Notice of Privacy Practices - Last Revised May, 2018
PRIVACY ACT STATEMENT - HEALTH CARE RECORDS
THIS IS NOT A CONSENT FORM TO RELEASE OR USE HEALTH CARE INFORMATION PERTAINING TO YOU. THIS FORM ADDRESSES:
1. AUTHORITY FOR COLLECTION OF INFORMATION INCLUDING SOCIAL SECURITY NUMBER (SSN)
Sections 1819(f), 1919(f), 1819(b)(3)(A), 1919(b)(3)(A), and 1864 of the Social Security Act.
2. PRINCIPAL PURPOSES FOR WHICH INFORMATION IS INTENDED TO BE USED
This form provides you the advice required by The Privacy Act of 1974. The personal information will facilitate ranking of changes in your health and functional status over time for purposes of evaluating and assuring the quality of care provided to patients.
3. ROUTINE USES
The primary use of this information is to aid in the administration of the survey and certification of Medicare/Medicaid providers and to improve the effectiveness and quality of care rendered by certified providers. This system will also support regulatory, reimbursement, policy, and research functions. This system will collect the minimum amount of personal data needed to accomplish its stated purpose.
The information collected will be entered into the Long-Term Care Minimum Data Set (LTC MDS) system of records, System No. 09-70-1517. Information from this system may be disclosed under specific circumstances (routine uses) which include to the Census Bureau and to:
(1) Agency contractors, or consultants who have been engaged by the Agency to assist in accomplishment of a function of CMS (Center for Medicare & Medicaid Services),
(2) another Federal or State agency, agency of a State government, an agency established by State law, or its fiscal agent to administer a Federal health program or a Federal/State Medicaid program and to contribute to the accuracy of reimbursement made for such programs,
(3) to Quality Improvement Organizations (QIOs) to perform Title XI or Title XVIII functions,
(4) to insurance companies, underwriters, third party administrators (TPA), employers, self-insurers, group health plans, health maintenance organizations (HMO) and other groups providing protection against medical expenses to verify eligibility for coverage or to coordinate benefits with the Medicare program,
(5) an individual or organization for research, evaluation, or epidemiological project related to the prevention of disease or disability, the restoration of health, or payment related projects,
(6) to a member of Congress or congressional staff member in response to an inquiry from a constituent,
(7) to the Department of Justice,
(8) to a CMS contractor that assists in the administration of a CMS-administered health benefits program or to a grantee of a CMS administered grant program,
(9) to another Federal agency or to an instrumentality of any governmental jurisdiction that administers, or that has the authority to investigate potential fraud or abuse in a health benefits program funded in whole or in part by Federal funds to prevent, deter, and detect fraud and abuse in those programs,
(10) to national accrediting organizations, but only for those locations that are accredited and that participate in the Medicare program.
4. WHETHER DISCLOSURE IS MANDATORY OR VOLUNTARY AND THE EFFECT ON INDIVIDUALS FOR NOT PROVIDING INFORMATION
For patients receiving services from a Medicare/Medicaid provider the requested information is mandatory because of the need to assess the appropriateness of services, effectiveness and quality of care rendered by certified providers. If the requested information is not furnished the determination of beneficiary services and resultant reimbursement may not be possible.
NOTICE OF PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This joint Notice of Privacy Practices applies to all CHSGa health care providers participating as “Affiliated Covered Entities” (these health care providers are affiliated covered entities for the sole purpose of compliance with the Health Insurance Portability and Accountability Act, commonly known as “HIPAA”). The CHSGa health care providers all follow this Notice of Privacy Practices and they may share protected health information with each other as necessary for the purpose of treatment, payment and/or healthcare operations as allowed under HIPAA.
We are committed to safeguarding your protected health information (PHI).
We understand that information about you and your health is personal. We are committed to protecting your health information. We create a record of the care and services you receive at the location, as well as records regarding payment for those services. We need these records to provide care for you and to comply with certain legal requirements. This notice applies to the records of your care generated or maintained by the location, whether made by location personnel or other healthcare providers. Your personal doctor may have different policies or notices regarding the doctor’s use and disclosure of your PHI created in the doctor’s office or clinic.
This notice will tell you about the ways in which we may use and disclose medical information about you. We also describe your rights and certain obligations that we have regarding the use and disclosure of medical information.
We are required by federal law to maintain the privacy of your PHI; to give you this notice of our legal duties and privacy practices with respect to PHI about you; and to follow the terms of the notice currently in effect.
How we may use and disclose health information about you.
