emergency), we may determine, using our professional judgment, that a disclosure to your family member or friend is in your best interest. We will disclose only health information relevant to the person’s involvement in your care.
C. PARTICIPATION IN A HEALTH INFORMATION EXCHANGE (HIE):
As part of our health care operations, we intend to participate in an electronic HIE, which is a local or regional arrangement of health care organizations and providers who have agreed to work with each other to facilitate access to health care information that may be relevant to your care. For example, if you are admitted to a facility on an emergency basis and cannot provide important information about your health condition, the HIE will allow participating providers access to your pertinent health information shared from your various providers so that they may be more quickly able to offer you appropriate treatment. When it is needed, ready access to your health information means better care for you. Once we begin participation in a HIE, we will retain health care information (including PHI) about our patients in a shared electronic medical record with other health care providers who also participate in the HIE.
We intend that your PHI be used responsibly by our organization as well as the organizations we are affiliated with such that data will be encrypted and stored within a secure network and if your PHI is transmitted, it will be done over a private secure network, with administrative, physical and technical safeguards in accordance with this Notice and the law.
If you choose not to participate in the electronic HIE, you will be given an opportunity to opt out of the HIE. If you later change your mind, you will be given an opportunity to opt back into the HIE.
D. “OPTING-OUT” OR “OPTING-BACK” INTO THE HEALTH INFORMATION EXCHANGE (HIE):
If you opt-out of the HIE, your health information will continue to be used in accordance with this Notice and the law, but will NOT be made available through the HIE, even in medical emergencies. Your choice for” opting-out” or “opting-back” into the HIE will have to have to be made by a written request. The necessary form to enable you to do so will be provided by the staff at any of our medical office practice sites upon your request.
E. ANY OTHER USES AND DISCLOSURES OF PHI MAY REQUIRE PRIOR WRITTEN AUTHORIZATION:
In most situations not described in Subsections A and B above, we will ask for your written authorization before using or disclosing any of your PHI. If you choose to sign an authorization permitting us to use or disclose your PHI, you can later revoke that authorization in writing to stop any future uses and disclosures (to the extent that we haven’t taken any action relying on the authorization).
In some instances, we may need specific written authorization from you in order to disclose certain types of specially-protected health information such as HIV results, substance abuse and mental health records, and genetic testing information for purposes such as treatment, payment and healthcare operations.
III. WHAT RIGHTS YOU HAVE REGARDING YOUR PHI
You have the following rights with respect to your PHI:
A. The right to request limits on uses and disclosures of your PHI: You have the right to ask that we limit how we use and disclose your PHI. We will consider your request but, we are not legally required to accept it unless the requested restriction involves a disclosure to a health plan for purposes of carrying out payment or health care operations and you have paid out-of-pocket and in full for the item or service to which the disclosure relates. If we accept your request, we will put any limits in writing and abide by them except in emergency situations. You may not limit the uses and disclosures that we are legally required or allowed to make.
B. The right to choose how we send PHI to you: You have the right to ask that we send information to you to an alternate address (for example, sending information to your work address rather than your home address). We must agree to your request so long as we can easily provide it in the format you requested.
C. The right to see and get copies of your PHI: In most cases, you have the right to look at or get copies of your PHI that we have, but you must make the request in writing. If we don’t have your PHI but we know who does, we will tell you how to get it. We will respond to you within 15 days after receiving your written request. In certain situations, we may deny your request. If we do, we will tell you, in writing, our reason for the denial and explain your right to have the denial reviewed. You have the right to request a copy of your health information in electronic format.
A physician may charge “a reasonable fee” for copying medical records, and the Texas State Board of Medical examiners has clarified the interpretation of “reasonable” to be a charge of no more than $25 for the first twenty (20) pages and $.15 per page thereafter. We usually provide medical records to patients when requested for no charge on an annual basis; however, if medical records are requested more frequently than annually, a charge will be submitted.
D. The right to get a list of the disclosures we have made: You have the right to get a list of instances in which we have disclosed your PHI. The list will not include uses or disclosures that you have already consented to, such as those made for treatment, payment, or health care operations, directly to you or to your family. The list also won’t include uses and disclosures made for national security purposes, to corrections or law enforcement personnel, or before April 1, 2003.
We will respond within 60 days of receiving your request. The list will include the date of the disclosure, to whom PHI was disclosed (including their address, if known), a description of the information disclosed, and the reason for the disclosure. We will provide the list to you at no charge, but if you make more than one request in the same year, we will charge you according to our fee schedule for each additional request.
E. The right to correct or update your PHI: If you believe that there is a mistake in your PHI or that a piece of important information is missing, you have the right to request that we correct the existing information or add the missing information. You must provide the request and your reason for the request in writing. We will respond within 60 days of receiving your request. We may deny your request in writing if the PHI is (i) correct and complete, (ii) not created by us, (iii) not allowed to be disclosed, or (iv) not part of our records. Our written denial will state the reasons for the denial and explain your right to file a written statement of disagreement with the denial. If you don’t file one, you have the right to request that your request and our denial be attached to all future disclosures of your PHI. If we approve your request, we will make the change to your PHI, tell you that we have done it, and tell others that need to know about the change to your PHI.
F. The right to be notified in the event of a “breach” of unsecured PHI: We make every effort to secure the privacy of your PHI. If, however, there is an unauthorized acquisition, use, or access of your unsecured PHI that is a “reportable breach” (under the HITECH Act and the Omnibus Rule), we will notify you in writing within 60 days. The notification will explain the incident, the steps we are taking to lessen any harm that might be caused by the incident, and any steps you should take to protect yourself from any potential harm resulting from the incident. If you have any questions about our procedures in the event of a “breach” of your unsecured PHI, please contact DNA’s Privacy Officer.
G. The right to get this Notice by e-mail. You have the right to get a copy of this Notice by e-mail. Even if you have agreed to receive Notice via e-mail, you also have the right to request a paper copy of this Notice.
IV. HOW TO COMPLAIN ABOUT OUR PRIVACY PRACTICES
If you think that we may have violated your privacy rights, or you disagree with a decision we made about access to your PHI, you may file a complaint with the following person/persons. We will take no retaliatory action against you if you file a complaint about our privacy practices.
DNA Privacy Officer:
Bruce Wall, M.D.
13154 Coit Road
Dallas, TX 75240
Office for Civil Rights:
Office of Civil Rights
U.S. Department of Health and Human Services
1301 Young Street, Suite 1169
Dallas, TX 75202
Fax (214) 767-0432
V. EFFECTIVE DATE OF THIS NOTICE
This Notice went into effect on April 1, 2003, and was amended effective February 17, 2010 with added requirements from the HITECH Act.
This Notice was amended again, effective in November 2012 with the Texas House Bill 300 which requires that patients be provided copies of their requested health information within 15 days of the written request instead of the 30 days as required under HIPAA requirements.
This Notice was amended again, effective September 23, 2013 with added requirements from the final HIPAA Omnibus Rule.
This Notice was amended again, effective January 6, 2014 with change of DNA Privacy Officer.
This Notice was amended again, effective January, 2015.