BEHAVIORAL HEALTH ASSOCIATES, INC.
(302) 661-2790 (Phone)
_____________________________________________________________________________________________________________________________
NOTICE OF PRIVACY PRACTICES (HIPAA)
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT
CAREFULLY.
I am required by applicable federal and state law to maintain the privacy of your health information. I am also required to allow you to read this Notice about my privacy practices, legal obligations, and your rights concerning your health information (“Protected Health Information” or “PHI”). I must follow the privacy practices that are described in this Notice (which may be amended from time to time).
For more information about my privacy practices, or for a copy of this Notice, please contact me using the information listed in Section II G of this notice.
I. USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION
A. Permissible Uses and Disclosures without Your Written Authorization
I may use and disclose PHI without your written authorization, excluding Psychotherapy Notes as described in Section II, for certain purposes as described below. The examples provided in each category are not meant to be exhaustive, but instead are meant to describe the types of uses and disclosures that are permissible under federal and state law.
1. Treatment:
I may use and disclose PHI in order to provide treatment to you. For example, I may use PHI to diagnose and provide counseling services to you. In addition, I may disclose PHI to other health care providers involved in your treatment.
2. Payment:
I may use or disclose PHI so that services you receive are appropriately billed to, and payment is collected from, your health plan. By way of example, I may disclose PHI to permit your health plan to take certain actions before it approves or pays for treatment services. At your request, I may not disclose information to health plans about care for which you have paid for out-of pocket, unless for treatment purposes or in the rare event the disclosure is required by law.
3. Health Care Operations:
I may use and disclose PHI in connection with our health care operations, including quality improvement activities, training programs, accreditation, certification, licensing or credentialing activities.
4. Required or Permitted by Law:
I may use or disclose PHI when I am required or permitted to do so by law. For example, I may disclose PHI to appropriate authorities if I reasonably believe that you are a possible victim of abuse, neglect, or domestic violence or the possible victim of other crimes. In addition I may disclose PHI tothe extent necessary to avert a serious threat to your health or safety or the health or safety of others. Other disclosures permitted or required by law include the following: disclosures for public health activities; health oversight activities, including state or deferral agencies authorized to access PHI; disclosures to judicial and law enforcement officials in response to a court order or other lawful process; disclosures for research when approved by an institutional review board; and disclosures to military or national security agencies, coroners, medical examiners, and correctional institutions or otherwise as authorized by law. PHI and psychotherapy notes may be released in response to a complaint filed against me or another therapist.
5. Office Operations:
I may: refer to you by name in the office waiting room; leave a message on your voicemail noting my name, appointment times or information requested by you; mail or FAX to you billing statements or clinical reports. You may for purposes of confidentiality request that I restrict any of these forms of disclosure. I will make every effort to honor your requests.
6. Breaches:
A “breach” is defined as the acquisition, access, use or disclosure of PHI in violation of the HIPAA Privacy Rule. Examples of a breach include: stolen or improperly accessed PHI; PHI inadvertently sent to the wrong provider; and unauthorized viewing of PHI by an employee in your practice. PHI is “unsecured” if it is not encrypted to government standards. When the practice becomes aware of or suspects a breach, the practice will conduct a risk assessment. The practice will keep a written record of that risk assessment. A business associate may do the risk assessment if it was involved in the breach. While the business associate will conduct a risk assessment of a breach of PHI in its control, the practice will provide any required notice to patients and to the Department of Health and Human Services (HHS). After any breach, particularly one that requires notice, the practice will re-assess its privacy and security practices to determine what changes should be made to prevent the re-occurrence of such breaches. If there is a breach of your PHI, you have the right to be notified, and the breach will be presumed reportable unless, after completing a risk analysis applying four factors, it is determined, that there is a “low probability of PHI compromise.” I will consider all of the following four factors:
a) The nature and extent of the PHI involved- issues to be considered include the sensitivity of the information from a financial or clinical perspective and the likelihood the information can be re-identified;
b) The person who obtained the unauthorized access and whether that person has an independent obligation to protect the confidentiality of the information;
c) Whether the PHI was actually acquired or accessed, determined after conducting a forensic analysis; and
d) The extent to which the risk has been mitigated, such as by obtaining a signed confidentiality agreement from the recipient.