We may use or disclose your health information in one of the following ways: (1) when permitted by law; (2) when required by law; (3) pursuant to your verbal agreement (for use in our location directory or to discuss your health with family or friends who are involved in your care); and/or (4) pursuant to your written authorization when we are required to obtain it.
The following categories describe different ways that we use and disclose health information. For each category of uses or disclosures, we will explain what we mean and give some examples. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall into one of the categories.
Uses and disclosures relating to treatment, payment and health care operations do not require your prior authorization.
-
For treatment: We may use health information about you to provide you with medical treatment or services. We may disclose medical information about you to doctors, nurses, healthcare providers, healthcare students, or other appropriate personnel who are involved in taking care of you. For example, we will share information about you with the pharmacy so that they may provide your medications.
-
For payment: We may use and disclose health information about you so that the treatment and services you receive may be appropriately billed, and that payment may be collected from you, an insurance company, or another third party. For example, we may release information about the care and services you received to your insurance company to receive payment.
-
For health care operations: We may use and disclose medical information about you for health care operations. For example, we may use healthcare information to review care and services and to evaluate the effectiveness of programs or systems of care. There are some services provided in our organization through contracts with business associates. When we contract for these services, we may disclose your health information so that our business associates can perform the job we have asked them to do. To protect your health information, however, we require the business associate to appropriately safeguard your information. Unless you object and as applicable, we will include certain limited information about you in the location directory while you are a resident at the location. This information may include your name, location, your general condition (e.g., fair, stable, etc.) and your religious affiliation. The directory information, except for your religious affiliation, may be released to people who ask for you by name. Your religious affiliation may be given to a member of the clergy, even if they do not ask for you by name. This is so your family, friends and clergy can visit you in the location and generally know how you are doing. We may place a name tag on your door and take a photograph of you for identification. In order to recognize your birthday, we may post your name (with month and day of your birth) on a bulletin board (standard and/or digital) and include this same information in our newsletter. In addition, pictures taken during activity programs may be posted on the bulletin boards. Please let us know if you object.
-
For health information organizations/exchanges: We may participate in a Health Information Organization/Exchange to communicate your health information to other providers for treatment, payment or healthcare operations. As permitted by law, your health information may be shared with an organization/exchange in order to provide faster access, better coordination of care and assist providers in making informed decisions regarding your care.
Certain other uses and disclosures do not require your prior authorization.
We may use and disclose your PHI without your authorization for the following reasons:
-
When a disclosure is required by federal, state, or local law or for judicial or administrative proceedings. For example, if you are involved in a lawsuit or a dispute, we may disclose PHI about you in response to a court order. When abuse or neglect is suspected, we may also be required to release information. We may also disclose PHI about you in response to a court order, but only after making the effort to inform you of the request and giving you the right to object. We must disclose your PHI when required to do so by law.
-
To coroners or funeral directors. The law authorizes release of information to coroners or funeral directors for the purpose of determining cause of death or identification.
-
For research. We may disclose PHI about you to researchers when their research has been approved by an Institutional Review Board that has reviewed the research proposal and established protocols to assure the privacy of your information.
-
For public health activities. As required by law, we may disclose PHI about you to public health or legal authorities charged with controlling disease, injury, or disability.
-
For purposes of organ donation. If you have informed us of your decision to be an organ donor, we will provide PHI to these organizations as appropriate.
-
For workers’ compensation purposes. We may be required to report PHI in order to comply with workers’ compensation laws for any patients who may be covered.
-
To avoid harm. In order to avoid a threat to you or to the health or safety of another person or the public, we may provide PHI to law enforcement personnel or persons able to prevent or lessen such harm.
-
For specific functions as required by the government. When government agencies request information that may contain PHI, no authorization is required.
-
For reminders or information about health-related services. We may inform you of health-related information which may be helpful to you.
-
Fundraising activities. We may use a limited amount of your health information for purposes of contacting you or your representative to raise money for our location and its operations. You have the right to opt out of receiving such communications.
-
Emergency situations. If you are unable to communicate, emergency services do not require authorization for disclosure of information.
-
To the FDA (Food & Drug Administration). We may disclose PHI to the FDA relative to adverse events involving drugs, food, supplements, products and product defects, or post marketing surveillance information to enable product recalls, repairs, or replacement.
-
To the military and for matters of national security and protection of the President. If you are a member of the Armed Forces, we may release PHI about you as required by military command.
Other uses of your health information
Other uses and disclosures of PHI not covered by this notice or permitted/required by the laws that apply to us will be made only with your written authorization. For example, we are required to seek your written authorization before providing your PHI to a pharmaceutical company for purposes of marketing a product to you.