7. Additional instances where the use and disclosure without your consent or authorization is allowed:
There may be certain narrowly-defined disclosures to law enforcement agencies, to a health oversight agency (such as HHS or a state department of health), to a coroner or medical examiner, for public health purposes relating to disease or FDA regulated products, or for specialized government functions such as fitness for military duties, eligibility for VA benefits, and national security and intelligence.
B. Uses and Disclosures Requiring Your Written Authorization
The following uses and disclosures of PHI will be made only with your (or your authorized representative’s) written authorization:
1. Psychotherapy Notes:
Notes recorded by your clinician documenting the contents of a counseling session with you (“Psychotherapy Notes”) will be used only by your clinician and will not otherwise be used or disclosed without your written authorization, except as noted in I.A. above.
2. Marketing Communications:
I will not use your health information for marketing communications without your written authorization. Additionally, you have the right to opt out of fundraising communications.
3. Other Uses and Disclosures:
Uses and disclosures other than those described in Section I.A. above will only be made with your written authorization. For example, you will need to sign an authorization form before I can send PHI to your life insurance company, to a school, or to your attorney. You may revoke any such authorization at any time.
II. YOUR INDIVIDUAL RIGHTS
A. Right to Inspect and Copy.
You may request access to your medical record and billing records maintained by me in order to inspect and request companies of the records. All requests for access must be made in writing. Under limited circumstances, I may deny access to your records. I may charge a fee for the costs of copying and sending you any records requested. If you are a parent or legal guardian of a minor, please note that certain portions of the minor’s medical record will not be accessible to you. Clients may ask for copies of their electronic health records in electronic form. I must provide patients with access to their PHI in the form and format requested by the patient, if it is easy to produce in that format. Otherwise, PHI should be produced
in a readily electronic form/format that is agreed upon by the patient and me. In addition, if you request your PHI be provided directly to another person, I must comply with the request if the request is in writing, signed by you, and identifies the designated person and where to send the PHI
B. Right to Alternative Communications.
You may request, and I will attempt to accommodate, any reasonable written request for you to receive PHI by alternative means of communication or at alternative locations. I may send PHI in unencrypted e-mail only if you are advised of the risk and still request use of e-mail as means of transmission.
C. Right to Request Restrictions.
You have the right to request a restriction on PHI used for disclosure for treatment, payment or health care operations. You must request any such restriction in writing addressed to the Privacy Officer as indicated below. Unless required by law, you have the right to restrict certain disclosures of PHI to a health plan when you pay out-of-pocket in full for my services.
C. Right to Accounting of Disclosures.
Upon written request, you may obtain an accounting of certain disclosures of PHI. This right applies to disclosures for purposes other than treatment, payment or health care operations, excludes disclosures made to you or disclosures otherwise authorized by you, and is subject to other restrictions and limitations.
D. Right to be Notified if There is a Breach of Your Unsecured PHI.
You have a right to be notified if: (a) there is a breach (a use or disclosure of your PHI in violation with HIPAA Privacy Rule) involving your PHI; (b) that PHI has not been encrypted to government standards; and (c) my risk assessment fails to determine that there is a low probability that your PHI has been compromised.
E. Right to Request Amendment:
You have the right to request that I amend your health information. Your request must be in writing, and it must explain why the information should be amended. I may deny your request under certain circumstances.
F. Right to Obtain Notice.
You have the right to obtain a paper copy of this Notice by submitting a request to the Privacy Officer at any time.
G. Questions and Complaints.
If you desire further information about your privacy rights, or are concerned that I have violated your privacy rights, you may contact me. You may also file written complaints with the Director, Office for Civil Rights of the U.S. Department of Health and Human Services. I will not retaliate against you if you file a complaint with the Director or myself.
III. EFFECTIVE FATE AND CHANES TO THIS NOTICE
A. Effective Date. This Notice is effective on September 23, 2013.
B. Changes to this Notice. I may change the terms of this Notice at any time. If I change this Notice, I may make the new notice terms effective for all PHI that I maintain, including any information created or received prior to issuing the new notice. If I change this Notice, I will post the revised Notice in the waiting area of my office. You may also obtain any revised notice by contacting the relevant Privacy Officer.
The Privacy Officer for Behavioral Health Associates, Inc. is Stephen DiJulio, Ph.D. (302-655-1100 ext. 1)