Items Requiring Written Authorization (not an all-inclusive list):
- Use and disclosure of psychotherapy notes in your medical file
- Use and disclosure of your PHI for paid marketing purposes
- Disclosure for the sale of your PHI
- Use and disclosure of your PHI for the purposes of participation in a research study
If you provide us permission to use or disclose PHI about you, you may revoke that permission, in writing, at any time. If you revoke your permission, we will no longer use or disclose medical information about you for the reasons covered by your written authorization. Please be advised that we are unable to take back any disclosures we have already made with your permission, and that we are required to retain our records of the care that we provided to you.
Your Individual Rights Regarding Your PHI.
You have the following rights regarding protected health information we maintain about you:
- Right to inspect and copy: You have the right to inspect and copy your medical and billing information, and any other information that may be used to make decisions about your care. Usually, this includes your medical and billing records, but does not include psychotherapy notes. If part of the medical information is maintained in an electronic format, you have the right to access that specific electronic information as long as the information can be produced in the format agreed upon between you and provider management. To inspect and copy your medical information, you must submit your request in writing to the provider manager/administrator. If you request a copy of the information, we may charge a fee for the costs of copying, mailing or other supplies associated with your request. We may deny your request to inspect and copy in certain very limited circumstances involving possible harm to you or other individual(s). If you are denied access to medical information, you may request that the denial be reviewed if the denial is made for certain reasons. Another licensed health care professional chosen by the location will review your request and the denial. The person conducting the review will not be the person who denied your request. We will comply with the outcome of the review.
- Right to amend: If you feel that health information we have about you is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept by or for the location. To request an amendment, your request must be made in writing and submitted to the provider administrator. In addition, you must provide a reason that supports your request. We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend information that: (1) was not created by us, unless the person or entity that created the information is no longer available to make the amendment; (2) is not part of the medical record kept by or for the location; (3) is not part of the information which you would be permitted to inspect and copy; or (4) is accurate and complete.
- Right to an accounting of disclosures: You have the right to request an “accounting of disclosures.” This is a list of certain disclosures we have made of PHI. To request an accounting of disclosures, you must submit your request in writing to the location administrator. Your request must state a time period, which may not be longer than six years for oral or paper protected health information. The period may not be longer than three years for electronic protected health information, and may not include dates before April 14, 2003. The first list you request within a 12-month period will be free. For additional lists, we may charge you for the costs of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred.
- Right to request restrictions: You have the right to request a restriction or limitation on the PHI we use or disclose about you for the purpose of treatment, payment, or health care operations. You may also request a limit on the PHI we disclose about you to someone who is involved in your care or the payment for your care, like a family member or friend. We are not required to agree to your request. If we do agree, we will comply with your request unless the information is needed to provide you emergency treatment. To request restrictions, you must make your request in writing to the location administrator. In your request, you must tell us (1) what information you want to limit; (2) whether you want to limit our use, disclosure or both; and (3) to whom you want the limits to apply, for example, disclosures to your spouse.
- Right to restrict release of information for certain services: You have the right to restrict the disclosure of information to a health plan, for the purpose of payment or healthcare operations, regarding services for which you have paid in full or on an out of pocket basis, if the disclosure is not otherwise required by law. This information can be released only upon your written authorization.
- Right to request confidential communications: You have the right to request that we communicate with you about health care matters in a certain way or at a certain location. For example, you can ask that we send bills to a certain address. To request confidential communications, you must make your request in writing to the location administrator. We will not ask you the reason for your request. We will accommodate reasonable requests.
- Right to notification of a breach of your medical information: You have the right to be notified following a breach of your PHI.
- Right to opt out of fundraising and/or marketing activities: You have the right not to receive communications regarding fundraisers for the location. You also have the right not to receive communications marketing other treatments or products. To opt out, you must make your request in writing to the location administrator. In your request, you must tell us what information you do not want to receive, for example, communications regarding location fundraisers.
- Right to a paper copy of this notice: You have the right to receive a paper copy of this notice. You may ask us to give you a copy of this notice at any time. To obtain a paper copy of this notice contact the location administrator or office.
Changes to this notice:
We reserve the right to change the terms of this notice. We reserve the right to make the revised or changed notice effective for PHI we already have about you, as well as any information we receive in the future. We will post a copy of the current notice. The notice will contain the effective date.
Concerns:
If you believe your privacy rights have been violated, you may file a concern by contacting us via the Compliance Line 1-888-892-9962. In addition, you may file a written concern with the Office for Civil Rights of the Department of Health and Human Services. You will not be penalized for filing a concern.